Malware Analysis Report

2025-05-06 00:12

Sample ID 250224-d1et8szndr
Target 919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437
SHA256 919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437
Tags
blackshades defense_evasion discovery persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437

Threat Level: Known bad

The file 919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437 was found to be: Known bad.

Malicious Activity Summary

blackshades defense_evasion discovery persistence rat

Blackshades

Modifies firewall policy service

Blackshades family

Blackshades payload

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry key

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-24 03:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-24 03:28

Reported

2025-02-24 03:30

Platform

win7-20241023-en

Max time kernel

149s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTSISLKMCHVUGP\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNFKBY\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JFTRISLJMYCHVUG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YEXHTSTPNUPFTAJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UBTDPPQLKQMCPWG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNFLSDERXOWLVLH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BJASKGBULMJRDKO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAQROWIP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YBSLQXJJDXBEUQR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENWEBPTYFGDMEJX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUTJTNLNDIWVIQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PIXHPDDEYEAVQDK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VOHNUFGTAQYNXNJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GJVUWRPWSHVDLCX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBFLYKS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTOESAI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMNKSELP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PRHBXGPGLDULJAU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRECQYQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ORHBXGPGLDULJAU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YBSLRYJKDXBEUQR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQFXWEYOEJBSJIS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDOE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SUKECJSJOGXOCMD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHET\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RKJRFEFBGBWRFMG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PSICYAHQHMEVMAK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNNLTFMQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVKECJTJOGXOCND\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VNMUJIJEDJFVIQK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WDVFRRSNLSODRYI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJBRJHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMSJRFQG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GPHDRWHIGOAHLCN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDIW\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNFKBY\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNFKBY\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JFTRISLJMYCHVUG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JFTRISLJMYCHVUG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YEXHTSTPNUPFTAJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YEXHTSTPNUPFTAJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UBTDPPQLKQMCPWG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UBTDPPQLKQMCPWG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNFLSDERXOWLVLH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNFLSDERXOWLVLH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BJASKGBULMJRDKO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BJASKGBULMJRDKO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAQROWIP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAQROWIP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YBSLQXJJDXBEUQR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YBSLQXJJDXBEUQR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENWEBPTYFGDMEJX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENWEBPTYFGDMEJX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUTJTNLNDIWVIQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUTJTNLNDIWVIQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PIXHPDDEYEAVQDK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PIXHPDDEYEAVQDK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VOHNUFGTAQYNXNJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VOHNUFGTAQYNXNJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GJVUWRPWSHVDLCX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GJVUWRPWSHVDLCX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBFLYKS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBFLYKS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTOESAI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTOESAI\service.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\RISOJSETDSTRALS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MHWUKUOMPAFKYXJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\XLMHFIYLSCNSCPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENWEBPTYFGDMEJX\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\YLNIGIYMTCOSDPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBQUGHEMFJYA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\POSFJFDTRIIKFBC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPEXVEXNDJARIHS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\WXUDDPVLJNIQFGY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFUEMABVBRMAHCG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\OKIKAOVEPUFRCBF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPHDRWHIGOAHLCN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\OLLXTRVQYMOAGNN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UNMUIHJECJFUIPK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\TCCOUKIMHPEFXVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LETDLAUAQLGBFVW\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\QDLCUMIDTMNWMNK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNFLSDERXOWLVLH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\DEAAVQDLFKYHSPN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTORVTWHMREBQYP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\TYVJVGFJWYAKQXX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDWGSRTOMTOESAI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\XVUYLBPLJXOANPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVKECJTJOGXOCND\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\PLMXUASWRNOBHOO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VNMUJIJEDJFVIQK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\WUTXKAOKIYWNMOJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUJDBISINFWNBMC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\PMQLTIJBIJRNWNC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOFXPLGBAPQNWIO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\RWTHTEDHYUVIOVV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UBTEQPQMKRMCPXG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\IVCMVTDAYKEYFVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VOHNUFGTAQYNXNJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\XWKLHFHXKSBMRBO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMVEAYOTYEFCLDI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\QIRNIYSDTCSTQYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHVTKUNMOAEJXWI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\OQLJMBPWFRWGSDC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIETXJKHPCINAD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVUYLBPLJXOAOQL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVKEDKTJOGXOCND\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\OWOBDXTOCYJEIYW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFLSDERWOWKVLH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\QHFQOMREIDBSXQG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PIXHPDDEYEAVQDK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\LIITQOSNVJKDKKT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFEFBGBWRFMG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\CAEHSUPNPFTBJAV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLCUMIDWNNLTFMQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\KXGHSYPNRMTIJBI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PIYHPDDEEAVQDKF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\GYXTVHNUUFYNWJI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNEWOKFAYPPNVHO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\MQNBNYVBTXSOQCI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKJLGELGWKRA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\ODNDYVUYLCPLJXO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLKMHFMHXLSB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\SQVIMHFWUKKMHAD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORHBXGPGLDULJAU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\NMHQXHEPIJSVWIJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BTLRYJAKDXCEURR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\QCLCUMIDTMNWMNK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBXPVNEOHGIVVDR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HVUGOGXPLGWPBQA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SUKECJSJOGXOCMD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFNFXOLGVPAQAPQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQHRKJLYBYGU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\MNJHJMUDOTEQBAY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYGCQVGHFNFKBY\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\CXBYMYJIMDNTLCC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLLMHFMIYLSC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\DFABVQELGKYHTPN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTPSVUWIMRECQYQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\FXWTUGMTUFYYNVI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMEVNJEYOPMUGNS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\KTQKUFVAFUVSBNT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NJXVMWPOQCGLYKS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\JNKKVSQUPXLNFMM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TMLTHGIDBIDYTHO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\YAWUMCQMJYOBOQL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TVLFDKUKPHYPDNE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVWKWHGKXBLRYYJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YEXHTSUPNUPFTBJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\QCKBTLHCSLMVYLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOFPIGJVWES\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\OAIRYJFAQJKTXYJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNSLBLFDGWSTBP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\QPTGKGEUSJIKFCD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQFXWEYOEJBSJIS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\TGHDBDYTHOINKVS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWSAUYWKPUABHET\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\TYUIVGEJWXAKPWX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WDVFRRSNLSODRYI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\RDLDVMJDTNOXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOFPIHJWWES\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\GYQMHXQBRBQROXJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTRISLKMCHVUGP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\ACFQSNLNDRYHTXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJASKGBULMJRDKO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\AWVNDQMKPCPRMFI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LEUDLAVARMGBGVW\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HRNIYRCSCRSPYKQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUTJTNLNDIWVIQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFNEWOKFVOAPYPP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDSXQGQKILXBYGU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\TXUIUFEIVXJPWWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WCVFRQSNLSNDRYH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\FXWSTGMTTEYXMVI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMDVNJEXNOMUGNR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\MBVRMAWHXCGWXUD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPLXOYRQSEINAMU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\GYQMHXQBRBQROXJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTSISLKMCHVUGP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\RQCKBTLHCSLMVMM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQGAYWFOFKCTKIT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\BDGRTOMOESAIUYJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKBTLHCVMNKSELP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\DQHUQOTFTVAQJMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMDVNJEXNOMUGMR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\AUWKWHGKXYBLRYY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YEXHTSTPNUPFTAJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\THSIEDQGUQOTFSV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UBTDPPQLKQMCPWG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\RVSGSDCGYXTVHNU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UATDPOQLJQMBPWF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\NMGPWHDOHIYRVWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YBSLQXJJDXBEUQR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
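The three registry tables above (the firewall-policy writes, the dropped service.exe copies, and the Run-key values) share one shape: reg.exe writes a path under %TEMP%\<15 upper-case letters>\service.exe either into the firewall AuthorizedApplications list, or into HKCU\...\CurrentVersion\Run, and flips DoNotAllowExceptions to 0 so the exception takes effect. The Python below is an added example, not part of this sandbox report and not the sandbox's own signature logic. It parses "Set value" rows in exactly the form the tables print them and applies three heuristics that are assumptions drawn from this one detonation: a firewall exception for a binary under \Users\, a Run value matching the 15-letter Temp directory scheme, and reg.exe as the writing process for either key family. The rule names are made up here. Of the four sample rows, the first three are copied from the tables above (the first AuthorizedApplications row, the DoNotAllowExceptions row, the first Run row); the fourth is a constructed benign OneDrive Run value so the scan has a known non-hit.

```python
"""Registry-indicator checks for the Blackshades detonation rows above.

Added example for this report (not the sandbox's own signature code). It parses
"Set value" rows in the exact shape the tables print them and applies three
heuristics, all of which are assumptions drawn from this one detonation:
  1. a Windows Firewall AuthorizedApplications exception for a binary under
     \\Users\\ (user-writable), or DoNotAllowExceptions forced to "0";
  2. a Run-key value pointing at ...\\AppData\\Local\\Temp\\<15 upper-case
     letters>\\service.exe, the naming scheme of every dropped copy listed above;
  3. reg.exe as the writing process for either key family (the sample proxies
     its registry writes through reg.exe instead of calling the API itself).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: rows 1-3 copied from the report tables above, row 4 a
# constructed benign Run value (OneDrive) so the scan has a known non-hit.
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTSISLKMCHVUGP\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\RISOJSETDSTRALS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MHWUKUOMPAFKYXJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
"""

# Row layout: Set value (<type>) <key path> = "<value>" <process> <target>
ROW_RE = re.compile(
    r'^Set value \((?P<kind>\w+)\) (?P<key>\S+) = "(?P<value>[^"]*)" '
    r'(?P<process>\S+) (?P<target>\S+)$'
)
# Substrings matched against the lower-cased key path. The ControlSet001 vs
# CurrentControlSet prefix is deliberately not part of the match, so the same
# rules apply to a live host export.
FIREWALL_POLICY = "\\firewallpolicy\\"
AUTHORIZED_APPS = "\\authorizedapplications\\list\\"
DO_NOT_ALLOW = "\\donotallowexceptions"
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)
# Case-sensitive on purpose: every dropped directory in this report is 15 A-Z letters.
TEMP_DROP_RE = re.compile(r"\\AppData\\Local\\Temp\\[A-Z]{15}\\service\.exe$")


@dataclass
class Row:
    kind: str
    key: str
    value: str
    process: str


@dataclass
class Finding:
    rule: str
    key: str
    value: str
    process: str


def parse_row(line: str) -> Optional[Row]:
    """Return a Row for a 'Set value' line, or None for any other row type."""
    m = ROW_RE.match(line.strip())
    if m is None:
        return None
    # The report escapes backslashes inside quoted string values ("C:\\Users");
    # collapse them so the path checks see a real Windows path.
    return Row(m["kind"], m["key"], m["value"].replace("\\\\", "\\"), m["process"])


def check_row(row: Row) -> List[Finding]:
    key_l = row.key.lower()
    hits: List[str] = []
    if FIREWALL_POLICY in key_l:
        if AUTHORIZED_APPS in key_l:
            # Value format is "<exe path>:*:Enabled:<display name>".
            exe = row.value.split(":*:", 1)[0]
            if USER_WRITABLE_RE.match(exe):
                hits.append("firewall_exception_user_writable")
        elif key_l.endswith(DO_NOT_ALLOW) and row.value == "0":
            hits.append("firewall_exceptions_enabled")
    if RUN_KEY in key_l and TEMP_DROP_RE.search(row.value):
        hits.append("run_key_temp_random_dir")
    if row.process.lower().endswith("\\reg.exe") and (FIREWALL_POLICY in key_l or RUN_KEY in key_l):
        hits.append("reg_exe_writes_persistence_or_firewall")
    return [Finding(rule, row.key, row.value, row.process) for rule in hits]


def scan(report_text: str) -> List[Finding]:
    """Run every rule over every 'Set value' row in the given report text."""
    findings: List[Finding] = []
    for line in report_text.splitlines():
        row = parse_row(line)
        if row is not None:
            findings.extend(check_row(row))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_ROWS):
        print(f"{f.rule:40} {f.process}  {f.key}")
```

Two caveats when reusing this against real hosts. The reg.exe rule is a weak signal on its own, since deployment scripts legitimately write both key families through reg.exe; it is only meaningful in combination with the path rules. The "Key opened ...\NLS\Language" rows under System Language Discovery are deliberately not scored: the table above shows cmd.exe and reg.exe opening the same key, so that signature fires on ordinary process start-up and does not distinguish the payload.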

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ORHBXGPGLDULJAU\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WYOIBGNWNSKSGQH\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SUKECJSJOGXOCMD\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDIW\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VOHNUFGTAQYNXNJ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GJVUWRPWSHVDLCX\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WDVFRRSNLSODRYI\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\UBTDPPQLKQMCPWG\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RUJDBISINFWNBMC\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BJASKGBULMJRDKO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJBRJHS\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PIXHPDDEYEAVQDK\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RKJRFEFBGBWRFMG\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNFKBY\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JFTRISLJMYCHVUG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YEXHTSTPNUPFTAJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UBTDPPQLKQMCPWG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNFLSDERXOWLVLH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BJASKGBULMJRDKO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAQROWIP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YBSLQXJJDXBEUQR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENWEBPTYFGDMEJX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUTJTNLNDIWVIQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PIXHPDDEYEAVQDK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VOHNUFGTAQYNXNJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GJVUWRPWSHVDLCX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBFLYKS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTOESAI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMNKSELP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PRHBXGPGLDULJAU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRECQYQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ORHBXGPGLDULJAU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YBSLRYJKDXBEUQR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQFXWEYOEJBSJIS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDOE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SUKECJSJOGXOCMD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHET\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RKJRFEFBGBWRFMG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PSICYAHQHMEVMAK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNNLTFMQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVKECJTJOGXOCND\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VNMUJIJEDJFVIQK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WDVFRRSNLSODRYI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJBRJHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMSJRFQG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GPHDRWHIGOAHLCN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDIW\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2612 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2668 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2668 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2668 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2612 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe
PID 2612 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe
PID 2612 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe
PID 2612 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe
PID 2684 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2708 wrote to memory of 1720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2708 wrote to memory of 1720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2708 wrote to memory of 1720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2708 wrote to memory of 1720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNFKBY\service.exe
PID 2684 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNFKBY\service.exe
PID 2684 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNFKBY\service.exe
PID 2684 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNFKBY\service.exe
PID 2488 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNFKBY\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNFKBY\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNFKBY\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNFKBY\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2976 wrote to memory of 1264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2976 wrote to memory of 1264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2976 wrote to memory of 1264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2976 wrote to memory of 1264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2488 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNFKBY\service.exe C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe
PID 2488 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNFKBY\service.exe C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe
PID 2488 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNFKBY\service.exe C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe
PID 2488 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNFKBY\service.exe C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe
PID 2884 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 592 wrote to memory of 1208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 592 wrote to memory of 1208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 592 wrote to memory of 1208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 592 wrote to memory of 1208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2884 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe
PID 2884 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe
PID 2884 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe
PID 2884 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe
PID 2068 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2068 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2068 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2068 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1696 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1696 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1696 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2068 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe
PID 2068 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe
PID 2068 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe
PID 2068 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe
PID 2224 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2224 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2224 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2224 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe

"C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempLWUSX.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PMQLTIJBIJRNWNC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe

"C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempEWVRS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MNJHJMUDOTEQBAY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNFKBY\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNFKBY\service.exe

"C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNFKBY\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempGAOXK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWTHTEDHYUVIOVV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe

"C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempRMUIJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DEAVQDKFKXHSYPN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe

"C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWIGKF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RISOJSETDSTRALS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempIPUFD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OGXPLGWQBQAQROW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTRISLJMYCHVUG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JFTRISLJMYCHVUG\service.exe

"C:\Users\Admin\AppData\Local\Temp\JFTRISLJMYCHVUG\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempJAACD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AUWKWHGKXYBLRYY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YEXHTSTPNUPFTAJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YEXHTSTPNUPFTAJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\YEXHTSTPNUPFTAJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempPUGEI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GYQMHXQBRBQROXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe

"C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempQJMNW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "THSIEDQGUQOTFSV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UBTDPPQLKQMCPWG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UBTDPPQLKQMCPWG\service.exe

"C:\Users\Admin\AppData\Local\Temp\UBTDPPQLKQMCPWG\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempNUJJK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FABWRELGLYHTQOS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe

"C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKSELP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKBTLHCSLMVMM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe

"C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempUFYAN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RVSGSDCGYXTVHNU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe

"C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempTFLQC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QDLCUMIDTMNWMNK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNFLSDERXOWLVLH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TNFLSDERXOWLVLH\service.exe

"C:\Users\Admin\AppData\Local\Temp\TNFLSDERXOWLVLH\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempUFEIV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFQSNLNDRYHTXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJASKGBULMJRDKO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BJASKGBULMJRDKO\service.exe

"C:\Users\Admin\AppData\Local\Temp\BJASKGBULMJRDKO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempDYBNK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFDHCKVXSQSIWEM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAQROWIP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAQROWIP\service.exe

"C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAQROWIP\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempIGOAH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMGPWHDOHIYRVWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLQXJJDXBEUQR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YBSLQXJJDXBEUQR\service.exe

"C:\Users\Admin\AppData\Local\Temp\YBSLQXJJDXBEUQR\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempXDVUQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XLMHFIYLSCNSCPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENWEBPTYFGDMEJX\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ENWEBPTYFGDMEJX\service.exe

"C:\Users\Admin\AppData\Local\Temp\ENWEBPTYFGDMEJX\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVHFJE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HRNIYRCSCRSPYKQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUTJTNLNDIWVIQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KGUTJTNLNDIWVIQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\KGUTJTNLNDIWVIQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKIQCJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIRYJFAQJKTXYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe

"C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempQUGEI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HYQMHXQCRBRSPXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe

"C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempAOQLE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ODNDYVUYLCPLJXO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe

"C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempGIDBK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QHFQOMREIDBSXQG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PIXHPDDEYEAVQDK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PIXHPDDEYEAVQDK\service.exe

"C:\Users\Admin\AppData\Local\Temp\PIXHPDDEYEAVQDK\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempJSEKP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QCKBTLHCSLMVYLM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe

"C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempJTOCO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AWVNDQMKPCPRMFI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe

"C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempRSXEF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IVCMVTDAYKEYFVO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VOHNUFGTAQYNXNJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VOHNUFGTAQYNXNJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\VOHNUFGTAQYNXNJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKTFLQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKCTLHCSMNWMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempEFTBP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CXBYMYJIMDNTLCC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe

"C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempGNIMJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OTABGESSFHCADYS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVUWRPWSHVDLCX\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GJVUWRPWSHVDLCX\service.exe

"C:\Users\Admin\AppData\Local\Temp\GJVUWRPWSHVDLCX\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempRMUIJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DEAAVQDLFKYHSPN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe

"C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempJHLGO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JTPKTFUETURBMSX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBFLYKS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBFLYKS\service.exe

"C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBFLYKS\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempIBCQM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TYVJVGFJWYAKQXX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTOESAI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTOESAI\service.exe

"C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTOESAI\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVGFJW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGRTOMOESAIUYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMNKSELP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMNKSELP\service.exe

"C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMNKSELP\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempHPBIM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ONHQYIEPIJSWXJK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe

"C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVHIFO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLYFOYWGCNHIYRU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempFOKYX.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SQVIMIFWUKKMHAD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PRHBXGPGLDULJAU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PRHBXGPGLDULJAU\service.exe

"C:\Users\Admin\AppData\Local\Temp\PRHBXGPGLDULJAU\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempRMUJJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DFABVQELGKYHTPN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRECQYQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRECQYQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRECQYQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempFOKYX.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SQVIMHFWUKKMHAD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORHBXGPGLDULJAU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ORHBXGPGLDULJAU\service.exe

"C:\Users\Admin\AppData\Local\Temp\ORHBXGPGLDULJAU\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWCUYT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWKLHFHXKSBMRBO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe

"C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempIPKOL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VCDAIBFUUHJECFU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLRYJKDXBEUQR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YBSLRYJKDXBEUQR\service.exe

"C:\Users\Admin\AppData\Local\Temp\YBSLRYJKDXBEUQR\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMIWVH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPTGKGEUSJIKFCD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQFXWEYOEJBSJIS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\NQFXWEYOEJBSJIS\service.exe

"C:\Users\Admin\AppData\Local\Temp\NQFXWEYOEJBSJIS\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempGPBHM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMHQXHEPIJSVWIJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe

"C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempEIJSO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YAWVMCQMJYOBOQL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDOE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDOE\service.exe

"C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDOE\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempQROWI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HVUGOGXPLGWPBQA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SUKECJSJOGXOCMD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SUKECJSJOGXOCMD\service.exe

"C:\Users\Admin\AppData\Local\Temp\SUKECJSJOGXOCMD\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempQUPXL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TGHDBDYTHOINKVS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHET\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHET\service.exe

"C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHET\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempXDVUQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YLNIGIYMTCOSDPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe

"C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempPXODM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LIITQOSNVJKDKKT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFEFBGBWRFMG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RKJRFEFBGBWRFMG\service.exe

"C:\Users\Admin\AppData\Local\Temp\RKJRFEFBGBWRFMG\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempBEGPL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BVTRWJNIGXVLLNI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSICYAHQHMEVMAK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PSICYAHQHMEVMAK\service.exe

"C:\Users\Admin\AppData\Local\Temp\PSICYAHQHMEVMAK\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempLHVUG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "POSFJFDTRIIKFBC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe

"C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempHVCYS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FXWTUGMTUFYYNVI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNS\service.exe

"C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNS\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKWHGK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CAEHSUPNPFTBJAV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNNLTFMQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNNLTFMQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNNLTFMQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWFFOK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WXUDDPVLJNIQFGY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe

"C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempNVHOS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFNEWOKFVOAPYPP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe

"C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempEFOKY.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "USRVIMIGWULKMIA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe

"C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempDHIRN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XVUYLBPLJXOANPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVKECJTJOGXOCND\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SVKECJTJOGXOCND\service.exe

"C:\Users\Admin\AppData\Local\Temp\SVKECJTJOGXOCND\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempXSSHQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PLMXUASWRNOBHOO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VNMUJIJEDJFVIQK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VNMUJIJEDJFVIQK\service.exe

"C:\Users\Admin\AppData\Local\Temp\VNMUJIJEDJFVIQK\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempIACQM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TYUIVGEJWXAKPWX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WDVFRRSNLSODRYI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WDVFRRSNLSODRYI\service.exe

"C:\Users\Admin\AppData\Local\Temp\WDVFRRSNLSODRYI\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempLJRDJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBJASKGBRKLUYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJBRJHS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJBRJHS\service.exe

"C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJBRJHS\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempJSNWN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KXGHSYPNRMTIJBI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe

"C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempRWHFJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QIRNIYSDTCSTQYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe

"C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVHOSE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFNFWOKFVOAPPQN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe

"C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKLUQE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYXBOESOMRDRTOH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMSJRFQG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMSJRFQG\service.exe

"C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMSJRFQG\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempXWSTT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OKIKAOVEPUFRCBF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPHDRWHIGOAHLCN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GPHDRWHIGOAHLCN\service.exe

"C:\Users\Admin\AppData\Local\Temp\GPHDRWHIGOAHLCN\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempBTXSP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WJLGEHWKRAMQBNV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDIW\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDIW\service.exe

"C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDIW\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWSRGP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OLLXTRVQYMOAGNN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe

"C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempTFLQC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QCLCUMIDTMNWMNK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBXPVNEOHGIVVDR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FBXPVNEOHGIVVDR\service.exe

"C:\Users\Admin\AppData\Local\Temp\FBXPVNEOHGIVVDR\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempYJHLG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KTQKUFVAFUVSBNT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NJXVMWPOQCGLYKS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\NJXVMWPOQCGLYKS\service.exe

"C:\Users\Admin\AppData\Local\Temp\NJXVMWPOQCGLYKS\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempDXWLU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QEQBAYEWVRTFLSS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe

"C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVLJNI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LAVRMVHWBGWXUDO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXNXRPSDINAMU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BPLXNXRPSDINAMU\service.exe

"C:\Users\Admin\AppData\Local\Temp\BPLXNXRPSDINAMU\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempGYXUU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OQLJMBPWFRWGSDC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPCINAD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPCINAD\service.exe

"C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPCINAD\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVRQFO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JNKKVSQUPXLNFMM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe

"C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempEIJSO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YAWUMCQMJYOBOQL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDNE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDNE\service.exe

"C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDNE\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLDVMJDTNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe

"C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempABPYL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TXUIUFEIVXJPWWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe

"C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWSAGD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DQHUQOTFTVAQJMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe

"C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempAACDR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AVWKWHGKXBLRYYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YEXHTSUPNUPFTBJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YEXHTSUPNUPFTBJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\YEXHTSUPNUPFTBJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempEHIRN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YVUYLBPLJXOAOQL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe

"C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempNWIOT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFNFXOLGVPAQAPQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe

"C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempHUBYY.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FXWSTGMTTEYXMVI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe

"C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVGEID.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HQNHXRCSBRSPYKQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe

"C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempEYNJR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TCCOUKIMHPEFXVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe

"C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVCTMR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GYXTVHNUUFYNWJI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe

"C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempCGHQM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUTXKAOKIYWNMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDBISINFWNBMC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RUJDBISINFWNBMC\service.exe

"C:\Users\Admin\AppData\Local\Temp\RUJDBISINFWNBMC\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempFRXNL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OWOBDXTOCYJEIYW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe

"C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempPVLJN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MBVRMAWHXCGWXUD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe

"C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempPPYAU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MQNBNYVBTXSOQCI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe

"C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMVREB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DXCPFTPMRERTOHK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WYOIBGNWNSKSGQH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WYOIBGNWNSKSGQH\service.exe

"C:\Users\Admin\AppData\Local\Temp\WYOIBGNWNSKSGQH\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLDVMJDTNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe

"C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempJBDQM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UYVJVGFJXYAKQXY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe

"C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempPUGEI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GYQMHXQBRBQROXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe

"C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe"

C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe

C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
N/A 192.168.1.16:3333 tcp

Files


C:\Users\Admin\AppData\Local\TempNUJJK.bat

MD5 946143a6b6c3e705ef6dcd819920831a
SHA1 9efa98ad100f0964331bc437d5cc9dfdc01f5004
SHA256 fcfe190704ca20233df417b476b75a0c7c1614c512fb34f286b3804e55bbc77d
SHA512 9e7b8b9c7434937ef5dd499dbd3e441e739a930d4f6e63ca84ec22b41e91b0fe8f68c0345d9f6afaf3ec0069467347d823b92b1532ce8014a5aa506366c723c4

\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe

MD5 9abb8a0358753e6ea8ceb81d38ff1826
SHA1 03fe2ed5d15760a0b50a4de0b279715a88e79f3c
SHA256 8dd9ca66cda8f3197af5782e61171f0026b674ac4d4abe4ff99dcb4b6ee33449
SHA512 acdeb5a5eef8d8ecf4e4b10723c6d87ff631f758888bc5e063e2dd06b6eba4811573d2c7fc9e9c0bf760d20883b390c21e290bfd0f8cd789e49dc90faba44013

C:\Users\Admin\AppData\Local\TempKSELP.bat

MD5 4f207b885baf9e448056f22a9f985300
SHA1 77cf487181fbde7f793471965aab814cd164ff97
SHA256 3c89444a399680346c4c1f11626796d63e184258654ad3958472248bb7fd5e8b
SHA512 6ea41e75444a6bee919c282ec7bf2335740a6f986bedfe265ecf2ca56d76cf634ae318759f7cc65cc1c9cfd091c750b6390db1395a4b400cdf2a4bd87796f212

\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe

MD5 f52a110a053914f0ae5a4971dea7ec55
SHA1 74e8d3089ffe9faf1783916a50a53a9c88db83e9
SHA256 c4e126729341062173d36f1200e2f60b9f098e98954e3696fd5b684e439eb869
SHA512 cb99fc9b69d17c9416adcd7488c67dd02a27d85443bbf67c0230c54e4fdf3641ddbf2b2fd640f0226bde774981148b53f28bdbd7f83716bff9057a67cd4a02f3

C:\Users\Admin\AppData\Local\TempUFYAN.bat

MD5 10e58ac500f28d3bd87a6b66ad6b337a
SHA1 c88155419d3fa93423c816a6ab34e355c7be02d3
SHA256 f4073b688587e96e1eef3fafc77db30f70aba207a4c2636f5183e4f3609b4994
SHA512 b8b96bfc26895cc16a0756d73e8651eed5bd8b4cc8de19603619692ed46d58c3f8dfb42edac606c51b803cc8c38322d5356de8df370924a043be53ccdb2acea3

\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe

MD5 55fcb8a8dbab7da3400fff8e99da070b
SHA1 4b97f55128a97c96d9799352c44824fdf419c455
SHA256 86b2b3f679eaea8899127bff01ce2e1e766605947dd155e7607588e115cf28f5
SHA512 38de0ed28e11073a9f66717e343fc5eb5fd40a0193ab5e92f9be7098bb3b043b49728c21c0eb9c8523e1efcf42289e4efe1bea314d681415265c02dcb7f160e1

C:\Users\Admin\AppData\Local\TempTFLQC.bat

MD5 f9620b4e3bfef932da8d86aea1eea86f
SHA1 b19dd6b7e9af0e21e40518f57e0f3a715b6d0f3d
SHA256 d517e4b6f837d440ce3d2e529fae19272b13a1e45a20fcba586e7d8f54937ef4
SHA512 10ddefed0fc5c0b0173d2fcd21f4fa44d60829132c4de6c08e61d4d58a0199706ecaef7bd311288251ad0148c89edc5814173b9d08bd4a435d068cb928385dc1

\Users\Admin\AppData\Local\Temp\TNFLSDERXOWLVLH\service.exe

MD5 95c22c5a81a68b01310fdbb2018a3581
SHA1 bd13213746b2444b645635f64e805e7bb01b17da
SHA256 286213b6eb32a24e7b7186cff263ebf9baadf824f58e1cb4db39b7a70343ccd2
SHA512 7362b1ab900ba296f8ea4dea205956812036d051ca8a21d5dac6483c6951e4ab65479bbb837f4641c21f4048b055f90770023f74c25bc572c1f5918f9f3a3223

C:\Users\Admin\AppData\Local\TempUFEIV.bat

MD5 a7f29c655c9872138c89aa16608f66aa
SHA1 364b20abb1c8efe0f64a7932826c5fee409efb43
SHA256 89f6ff4a0bd1ca5da799ceea4b9a8ceb42a59ae14d2bc65752258168e3e5328b
SHA512 d0d8f36ad9eeb6c6bdf5dd125675afbda7ab6cd62e01f5dfa8fed25dbae730ddf00fbd0bed29436d5c92aebc93cc58244bccbcae4974a8109a037d29adc2e8ec

C:\Users\Admin\AppData\Local\TempDYBNK.bat

MD5 5c4c29a410bd00bbacd2611f885a013e
SHA1 aefca89f9eae0e39d6b8c72f03268ed6fc908092
SHA256 1f481099fa4b0c87b95a68a86c643ff38f4840353624b518904e42b634869c83
SHA512 e4b7b19b4cfd65140b315b5c8ff204c0919e4af50febc215e3a5d67c780ccfa157e78f891cc1f44c928bd472aa1d749ec2a6b46d8e0da13baa707b1220ed4195

C:\Users\Admin\AppData\Local\TempIGOAH.bat

MD5 d444a6fb241be59c9386b458c5373e0a
SHA1 489d163efb1d24891bf637a394adca3dcd939065
SHA256 20c702e4cdbb34ecab6987513fb0333593f1cd9d159e76ae8b725e1f6ccde625
SHA512 a330aa7aa5d865eba1a5982f99f6b61d4e1da6606190c02c8358662688bf655a3ffc90679720ae346475670487b597c0dbc1ee1cef2a4c160818c34fa50d9fd9

C:\Users\Admin\AppData\Local\TempXDVUQ.bat

MD5 95bf0370ba3bdb7b0fa364f5bf2ab3ef
SHA1 338c6eeecf2fb46c3b1b62083a36f4ae33d63152
SHA256 7d44e969d4ed020cea05983130b6ad674434e653db97922db2a0bf1c1d6aab21
SHA512 db8144a3c097a5c856b4ed03a266b9ef5da7a14f0db9dafbf1dca411a707b43960aa58eedcb6d5d6036e35957a0a042b7e4f6185b61f746fc768821b41c9d9a6

C:\Users\Admin\AppData\Local\TempVHFJE.bat

MD5 9a0414306f49570c1a3daba50b7f6ed4
SHA1 3f75f0e817c0b8a10b1aa313dd3e018c032da9a2
SHA256 e9547f8817316bf3638ef7f267b063fb0333554c69bca2405cee471db5f1aba8
SHA512 a723373a2abb4a8b1512af8abe44813a080605e2453a98b664d5a6f72626415fe13562c0d5a4ef923cc177eed4eb9bbf08549afaef82f9027f8ec77c4fee8ca4

C:\Users\Admin\AppData\Local\TempKIQCJ.bat

MD5 3bf0ca3ba9863d35e7db3e7b2cd31b7a
SHA1 ea10955b351348e554138f493d3a22c60c44c2cf
SHA256 c4c93341d1268d21ddea7d6132776d3ae6d2cbe38c232579852cd2138a68a764
SHA512 d062c276cf111712a5cdc8a6ea648b1bf4d2e2ce312be4235dec436112234f61e43693e9dbb8850e35a050b9fd978517c1ec2bc6e7b8fcb4ad03f490d50355fb

C:\Users\Admin\AppData\Local\TempQUGEI.bat

MD5 762176b93392d3fa185d87beae5d603a
SHA1 661f80428f4c1d317155659a2063b5454e059ea7
SHA256 d90e1600d1aca150e396b865ba705281910a05f294ec56037f762927bced96ef
SHA512 7570c290aae23c81bcec7ede20e85811e4dd31168dc4f5eb992aff042d4a3ec7ea4687680003cdece0d53c142f6cdeac50f89d29cf28d1c82099be6c50277f97

C:\Users\Admin\AppData\Local\TempAOQLE.bat

MD5 9827306e45d8201111a07c3d6d285439
SHA1 5c3dc8cf8d650c89fca2d3a9df3c9c4edb5689b5
SHA256 ad0c844d6300522d84d2b5d1a15b188e2641fb691a30734a136191e927e3729a
SHA512 95abdf35094d340aa1cbe5655a2c71bbf7e3138297f75cc8d57b4471ade178bafe429f74c6aa0484dd0ef3a101f060a58ed2de0344c11add31362c85f6e1fac9

C:\Users\Admin\AppData\Local\TempGIDBK.bat

MD5 b87f04949524c96380854cc191411d2c
SHA1 c3684ad7564eef2ffa3cb442862d92e1f57378f7
SHA256 0e8157ec74be925f55302249ad4bb918188abdae91f0a57374706d98335c7f1d
SHA512 a8b96f198dc3470bfc435d063d5659189b1417670a42399aea2fcf00bbdbb1a107c63c9aef6834cf885139e33ba891875323f6b81e18e6eee7940d9dab77176a

C:\Users\Admin\AppData\Local\TempJSEKP.bat

MD5 1b1b156967efefdb78590a7a3e9d33c2
SHA1 6c5ac7e08e39ea82ad36dcabe55069a3dadd93fb
SHA256 31ad5718b34dc88ae54c4b7c4fe6c35852c23a06310d70e49330b13e93660af3
SHA512 91b4438b80a9602bedacabebf6f8b7a64d44f707f0aed47149ee5ff23de398ea0cde88617382ee637e2abdf41797405d130e14419e633e9a76de3eaf0979ce83

C:\Users\Admin\AppData\Local\TempJTOCO.bat

MD5 e0497800c1b80049d3642ad31dcd80cf
SHA1 e4dc9869864494ca7607efae678d21dfe1b7bc15
SHA256 92a404d3a5a3a8c544677ba414d63130b90c7b0cfa566622989d3b70d99751a3
SHA512 46aeb2e41230fcfb25cd6f82e6d1d0f66a29de2761cb9d092193cfa5a9c373f172024ded62a64abf0bc25c3e373ef00a3cd686a8dbadacaa9abb054541fbc1c8

C:\Users\Admin\AppData\Local\TempRSXEF.bat

MD5 ac9362774f31bfcbdf296a632796a031
SHA1 89c4abdea1a3bda18daf6491a8c4240bf98f85ec
SHA256 0a46f62bd7f2ba4920dc453683e3b5ed846ec42f3bcb5055063e2566eea2a5bc
SHA512 e0cba2caddb0a65db420b6fe063d9eb0950f2837a02c34f404e6e299e6dfb75a4dc4c63bf10dcecb7de7e230de64122d23c6c873e52ac11e8b70e46b7e15d9a5

C:\Users\Admin\AppData\Local\TempKTFLQ.bat

MD5 0bc34522074ea2d31f8e5445c63094bb
SHA1 a7ce9571ffeda237166b3a6d4f48b63e1221e4ce
SHA256 3ccdbb8ce9609efc9687b0f4b65223c8d89eea635bde407ad59653546412bd80
SHA512 5ff8abaced041a55b47fca5b03f3b1d598a37aa19d2d1a1223ccad4817d225bc036215fc2140bde4fa2affcda762ff7f5bb3301b286d70fd577225abe82fc3d1

C:\Users\Admin\AppData\Local\TempEFTBP.bat

MD5 e19535076b2764dd2bcf5f9d43999888
SHA1 06baa5de8576045fbfd5692037f8699d10edf18d
SHA256 807bc9a407c0063c5a2eac7a644977bfc1a2da7388d3f1176dadf4aa67fcf514
SHA512 f2f5a3fb014240a9d2258dd7e1da02c19ffe5a987a84c14baf337b3a066b72acab3f33f46ecbb88b5fe8157cea87724c1e8b8a18430b14ea711634f5d0828a15

C:\Users\Admin\AppData\Local\TempGNIMJ.bat

MD5 56deaf5efa7034a9aeeeef8ecac570f9
SHA1 61a795a400653e5b488fd93f857b6a2db89a6fbd
SHA256 3068027529b2f08866359874e1a04df41d740b0bb5ea449e4050cf390f9decc0
SHA512 3dfd46578f5ffc87036037dd50af094211bec7095c2b8cf77d4ff54f1a2dc77898e2a6429cf5f8d9f8915a0ccd4dc79512e3f3a1afd8130ca96300165e44b13d

C:\Users\Admin\AppData\Local\TempRMUIJ.bat

MD5 a4963aba3ce95dbdbc2a8b355d15db70
SHA1 6381c3fddf31277e3a643371d13707bcc036b5c0
SHA256 14acce0c2ba59b3163b863693b8832963e8ae5896d90f754a4c71215cbab6683
SHA512 6a9826e06a2574fbd4e2fb230605e8bce06012cf2bdbc8ec2f2dc7c7a31173588a916d853d35266c124748b9ac7f0044893fd9d6635cf05153b68171d6cc3795

C:\Users\Admin\AppData\Local\TempJHLGO.bat

MD5 b556063fbaf72f5dbb158ca5c57ecbff
SHA1 84cd6f33827f7995c88ace6f113925edef71a807
SHA256 ef57c5853a912880adfa9da35a20040252c31e5e3e5ee5649bf0c445d38c9d22
SHA512 357188a3e417c449ab98c1eafd838a66ec19f561a8bad9d58e6615986df8c221e4f9c74f7d74f3f4b5362f8fd036fa22451b9f92ed6558211aefa7ece9a8bdea

C:\Users\Admin\AppData\Local\TempIBCQM.bat

MD5 491982678e14c3b5fa503db0dba2df7c
SHA1 1bc48e8167f7714d767f1af4efba0771021d9b6d
SHA256 2c853fd13cb3c53b10edeabd658c5ea6e567ee0d38188fe982dfca8e7d367690
SHA512 eb7253b623ccdaaf550a76a359d6f3cf81950870ce901f7976e97dad0b7879d2f335b755084acb69497ca5642b8c88dbd6c692babac42cd2b1f085874662dd89

C:\Users\Admin\AppData\Local\TempVGFJW.bat

MD5 54263e5e8d78297a772ca72eb1ba180e
SHA1 9d9eb42faf004df8509be0024d888f9c19043bc1
SHA256 621da8a4a14a22ff931b379377912737c6f60417026915ad8ec9dbae621f39e6
SHA512 56e725385d9e134c3f0b38209075c308fe0190749e848caaae3f56591def8b444bc3e9a115a1a9b4ad690d462e0d79d1cb47dd34e26b78af269b2034f95d2acf

C:\Users\Admin\AppData\Local\TempHPBIM.bat

MD5 bd951f1c6a38f77d89a6e210c545ec05
SHA1 1b9742f97a8e8e9756b3e433703fb80251f2db8b
SHA256 553f07d385678d45388686d91740f9602e6112b51c124909bedd9ad9758937b8
SHA512 e39cf3456cdf8631c73422bf4e9d9a2589916742941ee5c0051cb5f7c1e8cf8c90ea6aa74142219e687da6e59a61e9d2c5f9309bdae0513527f0258763b29489

C:\Users\Admin\AppData\Local\TempVHIFO.bat

MD5 dbfd9b6db7038be035b143a5c27f6de5
SHA1 4ea42c16695201dcc20a48815f3af93c59c892d7
SHA256 b90b026d1eb0eba3c20292a65232d3beeb08b012d29063d427879b455366a2cc
SHA512 03b713d9248e078de7c3d2262e504d7454076bbffce59f94bb8dad5e394a0eeecacec6eba35a8f5f67972225c20873e4f17affe70d573a7d57ae0a952f958403

C:\Users\Admin\AppData\Local\TempFOKYX.bat

MD5 22cfcc62d6150661c22818b593a63d42
SHA1 08d01779440243562449a09463443b7d49d79c6d
SHA256 c984dcb81881477e6fedf68d637bc1e6992f2264d9e88d6d0a3fcf4e016ed682
SHA512 bae90905e83dc9c2c485d06e5158e7869833c8d9ddf2a3a9d00f956f20f95033f4b7598f607042d9ed6bfe9a8aac3fe59524b9198d4e90676c0bb92ff6879c10

C:\Users\Admin\AppData\Local\TempRMUJJ.bat

MD5 6b593fb8b415368de797469134d8e26b
SHA1 e36562ad8159eab7a0293a7905bcf8624b4c7926
SHA256 6ecdafaebf46ff72ff0a02b3f735655eed5adb5bbe77c9f653df8837c540d86b
SHA512 5492a0b04df54f969c9ea6b0aa799eff83083794dc52277259c3cfe22d8136e3a06adb425dcf49459f70b34a32557d0af0e5c07d55dc9badc51ae6342b8e21c2

C:\Users\Admin\AppData\Local\TempFOKYX.bat

MD5 918d95f0ca208449a1cf6f3f326bdc29
SHA1 67f6e06e60958a451016a8cd88aa23433b402155
SHA256 7a5bc9b0f7c9b56aabd6b1457849a5f30869d75f29999f3da83908120d6035f8
SHA512 2d5cd38353299cf78a04129ffb471e4d318748aee647c6d4ae2e3e0e68141acb457b23b90fbc9e3bb4ca8815b48a3dc7bf76d19ba6a62d6d8c6f22cb78179f57

C:\Users\Admin\AppData\Local\TempWCUYT.bat

MD5 797a05802a5f3d6699024252559afe38
SHA1 ab85f1b33d35de1a5d5f55187c816bb4237eeca1
SHA256 16ece4416c7c79a88f037672e5112e72167eb8966b82d95dfa64060b2465f074
SHA512 73ae53e16e0d28cb8f05850a58e3cfe2cea6364681d940e303acef6f7c82d2fd074bf7bc20eac39b43e87fbc658367806467cad260307ceec19e8a13faf27a4d

C:\Users\Admin\AppData\Local\TempIPKOL.bat

MD5 01583f8b98cc3ae847afd4b82eeb6e8d
SHA1 fcf0f81713f3c03378741ae6a5f20928e1ad2a78
SHA256 dd13cf7fed83aeff2d5b188f67fe641a6ff2858ca9e6808ea5e6d1d04a776c35
SHA512 a70d2d208115964f7d5a3911b52fd947bf6a3a27fdfc3ee5a43e815b87499f0fdaccb0d2c6259539ca76cc84548e2335245268e2e5c11da02ea4ad35ea9ee772

C:\Users\Admin\AppData\Local\TempMIWVH.bat

MD5 d348108fe1b716f19b8478b425946873
SHA1 d3de529e1cd41de3cdf6e461827a4f6304efe03c
SHA256 b6b95ea8e55d45e08d43a7fce4d070c7cd81d1cda6dab173f0595fc6343ef952
SHA512 68623cb1a08a1061af3729f36d7564f5e9aeb62c9d443de85c57979dbb5e6c6668c01c3417e85e7380e61480debe4aa89496e08750108eaea42aeb8604d25fd2

C:\Users\Admin\AppData\Local\TempGPBHM.bat

MD5 95b07cbc2ecad69c090b9cceb0aa64af
SHA1 31070e7730af64389cc7e95c6eddaef0b1c8cd93
SHA256 39605831d4de19322cc5edd1074327d27d606cebf932849f3194cfbb6df33d6f
SHA512 4b0d2eadce301e2e1bcac8ef6c495ec4f141ba326313e89c3f2fea717eb7f66c41920e4d31324bc62b50ee30bf23be2631a92c5f44e58a11dae9fcb365c3c0fd

C:\Users\Admin\AppData\Local\TempEIJSO.bat

MD5 ce316d102fe17369fb900df03386151d
SHA1 8bab2bd5df4620f24b14caeaecddbc6bba4ce07d
SHA256 c502884dc7a51d0501e9a4a09c9d1e53cc78d826c4fd7d4d57971ccc381da2f8
SHA512 0b64df1de5c1c846f0f0a1297eed4fb5ba0e1c096f106ae220a2082f33fb653195afd09d702e7b11db7f6260bf631d00091ac044ebb6a4158714f494c8786576

C:\Users\Admin\AppData\Local\TempQROWI.bat

MD5 c72db4196fe4198889ed8f8d1f5b39b1
SHA1 1e6c4f0153c996ba7dcc00be31025279ee724d1a
SHA256 85a46bb4cd77037244dfb97db88e3c13f52a951f93f1b6d9a2992ecd48949dbc
SHA512 7c2a82fd224387282664dc4429fd720cef56ab9e7157cbcf6f30ee8c8b0fc016f0451e2598bf6bf897fecbc86e81912359b77932d691409c332e43d57f6a8569

C:\Users\Admin\AppData\Local\TempQUPXL.bat

MD5 59d327baa0ff8c74dcb35b3998618181
SHA1 7a66982e8f03a700c5e8ff3464160b70839b9af9
SHA256 f6912cd49e60d0e2eed5dd9984c03af39f298cb781b2acbe0261657b9cae4e08
SHA512 747d61e9f2763c2910262a26e9965403d71f738f151171eceb0552758b259218a79b90a9a2c6f3eba28926ec1f0bfa92316875016240421980c5c3cbd6d9d36d

C:\Users\Admin\AppData\Local\TempXDVUQ.bat

MD5 81c2b4bd205f871786b827e245262761
SHA1 50d8621b2787aed3678a9be9b307cfabe28c614a
SHA256 91b75c7bf1d4d605fa5dba628c7ef67e3abf828024c280565dd74c34c6bf45e2
SHA512 75fd1f6291f802cf9c71a7f8e57a75d08d84785d3385b9da5fc4420487fbdf916adc9002db3304db919ac4b6e7683dc38cdcdb07d25135b0969bf8be1c7bdf3d

C:\Users\Admin\AppData\Local\TempPXODM.bat

MD5 473dc30ed03f9d3c35194a3ec215d3d3
SHA1 66c1d2e60445720577b60f40c1c85cfcb79e5852
SHA256 5584ab2bd7a45c9a98c32c9d7b295d49a5f38ab4915509858e8d385bdf0ab030
SHA512 473732fd7d5893e6d619b64e41f3f203758b4f6f1355e2488ab0517546dc1acaa08ed3d0cda540bd53312ec3c0052c0bbc6dc7696ac5b951e08a0afe8345df01

memory/2384-1159-0x0000000077720000-0x000000007781A000-memory.dmp

memory/2384-1158-0x0000000077820000-0x000000007793F000-memory.dmp

C:\Users\Admin\AppData\Local\TempBEGPL.bat

MD5 8135d0c245179f01704fad424c3ad348
SHA1 8714ed9aa1431ac1c26d64b8de7319bafd5c2c83
SHA256 b35b8dfefc68ed48bd79fb108a68beba65453bd78e84cfdcbd14ddfd23f42427
SHA512 eb77dcc94520c5e8cadbe84147c434cce64de264c1e2192fecd2aff80b7a90237d6786044b0ff97d4df5e21e1733e527cab024f3aca62d1e2d66f857fd1ec801

C:\Users\Admin\AppData\Local\TempLHVUG.bat

MD5 de69c25118df8838f32524d5b65053ba
SHA1 d79b8934dab391b2f85b02ec96a6cf696e23d29b
SHA256 40bc559d58b0e666ed60c4caf6195b223cfc22e29d8c3a3558037fd37dcca921
SHA512 71fb69382480d582d5d09e9458754c925e45eaff1a3d5c9835895de02fd930a8b1bfa9008a1ed1b8ff2ada1d29742cc5eaf96af9dd68186f95ee97b9075d5bbe

C:\Users\Admin\AppData\Local\TempHVCYS.bat

MD5 92936224a7bdc858ccd08ef026ce048c
SHA1 0fc8c92f82d8f2788a604082794c0b4296f4b3a9
SHA256 440b3f6edcb7c061a0a57c967778e8c3ec75b49b172f8fdcc0165b4fa21e8d53
SHA512 54cbb0d48722b76fc5655abfb02ee20d46e6732a8f7f971fb45c538c1daa210cf4b99843967ae468fe9ab7a1cc8d9e0d4a5057ade553bfccd621c44f023e0986

C:\Users\Admin\AppData\Local\TempKWHGK.bat

MD5 3b37b9199941ad74aec53cd9f49bdb4e
SHA1 acec10ae5e04fbc48b1ffcb98848b0fb70eb1e52
SHA256 d594ecd54df094dbc8e3f030c04446f32d5278eef9a7821ce9ef1ef6098c5553
SHA512 30718d29de125892304d1657c9fd2464dc446b5bd778fd015453d7158503f62de11bb2c55b6f1c76528f1e9a4b2477622e05579d7a54535c241fc15be264cb14

C:\Users\Admin\AppData\Local\TempWFFOK.bat

MD5 1f16c8669e2500574c94e9f513bd365b
SHA1 087ad6d732f71bd8e9e0b5dfdf5a519e0a9c2e7b
SHA256 8d9cd321758599bab82b0ae17c21ece06abeb3df5c64f388b8e83ec56e10ef84
SHA512 6c0107df33e649ba0142999038a56b55125c7a75706ee9c02e3d9f4ec81d0969c880046c1d89753788a17b591c9c4736fc472e9a40c496141d3e74bd40a68fe2

C:\Users\Admin\AppData\Local\TempNVHOS.bat

MD5 fe72326b3a174bcff560600751c53971
SHA1 184d49b39de1e9a1abd3015e3981144db6917076
SHA256 c538538b47345374ccf2c2a6e0786b5b6816f61668d507c1c6964e53e958034f
SHA512 0266ccd90a4c6d135b2b7b6d3b42ccc31ad777f5b31a6abf4d5c4325fd4b90da9dbb468784c160c44bee09414317486c2df0d0a70a0495918afd57d85525ec5e

C:\Users\Admin\AppData\Local\TempEFOKY.bat

MD5 be2600f1c2f5ee6248d753f686da8554
SHA1 e17fe9cbb92ba24423e7f88eddda95735326798b
SHA256 5398278f90e6cc018cb19ab7c4b3313fcd7919eafa17bacb99e00eddf9f68cb4
SHA512 31d556c6b5ad916b51e2453b8cd52e6146b5ae8916f6bc884186a21d120394950463817e4c0f0e59023431c610918bc93c4356dd611b33a81ab28c9f81807b40

C:\Users\Admin\AppData\Local\TempDHIRN.bat

MD5 39155584e2b8ed62256c099635192f49
SHA1 7908f00c5bc96c3e7b353703f0dd6e9317a45d01
SHA256 da32662de3aec1658009eec8c9659e0d63dea881056f5dca9140698beb502434
SHA512 8f7b29d8fe7e93614701734818390c04ed1a3e36be4d96baaa7ca4211089efc27389ad34e60ce1377ed417551d87b598dfe5afd4038feb8e97b0323934c29291

C:\Users\Admin\AppData\Local\TempXSSHQ.bat

MD5 269e8e32c43f5bdb4bf236afecfa3353
SHA1 7bfa229d641730eb33fbc0f3f67b2703a31e4181
SHA256 1fb16865cfe5308ea628a2cb692a24b67db6984594cea6e9061b3fffd88bab64
SHA512 8e9ed380d4b0fe9d311ab2c17c6db70ada1bf463c511778c3dfcf24f1cb6d9910535caf464ab6cfc1df834ea1201022dd33036a378b6d4b2036461a92b8e7bb2

C:\Users\Admin\AppData\Local\TempIACQM.bat

MD5 62cfc60834f769a371fada18b08451a2
SHA1 8b63116ab394f5e7ac46162ee0f393aacf397d8b
SHA256 cb9b2a30ec6f9f9bae09eb7216d61b25d57857f9ab0563899fbd9578a132abd1
SHA512 8040655d207064d98c1682521e1ab913f57615d609203482d286bc157a2cf6833a20bc0549cca44063bcfa98d950138487217438595891b087f46eada8217fd8

C:\Users\Admin\AppData\Local\TempLJRDJ.bat

MD5 7818c0bc178278b0dcd8295585bf3e6d
SHA1 c5f27a34fdbc9094577ca52740c3ec95bef3c03d
SHA256 1ae4f788dfafe54c0229d78f5b17a72263956b794878d9c49a4f3dca03480b33
SHA512 7a286c1a9d23089a60bfcbb64f92918091a8eff19cdf246260399517619be43bebdb767da1faa41c147e6433f968a648234965d686e4be8158a2b6dd95099392

C:\Users\Admin\AppData\Local\TempJSNWN.bat

MD5 15285851233d61e2a688de9c160730fd
SHA1 06b9b3802c61ba94d8828729ff9d7aba3da7e27d
SHA256 60bf2801ea6c831308a9257254fec51748f911dd5a3f1f384f31f1515ef6afce
SHA512 90a29fdefa94fab43a002dee8ab95449b626f3db30189662f5ebbc5aba313f3d63e9dfb7687b067e766f4193f72f4d5155c68302c34c7759e92c6e52c7326c31

C:\Users\Admin\AppData\Local\TempRWHFJ.bat

MD5 d3a52b120e78d8888484887d939191d5
SHA1 fbf132bfa4d749d008479683b90bdd0f0e69c108
SHA256 19f9175f5b52b9e8ea57e58f32ac7fc5972e90a5b223832e57aed76c8240a091
SHA512 1c2d10a1c43fbb54180a60016d69788bea913c6ff0490f049e78a990c07727d7dbae1441a991301d6acdbe214b6e98b290cb0abfa02dbdbaa435ff1fbba145a8

C:\Users\Admin\AppData\Local\TempVHOSE.bat

MD5 bd6ef03451e88caaeed81bf9d7823359
SHA1 62809a2376a8a11b5fc13c8be32396c6078efccf
SHA256 5e8268494d3c001d1ed6eaeccf7ab3724d016fde8d7ea75ecbff7f63f6281ae2
SHA512 9f6255bde0d7d40a546237a6d62a83d6210c20c1fd9a89e82e7f89d550e42f4119f56c7afa7d8e4c4b7fc3a55fe1408bc12c23df9b52f6aa953f9e974a4a7be3

C:\Users\Admin\AppData\Local\TempKLUQE.bat

MD5 7d45cdc80375c5f3de4f93c29f836de4
SHA1 2a8d2e36e0bc939663044d0bc07abadf4c4ca1c2
SHA256 9a6da83ea8053446d3fa4c4648d6e2cf8cd866a7b7c1340e8812dc0f4b5b1cab
SHA512 8efacfd15a6cf31949ddadaebc8ed69f685cddd3f2152ae7469b31b837a91c7bc7a48a9bbd889d8620438ecb675a3f4fb4fc8ac70b9cdf14f14f262979a7cdad

C:\Users\Admin\AppData\Local\TempXWSTT.bat

MD5 e0b6d59035146efe9a219489de4b188f
SHA1 7ce686fb1eaa3cef69ea834e1bdf0bb19520c9c1
SHA256 f76614bf2a512d3fbc7197d726bfa512fcef70049cdb49aee2dab66df891074e
SHA512 4d7519081b7fcf6f11d549776162d92466e70a2fd9aa7d80675917ec2f856c098d4513f44ebcbbebf40ec5034f75fd4d12c1df4cb7bd5454355ce7b026ae345e

C:\Users\Admin\AppData\Local\TempBTXSP.bat

MD5 2c697172bdfa07db7b67cfe434c5d485
SHA1 980edb9d879a4faf10012aa7bf70135a37bc2c8b
SHA256 4cd11d6a426684082d44d06b7b5e59f8ec06df066986e46f8817f8257bd16959
SHA512 d0a63928d7cf5b7789fa00c979d64efd09c6f629975bb2af7841baa889c420e3de3643352d822c408fc27331118360aa392da5ca3f7a5deb0b256e6657928534

C:\Users\Admin\AppData\Local\TempWSRGP.bat

MD5 a7a9469e62d5b3bcdb8fe4f112b2f283
SHA1 2fb9d8be356e204d48ae1f11185da02851471b1e
SHA256 23d0cb4705754b0fef2e1c11d05232ddbb1f6f3134a2f9f36fbf430f76fb48ff
SHA512 c27ab92f0aabe4a7e608341737fa558b6b1bf7abf4a3457ce76829e62adfe477dffc7d55094c15bf8ae4aae329585c31c577013821fe188be8e6e3424780bdd5

C:\Users\Admin\AppData\Local\TempTFLQC.bat

MD5 f4ecb1100a1a3004491f21629be3ef86
SHA1 cf268cd395372e58bc0b877cfe5484cf1cb459ed
SHA256 5b42cc6707b41204cb786f0e2e459fdc3b8adca488f7a244cc2b26788e19d4b2
SHA512 75dcbd7bf21b9352216f58d2fe3d406bae48158ad0a360035179c823a8d15f9f7ce0a5be2b9dc6fcaddb5c443fc952d5eb9eec730b681fca65a0e7e2cd9d02e8

C:\Users\Admin\AppData\Local\TempYJHLG.bat

MD5 50983d56f0303ab497d85683ca9b9fff
SHA1 78ddfc5d32c826c13ddf43cc04cca5f1426c9459
SHA256 7281fab97faa9c054f49750b9af56996b11ecf1fddfd8b6308221191e15ea206
SHA512 c355ea232f71b39b986465e7003da035b63e3c78a69987d77394982ff58a19105592ddb7bc08729123cae54ac44cfeaf3e78a112fad8e56cba06d10a625bdad9

memory/2384-1640-0x0000000077820000-0x000000007793F000-memory.dmp

C:\Users\Admin\AppData\Local\TempDXWLU.bat

MD5 dfd4cab5f88961f37b56f920f0a3bb11
SHA1 20ff1258fc401b7bc515f6d7718123bc2fbae639
SHA256 9cd237b7606401f31ec6b1f136480b59cee627b1c57c6aa16c8dcfb01240fe6c
SHA512 2ea225c72ce94447d6a204a98ee8038a03e8d043f81a4f2f66ab930592dd984923e272342a08e2ac08e02b713dd4d948ff931fe8df6646058a71d6ab9f69e06c

C:\Users\Admin\AppData\Local\TempVLJNI.bat

MD5 015b92f720d4718bb32f87e8456104e8
SHA1 aacbff0d817ca68266f70aa626f3a4e4b9b7e689
SHA256 29930625740a6ccfd888c57e7e07350cf3ef60248bfcaf241980302370c3c3e8
SHA512 2b7843bd34f60d96745a3fa961de4e478ef2c4e7e48f0e98862118117dc31711b611366552e780a8c47a6270acf051ca6874a0c6c1114f9914d80049f60498e2

C:\Users\Admin\AppData\Local\TempGYXUU.bat

MD5 5e98485a26e1d29174a71fd2ce5f7060
SHA1 57656c90ba820f35a9d3717a22e2f99df3a550a6
SHA256 c4a119b3c3d3527eab9c6606aa9eacef2145cd952e4c61fbc33713f85776eb3f
SHA512 eab70f15bded304d8a4fbce9ff3d3c0a55683fe7130ce34ef5126c0840b7d7121ef130b0d2a9edbaab1a146bb4a1f351649a94d89943371e6db5708f7e49dd81

C:\Users\Admin\AppData\Local\TempVRQFO.bat

MD5 fe450ebf632a09f4f66111d45d141749
SHA1 34912ec81767af2e85aedc4cd1075178b053710b
SHA256 33ba3c1f094e807384e3955c19f080d01b3e523808cdbd6a42c5771ae25d6122
SHA512 5e064f2439d0d2f1014acd935f0c054e2aa01720656cb067b60dfdd36bdd17d4633cdda34a0c5d9df2d0e465f48865a8abc462a1f828ab63265e9199a44d0bb0

C:\Users\Admin\AppData\Local\TempEIJSO.bat

MD5 604f9a349912404b79f36a00ff580e44
SHA1 44695701694f6859082fda33380e97c86543e0f4
SHA256 8238fb6f37bb7fad279bfdb835e296bbd9dd92e8a340c4cc58b6d7a80d1633ef
SHA512 d9f803b15736c45dfb654eeafc4ff303bb3b0d43557042db6dc08b2134cb45d5eacafbe576947d62276b0552b5383f2b2d177b01bf40aa71ec98b3fb1febde18

C:\Users\Admin\AppData\Local\TempUGMRD.bat

MD5 1ca27e0a1f0f18dea3c0f00f033fd5cc
SHA1 abffc848fac94857bed8e6bbd0a0005f0ef661d7
SHA256 58c273c5ec65966bad04002ae6aa87dd384bffb231627f3f4b5bf6fd5b07d7bb
SHA512 c3f16d7193bb66da530d78093132be70b8323763e860feb6f33acc34c9004a051540a8437b1a6530988d687c9ec1378c63fd97cd6ac7858b29529950a2c790e4

C:\Users\Admin\AppData\Local\TempABPYL.bat

MD5 07eac661d1b577e5b372b206c824c2d5
SHA1 5e31c3f675be31225f7fe90c39b52161b503a7ee
SHA256 a42445b8898e0d4dfb54b8bc5d5e14c56ee52930c88e113112e0dce363d4f36d
SHA512 b17da091c3f5075e2fe629252281c160e439bd3e64aed6fb5bcd147076b9c083f5e2e9615d66651b0595d4e74049b4c5b1ed51d6f608069a49a554453abcc579

C:\Users\Admin\AppData\Local\TempWSAGD.bat

MD5 422a0444105ca7ae4fb0edfa0c9475f0
SHA1 62258d641c74403bb56c5d4f68e3ccf26d7bda74
SHA256 35a945832a1601251c30da928d68011a034cb4c3572970aa01076003c5fbc3e0
SHA512 7243ed5bf14c1da13855cdf27e8f710107991ae54e9a34be4f416f33fc47475ff9e523c6c2c8e5ac26b0cb05e504b0d95a10d3b113bf2d2dc2208dcee8de34f1

C:\Users\Admin\AppData\Local\TempAACDR.bat

MD5 a4e0810c98b777c5cf1a24c7c263c697
SHA1 d5cfda46b318196a5023f4f50a3a23afe9cfd856
SHA256 b60d3e45f1ce42452509c5496958ca661af93704311d0e674c5f8d9f95901756
SHA512 38e95cb787025e08d4af45ba3c3c4d9ed281525af5e6c60e57c5dd8ac1c36a06daed18ca1837c25a889d13215e99d94b1c5470d0e8ded9eaf23195e74d28619a

C:\Users\Admin\AppData\Local\TempEHIRN.bat

MD5 a1b8c40bb88a786c6001601d1ee0d05f
SHA1 d69809bbe4406c24fa2464fc487848fe75dbd85a
SHA256 c339f5fddb844ed2de03e8e3795ca5bee76a30694531f08eb6e9a2566f2d3f9d
SHA512 2471e79706d59f0f0a363f750b3b7ac682edbbfcb03270360bcb07e6c876c89d58ddd8c03efb2f9b708aa4ac7c8a6693f8a8b265c4568f710462483bc277b781

C:\Users\Admin\AppData\Local\TempNWIOT.bat

MD5 33a26b61c58238cba285178b1486bf0f
SHA1 2d3b7a32f2a42cee421e21f3de45b3a03cc39ed0
SHA256 3efeafa7f4646e7d578508b083347d25526ff443c2dc47d8f426a0963da4d7be
SHA512 a9070731533573c35a3639d595f72153dab4b59d3dfffafb455784c25f502962f945686ec728451412fe826bfe4f3ee37a5edab9d1688e58736354b7d4aa300c

C:\Users\Admin\AppData\Local\TempHUBYY.bat

MD5 45a37016efa2f9e37b42aed0a4726c99
SHA1 394ce87cc05ee3fd6599af8779ef5afebfd2c106
SHA256 b85390cea841e03ee2ce4127690de0edf31afa2ebe485aad6a7d318d608c9129
SHA512 2f46fbf8e8b5074d5318a9fea0c4f871a16d6e47a74256a75956dcbb6038c03ce9a826a807c3cf143e8e353ee8d9f4e4a3e60a6dfc65b928888cf3486117a297

C:\Users\Admin\AppData\Local\TempVGEID.bat

MD5 544ea437cd0d9ea6723d78a6053b8df1
SHA1 ff3cf28f2289dda4f486bd0087bd37dc58748458
SHA256 a168808f799128b67a718ce0a0610c3b3027ae8a96588e96b30bc3bd0dfc13ba
SHA512 66409d88d6f4da083e615053241220cd55c24233c8b57e76cc14938d14a03cb6fa4465c7ba18982b792b7e6363debf33a8ba25af9317cf6c42926231969d5fde

C:\Users\Admin\AppData\Local\TempEYNJR.bat

MD5 5a2d7d2fdf8d93d974d5b1e5e9e8b3ab
SHA1 b73cae44242128fcf54c491ac6d0e9a8fcc0b95a
SHA256 1a61b4e919fd369fb247a817b852f0a7bd734baaecf59f66651740439822c7d8
SHA512 8e701b26d3c19db47f9d86cfe05df722218d706b3c258557c240d2c6e9b5ea528a241eb7c4eb1be11606e9379d0ef2884839f0d4f9b591d9457e37443471a37f

C:\Users\Admin\AppData\Local\TempVCTMR.bat

MD5 e522ef6e90effcd867091232dd811330
SHA1 bc49e18d948bac5f62d742cebea31a4e25086971
SHA256 b6af6611a08e65045326aa360906362e279e119d2036e8da2dbb0fee3088781b
SHA512 97ea1d8ca86b9b5917eac9fe3a636a6a38f331c3d490e6c9fce145fbd19478f2067a21d0015ef36ea37f68c751fd32dba44a26c1c968311d154693f26191094f

C:\Users\Admin\AppData\Local\TempCGHQM.bat

MD5 af3bc0b9d7de11e60125789863d1bc4e
SHA1 95fec6cd34b10072f384ce4f1ed44e62908113cf
SHA256 c305e16af56500c386c409310743b41c44e74ec8d9f086f95df595f2db6b0642
SHA512 fa9b0f6dc1322f37ecc397d4b263a66ec0c0135e1d783a60aa5d8f48f81f7910450ca0289898441e942ff9b2a546d2735c0d790b54f9128221919edd89b6a7e1

C:\Users\Admin\AppData\Local\TempFRXNL.bat

MD5 eb4ec3f54b91d5fd06a506adf95420d4
SHA1 1179e3bd3e314f04e92d5da5433b627fedd66912
SHA256 46fe1a677e0e641c657819690047da1375edfb0cea39561eb5dfb4b480755d0b
SHA512 b410967072d5562a72a9289797927fa81cb2ced38d0d8d2b77209d3d0ac558a46a2458da4b926b2a4ce310f4161aa5c2e36832d3be54921174b4ded0950a639e

C:\Users\Admin\AppData\Local\TempPVLJN.bat

MD5 577f5996f783f890ba33c6040c10977c
SHA1 d1915aefdd08072f2e106d8b9542286c8a5fa759
SHA256 d08343b6b8202d4a4277e3a76d5aa1eccaf3280293107211fcd647cfc318679f
SHA512 a60567082ad8f9ba8e96752f664c270dac82056d1fc05720b3b9854994b19a1d2b2ac47a707140799a24ba08acd1f4e096821228f167c29855b111df26e4db1e

C:\Users\Admin\AppData\Local\TempPPYAU.bat

MD5 b6e7e717427b9a2a0cb73db79e705a84
SHA1 27812bd748e98425f675803b8f176a4256f194ed
SHA256 b504483495d7dc2be123b22b234915a5fe61a07a357a00b56f2b57222e3a63ce
SHA512 47677f7e8dfbb53cff8c626d252772dc3910b82133864bba34838c246bcf1050751a5ea87fc5f46d8d7068109c8d1d09dbf1fefbadd163c2d97f9f7d6fc299d7

C:\Users\Admin\AppData\Local\TempMVREB.bat

MD5 cfcab4ce7b33fe47d4a2fbd0db1cf6bf
SHA1 e6184239342f634b181e0ec242c106cc24d2ebbf
SHA256 10cb6c5370b11b8ecb9648dba6bcc01798433f19c98c4853e2397b6ecbbe8261
SHA512 0f926cfef3df33006e03ad58ba3c94395de2a20ddbb0fe49ac04a02ecd18ea10081efb480d883f587a02cedcf3bed0817a0fa6008361a87eb1ce4cde9f0a5574

C:\Users\Admin\AppData\Local\TempUGMRD.bat

MD5 1ec7e3ccc363d8da29003f6ca9f20bcb
SHA1 0f0f489d7aa81ef3940691225309146a6831f60c
SHA256 abcf81cc40c7d02722b4e7ec09f9acb87ec53d01704592e4cc80c829f87db94c
SHA512 bcdf328821e26d27e9f8d3736e33601e50ad69ea511f3f57fba0d2b5318955418deceb86fac03ce316b0749170f34293870c2a4cbbf2ca770fcc8d98c9fb71e2

C:\Users\Admin\AppData\Local\TempJBDQM.bat

MD5 7943f1314bd997f07c8d719fc152e4d1
SHA1 2a90fec7bcef94dc5b7afec09346a22d684bae92
SHA256 e8caf17ca88b271aa0575f08217fbf7d375d0dcfe83582179be6ba2934e6fce4
SHA512 545716afb8c98ff890fb3cb81a1e782ecc5ca59aff5277969e8445278f532076b22f9062d6dae0cc5131bfc179b2873590a3ed624759076373cecc1b166115db

C:\Users\Admin\AppData\Local\TempPUGEI.bat

MD5 bd3265b33a7a2565da521c9c3a486153
SHA1 4c7164dc5142483ce424a84793f43c158053e0a4
SHA256 612043966a179f96b5ff883b465f352b6380e0cb0cece327cddd9aba34bfb6e0
SHA512 40dbcf6f63a893ccd243a58ca79df2447e7a8dec864ee394fb46b289fbf794d071ab59383e080d83918ff859bf1ae4d94bc4a27cb4d2581c94a0afa4f5988b01

memory/3068-2207-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3068-2212-0x0000000000400000-0x0000000000471000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-24 03:28

Reported

2025-02-24 03:30

Platform

win10v2004-20250217-en

Max time kernel

137s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GJVVWRPWSHVDMDX\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
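The rows above show the legacy (SharedAccess) firewall store being edited directly through reg.exe: each AuthorizedApplications\List value is the executable path, and its data has the form "path:scope:Enabled|Disabled:display name", here with scope "*" (any remote address) and the display name "Windows Messanger" copied from the sample. DoNotAllowExceptions is also forced to 0 so that the new exceptions take effect. The following is an added triage example, not part of the sandbox report: it parses rows in the report's own "Set value" layout, decodes the exception format, and flags exceptions that point at a user-writable directory, are open to any address, or were written by reg.exe rather than an installer. The input list is constructed here from three rows of the table plus one hypothetical benign row used as a control; the scoring rules are the author's own heuristics.

```python
import re
from dataclasses import dataclass, field

# Sandbox "Set value" rows: <op> <key> = "<data>" <writing process> <target>.
# The key is matched lazily up to the first ' = "', so registry paths that
# contain spaces (e.g. ...\List\C:\Program Files\...) still split correctly.
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>str|int)\) (?P<key>.+?) = "(?P<data>[^"]*)" (?P<process>.+) (?P<target>\S+)$'
)

# User-writable locations a firewall exception should rarely point at (heuristic list).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\", "\\users\\public\\", "\\programdata\\")

# Constructed sample input: three rows transcribed from the table above, plus one
# hypothetical benign row (a vendor installer registering its own app) that must not be flagged.
FIREWALL_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GJVVWRPWSHVDMDX\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Vendor\app.exe = "C:\\Program Files\\Vendor\\app.exe:LocalSubNet:Enabled:Vendor App" C:\Program Files\Vendor\setup.exe N/A',
]


@dataclass
class Finding:
    kind: str                 # "authorized_app" or "exceptions_reenabled"
    path: str                 # executable the exception applies to ("" for profile flags)
    writer: str               # process that wrote the registry value
    display_name: str = ""
    reasons: list = field(default_factory=list)


def parse_set_value(row: str):
    """Split one 'Set value' row into its columns; returns None for any other row type."""
    m = SET_VALUE_RE.match(row)
    if not m:
        return None
    ev = m.groupdict()
    ev["data"] = ev["data"].replace("\\\\", "\\")   # undo the report's doubled backslashes
    return ev


def parse_authorized_app(data: str):
    """Decode a legacy firewall exception "<path>:<scope>:<state>:<display name>".
    rsplit from the right keeps the drive-letter colon inside the path."""
    parts = data.rsplit(":", 3)
    if len(parts) != 4:
        return None
    path, scope, state, name = parts
    return {"path": path, "scope": scope, "state": state, "display_name": name}


def triage_firewall_events(rows):
    """Return a Finding for every suspicious exception or profile change in the rows."""
    findings = []
    for row in rows:
        ev = parse_set_value(row)
        if ev is None:
            continue
        key_l = ev["key"].lower()
        writer = ev["process"]
        writer_exe = writer.rsplit("\\", 1)[-1].lower()

        # Profile flag: 0 means exceptions are honoured again (the opposite of "block all").
        if "\\firewallpolicy\\" in key_l and key_l.endswith("\\donotallowexceptions"):
            if ev["data"] == "0":
                findings.append(Finding("exceptions_reenabled", "", writer,
                                        reasons=["DoNotAllowExceptions=0 re-enables firewall exceptions"]))
            continue

        if "\\authorizedapplications\\list\\" not in key_l:
            continue
        app = parse_authorized_app(ev["data"])
        if app is None:
            continue
        reasons = []
        if any(marker in app["path"].lower() for marker in USER_WRITABLE):
            reasons.append("exception targets a user-writable path")
        if app["scope"] == "*":
            reasons.append("scope '*' allows any remote address")
        if writer_exe in ("reg.exe", "cmd.exe"):
            reasons.append(f"written by {writer_exe} rather than an installer")
        if reasons and app["state"].lower() == "enabled":
            findings.append(Finding("authorized_app", app["path"], writer, app["display_name"], reasons))
    return findings
```

Run against a live host, the same logic applies to the values under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile; the DomainProfile and PublicProfile subkeys use the same value format and should be checked the same way.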

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPYK\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJUS\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SKKRGFGCAHCXSFN\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCTKIT\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\LDTCKUAQLGAFUVT\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLDX\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HQIESXJKHPBIMAD\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\QTJDBIRINFWNBLC\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYQ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\KGUSISMKNDIWVHP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\LHVTJTNLOEJXWIQ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HVRUXVYJOTABGDS\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPK\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNGKBM\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SRBNMNJHOJNUDOT\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBDUQR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\YBSLQYJJDXBEUQR\service.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJUS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNGKBM\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SKKRGFGCAHCXSFN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUSISMKNDIWVHP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SRBNMNJHOJNUDOT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDTCKUAQLGAFUVT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCTKIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HQIESXJKHPBIMAD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBDUQR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YBSLQYJJDXBEUQR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QTJDBIRINFWNBLC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LHVTJTNLOEJXWIQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HVRUXVYJOTABGDS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPYK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NFMMVRQFOBYWAOR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYGCRVHIFNGKBM\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FQSNLNDRYHTXIUF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSISMKNDIWVHP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RQCKBTLHCSLMVLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQGAYWFOEKCTKIT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LIITQOSNVJLDKKT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFEGBGBWRFMH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OFDOMKPCGBQVOEE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXXBYTRAYUJXAF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IOTFDHCKVWSQSIV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WOIBHOXNSKSGRHD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QPBJBSKGBRLLVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQFYWFYOEJBSJIS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XOKJWDMWTEAYLEY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GJVVWRPWSHVDLDX\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PTOVKLDKLUPYPEN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DNWEBPTYFGDMEJX\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SFHCACXSGNIMJUR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HVRUXVYJOTABGDS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OTECGBJVWRPSHVD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HAPHYQMHCBRSPYK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DHCKVAXSQTIWEMD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHVTKUNMOAEJXWI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NMGPXHDOHIYRVWI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YBSLQYJJDXBEUQR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WUSXKAOJHYWMMOJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTJDBIRINFWNBLC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HMJJURPTOWKLELL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SKKRGFGCAHCXSFN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HUBKYUSCXJCWDUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGMTEFSXPXLWMI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ONHQYIEPIJTWXJK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMSKALEYCFVRSA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DEYAVQDKFKXGSYP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FSORUTVHLQEBPYP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YMNIGJMTDOTDQBY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EOXFCQUGHENFKYA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QUILHFWUKKMHADE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORHBXGPFLDTLJUS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BCNTYKIMHPDEXVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LDTCKUAQLGAFUVT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TFOFXPLGWPAQAPQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQHRKJLYBYGU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OQLJLBPWFRVGSDC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIESXJKHPBIMAD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KUQLUGVAFUVTCNT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AOJYWMWQORCHMLT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OLLXTRVQYMOAGNN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UNMUIHJECJEUIPK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BYMYKIMAEOTMCCE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GJVVWRPWSHVDMDX\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CXTOBXIYDIXYVFQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DQMPTRUFJPCOWNB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BNTYJHLGODEWUDD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KDSCKTPKFAEUVSB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AUVJWHFKXYBLQYY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XEWGSSTOMTPESAJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DNSLBBDFTBPOAID = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ERNQTSUGKPDAOXO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QEQBAYEWVRTFLSS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNMOJHOKNUDPT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CDYUPCYJEJYWGRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ERNQUSUGKPDAPXO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FKYXJRJSPJTEUDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRCONOJIOKANVEP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RQCKBTLHCSLMVMM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQGAYWFOFKCTKIT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EPMLPCGCAQWOFFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYXBUSBUKYAGOF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AXBYTRABUJXFOFC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQMYPSRTFJOBNVN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MLGPYWHDOHIYRUW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YASLQXJJDXBDUQR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PFBXWANDRNLQCQS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RQBYNMNJHOJMUDO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HRNIYRDSCSTQYKR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHVTJTNLOEJXWIQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NHQXIEPIJSWXIJH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNDVTCWLCHQHFQO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QEQBAYEWVRSFLSS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNMNJHOJNUDOT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DFAAVQELFKYHSPN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTPRVTWHMREBQYQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FRSNLODRYITYIUG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSJTMLNDIWVHP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
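Every Run value above is written by reg.exe, carries a 15-letter uppercase name, and points at a file called service.exe inside a 15-letter uppercase directory under the user's Temp folder, so the persistence is both user-writable and fanned out over many copies. The following is an added hunting example, not part of the sandbox report: it scores Run-key writes in the report's row format and separately reports "fan-out", the same executable name planted under several different directories. The input is constructed here from five rows of the table plus one hypothetical benign autorun (an OneDrive-style entry living under AppData but not Temp) used as a control; the weights and the 3-point threshold are the author's heuristics, and the 12-16 uppercase-letter pattern is simply what this report shows.

```python
import re
from collections import defaultdict

# Sandbox "Set value" row layout: <op> <key> = "<data>" <writing process> <target>.
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>str|int)\) (?P<key>.+?) = "(?P<data>[^"]*)" (?P<process>.+) (?P<target>\S+)$'
)
RUN_KEY_MARKER = "\\software\\microsoft\\windows\\currentversion\\run\\"
# Value names and drop directories in this report are 15 uppercase letters (heuristic range).
RANDOM_NAME_RE = re.compile(r"^[A-Z]{12,16}$")
EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)   # strip trailing arguments from the command

# Constructed sample input: five rows transcribed from the table above and one
# hypothetical benign autorun that should score below the threshold.
RUN_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NFMMVRQFOBYWAOR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYGCRVHIFNGKBM\\service.exe" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FQSNLNDRYHTXIUF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSISMKNDIWVHP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RQCKBTLHCSLMVLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQGAYWFOEKCTKIT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LIITQOSNVJLDKKT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFEGBGBWRFMH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OFDOMKPCGBQVOEE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXXBYTRAYUJXAF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveSetup.exe N/A',
]


def score_run_entry(name: str, data: str, writer: str):
    """Score one Run value. Returns (executable path, score, reasons)."""
    m = EXE_RE.match(data)
    exe = m.group(1) if m else data
    exe_l = exe.lower()
    reasons = []
    if "\\appdata\\local\\temp\\" in exe_l or "\\temp\\" in exe_l:
        reasons.append(("executable lives in a Temp directory", 2))
    elif "\\appdata\\" in exe_l or "\\users\\public\\" in exe_l:
        reasons.append(("executable lives in a user profile directory", 1))
    parent = exe.rsplit("\\", 2)[-2] if exe.count("\\") >= 2 else ""
    if RANDOM_NAME_RE.match(name):
        reasons.append(("random-looking value name", 1))
    if RANDOM_NAME_RE.match(parent):
        reasons.append(("random-looking parent directory", 1))
    if writer.rsplit("\\", 1)[-1].lower() in ("reg.exe", "cmd.exe"):
        reasons.append(("written via reg.exe/cmd.exe", 1))
    return exe, sum(w for _, w in reasons), [r for r, _ in reasons]


def triage_run_keys(rows, threshold: int = 3):
    """Flag Run values scoring >= threshold and report executables planted in 3+ directories."""
    flagged = []
    dirs_by_exe = defaultdict(set)
    for row in rows:
        m = SET_VALUE_RE.match(row)
        if not m:
            continue
        key = m.group("key")
        data = m.group("data").replace("\\\\", "\\")   # undo the report's doubled backslashes
        writer = m.group("process")
        if RUN_KEY_MARKER not in key.lower():
            continue
        name = key.rsplit("\\", 1)[-1]
        exe, score, reasons = score_run_entry(name, data, writer)
        directory, _, basename = exe.rpartition("\\")
        dirs_by_exe[basename.lower()].add(directory.lower())
        if score >= threshold:
            flagged.append({"name": name, "exe": exe, "score": score, "reasons": reasons})
    fanout = {exe: len(dirs) for exe, dirs in dirs_by_exe.items() if len(dirs) >= 3}
    return {"flagged": flagged, "fanout": fanout}
```

On a live system the same scoring can be applied to the values enumerated from HKCU\Software\Microsoft\Windows\CurrentVersion\Run (and the RunOnce and HKLM variants); the fan-out count is the quickest way to see that one sample has seeded dozens of copies rather than a single autorun.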

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4468 set thread context of 2932 N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SRBNMNJHOJNUDOT\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBDUQR\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPK\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HVRUXVYJOTABGDS\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCTKIT\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJUS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNGKBM\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SKKRGFGCAHCXSFN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUSISMKNDIWVHP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SRBNMNJHOJNUDOT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDTCKUAQLGAFUVT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCTKIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HQIESXJKHPBIMAD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBDUQR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XEWGSSTOMTPESAJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QTJDBIRINFWNBLC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LHVTJTNLOEJXWIQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HVRUXVYJOTABGDS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPYK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4892 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe C:\Windows\SysWOW64\cmd.exe
PID 4892 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe C:\Windows\SysWOW64\cmd.exe
PID 4892 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe C:\Windows\SysWOW64\cmd.exe
PID 4776 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4776 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4776 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4892 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe
PID 4892 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe
PID 4892 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe
PID 1900 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1900 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1900 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4504 wrote to memory of 4440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4504 wrote to memory of 4440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4504 wrote to memory of 4440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1900 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJUS\service.exe
PID 1900 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJUS\service.exe
PID 1900 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJUS\service.exe
PID 4188 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJUS\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4188 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJUS\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4188 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJUS\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3076 wrote to memory of 844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3076 wrote to memory of 844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3076 wrote to memory of 844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4188 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJUS\service.exe C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe
PID 4188 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJUS\service.exe C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe
PID 4188 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJUS\service.exe C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe
PID 5056 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 5056 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 5056 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4260 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4260 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4260 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5056 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNGKBM\service.exe
PID 5056 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNGKBM\service.exe
PID 5056 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNGKBM\service.exe
PID 4672 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNGKBM\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4672 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNGKBM\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4672 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNGKBM\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4576 wrote to memory of 1356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4576 wrote to memory of 1356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4576 wrote to memory of 1356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4672 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNGKBM\service.exe C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe
PID 4672 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNGKBM\service.exe C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe
PID 4672 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNGKBM\service.exe C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe
PID 3796 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3796 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3796 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 5076 wrote to memory of 4376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5076 wrote to memory of 4376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5076 wrote to memory of 4376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3796 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe
PID 3796 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe
PID 3796 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe
PID 1652 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3156 wrote to memory of 3676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3156 wrote to memory of 3676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3156 wrote to memory of 3676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1652 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe C:\Users\Admin\AppData\Local\Temp\SKKRGFGCAHCXSFN\service.exe
PID 1652 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe C:\Users\Admin\AppData\Local\Temp\SKKRGFGCAHCXSFN\service.exe
PID 1652 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe C:\Users\Admin\AppData\Local\Temp\SKKRGFGCAHCXSFN\service.exe
PID 4332 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\SKKRGFGCAHCXSFN\service.exe C:\Windows\SysWOW64\cmd.exe
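The WriteProcessMemory rows above and the REG ADD command lines listed under Processes below describe one repeating cycle: each service.exe generation launches a .bat via cmd.exe, registers the next %TEMP%\<15 upper-case letters>\service.exe under the HKCU Run key, hands off to it, and the final generation re-enables Windows Firewall exceptions and allow-lists itself under a "Windows Messanger" description. The script below is an added example written for this page, not part of the sandbox output: it parses rows in the exact column layout this report uses, deduplicates the triplicated injection rows into a process chain, and classifies the REG ADD commands. The sample rows are copied from the tables on this page except for the OneDrive line, which is a constructed benign control; the 15-letter directory pattern is taken from this sample alone and is an assumption, not a family-wide indicator.

```python
"""Parse this report's WriteProcessMemory rows and REG ADD command lines and flag the
dropper chain, Run-key persistence and firewall tampering. Added example; not part of
the sandbox output. Parsers assume the column layout used in this report."""
import re
from collections import defaultdict

# Rows copied from the "Suspicious use of WriteProcessMemory" table (the sandbox logs
# each injection three times; the parser collapses duplicates).
WPM_ROWS = [
    r"PID 4892 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 4892 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 4776 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe",
    r"PID 4892 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe",
    r"PID 1900 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJUS\service.exe",
    r"PID 4188 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJUS\service.exe C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe",
]

# Command lines copied from the Processes list; the last one is a constructed benign
# control so the classifier has a negative case.
CMDLINES = [
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IOTFDHCKVWSQSIV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe:*:Enabled:Windows Messanger" /f',
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDMDXB.bat" "',
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDrive" /t REG_SZ /d "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /f',
]

WPM_ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")
REG_ADD = re.compile(
    r'REG\s+ADD\s+"?(?P<key>[^"\s]+)"?\s+/v\s+"?(?P<name>[^"]+?)"?\s+/t\s+\S+\s+/d\s+"?(?P<data>[^"]*)"?\s+/f',
    re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)
FIREWALL_KEY = re.compile(r"\\SharedAccess\\Parameters\\FirewallPolicy\\", re.IGNORECASE)
# Directory naming seen in this sample only (assumption): %TEMP%\<15 upper-case letters>\service.exe
TEMP_SERVICE = re.compile(r"\\AppData\\Local\\Temp\\[A-Z]{15}\\service\.exe$")


def classify(cmdline):
    """Return (finding, value_name, data) for a REG ADD command line, or None."""
    m = REG_ADD.search(cmdline)
    if not m:
        return None
    key, name, data = m["key"], m["name"], m["data"]
    if RUN_KEY.search(key):
        if TEMP_SERVICE.search(data):
            return ("run_key_temp_service_persistence", name, data)
        return ("run_key_autostart", name, data)
    if FIREWALL_KEY.search(key):
        if name.lower() == "donotallowexceptions" and data == "0":
            # Turns the exception list back on so the allow-list entry below takes effect
            return ("firewall_exceptions_reenabled", name, data)
        if key.lower().endswith("\\authorizedapplications\\list"):
            return ("firewall_app_allowlisted", name, data)
        return ("firewall_policy_change", name, data)
    return ("reg_add_other", name, data)


def parse_injections(rows):
    """(parent_pid, child_pid) -> (parent_image, child_image); duplicate rows collapse."""
    edges = {}
    for row in rows:
        m = WPM_ROW.match(row)
        if m:
            parent, child, pimg, cimg = m.groups()
            edges[(int(parent), int(child))] = (pimg, cimg)
    return edges


def dropper_chain(edges):
    """Follow service.exe hand-offs from the original sample: every generation writes
    the next service.exe, so the chain length is the number of drop-and-relaunch cycles."""
    next_service = defaultdict(list)
    for (parent, child), (_, cimg) in edges.items():
        if cimg.lower().endswith("\\service.exe"):
            next_service[parent].append((child, cimg))
    children = {c for lst in next_service.values() for c, _ in lst}
    roots = [p for p in next_service if p not in children]
    chain, pid = [], (roots[0] if roots else None)
    while pid in next_service:
        pid, image = next_service[pid][0]
        chain.append(image)
    return chain


def triage(rows, cmdlines):
    """Summarise the report: dropper generations plus every flagged REG ADD."""
    findings = [f for f in map(classify, cmdlines) if f and f[0] != "reg_add_other"]
    return {"generations": dropper_chain(parse_injections(rows)), "findings": findings}


if __name__ == "__main__":
    summary = triage(WPM_ROWS, CMDLINES)
    print(f"{len(summary['generations'])} service.exe generations observed")
    for kind, name, data in summary["findings"]:
        print(f"{kind:36} {name} -> {data}")
```

Run against the full 64-row table and the whole Processes list, the chain comes out far longer than the three generations sampled here, which is the point: a single Run-key autostart is routine, but dozens of Run values all pointing at freshly named %TEMP% directories, followed by DoNotAllowExceptions=0 and a self-referencing AuthorizedApplications\List entry, is the pattern worth alerting on. The benign OneDrive line is still reported as a plain Run-key autostart so analysts can see the difference between the two classes.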

Processes

C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe

"C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDMDXB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IOTFDHCKVWSQSIV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe

"C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOKXXJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QUILHFWUKKMHADE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJUS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJUS\service.exe

"C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJUS\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWNLPK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CXTOBXIYDIXYVFQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe

"C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRLEKC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NFMMVRQFOBYWAOR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNGKBM\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNGKBM\service.exe

"C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNGKBM\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXMIQH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BNTYJHLGODEWUDD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe

"C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempURAMS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FKYXJRJSPJTEUDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe

"C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUQYPE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HMJJURPTOWKLELL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKKRGFGCAHCXSFN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SKKRGFGCAHCXSFN\service.exe

"C:\Users\Admin\AppData\Local\Temp\SKKRGFGCAHCXSFN\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEIVWW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FQSNLNDRYHTXIUF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSISMKNDIWVHP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KGUSISMKNDIWVHP\service.exe

"C:\Users\Admin\AppData\Local\Temp\KGUSISMKNDIWVHP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPBIMA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NHQXIEPIJSWXIJH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe

"C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDXWLU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QEQBAYEWVRSFLSS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNMNJHOJNUDOT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SRBNMNJHOJNUDOT\service.exe

"C:\Users\Admin\AppData\Local\Temp\SRBNMNJHOJNUDOT\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKSELP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKBTLHCSLMVMM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe

"C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEXNIR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BCNTYKIMHPDEXVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LDTCKUAQLGAFUVT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\LDTCKUAQLGAFUVT\service.exe

"C:\Users\Admin\AppData\Local\Temp\LDTCKUAQLGAFUVT\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNWIOT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFOFXPLGWPAQAPQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe

"C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCIWES.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EPMLPCGCAQWOFFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe

"C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYBNKJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DHCKVAXSQTIWEMD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe

"C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMJREK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBJBSKGBRLLVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe

"C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQRWDE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBKYUSCXJCWDUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe

"C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHPBIM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ONHQYIEPIJTWXJK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe

"C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOMKOC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AXBYTRABUJXFOFC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe

"C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKSEKP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKBTLHCSLMVLM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCTKIT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCTKIT\service.exe

"C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCTKIT\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFVORT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XOKJWDMWTEAYLEY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLDX\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLDX\service.exe

"C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLDX\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGYXTU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OQLJLBPWFRVGSDC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIESXJKHPBIMAD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HQIESXJKHPBIMAD\service.exe

"C:\Users\Admin\AppData\Local\Temp\HQIESXJKHPBIMAD\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHIFOA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLGPYWHDOHIYRUW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBDUQR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBDUQR\service.exe

"C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBDUQR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNGJKT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PFBXWANDRNLQCQS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe

"C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYAWVM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PTOVKLDKLUPYPEN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe

"C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMRMTI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DEYAVQDKFKXGSYP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe

"C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJGOAH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMGPXHDOHIYRVWI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLQYJJDXBEUQR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YBSLQYJJDXBEUQR\service.exe

"C:\Users\Admin\AppData\Local\Temp\YBSLQYJJDXBEUQR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJBDRN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AUVJWHFKXYBLQYY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XEWGSSTOMTPESAJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XEWGSSTOMTPESAJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\XEWGSSTOMTPESAJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCFHQM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUSXKAOJHYWMMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTJDBIRINFWNBLC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\QTJDBIRINFWNBLC\service.exe

"C:\Users\Admin\AppData\Local\Temp\QTJDBIRINFWNBLC\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRXJFP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DNSLBBDFTBPOAID" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe

"C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHFJE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HRNIYRDSCSTQYKR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVTJTNLOEJXWIQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\LHVTJTNLOEJXWIQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\LHVTJTNLOEJXWIQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPTOWK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SFHCACXSGNIMJUR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HVRUXVYJOTABGDS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HVRUXVYJOTABGDS\service.exe

"C:\Users\Admin\AppData\Local\Temp\HVRUXVYJOTABGDS\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYKIMH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KUQLUGVAFUVTCNT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe

"C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRMUIJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DFAAVQELFKYHSPN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDXWLU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QEQBAYEWVRTFLSS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe

"C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPXODM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LIITQOSNVJLDKKT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe

"C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLDXAM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OTECGBJVWRPSHVD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPYK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPYK\service.exe

"C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPYK\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWSRGP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OLLXTRVQYMOAGNN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPK\service.exe

"C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPK\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOMQLT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPCYJEJYWGRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe

"C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEIWAW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FRSNLODRYITYIUG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe

"C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGBIWE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OFDOMKPCGBQVOEE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe

"C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEWVRR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YMNIGJMTDOTDQBY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe

"C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BYMYKIMAEOTMCCE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe

"C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe"

C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe

C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 2.18.66.41:443 www.bing.com tcp
N/A 192.168.1.16:3333 tcp

Files
