Malware Analysis Report

2025-05-06 00:12

Sample ID 250225-12157azpt3
Target 3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e
SHA256 3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e
Tags
blackshades defense_evasion discovery persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e

Threat Level: Known bad

The file 3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e was found to be: Known bad.

Malicious Activity Summary

blackshades defense_evasion discovery persistence rat

Blackshades family

Blackshades

Blackshades payload

Modifies firewall policy service

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-25 22:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-25 22:09

Reported

2025-02-25 22:12

Platform

win7-20240903-en

Max time kernel

150s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WONVKJKFEKGWJRA\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDULJAU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNGMTEFSYPXLWMI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENXFBPUGHEMFJYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKGVJQL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPGXODND\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYTCWYMQWCDAJB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBDUQR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AIASJGBUYKLIRDJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XARKQXIICWADTPQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXWBYTRAYUJXFN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DVOTMCMGEHXTUCP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OHXGOCCDYDUPCJE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VNMUIIJEDJFVIQK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QJIQEEFAFBWRELG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETURAB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOFXPLGAAPQNWIO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QTJDBIRINFWNBLC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PHXGOCCDYDUPCJE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDULJAU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDULJAU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNGMTEFSYPXLWMI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNGMTEFSYPXLWMI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENXFBPUGHEMFJYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENXFBPUGHEMFJYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKGVJQL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKGVJQL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPGXODND\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPGXODND\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYTCWYMQWCDAJB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYTCWYMQWCDAJB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBDUQR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBDUQR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AIASJGBUYKLIRDJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AIASJGBUYKLIRDJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XARKQXIICWADTPQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XARKQXIICWADTPQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXWBYTRAYUJXFN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXWBYTRAYUJXFN\service.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\CXTOBXIYDIXYVFQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DQMPTRUFJPCOWNB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\RDLCUMIDTMNWMNK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBXQVOEOIGJVWER\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MLGPYWHDOHIYRUW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YASLQXJJDXBDUQR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HMREBQYQDFAAVQE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWBYTRAYUJXFN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\BVAWKXIHLYCMSKA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YFXHTTUPOUQGTBK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\YLMIGIYMTCNSDPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBPUFGEMFJYA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\JYWFGRXOMQLTHIB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PHXGOCCDYDUPCJE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\TCCNUKIMHPDFXVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LETDLAUAQLGBFVW\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\PMAMYUASWRNPBHO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VONVJIKFDKGVJQL\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\RDLDUMIDTMNWNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOEPIGJVWES\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\SQUIMHFWUKKMHAD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORHBXGPFLDULJAU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\VVDRQCLCULIDSMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VONVJJKFDKGWJQA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\QMLYFPYWGDNHIYR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QJIQEEFAFBWRELG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\SGHCADYTGNINJVS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IVRUXWYKOTABHES\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\IJGOAHLCNPKILAO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVLFDKTJPGXODND\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\GYQMHXQBRBQROXJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTRISLKMCHVUGP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\DBFAITUQOQGUBKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMDVNJEXNOMUGNR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\RISOJSETDSTRALS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MHWUKUOMPAFKYXJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\USRVIMIGWULKMHA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSHBYAHQGLDULKA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\GVWUCDOVLJNIQEF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VYNHAGNWMRJRFQG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\GVVIKFDFVJQKPAM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYUCWYMRWCDBJC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\CAEHSUPNPFTBJAV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLCUMIDWNOLTFMQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\DYCPFTPNSESUPIL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WOIBHOXANSKSGRH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\PLMXUASWRNOBHOO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VNMUIIJEDJFVIQK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\BFUUHIECEUIPJOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPEXVEXNDJARIHS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\TPDQBAYEWVRSFLS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RQBYNMNIHNJMUDO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\GUQOTFSVQJMNWSA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYGCRVHIFNAGLB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\QMANYVBTXSOPCHP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKQXIICWADTPQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\PBJASKGBRKLUXKL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DVOTMCMGEHXTUCP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSXJHLGOCDWUDDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KCSBJTPKFETURAB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\RNMGPXHDOIISVWI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YBSLRYJAKDXBEUQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\FSIWSQAVHAUXBSL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RLEKRCDQVNVJUKG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\GVUIJEDFVIQKPMX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYTCWYMQWCDAJB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\NAMUMBVRMAWHWCG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSICYAHQGMDULAK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\QPBJBTKHCRLMVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAVOUMDNGFHXUUC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\NJHJNUDOTEQBAYE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYGCQVGHFNGKBM\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\WUSXKAOJHYWMMOJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTJDBIRINFWNBLC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\LQMANYVBTXSOPCI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WONVKJKFEKGWJRA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\BDGSTOMPESAIAUJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKCULICWMNKTFLQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\GTAKXTRBWICWYDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIASJGBUYKLIRDJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\IJCJJSNWNCLXUTX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQMYPSRTFJOBNVN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\JYWFGRXOMQLSHIA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OHXGOCCDYDUPCJE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFDHCJVWRPSIVDM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOFXPLGAAPQNWIO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HUBKYUSCXJDXEUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGMTEFSYPXLWMI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\YLNIGIYMTCOSDPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBPUGHEMFJYA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\FGCACXSFNHMJURP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HVRTXVYJOTAGDSR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\OHXGOCCDYDUPCJE\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\TNGMTEFSYPXLWMI\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PHXGOCCDYDUPCJE\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AIASJGBUYKLIRDJ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDULJAU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNGMTEFSYPXLWMI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENXFBPUGHEMFJYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKGVJQL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPGXODND\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYTCWYMQWCDAJB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBDUQR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AIASJGBUYKLIRDJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XARKQXIICWADTPQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXWBYTRAYUJXFN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DVOTMCMGEHXTUCP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OHXGOCCDYDUPCJE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VNMUIIJEDJFVIQK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QJIQEEFAFBWRELG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETURAB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOFXPLGAAPQNWIO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QTJDBIRINFWNBLC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PHXGOCCDYDUPCJE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2904 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2912 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2912 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2912 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2904 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe
PID 2904 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe
PID 2904 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe
PID 2904 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe
PID 2632 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 264 wrote to memory of 880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 264 wrote to memory of 880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 264 wrote to memory of 880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 264 wrote to memory of 880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2632 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe
PID 2632 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe
PID 2632 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe
PID 2632 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe
PID 1832 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1832 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1832 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1832 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe C:\Windows\SysWOW64\cmd.exe
PID 400 wrote to memory of 836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 400 wrote to memory of 836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 400 wrote to memory of 836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 400 wrote to memory of 836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1832 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSR\service.exe
PID 1832 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSR\service.exe
PID 1832 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSR\service.exe
PID 1832 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSR\service.exe
PID 1548 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSR\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1548 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSR\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1548 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSR\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1548 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSR\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1648 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1648 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1648 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1548 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSR\service.exe C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe
PID 1548 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSR\service.exe C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe
PID 1548 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSR\service.exe C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe
PID 1548 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSR\service.exe C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe
PID 1076 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1076 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1076 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1076 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1768 wrote to memory of 2324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1768 wrote to memory of 2324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1768 wrote to memory of 2324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1768 wrote to memory of 2324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1076 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe
PID 1076 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe
PID 1076 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe
PID 1076 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe
PID 2428 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe C:\Windows\SysWOW64\cmd.exe
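The reg.exe rows above and the command lines listed under Processes below describe one repeating pattern: each dropped service.exe launches a .bat written as C:\Users\Admin\AppData\Local\Temp<5 letters>.bat (note the missing backslash after Temp, which is how the sandbox recorded it), that .bat runs REG ADD to register the next copy under HKCU\...\CurrentVersion\Run, and the final hollowed instance sets DoNotAllowExceptions to 0 under the FirewallPolicy key. The detection logic below is an added example written for this page, not output of the sandbox or code of the malware; the event tuples are constructed from command lines quoted in this report plus one benign control entry, and the field layout (parent image, image, command line) is an assumption about whatever process-creation telemetry you feed it.

```python
"""Flag the Blackshades persistence chain from process-creation command lines.
Added example for this report; input events are constructed from command
lines shown in the report, not exported from the sandbox."""
import re
from dataclasses import dataclass

# Constructed events: (parent image, image, command line). The last entry is
# a benign Run value and must not fire.
SAMPLE_EVENTS = [
    (r"C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe",
     r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c ""C:\Users\Admin\AppData\Local\TempYWFFY.bat" "'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\SysWOW64\reg.exe",
     r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GVWUCDOVLJNIQEF" '
     r'/t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe" /f'),
    (r"C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe",
     r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile '
     r'/v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f'),
    (r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\reg.exe",
     r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDrive" '
     r'/t REG_SZ /d "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /f'),
]

# HKCU/HKLM Run and RunOnce keys, as targeted by the REG ADD lines in the report.
RUN_KEY_RE = re.compile(
    r'^(HKCU|HKEY_CURRENT_USER|HKLM|HKEY_LOCAL_MACHINE)'
    r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$', re.I)
# %LOCALAPPDATA%\Temp\<15 letters>\service.exe: the dropped-copy layout seen in the report.
DROPPED_SERVICE_RE = re.compile(r'\\AppData\\Local\\Temp\\[A-Z]{15}\\service\.exe$', re.I)
# Windows Firewall profile keys under SharedAccess\Parameters\FirewallPolicy.
FIREWALL_KEY_RE = re.compile(
    r'\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\(Standard|Domain|Public)Profile$', re.I)
# Launcher written directly under AppData\Local as "Temp<5 letters>.bat" (no backslash after Temp).
BAT_LAUNCH_RE = re.compile(
    r'^cmd(?:\.exe)?\s+/c\s+"*([A-Z]:\\[^"]*\\AppData\\Local\\Temp[A-Z]{5}\.bat)"', re.I)


@dataclass
class RegAdd:
    key: str
    value_name: str
    value_type: str
    data: str


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted runs whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_reg_add(cmdline):
    """Return the key, /v, /t and /d arguments of a REG ADD, or None if absent."""
    toks = tokenize(cmdline)
    for i in range(len(toks) - 2):
        if toks[i].lower() in ("reg", "reg.exe") and toks[i + 1].lower() == "add":
            break
    else:
        return None
    args = toks[i + 2:]
    if not args:
        return None
    opts, j = {}, 1
    while j < len(args):
        flag = args[j].lower()
        if flag in ("/v", "/t", "/d") and j + 1 < len(args):
            opts[flag] = args[j + 1]
            j += 2
        else:
            j += 1
    return RegAdd(key=args[0], value_name=opts.get("/v", ""),
                  value_type=opts.get("/t", "REG_SZ"), data=opts.get("/d", ""))


def analyze(events):
    """Return (finding, detail) pairs for the three behaviours in the chain."""
    findings = []
    for _parent, _image, cmdline in events:
        m = BAT_LAUNCH_RE.match(cmdline)
        if m:
            findings.append(("dropped_bat_launcher", m.group(1)))
        ra = parse_reg_add(cmdline)
        if ra is None:
            continue
        if RUN_KEY_RE.match(ra.key) and DROPPED_SERVICE_RE.search(ra.data):
            findings.append(("run_key_persistence", ra.data))
        if (FIREWALL_KEY_RE.search(ra.key)
                and ra.value_name.lower() == "donotallowexceptions"
                and ra.data.strip() == "0"):
            findings.append(("firewall_exceptions_enabled", ra.key))
    return findings


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_EVENTS):
        print(f"{kind}: {detail}")
```

Because every relaunch in the chain adds its own Run value, a host check should enumerate the whole Run key rather than a single value name; dozens of REG_SZ values pointing into random 15-letter Temp subdirectories, plus DoNotAllowExceptions reset to 0, is the pattern this report records.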

Processes

C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe

"C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempYWFFY.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GVWUCDOVLJNIQEF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe

"C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWXUDP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NAMUMBVRMAWHWCG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe

"C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempTOWKL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FGCACXSFNHMJURP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSR\service.exe

"C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSR\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWNLPK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CXTOBXIYDIXYVFQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe

"C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMJSEK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBJBTKHCRLMVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe

"C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempTFLQC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLCUMIDTMNWMNK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe

"C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempTFMQC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLDUMIDTMNWNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe

"C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempFOKYX.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SQUIMHFWUKKMHAD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDULJAU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDULJAU\service.exe

"C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDULJAU\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempEYNJR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TCCNUKIMHPDFXVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe

"C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempQRWDE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBKYUSCXJDXEUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSYPXLWMI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TNGMTEFSYPXLWMI\service.exe

"C:\Users\Admin\AppData\Local\Temp\TNGMTEFSYPXLWMI\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempXDVUQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YLNIGIYMTCOSDPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBPUGHEMFJYA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ENXFBPUGHEMFJYA\service.exe

"C:\Users\Admin\AppData\Local\Temp\ENXFBPUGHEMFJYA\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempPUPWL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SGHCADYTGNINJVS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe

"C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempOXTSH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PMAMYUASWRNPBHO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKGVJQL\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKGVJQL\service.exe

"C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKGVJQL\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWTRVQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BFUUHIECEUIPJOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe

"C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWMNKT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VVDRQCLCULIDSMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe

"C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVHFJX.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGSTOMPESAIAUJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVEQUF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IJGOAHLCNPKILAO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPGXODND\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPGXODND\service.exe

"C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPGXODND\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWVRSS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NJHJNUDOTEQBAYE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe

"C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempUASWR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GVUIJEDFVIQKPMX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYTCWYMQWCDAJB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BKYTCWYMQWCDAJB\service.exe

"C:\Users\Admin\AppData\Local\Temp\BKYTCWYMQWCDAJB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempXUASW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GVVIKFDFVJQKPAM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJC\service.exe

"C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJC\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempSDWWL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TPDQBAYEWVRSFLS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe

"C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempXDVUQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YLMIGIYMTCNSDPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe

"C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempFDRRL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GUQOTFSVQJMNWSA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe

"C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKWHGK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CAEHSUPNPFTBJAV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempHIFOA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLGPYWHDOHIYRUW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBDUQR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBDUQR\service.exe

"C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBDUQR\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMPQVC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GTAKXTRBWICWYDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIASJGBUYKLIRDJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AIASJGBUYKLIRDJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\AIASJGBUYKLIRDJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMVREC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DYCPFTPNSESUPIL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe

"C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempPUGEI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GYQMHXQBRBQROXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe

"C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKOOIB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IJCJJSNWNCLXUTX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe

"C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempPYATT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QMANYVBTXSOPCHP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKQXIICWADTPQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XARKQXIICWADTPQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\XARKQXIICWADTPQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempLGKYH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HMREBQYQDFAAVQE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWBYTRAYUJXFN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ILXWBYTRAYUJXFN\service.exe

"C:\Users\Admin\AppData\Local\Temp\ILXWBYTRAYUJXFN\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempIRDJO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PBJASKGBRKLUXKL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DVOTMCMGEHXTUCP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DVOTMCMGEHXTUCP\service.exe

"C:\Users\Admin\AppData\Local\Temp\DVOTMCMGEHXTUCP\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempHIRMV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JYWFGRXOMQLSHIA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OHXGOCCDYDUPCJE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\OHXGOCCDYDUPCJE\service.exe

"C:\Users\Admin\AppData\Local\Temp\OHXGOCCDYDUPCJE\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempACESA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BVAWKXIHLYCMSKA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe

"C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVLXIH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAITUQOQGUBKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe

"C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempXSSHQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PLMXUASWRNOBHOO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VNMUIIJEDJFVIQK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VNMUIIJEDJFVIQK\service.exe

"C:\Users\Admin\AppData\Local\Temp\VNMUIIJEDJFVIQK\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempUVHIF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QMLYFPYWGDNHIYR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJIQEEFAFBWRELG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\QJIQEEFAFBWRELG\service.exe

"C:\Users\Admin\AppData\Local\Temp\QJIQEEFAFBWRELG\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMHQHF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXJHLGOCDWUDDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETURAB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETURAB\service.exe

"C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETURAB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempDXBMK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFDHCJVWRPSIVDM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOFXPLGAAPQNWIO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FOFXPLGAAPQNWIO\service.exe

"C:\Users\Admin\AppData\Local\Temp\FOFXPLGAAPQNWIO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWIGKF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RISOJSETDSTRALS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempEFOKY.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "USRVIMIGWULKMHA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe

"C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempJGOAH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RNMGPXHDOIISVWI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempCFHQM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUSXKAOJHYWMMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTJDBIRINFWNBLC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\QTJDBIRINFWNBLC\service.exe

"C:\Users\Admin\AppData\Local\Temp\QTJDBIRINFWNBLC\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempIIRMV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JYWFGRXOMQLTHIB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PHXGOCCDYDUPCJE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PHXGOCCDYDUPCJE\service.exe

"C:\Users\Admin\AppData\Local\Temp\PHXGOCCDYDUPCJE\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempOPYUB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FSIWSQAVHAUXBSL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe

"C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempPPYAT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQMANYVBTXSOPCI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe

"C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe"

C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe

C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Network

Country Destination Domain Proto
N/A 192.168.1.16:3333 tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2025-02-25 22:09

Reported

2025-02-25 22:12

Platform

win10v2004-20250217-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUJDCJSINFWNBMC\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGEHXTUC\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\LHWUKUOMPAEKXWJ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GUQTWUXINSAFCRR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VPHNUGGATARNXOJ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFWSSA\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKXAXF\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DMVEAYOSYEFCLDI\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RTJDBIRINFWNBLC\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HPGYQMHBBQROXJP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\OGWFNBBCXCTOBID\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAJ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVRGUCKB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SRBNNOJIOKANUEP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MIXVLVPNPBFLYXK\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROXJP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NJXVLWPNQBGLYKS\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\UOHNUFGTAQYMXNJ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYL\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CLYUDXNRXDEBKCH\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HQIESXIJGPBHMAD\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOBHMCO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\KGVTJTNLODJWVIQ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HRIFTXJKHQCINAD\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBVQEL\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\LODWUDXMCIQHGRO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EAVOTMCMGEHXTUC\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMLT\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WDVFRRSNMSOERYI\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMKSELP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIRDJ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EAWPUNDNHFIYUVD\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTFMQ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VNMUJIJFDKFVIQK\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAJB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBROYOK\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXNHAFMVMRJRFPG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HRIFTXJKHQCINAD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBVQEL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SRBNNOJIOKANUEP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RTJDBIRINFWNBLC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GUQTWUXINSAFCRR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IKWWAXSQXTIWENE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VNMUJIJFDKFVIQK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VPHNUGGATARNXOJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MIXVLVPNPBFLYXK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBCHAE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LODWUDXMCIQHGRO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAJB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMVEAYOSYEFCLDI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HPGYQMHBBQROXJP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBROYOK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMKSELP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIRDJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EAWPUNDNHFIYUVD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UOHNUFGTAQYMXNJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WDVFRRSNMSOERYI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EAVOTMCMGEHXTUC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OGWFNBBCXCTOBID\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROXJP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFWSSA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HQIESXIJGPBHMAD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LHWUKUOMPAEKXWJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOBHMCO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVRGUCKB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKXAXF\service.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FBPVNEDGBHVDRQC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIESXIJGPBHMAD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HVCLUSDXKDXEUNQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKBTLHCVLMJSEKP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CHVUGPGYQMHXQBR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNNOJIOKANUEP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SEMDVNJEUNOXNOM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AKXTBWYMQVCDAJB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FCHCJVWRPSHVDMD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIRJFATYKKIQCJN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CAEHSUPNQFTBJAV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLDUMIDXNOLTFMQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JXENWUEBLFGWPST = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQIOVGHAUBROYOK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VWIOVVHBOXKJXEU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPYHDRVHIFOAGLC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FKYXKSJTPKTEUET = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SKJRFFGBGCXSFMH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CRQEFBBWREMGLIT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXMGFMVLRIQEPFB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CEYAVPDKFJXGSYO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESORUTVHLQDBPXP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KTPKTFUEUVSBMTX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NJXVLWPNQBGLYKS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EPMLPCGCAQWOFFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYXBUSBUKYAGOF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIWVHQHRNIYRCSC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FYIUTVQOVRGUCKB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PXMNFMNVRRGOBYW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AOKYWNXQPRDHMLT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UFGEMFJYAYLMIGI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFVEMAABWBSNAHC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WUSXKAOKHYWMMOJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RTJDBIRINFWNBLC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IWDMVTEAYLEYFVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPHNUGGATARNXOJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UYTQRDJQQBVVJSF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIXVLVPNPBFLYXK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NAEAOUMDCFAGUCQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJXTBWYMQVCDAJB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BDGRSOMOESITYJV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKBTLHCVLMKSELP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QQCKBTLHCSLMVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAWPUNDNHFIYUVD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WIQHRNIYRCSCRSP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LODWUDXMCIQHGRO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HGTAJXTRBWICWYD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXNHAFMVMRJRFPG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JECTYRHHJEACLHV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYGCQVGHFNGKBM\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSXEFCLDIWWKLGE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDWGSSTOMTPESAJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LPUBCHAETTGIDBE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GYJVUVRPWRHUCLC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CFVRSANNHQXIEPI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SKJRGFGCAHCXSFN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KXENXVFBMFGXQTU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMEVNJEYOPMUGNR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TYUIVGFJWXAKQXX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WDVFRRSNMSOERYI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UBCHAETTGIDBEYT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPJBHOXAANTLTHR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AONHQXIEPIJSVXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMRYKAKEYCFVRS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WVJKFEGWJQALQAN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLYUDXNRXDEBKCH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TTGIDBDYTHOJNKW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWSAVYWKPUBCHAE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LMJSEKPBDFRSNMO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WOIBHOXANSKSGRH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QLJYOBOQLEHJSOB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPHDSWIJGOBHMCO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GBQVOEEGBIWESRD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GTPSVUWIMRFCQQE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QPBJBSKGBRLLVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAVOUMDNGEHXTUC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PNRFIECTYRHHJEA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOHNUFGTAQYMXNJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YUVIOVVGAOXKJWD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHWUKUOMPAEKXWJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HRNIYRCSCRSPYKQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGVTJTNLODJWVIQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QEQBAYEWVRTFLSS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNMOJHOKNUDPT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TPNRMUJKCJKSOWO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBXQVOEOIGJVWER\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UQERCAFXWSTGLST = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAVOTMCMGEHXTUC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XNJIWDMVTEAYLEY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OGWFNBBCXCTOBID\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HXYVEEPWMKOJRFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CUMSKBLEYDFWSSA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PQDJQQBVUJSFERV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESNQUSVGLQDAPXO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XWANDRNLQCPSNGJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXMGFMVLQIQEPFB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PMAMXUASWRNOBHO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VNMUJIJFDKFVIQK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BEPRMKNCQXGSWHT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMVEAYOSYEFCLDI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LGPYWHDOHIYRUWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOFXPLGAAPQNWIO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GMRCAEHSUPNQFTB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPFXVEYNDJARIHS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QDHDBRXPGFIDAJX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOGXPLGBAQROXJP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MJJURPTOWKLELLU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDYRXPGQJIKXAXF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RWSGSECGYXUVINU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WONVKJKGELGWJRA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DEAAVQDLFKYHSPN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTPRVTWHMREBQYP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MOAEJXWIQIRNIYS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QJYIQEDFAFBVQEL\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QPTGKGEUSJIKFCD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQFYWFYOEJBSJIS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VIMIGWULLNIBEFO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIARJFAUYKLIRDJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RRNMHQXIEPIJSVW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLKMHFMIXLSB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WUTXKAOKIYWNMOJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUJDCJSINFWNBMC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UWIMRFCQQEFABWR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXXBYTRAYUJXAF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BPFSOMRERTOHKLV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HPGYQMHBBQROXJP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TKUQLUFVAFUVSBN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ANJXVMWPOQCGLYK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4304 set thread context of 1864 N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\KGVTJTNLODJWVIQ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKXAXF\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CLYUDXNRXDEBKCH\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAJB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGEHXTUC\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DMVEAYOSYEFCLDI\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HQIESXIJGPBHMAD\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMKSELP\service.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXNHAFMVMRJRFPG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HRIFTXJKHQCINAD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBVQEL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SRBNNOJIOKANUEP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RTJDBIRINFWNBLC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GUQTWUXINSAFCRR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IKWWAXSQXTIWENE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VNMUJIJFDKFVIQK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VPHNUGGATARNXOJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MIXVLVPNPBFLYXK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBCHAE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LODWUDXMCIQHGRO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAJB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMVEAYOSYEFCLDI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HPGYQMHBBQROXJP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBROYOK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMKSELP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIRDJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EAWPUNDNHFIYUVD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UOHNUFGTAQYMXNJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WDVFRRSNMSOERYI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EAVOTMCMGEHXTUC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OGWFNBBCXCTOBID\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROXJP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFWSSA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HQIESXIJGPBHMAD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LHWUKUOMPAEKXWJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOBHMCO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVRGUCKB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYL\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2748 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe C:\Windows\SysWOW64\cmd.exe
PID 2748 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe C:\Windows\SysWOW64\cmd.exe
PID 2748 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe C:\Windows\SysWOW64\cmd.exe
PID 1348 wrote to memory of 4788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1348 wrote to memory of 4788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1348 wrote to memory of 4788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2748 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe
PID 2748 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe
PID 2748 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe
PID 5044 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe C:\Windows\SysWOW64\cmd.exe
PID 5044 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe C:\Windows\SysWOW64\cmd.exe
PID 5044 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4544 wrote to memory of 4668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4544 wrote to memory of 4668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4544 wrote to memory of 4668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5044 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe
PID 5044 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe
PID 5044 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe
PID 4740 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4740 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4740 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 4616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2092 wrote to memory of 4616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2092 wrote to memory of 4616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4740 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe C:\Users\Admin\AppData\Local\Temp\UXNHAFMVMRJRFPG\service.exe
PID 4740 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe C:\Users\Admin\AppData\Local\Temp\UXNHAFMVMRJRFPG\service.exe
PID 4740 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe C:\Users\Admin\AppData\Local\Temp\UXNHAFMVMRJRFPG\service.exe
PID 4016 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\UXNHAFMVMRJRFPG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4016 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\UXNHAFMVMRJRFPG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4016 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\UXNHAFMVMRJRFPG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 4808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4712 wrote to memory of 4808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4712 wrote to memory of 4808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4016 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\UXNHAFMVMRJRFPG\service.exe C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe
PID 4016 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\UXNHAFMVMRJRFPG\service.exe C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe
PID 4016 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\UXNHAFMVMRJRFPG\service.exe C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe
PID 1080 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1080 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1080 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe C:\Windows\SysWOW64\cmd.exe
PID 556 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 556 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 556 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1080 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe
PID 1080 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe
PID 1080 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe
PID 2204 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe C:\Windows\SysWOW64\cmd.exe
PID 5024 wrote to memory of 4352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5024 wrote to memory of 4352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5024 wrote to memory of 4352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2204 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe
PID 2204 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe
PID 2204 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe
PID 2648 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 4664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 4664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 4664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2648 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYP\service.exe
PID 2648 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYP\service.exe
PID 2648 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYP\service.exe
PID 2672 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYP\service.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe

"C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXGGPK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HWXUDEPVMKOJRFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe

"C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTYKIM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TKUQLUFVAFUVSBN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe

"C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTMPQV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HGTAJXTRBWICWYD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXNHAFMVMRJRFPG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UXNHAFMVMRJRFPG\service.exe

"C:\Users\Admin\AppData\Local\Temp\UXNHAFMVMRJRFPG\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAHVDR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCNLJOBFAPUNDDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe

"C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDLXVT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TPNRMUJKCJKSOWO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe

"C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SEMDVNJEUNOXNOM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe

"C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRMUIJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DEAAVQDLFKYHSPN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYP\service.exe

"C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXBMKI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FCHCJVWRPSHVDMD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe

"C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJSVXI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CFVRSANNHQXIEPI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe

"C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGYUUV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PQLJMBPWGRWGSEC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HRIFTXJKHQCINAD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HRIFTXJKHQCINAD\service.exe

"C:\Users\Admin\AppData\Local\Temp\HRIFTXJKHQCINAD\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDTCST.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MOAEJXWIQIRNIYS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBVQEL\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBVQEL\service.exe

"C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBVQEL\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBQROX.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CHVUGPGYQMHXQBR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNNOJIOKANUEP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SRBNNOJIOKANUEP\service.exe

"C:\Users\Admin\AppData\Local\Temp\SRBNNOJIOKANUEP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCFHQM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUSXKAOKHYWMMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RTJDBIRINFWNBLC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RTJDBIRINFWNBLC\service.exe

"C:\Users\Admin\AppData\Local\Temp\RTJDBIRINFWNBLC\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNVJKK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EGBBWRFMHLITQOS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GUQTWUXINSAFCRR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GUQTWUXINSAFCRR\service.exe

"C:\Users\Admin\AppData\Local\Temp\GUQTWUXINSAFCRR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAHVDR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCNLJOBFBPUNDDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IKWWAXSQXTIWENE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IKWWAXSQXTIWENE\service.exe

"C:\Users\Admin\AppData\Local\Temp\IKWWAXSQXTIWENE\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOXTSH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PMAMXUASWRNOBHO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VNMUJIJFDKFVIQK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VNMUJIJFDKFVIQK\service.exe

"C:\Users\Admin\AppData\Local\Temp\VNMUJIJFDKFVIQK\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRTYEF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IWDMVTEAYLEYFVO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPHNUGGATARNXOJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VPHNUGGATARNXOJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\VPHNUGGATARNXOJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempESVVP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UYTQRDJQQBVVJSF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIXVLVPNPBFLYXK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MIXVLVPNPBFLYXK\service.exe

"C:\Users\Admin\AppData\Local\Temp\MIXVLVPNPBFLYXK\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSQUPX.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TTGIDBDYTHOJNKW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBCHAE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBCHAE\service.exe

"C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBCHAE\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKTPCA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWANDRNLQCPSNGJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe

"C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMIWVH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPTGKGEUSJIKFCD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe

"C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYKQVH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WIQHRNIYRCSCRSP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LODWUDXMCIQHGRO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\LODWUDXMCIQHGRO\service.exe

"C:\Users\Admin\AppData\Local\Temp\LODWUDXMCIQHGRO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempELGLY.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UWIMRFCQQEFABWR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe

"C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPBJBE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NAEAOUMDCFAGUCQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAJB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAJB\service.exe

"C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAJB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSXDEB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HVCLUSDXKDXEUNQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe

"C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEDHYV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BEPRMKNCQXGSWHT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMVEAYOSYEFCLDI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DMVEAYOSYEFCLDI\service.exe

"C:\Users\Admin\AppData\Local\Temp\DMVEAYOSYEFCLDI\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempREBQY.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BPFSOMRERTOHKLV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HPGYQMHBBQROXJP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HPGYQMHBBQROXJP\service.exe

"C:\Users\Admin\AppData\Local\Temp\HPGYQMHBBQROXJP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGHEMF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KXENXVFBMFGXQTU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNR\service.exe

"C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUGOFA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JECTYRHHJEACLHV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe

"C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYFGDM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JXENWUEBLFGWPST" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBROYOK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBROYOK\service.exe

"C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBROYOK\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGFJWA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGRSOMOESITYJV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMKSELP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMKSELP\service.exe

"C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMKSELP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKYXJR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VIMIGWULLNIBEFO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIRDJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIRDJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIRDJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNTFBL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VWIOVVHBOXKJXEU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLC\service.exe

"C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLC\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMJSEK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QQCKBTLHCSLMVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAWPUNDNHFIYUVD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\EAWPUNDNHFIYUVD\service.exe

"C:\Users\Admin\AppData\Local\Temp\EAWPUNDNHFIYUVD\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCIWES.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EPMLPCGCAQWOFFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe

"C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempURBMS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FKYXKSJTPKTEUET" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe

"C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOPYAT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQMANYVBTXSOPCH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe

"C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBLHUU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PNRFIECTYRHHJEA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTAQYMXNJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UOHNUFGTAQYMXNJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\UOHNUFGTAQYMXNJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBEFPL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AVTRVJMIGXVLLNI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe

"C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIACQM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TYUIVGFJWXAKQXX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WDVFRRSNMSOERYI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WDVFRRSNMSOERYI\service.exe

"C:\Users\Admin\AppData\Local\Temp\WDVFRRSNMSOERYI\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIFOAG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LGPYWHDOHIYRUWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe

"C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIRNVM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JXGGSYOMQLTHJBI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYMTCN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UFGEMFJYAYLMIGI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe

"C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQOSNV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CRQEFBBWREMGLIT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe

"C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMQLTI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CEYAVPDKFJXGSYO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe

"C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHOJNK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UBCHAETTGIDBEYT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe

"C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJAVKW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GMRCAEHSUPNQFTB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe

"C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEXXMV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UQERCAFXWSTGLST" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAVOTMCMGEHXTUC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\EAVOTMCMGEHXTUC\service.exe

"C:\Users\Admin\AppData\Local\Temp\EAVOTMCMGEHXTUC\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempERYIT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LMJSEKPBDFRSNMO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe

"C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHXKRB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OSXEFCLDIWWKLGE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJGPBH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AONHQXIEPIJSVXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe

"C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVGAOX.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWSGSECGYXUVINU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe

"C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFVORS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XNJIWDMVTEAYLEY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OGWFNBBCXCTOBID\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\OGWFNBBCXCTOBID\service.exe

"C:\Users\Admin\AppData\Local\Temp\OGWFNBBCXCTOBID\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFTSEM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QDHDBRXPGFIDAJX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROXJP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROXJP\service.exe

"C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROXJP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXGGPL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HXYVEEPWMKOJRFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFWSSA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFWSSA\service.exe

"C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFWSSA\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKCFUL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FBPVNEDGBHVDRQC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIESXIJGPBHMAD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HQIESXIJGPBHMAD\service.exe

"C:\Users\Admin\AppData\Local\Temp\HQIESXIJGPBHMAD\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUMSEA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YUVIOVVGAOXKJWD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHWUKUOMPAEKXWJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\LHWUKUOMPAEKXWJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\LHWUKUOMPAEKXWJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNVMGA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QLJYOBOQLEHJSOB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOBHMCO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOBHMCO\service.exe

"C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOBHMCO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYTHOJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LPUBCHAETTGIDBE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe

"C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBFXWS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNOKIKANVEPUERC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe

"C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXTSHQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PLMXUASWRNOBHOO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe

"C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRSPYK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DIWVHQHRNIYRCSC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVRGUCKB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVRGUCKB\service.exe

"C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVRGUCKB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRTYEF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IWDMVTEAYLEYFVO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYL\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYL\service.exe

"C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYL\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQYPEN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MJJURPTOWKLELLU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKXAXF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKXAXF\service.exe

"C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKXAXF\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLCGUM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GBQVOEEGBIWESRD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe

"C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVPING.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PQDJQQBVUJSFERV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe

"C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMJREK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBJBSKGBRLLVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGEHXTUC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGEHXTUC\service.exe

"C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGEHXTUC\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYVBTX.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WVJKFEGWJQALQAN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLYUDXNRXDEBKCH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CLYUDXNRXDEBKCH\service.exe

"C:\Users\Admin\AppData\Local\Temp\CLYUDXNRXDEBKCH\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKWHGK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CAEHSUPNQFTBJAV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTFMQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTFMQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTFMQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJGOBH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RNMGPXHDOIJSVWI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHFJE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HRNIYRCSCRSPYKQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGVTJTNLODJWVIQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KGVTJTNLODJWVIQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\KGVTJTNLODJWVIQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDXWLU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QEQBAYEWVRTFLSS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe

"C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJHLGO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KTPKTFUEUVSBMTX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NJXVLWPNQBGLYKS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\NJXVLWPNQBGLYKS\service.exe

"C:\Users\Admin\AppData\Local\Temp\NJXVLWPNQBGLYKS\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYRWIF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCMSKBBDESAONHC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe

"C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAORSL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PXMNFMNVRRGOBYW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMLT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMLT\service.exe

"C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMLT\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIJGPB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RRNMHQXIEPIJSVW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe

"C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCGHQM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUTXKAOKIYWNMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe

"C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe"

C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe

C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
N/A 192.168.1.16:3333 tcp

Files

C:\Users\Admin\AppData\Local\TempXGGPK.txt

C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.txt

C:\Users\Admin\AppData\Local\TempTYKIM.txt

C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe

C:\Users\Admin\AppData\Local\TempTMPQV.txt

C:\Users\Admin\AppData\Local\Temp\UXNHAFMVMRJRFPG\service.exe

C:\Users\Admin\AppData\Local\TempAHVDR.txt

C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe

C:\Users\Admin\AppData\Local\TempDLXVT.txt

C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe

C:\Users\Admin\AppData\Local\TempUGMRD.txt

C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe

C:\Users\Admin\AppData\Local\TempRMUIJ.txt

C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYP\service.exe

C:\Users\Admin\AppData\Local\TempXBMKI.txt

C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe

C:\Users\Admin\AppData\Local\TempJSVXI.txt

C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe

C:\Users\Admin\AppData\Local\TempGYUUV.txt

C:\Users\Admin\AppData\Local\Temp\HRIFTXJKHQCINAD\service.exe

C:\Users\Admin\AppData\Local\TempDTCST.txt

C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBVQEL\service.exe

C:\Users\Admin\AppData\Local\TempBQROX.txt

C:\Users\Admin\AppData\Local\Temp\SRBNNOJIOKANUEP\service.exe

MD5 7dfaebf785cbe30db4c6ef8efeb9760d
SHA1 aace637fd81cbe4ffe6ec97e434e4dc8cb24455a
SHA256 5533e3a5a7e17266e04e241b305e1381b11301603bd9e6e09c2510232862aa41
SHA512 e78dd24cde0114965cc79bd92252fb8c6469fafcd0fb459ad963cb4f52708fea92aeb7062e0e0bc8ee441723060264f93b139488afd45346a9053d79991858c2

C:\Users\Admin\AppData\Local\TempCFHQM.txt

MD5 239eefbaf454ce3171eb75aa104a7a8f
SHA1 50893d5e37d59ad3eefcba0a9e1ba21e577eec57
SHA256 42a5cd25a77b02f06eb1ae7a34748b049a79133c66d759506d97042a453c213a
SHA512 de14c047d07056c963f2ba149e747ccf5e0a2bbd14ed0fc999a9d66c4000f765ccfaa191825d6dfd4aaffe8536612ef7aac7a521a7f0904bf061151983d4711b

C:\Users\Admin\AppData\Local\Temp\RTJDBIRINFWNBLC\service.exe

MD5 96f1bedba57f10a90184ee15f7655719
SHA1 be193af53c7e1b210141143297708424f30ef099
SHA256 1d50116b26a3e087d76a885a0b47d76084c6a7ce35c9905aafc29c7f375f16fe
SHA512 af41dfe03ca5c8453b034abf943997049928b4a9fbd62a1dff353fd40842e89aa8add1ea590ec25c9df4ba1ac8b1fbe19716bddde416e3f7bbd6bffce8804d52

C:\Users\Admin\AppData\Local\TempNVJKK.txt

MD5 0edb0ab4b7c786e54ac8cfbb7b878f9d
SHA1 b144b49660a3628eb94992b6233b7b9fe43aaeb3
SHA256 f52e283de13d7e683da2c150123b2df687b96e691e0b2d5a2cde6eaa5a9afcf8
SHA512 3709e65974cfd5d8771fe17db1b7a868da8bf55c5dd9bfeef4f4a1bc95043d525bc9bd3fb137266c70b667c22dbfd73ddeb9d3c3c8442f3c0880747c6ffd667d

C:\Users\Admin\AppData\Local\Temp\GUQTWUXINSAFCRR\service.exe

MD5 0706fc5965607dd08d1d1613fea261f5
SHA1 b2b477e7e0295dcffbfcbd7ce9136534f57d1c42
SHA256 b1d0f436a8cc8613616060ac66588e95a2715f5344dada432c1ed636f7955faf
SHA512 9c2bdff67a36279547acb172eb2d818ea5f97c42e38bbe7d7dc710aa8bf84987a2206f3cd1cb99987e17c90cf8e1156d3823b7bb3a5edf3c0cdb4d92633719f8

C:\Users\Admin\AppData\Local\TempAHVDR.txt

MD5 7075fa8adb0a3d258cda2952a34e7340
SHA1 5801a6b2e8a8e1844ec57a65f78ba4e77bdefd1a
SHA256 88f92a3a89e0063f184b177b605ce5affc597fa8802e49b4b8c4b56ef8e977b9
SHA512 5cc82cee1092136bc4555b3d444571c590a0cd0ec77f213c717ef826a1e68c55dd80f87951223ac3dd0b7abcb7cd9194dbd2023fab0f4339ffe6419831460277

C:\Users\Admin\AppData\Local\Temp\IKWWAXSQXTIWENE\service.exe

MD5 619729abff37eec1cea57d783310f85c
SHA1 d603934a99c563b40add2a2b1f27acf38bb5d1ee
SHA256 05f762149cb3c747f099ad92ce24aab5d6148ef8373db744270fc404160890b2
SHA512 16fd26834a0e1d907e2c048528854ccd2cca0d114a2db8375631f221fdc57718de7626f4af39968a94131916cf837bf538348227ba588bd5268379f2637b295d

C:\Users\Admin\AppData\Local\TempOXTSH.txt

MD5 bc36df4141c4571df4b328c6269397ef
SHA1 7ca87fbb23c5958d6a159b9a32a60e3f2fd4e967
SHA256 046d8a81e4cd3576b293b213036f947095867192d9918e65feb0b65ac35b4c3c
SHA512 a79049d0b3026e1519c6b154452376ad5311db825e6593ee75cf885c422b65968ff640d38bb51327f86b0fa8e9b382bdcc10a4a8db0859dc7ae5a8628f8930a1

C:\Users\Admin\AppData\Local\Temp\VNMUJIJFDKFVIQK\service.exe

MD5 fdeb4a84fd3064eaa5338c362d6355a2
SHA1 0b9f0f73458a8ae95467f87d1b895ef3203dbafb
SHA256 f346988bc54fec87df82571a8c727aca219e2a253eaf32dd957e4bf1bc1905c9
SHA512 855589a5c3971a756c2b40a614aa6723acf3c826d2c0e8999f6796067662c42a45b79eb3c0c72fcd269a0da938ce748c373efc694dba68ea8f7aa10b1378e161

C:\Users\Admin\AppData\Local\TempRTYEF.txt

MD5 8a471c98573c32fb000e49a27026dbaf
SHA1 c8e852f251159b3fd227b968c935f284f4b3d7b6
SHA256 fddf79ded5e8e38107b86bfbdbf38a58ee7e77c354fed01ca00076e52e390f15
SHA512 88ad4e534fe8a98cf86d083e53e1851ee0229e793e32ea466b7f722388a070eb7f279acff3a9d61b6327abc6ec14fc5bd60ed7754fb0e76c917487574a75880c

C:\Users\Admin\AppData\Local\Temp\VPHNUGGATARNXOJ\service.exe

MD5 72016b37825983e9a71d2952c09baf2c
SHA1 bacebf36fc5cbfbf0dab9118dcac9210e74f1dc0
SHA256 a49723bdf92b19d4b138e9cb40b3d8b4833395c0d49816ffec88856bd1f535f2
SHA512 6031f05b77ec2cdc5000098e93137c652d1642861bc322884d910a3d2f9a06ed0eb7496e93a85635a638dbe22ed5ac4ff7f96bc2f5c287566bd7f0e62ef682db

C:\Users\Admin\AppData\Local\TempESVVP.txt

MD5 d78f6dedb7d8a21303a364531491ea94
SHA1 0f4930aa6055ac6032a425858ccbefc37b0bd5db
SHA256 18601f755e3b8c6c37f8136416d23de60b6d9b73bab8fe726a8948dfb2c6ad08
SHA512 5696104777d4675475103ca5b95237dc9fffd67f112f114d5dd0aef53b263483b61c12fcfebc46a3cbd8aa2e31ae4fd466acc9a40c6756735e56df39a29ae34b

C:\Users\Admin\AppData\Local\Temp\MIXVLVPNPBFLYXK\service.exe

MD5 a09610c23e26c5780511ccaa762bffeb
SHA1 270e61baee29e0a7ccf95618473f732573e31974
SHA256 e9642af7ffa39590c4d1ff0553a7d4017bb935fbc9e3108eeadce46c70275be9
SHA512 03f71c1cda3b68dc483a513239bfe0569ce311b7bb811cc4afdd00b84f7de0a73598e04974e68ede576e8ea711897b70d415535a5bcf459f0aa6489772e97995

C:\Users\Admin\AppData\Local\TempSQUPX.txt

MD5 e585d2abdf0649119785a17fd016b689
SHA1 5a06c0c60423540778480c2dccd5ac56ff93749e
SHA256 afda9046126916d981e00f7df9c0c1e0968df7fcb55c6bd8bcc38ea2182c1027
SHA512 66cb5646b37be081220ca9bb083912301d6a1a14f3358d8fad3e0380dd62e7da76d54f38679fa14f0843201c09e9fd7fa6ed1273766cf9a765477c3f5915f3dd

C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBCHAE\service.exe

MD5 4cf46a7be26b37ad874a29a2bd755b37
SHA1 13e5652a3392cd78e071bd39490a4e8916c4afbd
SHA256 ca2eccddf407c229acb3a0d258f50ebd346d64b03656b9b6de1118c1b49a417b
SHA512 29a6c902141dbacbec2d0262c5d56571767b9fe701cd95d47c9a77dbf79092e5254e9bc13718c528c65ef23f5ac8ea6ee33a7e6e57e1875cde4106a648cf1dd6

C:\Users\Admin\AppData\Local\TempKTPCA.txt

MD5 e6971fc5ad2bb62beef1e7af5975375e
SHA1 28cc9cdf959d6949d98d965a0e5c6686fae0c421
SHA256 631e83a43ba699b3f360f0a6f4862b3c0644e14cc596e75eb1d05e014970af58
SHA512 8f7357df0d71ecf54199480c5eb4064380c554f3c877ad0d9ec42ff573da506cca3514842916d4cd5b8cee09cbcfd7cf98fb02104929c7a0278411efda48c0a8

C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe

MD5 7083186f90f4ae511be02da32f8ffb03
SHA1 6ad03ec79a4e291a1e4515778a77badad66c288e
SHA256 b831923bdfc7571e8385a66eccfc9b3af95c082ad457ada5dccebfade62a399b
SHA512 212c4f7dae21d107775410be9f403b9315f6a2ce4bfc50447e51cc1296fe23d668c248a55a0957c2c39800a4fb0cbe4ba9f30c3ccc53787d0ef1029d8ab90e8f

C:\Users\Admin\AppData\Local\TempMIWVH.txt

MD5 058680478320d20e5e434265503dfb07
SHA1 aaf43191c1521e090b943cfb6385e9d167e53884
SHA256 4e4a309108a39f2769d11f1a209ab8ee34b429a594fdfc8dfdec4a812993988d
SHA512 52e173061ec80f2bb36b72f78f9cc1adc5138017436cb9a4d044a782bfe0a3db660011bd89614fcba2acf99915b73d4ab3ad1170bfa220454a47d5488a07ea91

C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe

MD5 3475b58859760297f647f9821d8476f6
SHA1 81aba444bf5f008faf0f9a68e323a078fe62c80b
SHA256 599b4ef3b16f70742154a118cd7caa9ae1b709991810396d02603fb3172bd4d8
SHA512 d747039dc5a880eda0dc784ca2631e09a736a77a1c022715423ecbd5806e3fdd71146b93ec96b9db2f8dd376158bcccc7f07ef633e5171a6d489ff5817e8b488

C:\Users\Admin\AppData\Local\TempYKQVH.txt

MD5 fd29f235a1b919d4f856b04d33afd0d5
SHA1 68e62d9ac083e200570587bba3156e4f69971d04
SHA256 68ed474973f3d498b284d5f4ca696769c8299d776c1a5f4e8f3899b4e5a1f1a5
SHA512 5993dcac34eb1ef2dbd3a79894a5c9f120cf032f50bb55e90b3374d4f34ab898ae24ab0c00b2cdedc947ac2dd2920044a784e834c8e2a353cac68142591be507

C:\Users\Admin\AppData\Local\TempELGLY.txt

MD5 2ff3daf2637c99f4ff2080f0a5d34189
SHA1 56690c7913cbd10e287e5b5f0fdb11a7bd0467df
SHA256 09d285e9a94fa0a7f360ae4d6649de240c96c21dd6229d9eb5f396bae015cb06
SHA512 fb2e0a32b631c189f2815c6118239cbc94484ff058ff669d11611fa21d6c43430b1ae4fdddf7b298aa1a308fc9aeb05a7d32b226a8df8764235b17c817ffe382

C:\Users\Admin\AppData\Local\TempPBJBE.txt

MD5 acd0ab956d270e7b2d7576a6ccfcc4d7
SHA1 5220c3745710d5eb63091d6952fa4925acc8d61d
SHA256 307000cdef3b33258646f94ff55ab94102276561b8d27e2b0b3cb7ffc17a9fdd
SHA512 aa711b27e1338649158692a7ef7850a73c7f3ad51bb3219dac40a04c52bf096a58e86a6fc120be24b50a0014fe1ce92599711c00adae1174c4b551dd17ff159d

C:\Users\Admin\AppData\Local\TempSXDEB.txt

MD5 2ba106b3457b5e4c1e874b3d931718f5
SHA1 6f1d297dd3406e04e7639794d81e35b8889b3625
SHA256 73c1281e516baa682d0b73fa59ceeaec1e766ac4cfe7d9309c11876056b6cd89
SHA512 524922a98ea4d3f50f58912b55ed7cac2c5feafb15d2eb6a0524ef3b5724a18e50acd8a0a8651d70819008fc96443613569306e50448acb5ac9a6acc4caa48f0

C:\Users\Admin\AppData\Local\TempEDHYV.txt

MD5 6e41e2c2744a82d14804eedd879aad75
SHA1 76ef457877c17405145047c1529dedd08f45cc64
SHA256 e4746a595fdc615924a1ada3e77f3e8f9678160c8eb9c179c4c176ee364e7caf
SHA512 59b434da532ab2e3e94b44caca3c7c8c6ba110ff50be29107ad217e934bd7eb856d6db8173915a2c8714d6e0c9b58086c9d7e2309bd5d9a9079dddd4871e8feb

C:\Users\Admin\AppData\Local\TempREBQY.txt

MD5 51eba0ee090a6b5662573df3e0176a2b
SHA1 1160b17d02746c5e4eb715a42a7bcbce41bdde63
SHA256 fe9d5476f999001770ce8a3567946c6e2c5f157298dba6b4023121bc0770ee1e
SHA512 33b52b7a1fec0a48ca1191c67492fae3d73d096fd89c14f9d0f4785ee2caacf9f0caa8ff6665f08748010d64665c5d16a1320ff489b7799a626e72d364c2fa37

C:\Users\Admin\AppData\Local\TempGHEMF.txt

MD5 a0b5387ec783ceb4de092ba1f91da5c6
SHA1 aa2bedfff43e346abecaf025346c02d47c08f977
SHA256 0bc2a16c6fed5c00acd4e2c6fb118464d0b06728a25662d4ae08c694ff0ad986
SHA512 5f201f4f6a08e7f2ac1c5d4d37589a52d7efaccd5b664c09b8b1e5583e629c6cd08b82e05327bcd23254c36c964ec33c73abb6cc0bebbf20f8428cd2eafe904c

C:\Users\Admin\AppData\Local\TempUGOFA.txt

MD5 ff41d9faad68118dff9c19481d95ccd0
SHA1 ac0c79759ca165e3b46995c9fef9bccce2a8d299
SHA256 86cea46460361ffe35763318d48c2fe552426d74a58b288801242912df03687b
SHA512 7aa42920b853213be0206f512f922b405329d97549163bb70ea9afa34b1cc8570c03ae2ad3506168a14249380c6c3824f5d8506984398453d34434ff2435ba26

C:\Users\Admin\AppData\Local\TempYFGDM.txt

MD5 277bbee719763e009a5e8bf22f8bf81f
SHA1 dea210d15df545f4d65c50f2695ad608c0677681
SHA256 3a58e680b7c79659f0a8588513dbe29d259c8d7e60f5ab806c80c2894b2ff44c
SHA512 7ff238358d28238418cc5af223051a206ad478ea6f48067bfefa6779b37b88668394df6b4f35f5bed93e0ec01fde32689b5e246586df6aaaf5214895f9be5ddd

C:\Users\Admin\AppData\Local\TempGFJWA.txt

MD5 fca6ab0fcaa34f257acfc8482268d7f9
SHA1 642c2a049ba6e18f0a855b526690b1b632ce8979
SHA256 04bae0907f86f94d00b3897b77115977af81f59afb51ce6de6bebf5f79edfe74
SHA512 dbc4c624742c49f2cbaf7ab206a02d62ca01a0df1a5adc914667584c970a338303765927ee77fb7e0f02ddfab7e5f9984576e9fb3c77b68d2297952a034d906c

C:\Users\Admin\AppData\Local\TempKYXJR.txt

MD5 d5c9aecacb25532193ab5e252af65c0f
SHA1 a26600c96b8544367a9c6347f6cb3bbbd0a2f5c0
SHA256 bba335354f719d183fda2dba171225dfe5757b955d3b5922e37a2e4e777b9da0
SHA512 1efc3dc37251fbd27c93fd3b2d9f0afc4718fb99f1fa46ac24b25267e9768b15b10146ae6984891f7039e3fb12f0151b056d329b58f2182de69b6caec97b4e88

C:\Users\Admin\AppData\Local\TempNTFBL.txt

MD5 004b69405a21013ddf838ab8c254aa1d
SHA1 8dbe7c8ec05c45ee6f8b5182ff331ffdf2e8cc33
SHA256 f9bb8da1428339048390190d8f62ecc0f47f6ea0018cd1473659c1ed72eb5d1d
SHA512 945c5a9138167da34f9acd25db3ed255d2e352ae39d41040986cb57af202066a2d1e6c399ce4afe48eb776e1b4c1fa5bcd221bfba99eb042933b6ad5e99732a4

C:\Users\Admin\AppData\Local\TempMJSEK.txt

MD5 fce13af42af349fe8ef6233bc79a08e5
SHA1 2e34f8f65b59160664876013b9d0e37856b585f1
SHA256 6f629893b54835cd9df0c9826f7bca25025be05ecc4a4b3f113dc572965bd7d8
SHA512 5058c3a7efb6db2de8859d9577f1860fb77af282d9de85695f9b21396518798d44df4ef7ff2a5ae663594fd0b51ea7fdb0832ebeb1dd8a433207bc2e5823d32f

C:\Users\Admin\AppData\Local\TempCIWES.txt

MD5 ba429fd56ff7582c4de4880c49452a09
SHA1 f39ab13e597a4092461eb550a4a343404828677d
SHA256 15ce592a30f8fa800ef34e4ccd3f9a5826f85ab0becc58f0c2cd34aa79ad6ebf
SHA512 83f91494e16ce9176dc14eab284c96cbac783ecf712524b31e9ecba8983c47ccfa20013b99c6cf8ffa05d32fcf6ec16f02d59263330639b08f7fd50136fd1e0a

C:\Users\Admin\AppData\Local\TempURBMS.txt

MD5 ed08b814a1d72558e8820ef8f1409b51
SHA1 206ef3949fab2e59aea58d852e32ee5d8d855217
SHA256 d2f99a50c58fae4b799a657859c6a4b8f314f67fbc28bd1e1720dd776013c4dd
SHA512 5b104f348c4dadd8b1d24df9992d702ca1c53698bc479a9a85b482f4472deb3cd1185df96899119cf019fb5ae61c02666dba1af56eca84f3e62c8c14b412c2da

C:\Users\Admin\AppData\Local\TempOPYAT.txt

MD5 4bcca904a941f8d8e580f005b741c70e
SHA1 af3a26eb0bb66219315e4cd7c1d4b8f8a4530258
SHA256 758ddbcc0c4b04ab8f8746bd0379badf35f28728ed12489572bf6e6a19ced52d
SHA512 85df4081ec72ef5ab53c29f84c4a80d53ab65514ed8fa3c74ac7eb02eb17b16042e7f10ebde6f809c57c7c74c039a6067800e68fed11543b7d8a295b5d52de09

C:\Users\Admin\AppData\Local\TempBLHUU.txt

MD5 cde6c5a8e8cd7976f3798f4b10dfd14d
SHA1 f162727eb0c9aac3bba47fee95003832397e94ec
SHA256 dffeab104c981e934d8fe1735fcd93aa25883145c540879da03440e86a1485e6
SHA512 ecbd1b7a71a5ff05b446bf1061ad153bf666b1fbcdfdc9c35fd7b732585bab58f121a1feb3ccdad686a0d66943510d603d8723983a9214b1d97ac035435a0e86

C:\Users\Admin\AppData\Local\TempBEFPL.txt

MD5 a6a9fe7d8be45323bf05068f5b2686ed
SHA1 528bf4a9b252731a33830cf76ec4f0d2134f7f9c
SHA256 02067c989143b747fe4702df88a33cd934c4da2e33ebe9485da92a01353b3073
SHA512 316b2140e4bcb3478e20c539e0e31ba53eb586fb51c251f7f01793827b539367c24022c58bd3d50db966d8780619f076b1387dc41b2093f58784f093907b0c77

C:\Users\Admin\AppData\Local\TempIACQM.txt

MD5 0c93273fe509ca4737c4f7e074cf6127
SHA1 66e65c5dede2af61dd1563932ae5d312f4175115
SHA256 e9fd90ee7a00c5fd8a3b742c598eadbefbd91b85b9e8d2e28fea28cd8eebafe8
SHA512 6f98da283456d94482c6d05d28626f54b50d37cb8c5ac0719d667594f9ae74bf72b7526b296c20ab8545114aaeaca9842873f23f5af08dc6b1114db919b637b8

C:\Users\Admin\AppData\Local\TempIFOAG.txt

MD5 925c0e38d874568738de69eff01c0cdd
SHA1 2155911356d495f6f5329e91f54a03cc452a1739
SHA256 923b066a22281ffba3a8db0e0fce490039c73dc3687393e7d0954d050fccc824
SHA512 beaca1515244f17f2379177ffd8b29fc87a6c5743ca875416b7d9578aa4d64c2fcc1d8c07f5fc439c5a1d0ec996ece74815c942ea056fcfe8844958b8c2327a4

C:\Users\Admin\AppData\Local\TempIRNVM.txt

MD5 e38aec32951f8c404e5534ad826be0e7
SHA1 fca39211065c60f17ba5430c1b854fe90453bf55
SHA256 30d9c64d7df9592bc5ef50b1bfb4e050c1c7294c1669474ab0ad1d45607dab76
SHA512 f34a51aadd4cce7b1804a76631fd5ce0cf1edfb6d2ccd44a0f591186b30dbc4083dcef8b554aa30f01d8a1997330861e4ea236951f10397bc231f211e58fee8e

C:\Users\Admin\AppData\Local\TempYMTCN.txt

MD5 82b22a0bb7581c00d1565a6fad85358d
SHA1 ec4b86103ba9930a4e21de33b436266b5c73e390
SHA256 abb6d88162d024a587c81820869081be8c8bba3dc9267bbfb28ef042d60b610c
SHA512 0a778b2ab13691927548a7af940140d6fd4228a01e760247bf852b5487e488c0b6303cd44894ccb5b2c4d089a34594244f2309ce12ef4843bda23d071f59bae3

C:\Users\Admin\AppData\Local\TempQOSNV.txt

MD5 576d896ff6060362b4cfdc87463dc1d8
SHA1 6de9e4ddaaec13639872964e3b8f0c0458c6f356
SHA256 fba5683b5b33bf9c5c64163ce01aa15488cea13384c33bb07cb94dab8fe2bc9d
SHA512 d7ece3271b99f46673a3b6d1357fa7db090993425c21ce9309164f06635571b4db9f5ac682e78add31f086606280af51ce21cb0608eb6d5cc540561f7f14f882

C:\Users\Admin\AppData\Local\TempMQLTI.txt

MD5 b6b840ff8307ee32791b0a11dcfc6c1b
SHA1 48ab0432da2073016e17dbd5475f8ad1df654ce1
SHA256 4ae54b9e9997d21ea0277357a399b36349def9b6f1ad5fe59d2ff90951aface4
SHA512 3b3d034efd66858153a7b032357ac6bacaf75be3d46c46f16f0a1471871aca13b8fa70690567f5af92617e9250086c76d664126ab8dca87c5d48b444224f0762

C:\Users\Admin\AppData\Local\TempHOJNK.txt

MD5 1f5a54b5b5ffe2dc82301161e24f5ef8
SHA1 98fd34cda8610c469d98307b0da05f81496ecdd9
SHA256 df63c841bd5dafb446a1af9bdd51578d9abd827f37cb07520805e8fcd5fb8e91
SHA512 82d081df2a0dab80b598aba9a226102f512bb2f7d2fa8087f17c15f9616740a4a3a799b2f987b1b4174d20016953f59a073917fca6f349c5d5cddc46aa8684ff

C:\Users\Admin\AppData\Local\TempJAVKW.txt

MD5 08b8f738fee7a819c1a0bf37301bc546
SHA1 99a9c7735806e811ca2e73cf59c6846e51ed4082
SHA256 3392e9f50f9fbdab555495dc4a01762d261f6f375bb250e4c62fe826615f9be7
SHA512 e9618c34970f77b43a94b91efa29f6963600cb05cfa8f00fa551b79de8b9f2aea0c021a8369896d408b9a14e985f993f300237f6314f6ca84553170a4a76023b

C:\Users\Admin\AppData\Local\TempEXXMV.txt

MD5 9f3601ac51f3fa3d6dd89d4c1e09d933
SHA1 8d67359d566d882bda36f4b4d1bcb74ed3b0d3d9
SHA256 87eeda147718431c55e100c0c79f9e6d255cff79d7bc5bd4bf5db236cdb69b0a
SHA512 e5257dfc1219a17bfbf763faea359609a14846044ea571b2710a03d8b8250f287c616def9e96742baea276fd073ba63d976cce1a158fa86df861e48abe13c702

C:\Users\Admin\AppData\Local\TempERYIT.txt

MD5 803dd39d991f424c4a58b6833805066e
SHA1 be57545e3e8162239cd68e10683955e9c8e4c142
SHA256 e098a6d376584cf4cb5f0cf26a9acd806c1335026db65ee146301b7aba5c10a7
SHA512 d096547e7b503ef43e9a0eb88ae9e6d5a37c7f4e4a058738e018850f2b7e9688e29d634c040b22ec800f422eae044f78d35485e26a8637574821b3d535e8717b

C:\Users\Admin\AppData\Local\TempHXKRB.txt

MD5 a20ae22df5a4b075ff8310a38fa3c811
SHA1 4e07f8cb9a1e7c8cca2dac760660d9e87fdd0b97
SHA256 68622832dbc44c9f72a92017bf8defd5eecf168dff6c024dd763db583458a378
SHA512 c6793775a5c09186fd161b2451fc4f8ffa11e297f3024326cafa9465c27e09ae0b15641b06cf005a6bb2cfdcd82d7217008008f7997f2911a99ef1e0efc05176

C:\Users\Admin\AppData\Local\TempJGPBH.txt

MD5 2d776f5619f2154257a667d8b10d04bd
SHA1 1757d5fe8f690f695fa7a5fb86104f7389065602
SHA256 be47c29859ec4d22fbe7182e97e14050fd1a2e8f452b8cf1c0b5ad374e66bc18
SHA512 ed51a27a9ea02a2f0bb0fe0c752937ed63124cf0769fae92250846f6297017facb715ed32003c234da02a48fc401920015a779806d156808bb08d45049fdb65d

C:\Users\Admin\AppData\Local\TempVGAOX.txt

MD5 85865382db0c3034796a23eae3402db6
SHA1 a4d0e8b10b45bd49f8953336546535adc6a622de
SHA256 e2becd6b1b3b366cd0cb80cd9e410ea42bdeb74b05dea0ed57f63bfb9bf98ce3
SHA512 d3e82a6f932c027d19625408739d33cbd1e98fa158b738ce56554790a18ddcb47055131f7f90688d808e8bb0eb7e1b53cc3eca471e0a5ad5f91c9a6c31ca7cab

C:\Users\Admin\AppData\Local\TempFVORS.txt

MD5 559afaf7685a70580666587bdb27a940
SHA1 a8f3f909dcde7007a76188e2ea2cd9c2145f9299
SHA256 cb6fb7e014cec7cedb78e03dd6c91e63164569be152c6f453272e6c2830a3ac3
SHA512 b169def8fe19322775279e942d7189a489f63333468425781d92b74cf0bbf95e5deecde2d581192646b49e92f4dfdc74187c0fb7592afd69bd4742c6ad2e12b0

C:\Users\Admin\AppData\Local\TempFTSEM.txt

MD5 737f127b649ad7091e07b16c06ba9113
SHA1 240da5adfb057c0f84bbc627305f8008d91c0a2b
SHA256 b8e47e8aa25f87db17d0126c2fd722976320dbc3530db9366c523baf964b4009
SHA512 9544426ad3c2391e209e36f1070fa5f17c363feed2a8dc04b847d6ebcad8e66784ae81eea7de8b43be4f3d6edcdd0ed8bff593c76aa3ac11c7782a1bfc1688cd

C:\Users\Admin\AppData\Local\TempXGGPL.txt

MD5 cacf80cdd088f778bf72fa7018c2f0fb
SHA1 463f72f1c4c960b6e243e70d832b3049dda3dc66
SHA256 967cabd30ab93fcc2f9ca42c620c48abd7fa029760d9c9d258f829672b1ecb0e
SHA512 1fb268ba97b9bfa00bc111867f2904000be75bf7f085b3dee6ff084a26454978e0132af7c9b708f92b23b0a8b2df4886e13134a077db37baad526e4238049902

C:\Users\Admin\AppData\Local\TempKCFUL.txt

MD5 807fb3edb788337b68c32da8c827b920
SHA1 2d5cc80b68e865ac6e80db9c2707673216bfbb25
SHA256 b95e8f6d3a265b69413dcd8cc72389de41f91f378fe8e1d3de18da5e69b6de8a
SHA512 71063abb30166005204c85b92a893635fe2f700cb2052e50158910f2d57bdc0af12f6b0f77751ef084a6c47c073a870ebd69d09b9d8b167d7161964655e0fea4

C:\Users\Admin\AppData\Local\TempUMSEA.txt

MD5 500891b5ff34a8bfc9469593df308e23
SHA1 b447a8987916a9b3e91e89bf8b840a03fafeefc2
SHA256 46ab197c41d1d2f55da2116bd15be0618222efe1e7900eae4cf828a8ba865d67
SHA512 0e181d5e5cd0811b526215b6ba185e77ba7e26dd7d9fd90d7d37ce2633245ab47e6b20940ad855e5bb2ba9fe84122e979651796be2238e0893de0c6884692625

C:\Users\Admin\AppData\Local\TempNVMGA.txt

MD5 8d599bae06a715855cc013ba4ecc0acf
SHA1 defc420f9665f05e3bbe2ff84d4a2d7cc86194cd
SHA256 153fa5e8180dd094ea98faa2e3622d53ca83c02c1d0c0d219500b4dce205945c
SHA512 49238c2da6df08f7e2abf57553c6908a5f55ad25a27eaf2900c326bf922e84f55faaccbceeda54ba570b54d7d60ae0e71191d5bf4aef31760c4a0483b57340f8

C:\Users\Admin\AppData\Local\TempYTHOJ.txt

MD5 dcbdc52308d09b67c51fbe6d829a04f4
SHA1 7e5e29dc39182c6c61d6130cf758f9cf18fcf5b4
SHA256 8df78170cce738533daf04ce4e477f26a949ae9682e71444b40c9e74b07a4a7c
SHA512 7578f70de326fb65edd35a76e1e17240f7c4cade9425ed0d4962fb15eac10b9e1da36672378a4b837b93783c08cdaf3a66742f3dbff46e44984452ee9cfa71c8

C:\Users\Admin\AppData\Local\TempBFXWS.txt

MD5 e8d6917c565e917b8689b4865de7c56f
SHA1 c137c12668e1a38d7b252d4bc0b6ce6baa3691cb
SHA256 a4e8faf66ce7cc42380a7401a8bc3a406f70115b8438eced9bdbfba1fb705440
SHA512 78ccc026f4782973823a9d1db50480406f81946e71025e7f6fc7b2637317061b5bded3bc4bcb773a03a1854f043577acf6ae2ecd75d5e2d3e301008f0410c10d

C:\Users\Admin\AppData\Local\TempXTSHQ.txt

MD5 e3f0078c4e0553abaf25bf1e0e3f0c7d
SHA1 e05c2197a62257a4b1dc3a129811b8e51f002a91
SHA256 a2011fffb865a3120fea054a1c0f0c6de29068fb2dec4469379795cfcee0ac84
SHA512 c50683dfb9fad702b47512de3e7e76fc2dfb46504cf63a750869d6b7581b4d43f62eaa4ec03e69ebcef3201befd5809f98b1537d0937860eae1d69a15b4e9714

C:\Users\Admin\AppData\Local\TempRSPYK.txt

MD5 7ddd961a9021996aa5c71ddf61248940
SHA1 55792338b0db186a94648e2bf08da97c56f30864
SHA256 6567416941d5b4abb20aa084b649abd3294e3a29eafd2232cf0c10c4be231769
SHA512 7faf36f2a654579d973eadd364b2f517a5d2df29ed7cd5a4ceb1a5fbe397c9833f4a196dc1fe16712a51e5e1d848672d2c21ecd187d86435e7ba93f725f22baa

C:\Users\Admin\AppData\Local\TempRTYEF.txt

MD5 90caa60d8e5676440f628aa01b474f04
SHA1 b4058aede18a079146c5a2c350e8e22b1fc884dd
SHA256 8f0419c918ddfc0c417dca90855371f69bcf39bc6327e2df41f94a92bba166d9
SHA512 70a26ff12d21de88b3be1868a07f84219583e5298719a73ad19b4f59b2e2481da6600656a20cbbca9941b29040dbe65aac9a95cc82b20efcf26032dbff1be584

C:\Users\Admin\AppData\Local\TempQYPEN.txt

MD5 38ae4247b8ce1f6c48a227f553a5f848
SHA1 a4e6510eec6631850b93c25c83682488bda5f890
SHA256 98aa913240b71d6d2eb946bdc4da07fa5e178f4c41c12679327a7dc68881d8be
SHA512 3af422af9c3fc40d71eb97d80336b7db3f6a5324adb805dcb11bbd09b11afd7d107bbff78a4b0a587b8151e445503130e1166ce1f123afdbf754184f278771aa

C:\Users\Admin\AppData\Local\TempLCGUM.txt

MD5 cff7b2836e336b8c30753705879fbfc5
SHA1 7e6c0746646510e34819128032e318f977295b51
SHA256 5bcec7c16cdd5e808e8d6e4413d54f4acf45471b48fa993cf0f9557da449f5b7
SHA512 2499452374aa17eb8d3ddb9343147d4f2be17881d5e704ee1cec39c0372fff25ed0563bf2b07bf3e7107153d7d1703a4e71abdb8a4f9774c768db66439dccb9e

C:\Users\Admin\AppData\Local\TempVPING.txt

MD5 78945b672b49c28ee79eafffa96f150e
SHA1 a58f0d44ce839dcc312037c1773cade17563d55f
SHA256 ea1df5f5cc9e4705e1ff894c183c85047842195b16a71be9d972ced3b0bd54ec
SHA512 e52da6e3de50dc75e30c53b938ec4074480ad0696ae7fac6b122e72decc63b38d8fe806397361fc848e35d970dc9f0dfd4470423d98850ad4dac46b0a9c7d277

C:\Users\Admin\AppData\Local\TempMJREK.txt

MD5 35bcd936ca9d921cf95f244a53b9fb0b
SHA1 647060e16fc44dbd9c8829ec1512036618e672bf
SHA256 9ecb15dd1c599c67f4bbdf3177e44fb4d72f70649e4425361eddee933004f9a2
SHA512 f85f258232a0e12226c0c490d10eaaf9eca85e5e8f49d804071ff5ea248e86c480e4b9e23476110a5452fb80620464e2dfaa00a492b2a2b7647afff7836bfc9b

C:\Users\Admin\AppData\Local\TempYVBTX.txt

MD5 c2772bee63397964fc1f25ee8bbbbca3
SHA1 48e44c0cce80ee73c63a25a3a8009b3fd528b67a
SHA256 32a4d5b5dd10dcf83cd9cf00cb85f0c7cb7da4967d6d50ce0b706bd9f2ee31af
SHA512 708b5d55de48c769733ff60926ddbfe69db79880452adb0716b6d2f86306ee1b24c9f31c677bd8d5b780e2cb1a71baa9443a28783417a2e0a9de08a40bdf6d33

C:\Users\Admin\AppData\Local\TempKWHGK.txt

MD5 50641c9d5b7166bcf781c6adc7e2b1dc
SHA1 26d56ddb82923857198d1d69de8f3d9b0e60853a
SHA256 d8f73203064b13864fb4b902821f2864a13489b951b282c231ce8f40e906c029
SHA512 8779e6610bdd3d9b937150d5fe31899ad3f6a81b9dbd73300bd384f99807dad7b3ed2e557c2b467b00aed932f0b89d76b8256cd71c03e4b9ad38595b867300f5

C:\Users\Admin\AppData\Local\TempJGOBH.txt

MD5 f87d5c52eef43f4774ff1f3f5546abbd
SHA1 1f2d1221095c4a20ef510c93fed95eb39532bd5c
SHA256 77242b1505b2b7eee2f8283d34d521a7e434775dcdd5df622d77297bed8b1843
SHA512 1f0f1d1274f3b95a8e0532a573b909f501304f9c06191142193adec33bd2cef6b5cc4acdede95a2dfad4e21faf30363a7a7dea5f883e6d704e36a716da96a673

C:\Users\Admin\AppData\Local\TempVHFJE.txt

MD5 e4e9efd4153ad8b1289044239a8b4ad9
SHA1 15062db4c161b539b66753b1b62ebdbb9cb5fde5
SHA256 b16d872d86ae49ef9921f0f028c09ba8323fc15e3616fc4894fce0cc96449478
SHA512 96312b6bee1279c9b4ee46b329e2c1c181e907383f69249d5a7c3d50a9fa1fcc87c217c7b7e493bbf96ceae5281c80610c4d67026ce68c9e7efb10f2986d2cd9

C:\Users\Admin\AppData\Local\TempDXWLU.txt

MD5 40b9cf20109025ad75be3402cbdebbf7
SHA1 ae4cc8e0bccc77ba300ee93182c4e9394bd0a4b0
SHA256 67d1420ef138770d14e70d0aeedcd6da05ec9b01b5a77bfc45119052ed524a5c
SHA512 9c3a5d3b20d84800a00c990ebeb2c07804baebbb270d75ed1f72ab86e56ec64d6af1f0c53d9bf130b5eb06c95fc569d3e172e3f7aa3b5a76d39d3a11caa301d6

C:\Users\Admin\AppData\Local\TempJHLGO.txt

MD5 8509bf9401bc0a70df2801d1a6c97866
SHA1 8c3c97ea6e580ef8abfb31cd54a8d3c933b08f14
SHA256 79f858d8438fba230ba0df8e090549c443ac3a95fef05ff7f7495876af4ddb54
SHA512 35192bd18f309f2dc562f5eca04c9444844f032e7d81f578c2c737470a11d200d9d3d1ea0b9450f57e2cad3b83a8ff0a97fe039852d76d644df84ac0d479408a

C:\Users\Admin\AppData\Local\TempYRWIF.txt

MD5 0b342940c6cdac52449dbefcf8af5908
SHA1 5ba79a26db578755319917601b398b1a8fd8d52a
SHA256 5433ce0d89fc0ac687299543a6061dea6f02dbe3489341e7b6582ddbd387c75d
SHA512 94f85f5a4dedc27b0ce338da54ee502c3da7c62e0e105f254c5b87fb34dc02da1d8cc5fdfb93454131637e6bbd69184ad87710f8ece13c2f77e2b687196f4f79

C:\Users\Admin\AppData\Local\TempAORSL.txt

MD5 5796d385bff78db55f88401804e93533
SHA1 debbdc8ed25f569fbf44b21131737284383a9561
SHA256 bc487c20398f524883005dd5162364c45bae6664bcf890c70c420441fc112419
SHA512 47752dfaa6c7dfb7409ef442435d92ef93cdebc5f84a49acb38ddcb15d34181837be3477299a8832f91dc0e5f8541f1215463087a3746225b48c3c04ad757e44

C:\Users\Admin\AppData\Local\TempIJGPB.txt

MD5 9545e1b6b1a9bc92baa304296a0109a7
SHA1 0cf02e0ce3a62c1eaba0c769fee8310cf6cb9afa
SHA256 8fd8511e897c9b2f2e76b9639f5b5b46aac22943d3247eaae6d80db4a06b1a2b
SHA512 d7317c856bdbecb9af8b3c91a866ba82d1c89ec547af42b49aceb521f5c17fd3f7dea29f362c8f5624622bbb339da418a77ff14bc261c6f04d81097d110ff136

C:\Users\Admin\AppData\Local\TempCGHQM.txt

MD5 65becba90ec3c2268f08c642b299af1b
SHA1 2516e80885adbd1dbeca15e478b8c60b47676f28
SHA256 cd1902e1548181d4faedb54a7929a04e262fa779d8ade5413697bce636e25e3b
SHA512 4777926a9c50b958813fdf3ef2c77d083f2817e9ab12700f994a61a7c639c3ca1dbf777d65a87a8239f5362f8cb02252362f416621dd1f5ceff898a5894e5d45

memory/1864-1914-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1864-1915-0x0000000000400000-0x0000000000471000-memory.dmp