Malware Analysis Report

2025-05-06 00:12

Sample ID 250225-1xg7hszjy4
Target 3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e
SHA256 3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e
Tags
blackshades defense_evasion discovery persistence rat
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e

Threat Level: Known bad

The file 3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e was found to be: Known bad.

Malicious Activity Summary

blackshades defense_evasion discovery persistence rat

Blackshades payload

Modifies firewall policy service

Blackshades family

Blackshades

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry key

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-25 22:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-25 22:01

Reported

2025-02-25 22:04

Platform

win7-20240903-en

Max time kernel

149s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe"

Signatures

Blackshades (tags: rat, blackshades)

Blackshades family (tag: blackshades)

Blackshades payload

Description Indicator Process Target
(11 rows, every field N/A: the family signatures matched, but the report exports no indicator detail for them)

Modifies firewall policy service (tag: defense_evasion)

The entries below are written through reg.exe into the legacy Windows Firewall exception list under FirewallPolicy\StandardProfile. Each AuthorizedApplications value has the form path:scope:mode:name, where a scope of "*" means any remote address. The display name "Windows Messanger" (sic) is a misspelling apparently meant to pass as Windows Messenger, and DoNotAllowExceptions = 0 makes sure the exception list is honoured after the sample has added itself to it.

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFLSDERXOWKVLH\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
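As an added example (not part of the sandbox report), the following Python parses the AuthorizedApplications value format shown in the rows above and flags the properties that make these two entries suspicious. The SAMPLE_VALUES dictionary is constructed from the two "Set value (str)" rows above plus one benign-looking entry for contrast; the heuristics and their wording are this example's own, not the sandbox's.

```python
"""Triage of legacy Windows Firewall AuthorizedApplications entries.

Added example, not part of the sandbox report. SAMPLE_VALUES is constructed
from the two 'Set value (str)' rows in the report plus one benign-looking
entry for contrast; the heuristics below are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Registry value name -> value data, as written under
# ...\FirewallPolicy\StandardProfile\AuthorizedApplications\List
SAMPLE_VALUES: Dict[str, str] = {
    r"C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe":
        r"C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe:*:Enabled:Windows Messanger",
    r"C:\Users\Admin\AppData\Local\Temp\service.exe":
        r"C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger",
    # constructed benign entry (not from the report)
    r"C:\Program Files\Example\app.exe":
        r"C:\Program Files\Example\app.exe:*:Enabled:Example App",
}

# user-writable locations a firewall exception should not normally point at
USER_WRITABLE = re.compile(r"\\(appdata\\local\\temp|windows\\temp)\\", re.I)


@dataclass
class FirewallException:
    path: str   # executable the exception applies to
    scope: str  # '*' = any remote address, otherwise an address list
    mode: str   # 'Enabled' or 'Disabled'
    name: str   # display name shown in the firewall UI


def parse_authorized_app(data: str) -> FirewallException:
    """Value data is 'path:scope:mode:name'. The path carries a drive-letter
    colon, so split from the right to keep it intact."""
    path, scope, mode, name = data.rsplit(":", 3)
    return FirewallException(path, scope, mode, name)


def triage(value_name: str, data: str) -> List[str]:
    """Return the reasons an AuthorizedApplications entry looks hostile."""
    exc = parse_authorized_app(data)
    findings: List[str] = []
    if USER_WRITABLE.search(exc.path):
        findings.append("binary lives in a user-writable temp directory")
    if exc.scope == "*" and exc.mode.lower() == "enabled":
        findings.append("exception is enabled for any remote address")
    if exc.name.lower().startswith("windows ") and not exc.path.lower().startswith("c:\\windows\\"):
        findings.append("display name claims a Windows component outside C:\\Windows")
    if value_name.lower() != exc.path.lower():
        findings.append("value name does not match the path inside its data")
    return findings


def scan(values: Dict[str, str]) -> Dict[str, List[str]]:
    """Triage every entry of an AuthorizedApplications\\List key."""
    return {name: triage(name, data) for name, data in values.items()}


def exceptions_allowed(do_not_allow_exceptions: int) -> bool:
    """DoNotAllowExceptions = 0 means the exception list is honoured, which is
    what the sample re-asserts right after adding itself to that list."""
    return int(do_not_allow_exceptions) == 0


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_VALUES).items():
        print(name, "->", "; ".join(reasons) or "nothing unusual")
```

Run against a live host, the same triage applies to every value under the List key of each profile (StandardProfile and DomainProfile); the value-name/path mismatch check is there because the firewall UI shows the path from the data, so a mismatched value name is a sign the entry was written by hand rather than through the firewall API.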

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HVQTXVYJNTAGDSR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HVQTXVYJNTAGDSR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBGPGFQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBGPGFQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DQMPTRTFJOCOWNB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DQMPTRTFJOCOWNB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGIVWER\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGIVWER\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLGAAPQNWIO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLGAAPQNWIO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BTMRYKAKEYCFVRS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BTMRYKAKEYCFVRS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULJAU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULJAU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFEUVSBB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFEUVSBB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VBUEQPQMKRMCQXG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VBUEQPQMKRMCQXG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XRJPWIIBVACTPPL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XRJPWIIBVACTPPL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MIWUKVOMPAFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MIWUKVOMPAFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A

Adds Run key to start application (tag: persistence)

Each dropped copy registers the path of the next copy under HKCU\...\Run through reg.exe, so one Run value per copy accumulates: 18 values in this run, each with a random 15-letter name pointing at a service.exe in a random 15-letter directory under %LOCALAPPDATA%\Temp.

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\OLLWTRVQYMOAGNN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UNMUIHJECJEUIPK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFCGBJVWRPSHVDM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNFXOLGAAPQNWIO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\URFRCBFXWTUGMTU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TSCONPKIPLAOVEQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MTXJHLGOCDWUDDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KCSBJTPKFEUVSBB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\KYFOXVGCNGHXQTU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XRJPWIIBVACTPPL\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\RJSOJSETDTURALS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWUKVOMPAFKYXJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\YLNIGJYMTCOSDPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBQUGHEMFJYA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\GTAJXTRBWICWYDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFLSDERXOWKVLH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSXJHLGOCDWUDDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KCSBJTPKFETUSAB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\RWTHTEDHYUVIOVV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBUEQPQMKRMCQXG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\YBLRYKAACESNMHC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HVQTXVYJNTAGDSR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\WVHPGYQMHXQCRBQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNYCVTCVLBGPGFQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\QPBJBTKHBRLMVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LOEWUDXMDIARIGR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\QDLCUMIDTMNWMNK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBXQVOEOIGIVWER\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\VHNUUFYANWJIWDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DQMPTRTFJOCOWNB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\SOCOXCUYTQRDJQR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BTMRYKAKEYCFVRS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\SRVIMIFWUKKMHAE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PRHBYGQGLDULJAU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HMJJURPTOWKMELL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGFHCAHCXSGN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery (tag: discovery)

Caveat: opening this NLS key is the behaviour the sandbox maps to this technique, but on its own it is low-signal. The same key is opened here by cmd.exe and reg.exe, which are the system's own binaries, so treat it as context for the drops and Run-key writes rather than as an indicator to alert on by itself.

The 64 rows of this table are collapsed by process; the last column is the number of identical rows.

Description Indicator Process Target Rows
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A 22
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A 22
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFEUVSBB\service.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VBUEQPQMKRMCQXG\service.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGIVWER\service.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HVQTXVYJNTAGDSR\service.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A 2
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULJAU\service.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\XRJPWIIBVACTPPL\service.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DQMPTRTFJOCOWNB\service.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BTMRYKAKEYCFVRS\service.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPK\service.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBGPGFQ\service.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FNFXOLGAAPQNWIO\service.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MIWUKVOMPAFKYXJ\service.exe N/A 1

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

The sandbox names the privileges it can resolve and leaves the rest as raw LUID values. In winnt.h the well-known privilege LUIDs start at 2 (SeCreateTokenPrivilege), so "1" is not a privilege at all, and 31 to 35 are SeTrustedCredManAccessPrivilege, SeRelabelPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. A contiguous run from 1 to 35 is the footprint of a loop that tries to enable every LUID in turn rather than a request for specific rights; AdjustTokenPrivileges can only enable privileges the token already holds, so for a process running as a standard user most of these calls have no effect.

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HVQTXVYJNTAGDSR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBGPGFQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DQMPTRTFJOCOWNB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGIVWER\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLGAAPQNWIO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BTMRYKAKEYCFVRS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULJAU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFEUVSBB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VBUEQPQMKRMCQXG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XRJPWIIBVACTPPL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MIWUKVOMPAFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A

Suspicious use of WriteProcessMemory

Each parent-to-child pair appears four times in the raw report (one row per write); identical rows are collapsed here and the count kept in the last column.

Description Indicator Process Target Rows
PID 2996 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe C:\Windows\SysWOW64\cmd.exe 4
PID 1044 wrote to memory of 2776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe 4
PID 2996 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe C:\Users\Admin\AppData\Local\Temp\HVQTXVYJNTAGDSR\service.exe 4
PID 2636 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\HVQTXVYJNTAGDSR\service.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2932 wrote to memory of 2328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe 4
PID 2636 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\HVQTXVYJNTAGDSR\service.exe C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPK\service.exe 4
PID 2820 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPK\service.exe C:\Windows\SysWOW64\cmd.exe 4
PID 1632 wrote to memory of 1964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe 4
PID 2820 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPK\service.exe C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBGPGFQ\service.exe 4
PID 2100 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBGPGFQ\service.exe C:\Windows\SysWOW64\cmd.exe 4
PID 1148 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe 4
PID 2100 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBGPGFQ\service.exe C:\Users\Admin\AppData\Local\Temp\DQMPTRTFJOCOWNB\service.exe 4
PID 536 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\DQMPTRTFJOCOWNB\service.exe C:\Windows\SysWOW64\cmd.exe 4
PID 1696 wrote to memory of 2836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe 4
PID 536 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\DQMPTRTFJOCOWNB\service.exe C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe 4
PID 2248 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe C:\Windows\SysWOW64\cmd.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe

"C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempXQWIE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YBLRYKAACESNMHC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HVQTXVYJNTAGDSR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HVQTXVYJNTAGDSR\service.exe

"C:\Users\Admin\AppData\Local\Temp\HVQTXVYJNTAGDSR\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWSRGP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OLLWTRVQYMOAGNN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPK\service.exe

"C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPK\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempRPXJP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WVHPGYQMHXQCRBQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBGPGFQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBGPGFQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBGPGFQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMSEAK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VHNUUFYANWJIWDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DQMPTRTFJOCOWNB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DQMPTRTFJOCOWNB\service.exe

"C:\Users\Admin\AppData\Local\Temp\DQMPTRTFJOCOWNB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMJSEK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBJBTKHBRLMVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe

"C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempTFLQC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QDLCUMIDTMNWMNK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGIVWER\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGIVWER\service.exe

"C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGIVWER\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempDXBMK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFCGBJVWRPSHVDM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFXOLGAAPQNWIO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FNFXOLGAAPQNWIO\service.exe

"C:\Users\Admin\AppData\Local\Temp\FNFXOLGAAPQNWIO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempCVVKS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SOCOXCUYTQRDJQR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BTMRYKAKEYCFVRS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BTMRYKAKEYCFVRS\service.exe

"C:\Users\Admin\AppData\Local\Temp\BTMRYKAKEYCFVRS\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempFOKYX.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SRVIMIFWUKKMHAE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULJAU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULJAU\service.exe

"C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULJAU\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempFYYNV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "URFRCBFXWTUGMTU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMIQHF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MTXJHLGOCDWUDDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFEUVSBB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFEUVSBB\service.exe

"C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFEUVSBB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMHQHF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXJHLGOCDWUDDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe

"C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempXDVUQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YLNIGJYMTCOSDPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe

"C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempGAOXK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWTHTEDHYUVIOVV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VBUEQPQMKRMCQXG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VBUEQPQMKRMCQXG\service.exe

"C:\Users\Admin\AppData\Local\Temp\VBUEQPQMKRMCQXG\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempGHENF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KYFOXVGCNGHXQTU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XRJPWIIBVACTPPL\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XRJPWIIBVACTPPL\service.exe

"C:\Users\Admin\AppData\Local\Temp\XRJPWIIBVACTPPL\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWIGKF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RJSOJSETDTURALS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWUKVOMPAFKYXJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MIWUKVOMPAFKYXJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\MIWUKVOMPAFKYXJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempUQYPE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HMJJURPTOWKMELL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe

"C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMPQVC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GTAJXTRBWICWYDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe

"C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe"

C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe

C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
N/A 192.168.1.16:3333 tcp

Files

C:\Users\Admin\AppData\Local\TempXQWIE.bat

MD5 a563256e5b27640c5a670a6df0c4f257
SHA1 815cbc4a223458f04c83ddf253b015d28a557279
SHA256 fbef3874bdcc41b2fbc097b0f0a90022535cfa3ea8f899e4dcbf482ffa193461
SHA512 a4c75a9cbc67071cc5feaff3990183fb08561305d95ee8fb76b231235fe5cfd7dcec356693e3c9de0987a3e2ea3a64934dde5907906c8f45f52433f5f52a8ea0

C:\Users\Admin\AppData\Local\Temp\HVQTXVYJNTAGDSR\service.exe

MD5 7175f38353d4109884ba30cf44819010
SHA1 65cee5607680e5306273467f699edd424561b18c
SHA256 b285d9cdf01ff78403680f29bba210f8c99ad09c1fcf973488a9288b06edde4b
SHA512 fafeea4b30abef40336961cf83a11c60fcd00ae97e389d4a599609dce155d385e37aeaa465d16258aea3b8c44676a905b45884977a7edd98df29cd2e93b645f1

C:\Users\Admin\AppData\Local\TempWSRGP.bat

MD5 37450be2103b6bd05f77ac81bd64999d
SHA1 e6e0087e881ef57b93c85b257bf746ca289b4c43
SHA256 7de2ec0d83e6453074123125a857167f8c16b00ea4a99bba49d9f1f4c6ebd838
SHA512 4e5ac6cefc77d2db677b4f681166e21ea2bfdd525fcfbb04a2adcaf68735ffa2ff49b30df14955cb7a4187c541061f4593104350a653c8423d526a3054e1759f

C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPK\service.exe

MD5 771947c66c6bf245695c6b1d98a601ac
SHA1 788f039663e5d045287c882cc9da88ad585319c1
SHA256 6fc61f1b4368f145435a32bc3f3a9735d0d6505058972abf5dcbcde6a06d2650
SHA512 35df06dc7f3cb5aed14a943fb0324359434c70d06caaef872a6737623558e67ecb295964769ae2a32e51fb995d03c6f6db3e69d3d50d5383c85b4c15de7c2a58

C:\Users\Admin\AppData\Local\TempRPXJP.bat

MD5 37c862667a98ccfe62f37f7246d5f9ca
SHA1 e89f151a97c536eaf1543a6d5ffb38938c434f57
SHA256 e71ca55cc24ebcf30c6cd17e758477294856ee373130cd0a6c258c749e6d8d62
SHA512 19c5d50aae93e70b16cf2a7e64c9321f24b0895401848713641f0e9f8538c660bb31ca0719892d1f2c04a48dd2b3698e6097c0c5ee2f95269576e5639b0d5c4b

\Users\Admin\AppData\Local\Temp\KNYCVTCVLBGPGFQ\service.exe

MD5 57ba2ca6903f57be858b83fefc333c68
SHA1 2b7f9a1be723e57db98868823a51816e5127ea2e
SHA256 1070643f5cc3e503fbbe98a81adbcb34ef5e80c8ca10c5af0e36465b1153340c
SHA512 1b37d3046194fe3cfd7db1c091bf51dc18e80a196739919f47dd13b6e8f9d275d1f77b6a4cf92001f40607dadd3eece8635abbc7ef0c0de567f91dc5defbce8d

C:\Users\Admin\AppData\Local\TempMSEAK.bat

MD5 9c319adb38135438ce4e189b1d1ca26c
SHA1 a8f79ceedc291be87206849e55feb43bf9286818
SHA256 2be86f1e707fc160c1481ba1d3927637a448f54aae306431819701e1001131b2
SHA512 03bee7f6de91ecaeab48b7d5afd3e2af2a75ad497066209911450620f8d222fcc80e79a148c548676fb4d86d0836fc0e172095be20dbeae1114960799f8eef41

C:\Users\Admin\AppData\Local\Temp\DQMPTRTFJOCOWNB\service.exe

MD5 397d2ffd10ce80ab4f735bfefc7adaf4
SHA1 37b845b3c3118e7884c1a215ca246ab35cfb5974
SHA256 c898f402eccbae13bf8c7d34931bbf5ca311c5f59e1f9d6f076fd30e9655c72f
SHA512 ed9ac60d959e198303e0e46dc39c490612efc1b26443ac83778a0ee40a13e792e2b86127bc55f21c8a74228f7933b31a042462d72a8222725d0a1d480c4cb64c

C:\Users\Admin\AppData\Local\TempMJSEK.bat

MD5 e77159f9400b36307346f4e838d3548f
SHA1 ea8e54a5773dcd1120a94024f3937219e6d18615
SHA256 6d6b2cfe9cf7c84965ecc5807b8d8f8713ba7a47112b81da77e12d8373a78ea6
SHA512 c95bf5507d262f35b7f14f669a764db383d2e7a453f24a077ffb10449f8e7d399655b025f63e7db4afec1d2a3cdb747848dfdaf6bd8cd490847704724198b51e

\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe

MD5 8fc5a2b5ea33ece96a07c2873d12ada4
SHA1 ce3966736e248575706f07b763ee46010401926b
SHA256 4e4c58c1b9ab0d5fd1f44f22202c8857a94fca769618aa2c4d165b0ef7fc162a
SHA512 ebb00fe5ccd24b62c89a5744a305ed3f0742ad50ea2303a5bfed2941d656a0696727f5b5af044e52026e2d25aed10035aad81d25acd11bf9d29eeb0134153f22

C:\Users\Admin\AppData\Local\TempTFLQC.bat

MD5 332be4124670305d4298ce7777bff4f5
SHA1 32e7f0d04b0d74095b0d000cce9694b8c502cbbc
SHA256 59a598fa4e8fb77b311d695f3ad63850786546b35ba9e572b79ca00587f72c01
SHA512 ce0e32ff59f98461f51eb0196db1a6f551860aeaa67cb322be0337092353e2994b98c3eb12b033973c019f2079471e87f06f7ea8d24db890e05f112818dc2037

\Users\Admin\AppData\Local\Temp\FBXQVOEOIGIVWER\service.exe

MD5 9d9cfe2fe3aa67faaa2e105b960a7d21
SHA1 5015781bc3a0eedf9093a4ed93136407900ed384
SHA256 61a6380559a4a3b3b92167eb722e17b0edd284c8bcd6f2f066e6a23dcfa62c92
SHA512 72f4daa9921a67b03e2eb7235d674e403f7ba16c6135d355bc1f14301dfe85811943a2a7e29d2f9bb6567024e53ad0506fed5518b455c2cf5a37a211486168a1

C:\Users\Admin\AppData\Local\TempDXBMK.bat

MD5 0209111bbc2fcfef39fc6801f977e786
SHA1 b124af40f009e68cad8d58a1fca9dd3af83803e5
SHA256 22b38c22966e0646cca356accc277a432c037478d4e4facdcadb1ec4184426fe
SHA512 42319942bc273dff4b2761e94e8389448b92a74beb3e35a1ca0468e8b8812a6f87f5f8e6c34e4d19f2622aa8c5d1f6564f0ec144cf8710336eb3907bb700a908

C:\Users\Admin\AppData\Local\Temp\FNFXOLGAAPQNWIO\service.exe

MD5 df8df4acf2e6ebeba85f0ac55c2615d2
SHA1 322e7221b932b9cdbe5a1bbb587ae1d85e805297
SHA256 c736a8499ad18ee9124de261458892f9724ca5148e856e2595361acada7eedc3
SHA512 f1f96ab0acafab50eb629f1da91ee94de166a985a1d2d85e34b0d03a9321fef7e9a56d7809c5e94910a32b85fe44054c1961345e32316998a91cc4630b5756ac

C:\Users\Admin\AppData\Local\TempCVVKS.bat

MD5 133a3fb4656dc431e688c356c81636f0
SHA1 cf26a98bf339292c4a067fb6fdb278aa80d8d844
SHA256 81cb9b68882f3b04e9674085f8799db74b4f0b7989e86f1eacb0ff4d21d6ffe1
SHA512 9a61bc8ba2da3882e75c9063cf566c1f953d262d94c32cb8e883d3a8f23fb8e5e67def9851319fc05f86c036420d0a1bf83f4bc527bd171f8d30b9a075a699bb

C:\Users\Admin\AppData\Local\Temp\BTMRYKAKEYCFVRS\service.exe

MD5 f397a0e699dc98c2bfb02b035b265496
SHA1 f6c86e59f700143eba89b964c2494c29a246baad
SHA256 837c9e0ac427f9964a156398f01d5f4ad6302942c49b6292ad24b20fc9f9ab25
SHA512 deff4df800b3245165d50ebc33da2d02dd2c2b88e498abb25b43098ffa0d28d21536148e0ab1f224d8052e2d92b39c9854651f3c6a0c85c3613877b3bea6582c

C:\Users\Admin\AppData\Local\TempFOKYX.bat

MD5 11b68cabe8569ca664245dab618b5c7e
SHA1 6ef2876d707696cfd3383c627c665b84b46b31fa
SHA256 ffcb75f1142bf59e3cf6428ab7783a4a61460760f50a6f8e5af7199a5285d564
SHA512 e732b5b4d1a53e2f30ee349ee8076a95d2ddbe05f0e6ef11274dc471007ba3af841c22e9ce5bb64b931b4f9c9bf5c0a11219048e6d0853e83b5a29a342b3d528

C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULJAU\service.exe

MD5 ba7c27413e7d8f473266df139dd8ce10
SHA1 be44daaac74320a966d6bfe9541fca43e9ac6a91
SHA256 96a5984c815a3f65f500962929f66ba5ec049e0feafaae9a1506edccb358dcf3
SHA512 293a095fe95717a3d176d478eb2dfafc89373299b4989bbbfa3f7a34d20bf9d0dac733cce16cad14f83bb49f8d830a9821786c12860f5632184e256eac41b006

C:\Users\Admin\AppData\Local\TempFYYNV.bat

MD5 839d1106e87898165df42f76a5fa9125
SHA1 d6660f08080bbf0d1ae87c33bad5343120123e7b
SHA256 810660990dd89f3d36ef8f7ca9e301e8187608885a36a6643a9a2a51130bcb61
SHA512 5cfd7c2cdda1296769ed2c5d7e8e5936ca801216ce4ea7715e4b154f57e74ce7a7f6e3dce7771bf00cac0229b838671220f61ee9555752c9010de8f4b557681b

\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe

MD5 ef381899105c388cdd715cbd3a7d6372
SHA1 0fb84a5b961b3f6914f40fe3a03adbb658ae3763
SHA256 98ac10462e133d0f6c76d253928db434997ab53234c36bf9f36257f07639d37f
SHA512 09de0e890259095f654851426460f7eb660fdd54ad9fc9b2c7f30910e5dcb565734366df423753a83279c934fc0dafea11b3876300de11db71b3724479e8b232

C:\Users\Admin\AppData\Local\TempMIQHF.bat

MD5 d0599a1e9a892afe76f42cbe1bcf621c
SHA1 ef751a540b9b623e2c20f82c4d24cb47e27b33e5
SHA256 95db162aae0b0d9018face50a8affef69cc31f339c4dceecb5f7cad02364a436
SHA512 6e71ddfb6486872377e67212b129d25ed46df1337bcc08734a9c8caa3f292d8ac73b1a4cfa962ccf9263946ecb6fe7b865faa7c075cee1dadee17a49854b9708

C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFEUVSBB\service.exe

MD5 a4db63f61e6a5d775468fc399f7a2c4c
SHA1 893adb5a90ede7ea76f4a3656ceca5a166974c7f
SHA256 ba3207352710965eb65862f24173bdd008609c007d2dca538b9c6fd2e22ec16c
SHA512 d3cb694f54e7806fab002e83c91211c0b7d1e3d402abd6de6a420c0d16cd2fd7a023c0d07646d6e6721cb7a18ede39e8c674615c40cc4794df194d9f4608d7cd

C:\Users\Admin\AppData\Local\TempMHQHF.bat

MD5 a5414e97da952d040b48e8c396fea4d0
SHA1 57fc81d07d933bc1abf80608360ee10ced574a07
SHA256 852fdba6e9e396ef093c00a2e8149dba075859fe89e552cdb9dfd8d0bbea15b5
SHA512 edef55b41c1c6b61812ff93816e3b3e5d9ce1ac49089ce0fff8ba7a5f41f6416f3a912930f10e8a8d57d0b119d9d284064ecac614f152ff5c9d12c3667e0fdf4

\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe

MD5 e6b80abae17686feac89d657953574ef
SHA1 ec0525dfc4c7781dc72b379171a145ae9a9dff3b
SHA256 0b069f9d5faa8af91efb08a01980746efe6bcc4e705e5d041b38b091527786cf
SHA512 e962eb789c6c3689b61ac0435667431b3a34482029942e688da06da1ccf52050e544504022447f6e226e208617ac39e0bd312814df13717d010e85315a03fb80

C:\Users\Admin\AppData\Local\TempXDVUQ.bat

MD5 7c6b33b25d35867115c50b05fb15d28c
SHA1 f5f68fa6d475b45caa2b11fdf94f3fb337076a67
SHA256 065d97e5c0a93d56928136cc5a1e1bda166f3bb2d6d15edadafb7defa3897ab2
SHA512 4664b3f2b417375889cd0f404be9f2771a261707e07c782299f90b0efef80cf43e6278a8faec5a69f303b588c0d49d7e9d71ba2b8ef6051c6f258ce735db8b93

C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe

MD5 19e5069c7220126acfa99d3369955d98
SHA1 7ffa07b5393e478b503d6bfd03b5b23712983f39
SHA256 3a70c172ef7a551e7a588bed6b6a2d26f6cc0a268aace16a305ba3a8fccde69d
SHA512 376e75522dfa6e1d2e037f139e0185f0d8be5695fa0d9e1b8c017ca2876dd25c09c597789e07bd9bdaf905a631c915b9d01e19c0e0dfeea2ff4b8a299c42a562

C:\Users\Admin\AppData\Local\TempGAOXK.bat

MD5 2300cb5af7e72558b1df29662f6ab94a
SHA1 effadf47e13d552146544ba3057559caa0e2782b
SHA256 38cf66d051374eec243a0a680b5050ae5f46f836a0ad01f1916fcc26b9abed9f
SHA512 6c33bc25136836c2f41c51a773bb9a0a3974cfffb3b7a31e8f3f6179ca37cc79be37407f12bf6dc373d8b6e0ef98dbbcef5d788b778ef3250ec43b4ffeb553ec

C:\Users\Admin\AppData\Local\TempGHENF.bat

MD5 d25fabf09ecb4d750d954b98c93d412f
SHA1 ea8ed935ef4a91ec148719da3fd6c69a7084ae35
SHA256 3019c2c297ace5e8c1d05be2be81148f5353268fda5b6dad38b1ae75aed45626
SHA512 7bb49eaa8030633ea1b4573d0b53aa278d2ff5a51a2eb5d81c2e3504cad8b8e11f4ae54a07839c7db2a2bd5e39f66fc0b54a8f6dc5adaad4863f5c549019ff0d

C:\Users\Admin\AppData\Local\TempWIGKF.bat

MD5 b96c1ebb8b5ae79aaf417f1571d5ca9d
SHA1 4c6aaa43c13cdaedfa9081a4b25ce410d9f7c22f
SHA256 5d01af8e8cfdfc694da1b87e6cf5e43d43c0ebd49c7683ad8bd1f7e6a3bdb85d
SHA512 63a1dc44375831ad55eb83976cdcfcbed3c69f6d6eae78802ec684e4c77dbb29d477e29cfff6d57c1916b43687d7180e4c4620abe20b5bcb611eef764fe3b60f

C:\Users\Admin\AppData\Local\TempUQYPE.bat

MD5 e5f6bb61139965cb6eb667a51c1c94dc
SHA1 28029916e0b2629120efac44758bac285fe4288f
SHA256 de653e425d22be0931c13a52d954bc15f722f65167d1e43906f7e363bb1e0e5e
SHA512 b83b86d6fa5b8d1491834b09c9e811c38ed253423e275b069b7fc502d070bf72eb249ee8581d109096f9ba94539323f0ad669ef122c013b8b8cd0e35bed57952

C:\Users\Admin\AppData\Local\TempMPQVC.bat

MD5 01005956b2e2f9618ee5d54677a17f9e
SHA1 d06659adf8a2855ee3ad04156b940a9563c9dc64
SHA256 ee05376f2a67ea7274259ca95873248ea3ee11b830ec3c4337651ad369e0a20a
SHA512 56de6a0800e4b55ff3bc177e923cc78f83c3254a186d5b876c4085c203f4d4b40785e8609e44074873823e1fa2b6970c8c30d677f1701b53c77efd33daa125ba

memory/2740-501-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2740-506-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2740-507-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2740-509-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2740-510-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2740-511-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2740-513-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2740-514-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2740-517-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2740-519-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2740-521-0x0000000000400000-0x0000000000471000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-25 22:01

Reported

2025-02-25 22:04

Platform

win10v2004-20250217-en

Max time kernel

112s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMWEAOTYFFDLEIX\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TWMGELUKQIYQEOE\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\LHVTJUNLOEJXWIQ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCIAF\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DLDVMJEXNOLUGMR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIAQHGR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\QJIQEEFAFBWRELG\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TNFLSDERXPWLVLH\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\UOGMTFFSYQYMWMI\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXOJI\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GPGYPMHBBQROXJP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QJIQEEFAFBWRELG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNFLSDERXPWLVLH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UOGMTFFSYQYMWMI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCIAF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLDVMJEXNOLUGMR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GPGYPMHBBQROXJP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIAQHGR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXOJI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TWMGELUKQIYQEOE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LHVTJUNLOEJXWIQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WDMVTEAYLEYFVOR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPHNUGGTARNXOJI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HWXUDEPVMKOJQFG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WYOIBGNXNSKSGRH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AWVMCQMKYPBPRMF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TWLFELUKQHYPDOE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CYXBOESOMRDQTOH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VYNHAGNWMRJRFQG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WUCDOVLJNIQEFYW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MEUDLAAVBRMHBGV\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AFTTGIDBEYTHOJN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LOEWUDXMCIAQHGR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PKILAOVFQVFSDBG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GQHESWIJGPBHMCO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BYMKJNAEAOUMCCE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HJVVWRQWSIVDMDX\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UGDHDKWAXSQATIW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPGYPMHBBQROXJP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KGDUSIIKFCDMIWV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESOQUSVGLQDAPXP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YLCPLJXOAOQLEHI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLDVMJEXNOLUGMR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BDXTOCYJEIYWFRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRNQTSUGKPCAOWO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XLMHFIXLSBNSCOX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMWEAPTYFGDLEJX\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HODEWVDEXNIRIGR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHVTJUNLOEJXWIQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GTAJXTRBWIBVXCS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFLSDERWOWKVLH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ITYUIVGFJWXAKQX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRQAYMLNIGNJYMT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QMLYFPYWGDNHIYR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QJIQEEFAFBWRELG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KXENXUFBMFGWPSU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMDVNJEXNOMUGMR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KQVGEIDLWBYTRAA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOGMTFFSYQYMWMI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SKGBRKLUYKLJRDK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HUQTWVXJNSAGDRR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XKMHFHXLSBNRCOW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMWEAOTYFFDLEIX\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIWVHPHYQMHXRCS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TSCONPKIPLAOVEQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YUIVGFJWXAKQXXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TWMGELUKQIYQEOE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MDNTLCBEFTBPOAI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWSAVYXLPUBCIAF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IMJJURPTOWKMELL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGFHCAHCXSGN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CAEHTUPNQFTBJAV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLDUMIDXNOLTGMR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GUBKXTRCWJCWYDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNFLSDERXPWLVLH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XUTXKAOKIYWNMPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUJDCJSINFWNBMC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RQCKCTLHCSMNWMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBWPVNEOHGIYUVD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4000 set thread context of 3816 N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXOJI\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\QJIQEEFAFBWRELG\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DLDVMJEXNOLUGMR\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GPGYPMHBBQROXJP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\TNFLSDERXPWLVLH\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\LHVTJUNLOEJXWIQ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\UOGMTFFSYQYMWMI\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCIAF\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QJIQEEFAFBWRELG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNFLSDERXPWLVLH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UOGMTFFSYQYMWMI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCIAF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLDVMJEXNOLUGMR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GPGYPMHBBQROXJP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIAQHGR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXOJI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TWMGELUKQIYQEOE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LHVTJUNLOEJXWIQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4084 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe C:\Windows\SysWOW64\cmd.exe
PID 5092 wrote to memory of 4012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5092 wrote to memory of 4012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5092 wrote to memory of 4012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4084 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe
PID 4084 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe
PID 4084 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe
PID 4060 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4060 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4060 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4100 wrote to memory of 968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4100 wrote to memory of 968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4100 wrote to memory of 968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4060 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe
PID 4060 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe
PID 4060 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe
PID 1792 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3180 wrote to memory of 1464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3180 wrote to memory of 1464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3180 wrote to memory of 1464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1792 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe
PID 1792 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe
PID 1792 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe
PID 3232 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3232 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3232 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 536 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 536 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 536 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3232 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe
PID 3232 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe
PID 3232 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe
PID 4604 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4824 wrote to memory of 464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4824 wrote to memory of 464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4824 wrote to memory of 464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4604 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe C:\Users\Admin\AppData\Local\Temp\QJIQEEFAFBWRELG\service.exe
PID 4604 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe C:\Users\Admin\AppData\Local\Temp\QJIQEEFAFBWRELG\service.exe
PID 4604 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe C:\Users\Admin\AppData\Local\Temp\QJIQEEFAFBWRELG\service.exe
PID 612 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\QJIQEEFAFBWRELG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 612 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\QJIQEEFAFBWRELG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 612 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\QJIQEEFAFBWRELG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 3724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2948 wrote to memory of 3724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2948 wrote to memory of 3724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 612 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\QJIQEEFAFBWRELG\service.exe C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe
PID 612 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\QJIQEEFAFBWRELG\service.exe C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe
PID 612 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\QJIQEEFAFBWRELG\service.exe C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe
PID 2496 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2568 wrote to memory of 4584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2568 wrote to memory of 4584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2568 wrote to memory of 4584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2496 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe
PID 2496 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe
PID 2496 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe
PID 3652 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe

"C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXIACQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ITYUIVGFJWXAKQX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe

"C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BYMKJNAEAOUMCCE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe

"C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBRSPX.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DIWVHPHYQMHXRCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUQYPE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IMJJURPTOWKMELL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe

"C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUVHIF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QMLYFPYWGDNHIYR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJIQEEFAFBWRELG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\QJIQEEFAFBWRELG\service.exe

"C:\Users\Admin\AppData\Local\Temp\QJIQEEFAFBWRELG\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFGEME.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KXENXUFBMFGWPSU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe

"C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDGHQM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XUTXKAOKIYWNMPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe

"C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKWHGK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CAEHTUPNQFTBJAV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe

"C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMPQWC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GUBKXTRCWJCWYDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNFLSDERXPWLVLH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TNFLSDERXPWLVLH\service.exe

"C:\Users\Admin\AppData\Local\Temp\TNFLSDERXPWLVLH\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUJXFN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KQVGEIDLWBYTRAA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOGMTFFSYQYMWMI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UOGMTFFSYQYMWMI\service.exe

"C:\Users\Admin\AppData\Local\Temp\UOGMTFFSYQYMWMI\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLPQVC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GTAJXTRBWIBVXCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe

"C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYXTTU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PKILAOVFQVFSDBG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe

"C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempADSXJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MDNTLCBEFTBPOAI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCIAF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCIAF\service.exe

"C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCIAF\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRNBMV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YLCPLJXOAOQLEHI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLDVMJEXNOLUGMR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DLDVMJEXNOLUGMR\service.exe

"C:\Users\Admin\AppData\Local\Temp\DLDVMJEXNOLUGMR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFFYOJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUCDOVLJNIQEFYW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe

"C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKSFLQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKCTLHCSMNWMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe

"C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOACFX.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SKGBRKLUYKLJRDK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe

"C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYXFGP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HWXUDEPVMKOJQFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe

"C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIJSOC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AWVMCQMKYPBPRMF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe

"C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNLPKS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDXTOCYJEIYWFRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe

"C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempENEYC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UGDHDKWAXSQATIW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPGYPMHBBQROXJP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GPGYPMHBBQROXJP\service.exe

"C:\Users\Admin\AppData\Local\Temp\GPGYPMHBBQROXJP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKWSQU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AFTTGIDBEYTHOJN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIAQHGR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIAQHGR\service.exe

"C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIAQHGR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKLUQD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYXBOESOMRDQTOH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe

"C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHPHBK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KGDUSIIKFCDMIWV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXP\service.exe

"C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSYEFC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WDMVTEAYLEYFVOR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXOJI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXOJI\service.exe

"C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXOJI\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCUYTQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XLMHFIXLSBNSCOX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe

"C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempACQML.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YUIVGFJWXAKQXXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWMGELUKQIYQEOE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TWMGELUKQIYQEOE\service.exe

"C:\Users\Admin\AppData\Local\Temp\TWMGELUKQIYQEOE\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPNSFJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HODEWVDEXNIRIGR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVTJUNLOEJXWIQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\LHVTJUNLOEJXWIQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\LHVTJUNLOEJXWIQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCUYTP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XKMHFHXLSBNRCOW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe

"C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe"

C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe

C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe:*:Enabled:Windows Messanger" /f
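The process list above is what the "Adds Run key to start application" and "Modifies firewall policy service" signatures fire on. Two patterns repeat: a cmd.exe-launched batch file runs REG ADD against HKCU\...\CurrentVersion\Run with a value name of 15 random uppercase letters pointing at %TEMP%\<15 uppercase letters>\service.exe, and the final copy re-enables exceptions in the legacy Windows Firewall policy (DoNotAllowExceptions = 0 under SharedAccess\Parameters\FirewallPolicy) and registers itself in AuthorizedApplications\List with the legacy value format path:scope:state:display name, here labelled "Windows Messanger" (misspelled, as in the sample). The Python below is an added detection example written for this page, not the sandbox's own signature logic and not code from the report; the sample command lines are copied from the list above plus one benign Run-key add constructed as a control, and the rule names and the user-writable-path heuristic are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample input: command lines copied from the process list
# (two Run-key adds and the two firewall-policy edits) plus one benign
# Run-key add written here as a control. Not a log exported by the sandbox.
SAMPLE_CMDLINES = [
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ITYUIVGFJWXAKQX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe" /f',
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BYMKJNAEAOUMCCE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe:*:Enabled:Windows Messanger" /f',
    # Control (constructed, benign): readable value name, Program Files target
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDrive" /t REG_SZ /d "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /f',
]

# REG ADD to the per-user Run key; the key may or may not be quoted.
RUN_ADD_RE = re.compile(
    r'REG\s+ADD\s+"?(?:HKCU|HKEY_CURRENT_USER)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"?'
    r'\s+/v\s+"(?P<name>[^"]+)"\s+/t\s+REG_SZ\s+/d\s+"(?P<path>[^"]+)"',
    re.IGNORECASE,
)
# Drop location used by this sample: %TEMP%\<15 uppercase letters>\service.exe
TEMP_DROP_RE = re.compile(r'\\AppData\\Local\\Temp\\[A-Z]{15}\\service\.exe$')

# Legacy (SharedAccess) firewall policy keys, per profile.
FW_KEY = (r'"?HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters'
          r'\\FirewallPolicy\\(?P<profile>\w+)')
FW_NOEXC_RE = re.compile(
    r'REG\s+ADD\s+' + FW_KEY + r'"?\s+/v\s+"DoNotAllowExceptions"\s+/t\s+REG_DWORD\s+/d\s+"?0"?',
    re.IGNORECASE,
)
FW_AUTH_RE = re.compile(
    r'REG\s+ADD\s+' + FW_KEY + r'\\AuthorizedApplications\\List"?'
    r'\s+/v\s+"(?P<exe>[^"]+)"\s+/t\s+REG_SZ\s+/d\s+"(?P<value>[^"]+)"',
    re.IGNORECASE,
)
# Heuristic (assumption): executables under these directories are user-writable.
USER_WRITABLE_RE = re.compile(r'\\(?:AppData|ProgramData|Temp|Downloads)\\', re.IGNORECASE)
BLACKSHADES_FW_LABEL = 'Windows Messanger'   # display name string seen in this sample


def classify(cmdline):
    """Return the (rule, detail) pairs that fire on one process command line."""
    hits = []
    m = RUN_ADD_RE.search(cmdline)
    if m:
        name, path = m.group('name'), m.group('path')
        if TEMP_DROP_RE.search(path) and len(name) == 15 and name.isalpha() and name.isupper():
            hits.append(('blackshades_run_key', f'{name} -> {path}'))
        elif USER_WRITABLE_RE.search(path):
            hits.append(('run_key_user_writable', f'{name} -> {path}'))
    m = FW_NOEXC_RE.search(cmdline)
    if m:
        hits.append(('firewall_exceptions_enabled', m.group('profile')))
    m = FW_AUTH_RE.search(cmdline)
    if m:
        # Value format is <path>:<scope>:<Enabled|Disabled>:<display name>; the
        # drive-letter colon belongs to the path, so split from the right.
        fields = m.group('value').rsplit(':', 3)
        exe_path, scope, state, label = fields if len(fields) == 4 else (m.group('exe'), '?', '?', '')
        if state == 'Enabled' and USER_WRITABLE_RE.search(exe_path):
            hits.append(('firewall_exception_user_writable', f'{exe_path} ({scope})'))
        if label == BLACKSHADES_FW_LABEL:
            hits.append(('blackshades_firewall_label', label))
    return hits


def summarize(cmdlines):
    """Count rule hits across a batch of command lines, e.g. one process tree."""
    counts = Counter()
    for line in cmdlines:
        for rule, _ in classify(line):
            counts[rule] += 1
    return counts


if __name__ == '__main__':
    for line in SAMPLE_CMDLINES:
        for rule, detail in classify(line):
            print(f'{rule:36} {detail}')
    print(dict(summarize(SAMPLE_CMDLINES)))
```

The generic rules (Run-key or firewall exception pointing into a user-writable directory) are the ones worth keeping in a detection pipeline; the 15-uppercase-letter and "Windows Messanger" checks are sample-specific indicators that a rebuilt payload can change.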

Network

Country  Destination        Domain            Proto
US       8.8.8.8:53         tse1.mm.bing.net  udp
US       150.171.27.10:443  tse1.mm.bing.net  tcp
US       150.171.27.10:443  tse1.mm.bing.net  tcp
US       8.8.8.8:53         g.bing.com        udp
US       150.171.28.10:443  g.bing.com        tcp
US       8.8.8.8:53         tse1.mm.bing.net  udp
US       150.171.27.10:443  tse1.mm.bing.net  tcp
US       150.171.27.10:443  tse1.mm.bing.net  tcp
US       150.171.27.10:443  tse1.mm.bing.net  tcp
US       150.171.27.10:443  tse1.mm.bing.net  tcp
US       150.171.27.10:443  tse1.mm.bing.net  tcp
N/A      192.168.1.16:3333  -                 tcp
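Every row in the Network table that carries a domain was resolved through 8.8.8.8 and goes to a Microsoft-owned Bing host over 443, the kind of OS background traffic an analyst normally suppresses before reading a sandbox capture. The one row without a domain is a TCP connection attempt to 192.168.1.16:3333: an RFC 1918 address, no preceding DNS lookup, non-web port. That is the shape of a RAT contacting a hard-coded controller address; the report does not say whether the connection succeeded. The Python below is an added triage example, not the sandbox's own logic; the rows are the table above copied as text, and the background-host suffix list is this example's assumption.

```python
import ipaddress

# Constructed sample: the Network table rows copied as whitespace-separated
# text. The last row has only three fields because no Domain was recorded.
NETWORK_ROWS = """\
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
N/A 192.168.1.16:3333 tcp
"""

# Assumption: domains under these suffixes are sandbox/OS background noise.
BACKGROUND_SUFFIXES = ('.bing.net', '.bing.com')


def parse_row(line):
    """Parse one table row; a missing or '-' Domain cell becomes None."""
    fields = line.split()
    if len(fields) == 4:
        country, dest, domain, proto = fields
    elif len(fields) == 3:
        country, dest, proto = fields
        domain = None
    else:
        raise ValueError(f'unexpected row: {line!r}')
    if domain == '-':
        domain = None
    host, _, port = dest.rpartition(':')   # rpartition keeps IPv6 hosts intact
    return {'country': country, 'ip': host, 'port': int(port),
            'domain': domain, 'proto': proto.lower()}


def triage(table_text):
    """Split endpoints into background traffic and C2 candidates with reasons."""
    rows = [parse_row(l) for l in table_text.splitlines() if l.strip()]
    # Domains the sandbox actually saw resolved (UDP/53 rows carry the name).
    resolved = {r['domain'] for r in rows
                if r['proto'] == 'udp' and r['port'] == 53 and r['domain']}
    background, candidates, seen = [], [], set()
    for r in rows:
        if r['proto'] == 'udp' and r['port'] == 53:
            continue                      # DNS queries are not endpoints
        key = (r['ip'], r['port'], r['proto'])
        if key in seen:
            continue                      # collapse repeated connections
        seen.add(key)
        if r['domain'] and r['domain'].endswith(BACKGROUND_SUFFIXES) and r['domain'] in resolved:
            background.append(key)
            continue
        reasons = []
        if r['domain'] is None:
            reasons.append('no DNS lookup preceded the connection')
        if ipaddress.ip_address(r['ip']).is_private:
            reasons.append('RFC 1918 private address')
        if r['port'] not in (80, 443):
            reasons.append(f'non-web port {r["port"]}')
        candidates.append((key, reasons))
    return {'background': background, 'candidates': candidates}


if __name__ == '__main__':
    result = triage(NETWORK_ROWS)
    for key in result['background']:
        print('background', key)
    for key, reasons in result['candidates']:
        print('candidate ', key, '; '.join(reasons))
```

A connection with no domain is the signal that matters most here: a RAT built with an IP address rather than a hostname never generates the DNS query that most network detections key on, so the hunt has to start from the connection table itself.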

Files

C:\Users\Admin\AppData\Local\TempXIACQ.txt

MD5 471eb1050dfb01e7204011b0b79ad7fb
SHA1 bbd6a22dce8422c708f486cfcca371c4830b364f
SHA256 7747882bb31496edb9a0f7954c9d6595d73e59b32c41d87de343e02be6a9f78e
SHA512 4ccf51e24882e4d99fed33ceec4390a3d7810ce19ab9869db7719cf68e917d52a26ec2fe44e52698bb652826de79b8d5eced1cf01e21d012a642ba041e837593

C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.txt

MD5 522709b336b58a34e63c7427529611b4
SHA1 39a007de63f061b825f266cb59c25f994779f632
SHA256 939c1c6fa74bc3b2de4c16de50a9494c4de0e45ef137cea975cc5cc599c3c96f
SHA512 ae4f73933d5133d5505ee8a2e3cf5b272424206b396fa1ffdffcac40bb43fcc513d662b36a3a86493434f25e68a8d2ee215f576150c891fba277cd639effb752

C:\Users\Admin\AppData\Local\TempGUCQP.txt

MD5 da2da4db20b9c85b0ba6636edc06c00d
SHA1 92893883053fd258f00f4fbc5308e53fd3c785a7
SHA256 8fcac993078b5faabc185c771380087092f93e72411ce0cbeada60351e0d598a
SHA512 14d1c25f6c74bf4b05bbce3c69c7463933d7d0fe9dab4cd022842b5c9623864cf8dab2be444f620024670d89dff16c13fd1a3a908532333778c49e33549a9474

C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe

MD5 435b43d3d20243096dd1a7d4f369b0bc
SHA1 cfdcb9ab7eca91c0ebd725fccc70cdc92424aa40
SHA256 0bdb82f72927add44603343a8784ffdf8181dd892d849b3b092ff6a54462b2af
SHA512 b02b9c3e4dc8b6860424e3115d50fb06ebe53d5e0d7eb0d0bfe4da58be7bf6567204cbaa0edc290374b3a125aed57a329cb7e62f41b41c7f8db12e58be202c85

C:\Users\Admin\AppData\Local\TempBRSPX.txt

MD5 d3213841806caceea777ff87e0167695
SHA1 31bd92efa6ab0d27ad6cb690b425db8e167528b5
SHA256 e1ff61f68aaf669aedce7ec0f607bf6755ff98f3f7f0369a5dfe40b415281a2f
SHA512 f49b894249b54b486d1a90402e5415621eb0a7c8eeff2c4d3bdc43166cbc2ddad0bbd969ebd6d67ddd9a33f38bff7d2ea997ecaa907e3e4e31a98571071127bf

C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe

MD5 30ef6d6768187c02e21a7ad2d42f8d76
SHA1 5b3ad781b4ea483b6e206ff180aa4e2030cc6746
SHA256 018902ee3697b7b17e90f792477130e2f7d74f4d4cd121c224287dd1a78ea84e
SHA512 3b0475893da8848087301daf8b3269e3a8cb1fd08ec0fb7dfe4560842252c25f098c19e6ac88f6cf70d2ed7903d6a4979b9a55513186a1999197ec3060655c2a

C:\Users\Admin\AppData\Local\TempUQYPE.txt

MD5 5a4384ad153eee40e71481f1b84e2979
SHA1 c4f6eaf1a1a7e034ead8fb98d9f946ae66547733
SHA256 e24020f861db2b12a14f5de1030b174886ce889fe47e68fa46f555d2484ec935
SHA512 68a15ebf11eb0c7e315606916b9e3420d6bdeeb4cb0ec9b822fa629bd0ecbbba379c81b966ce5c686f7d47b51dc9d1752faf4ded1fb3c3b3ec11aba06258cf09

C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe

MD5 8c181c308fa6eae229678f770f855f1a
SHA1 7f33131c9416a401947bf45b843b3e18dc914487
SHA256 69f1f91363792e98166e762c7be6ed00c20e8c96956e8f1a6efafcb978fe1f3c
SHA512 bd55d9316ce36e8d7c7318075844531d32e793c1e29a266700f471256012cce495a2ff329319c04da30623c2a60677d09aa6761fb63aa4d509dac46ae8e4b081

C:\Users\Admin\AppData\Local\TempUVHIF.txt

MD5 c612bdf9e59b062a01bc9550b67d4322
SHA1 9b22839c78ba43f6d57e00a0aefba11edab91ceb
SHA256 084ee87bda829113625fd1087d234dd3e538187cc69780f6d0185659f67560b6
SHA512 aca3eb8da86bad82b12cf8a1ab06db5a82cfd4fc185fd329276268af7572b84de29d85648475ec17fe4ff66fd1c7172db78c1541c9e5cc339394927759851c9d

C:\Users\Admin\AppData\Local\Temp\QJIQEEFAFBWRELG\service.exe

MD5 e9b600601a32ec1691bb6040fcae505b
SHA1 f3c584e7ca5aa3b4a5138fc1bba663ca1fad669a
SHA256 e7ac219dc75fe5ff0223a64469fe35cd848c56bb0302af7151555193821fb72f
SHA512 dcee72575dddf8bc7607a83eea4029f2d3debb49fbefd25e5b9bbfef346b952d658824e45d9c1e601adb81ec7fe8c33e1977149586c4f39952a4ac5f2db3c4f9

C:\Users\Admin\AppData\Local\TempFGEME.txt

MD5 9ad31f63c61d7346f4c43878045ffec2
SHA1 3b1ec0a1d60a4088d6081308864f5e740159080e
SHA256 954d8e16ef3604f9bdd397b77cc9a44263164f591dc392d6490df2369fe79b2f
SHA512 4cfe6ca028a44e9d57ab0f192de5092c71dd06a5178c8887057d09f787c79d3c1f5a2065b75f71450d7eec70897ed47672b13bc5c771669764a2f640c71702f2

C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe

MD5 86c0003fffa0d4e849c58797a9c9f4d7
SHA1 be94afaf505810a858b7e32ce9b55b9ae33685bc
SHA256 374fcfd0c51055a0ff8e2828f6aa51a6953157e7a697a034846c47a02f32ff62
SHA512 267af8189642299362c8cd5bb53e61a37e3431e8aed86d5a3ada89308b1e07ad1bcd9ae2cbe4e52bc1f2cd4f5bdff9c1cb7c38eb56b883152379f3d284949124

C:\Users\Admin\AppData\Local\TempDGHQM.txt

MD5 c1e9cc859b16b9aaf13c7abbc8695e56
SHA1 fb49c82be270cefd43f9154a833d9f1fd2b811dd
SHA256 fd1db65b4c055373a0a760d16e5e68b96b8d83802200465c0c07a43eb6050027
SHA512 dd2803c4bb852df4f419bfd558036ab6503de0b5883719540b71b7d134fd9eae0e1d3fd61add84ae9203c08af3f3483d18e23c122af0f408e5382b0b831d2114

C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe

MD5 4e0ce3f9c984f34f64970e1ddad574b2
SHA1 5f1c4d4b9cfd3c97ac84a14c7835de6b2f3d4770
SHA256 1037e3681f816830de0506db70463b7c8ab6b5281d7a06fc8df39a28114c5a18
SHA512 a1b5b8c5fe5e220cb6fe72afeb00d034e634f86305debf710cd86ed334e4e3a05026b7f4d367cd3850b9f289e99f31eab7ac05628782243ddbfc539ad78f4a51

C:\Users\Admin\AppData\Local\TempKWHGK.txt

MD5 7d91fbae34e3b22b8ecd08e9589faf4e
SHA1 c0a663f1ed8b2c31fa3e07ff9ea2beb36b14d2b0
SHA256 c415e6c0545dbab68eb36e8ed2726658f1b06c18c2210c28cd87a5ea6c461590
SHA512 3202b819a02005b4de6c990c4235904cddb05f3a20c3549ebdb7016ecd4bcdb4f9976ce24596c26154bac6f6e6133cdcffa4f468f67465507baf3e3eefefbae7

C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe

MD5 87df7ce0e57ccfe26c5fe4b5c5d6f979
SHA1 5904a120a4df02e8625cf8202421dc757eaa6eeb
SHA256 e50a5f809fd1ca0e5773f8c707e053406b53716a928d2f78c6c825645ea331a1
SHA512 ec59b8d3912fae70242bd5bda31730a81e082f28ff85bcf8d8269260dc233a9ca141714d847a8e2860cb09c48914c81606a933e05c9cf6c2da81778ac1438d5c

C:\Users\Admin\AppData\Local\TempMPQWC.txt

MD5 3aa66717fe1890e4085403eb810d29b3
SHA1 d8f2d0ac14c84a58a54d09adbb68a3d72df92bed
SHA256 13699c0be9d2040018c11108589b2be7a2bf877aec3fecdd015e92f5d1054671
SHA512 6d44cd6fc744ee57c66f3905d463a3a6f4a9f21667d2c72fd50777aa56bb52d8632908558dc33c7d04ca56a052add1970b3caaaeb9d10fb08d3fa3edfad344b1

C:\Users\Admin\AppData\Local\Temp\TNFLSDERXPWLVLH\service.exe

MD5 a8def4b05200185b59a93d42e165f858
SHA1 ca9cae57932c97c724afb65808f2c8bd7adca387
SHA256 46b1481a76f5d376158ab01aaf681847a38aac37b3030e02e046f5af3dddef46
SHA512 93c70f6a12e21f69a819475a0d465a1e44c2d079d55df785756aac7e52bf69cfb873b3c4a1bb32d7de4a13c4fc1dc5ab5fb81c03a65285a69474c1b5341eb2a5

C:\Users\Admin\AppData\Local\TempUJXFN.txt

MD5 5b7187ecd6398d75f46f2eca3fbcf074
SHA1 f92fc0f33830567906e6893c20a66e36ebe1d797
SHA256 d232b12818539833d1ba406d271601fbd78b61c0e50915595228586dc2a2e6a3
SHA512 a9daadc971328ccc826875a0b4bcf37a0f3aae40eaeede069fbf08e4ad3efb0083425610684499a70d721c01c1ddc0a7626e2cbaf9e0e1a7fedc63cc6c8afdb6

C:\Users\Admin\AppData\Local\Temp\UOGMTFFSYQYMWMI\service.exe

MD5 7a9081bcdb985be55b73862715ef5772
SHA1 aabb6363e9f40537e84b2dce934bdc2764da3ce1
SHA256 f539c48e3f79dc8f44e175d2d02c21afd689d4799b6ebdd0eadc9c7d9c9b3ccf
SHA512 ccc8e5a9cf7fba2dc7c49d715b76a55f7a7e816cd9b04a7ad223a162cf3d345597c859af8f5279b136ee82ee703451ec216a8209de19dc96b71af633addc583f

C:\Users\Admin\AppData\Local\TempLPQVC.txt

MD5 2934c1cd715b076e4de9967cce3f9b17
SHA1 fdbb5daa0e7a39fda2dcffb164215a3b0e74f955
SHA256 bb12a4465fe3c466fba0b4ffcb70c46241616110351d90d4d750b28702148ac2
SHA512 8ac735c8e6bf99d95fff5cd07bbef130a42d1bc4b4ece99f1413548e629a45563f6e16f6fa07574eb5d6dde60d1dd7f0208bf423b11359ab30ad529ede57fe42

C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe

MD5 2db7d74dc776ab997cbd297bae34e46f
SHA1 570751cf0afcc0c818e11fced0c7c9a25b6f71f7
SHA256 ed8513034ec171cd6a328c1b6af67c9fabe8ec95d76625ac78955dcfba1a6e49
SHA512 9aa0ed1d9b86bc98219ba3b0c99efa1f8941a83805246638be6cf1455e0b632af13a3ac8a7f282dd25d1e3bf400d2625c00b624bd0ae0280b956f67c3780a8dd

C:\Users\Admin\AppData\Local\TempYXTTU.txt

MD5 b02893b7e1264e03427657ad7e8d60cc
SHA1 67a83d11cabb1a5b009643c45f8dd03f84b36b69
SHA256 b23e099f605d205a37e7d6817808f1fe52c00187c831f87488f66936efab9ac0
SHA512 17ee8dedf20937b83758dc7dff8fcb0d03468d724923870c49be71c25e5382e9521fd35b744d0481ea3920e1af36f851f60b46ce3b15f39a51adfa963152b187

C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe

MD5 796f3e1a5516af61fd19718a18e89203
SHA1 7c9a0650a49a5d8d03fde8623ae0ed6dc4964339
SHA256 606356ec049f50c020ffa672fedaabbec13fff7a9eb932b5a805aef5af86fe17
SHA512 9d53600166c10729f798591525e59a126082f66b4c70aa645ec241536cf0b58e5e62927712669bbde9e61a6e979547c593fd50cfeacd0dafea9ceeed31890fe6

C:\Users\Admin\AppData\Local\TempADSXJ.txt

MD5 e8505431637028ceb2779f8bf990d7bf
SHA1 1827ff8626158e982611b8f53380f02266bb027c
SHA256 cd0722ed86358f34386e1d5bb74c109db375a417387927fa795d342d4051136c
SHA512 4357587b94e2d23300bae114509a7964e68805f6b3fc8f026d3db19a93e6a46b772c9bc1a711b6cdcb52ee33758e78e95c5012c2c120339f7734508f5beb9cb0

C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCIAF\service.exe

MD5 2217d85a853e5774d7a9af569454cb25
SHA1 3ca641de270a0cf35a4045f34f441a621d84195c
SHA256 82ffd6b80de8a0648d4104962e07d70ae134dc2454aca3c0d4c81c76e48c7a2f
SHA512 3877f43c76b874467b9c2853abcd84c94940b7e6588d35231998a0afde190c17ddd1a88726c70c3b9d0526073ae91e5461e5b19d07646c1b4aa19780353f75e5

C:\Users\Admin\AppData\Local\TempRNBMV.txt

MD5 0a66f3ef877543b735ac3975aac4f1d9
SHA1 1cb758fa73bc7310712b319ced995011c213a8fd
SHA256 d02abd7badf6a6feefd824e4d31afc5ca3ac90e520c25a33ac0e23bb2b099323
SHA512 941224ec57e97301c9406d3184babe326d4d1c4232127a7d4eaf26a173f17c68f08a9e82059148394376e09b0efb155cf42130bbe865d7f65bbc57d5c4b00057

C:\Users\Admin\AppData\Local\Temp\DLDVMJEXNOLUGMR\service.exe

MD5 e9e33575cd86b258e0201ab2d3be44e4
SHA1 3bdab4cbf3d6263696a0470964891336da2024bd
SHA256 8be60075706d3a441d3b42377f54ff2dcb9ca83000ab4d8dd19add740a4e3d15
SHA512 e715101d45df71e954ad4360893bd499028ddb598b949134abc809ce60c06fb3c52708920672c496757fc678dfcc3b1e7f8a76713f63fc33ae29b5f3ba9b6ce5

C:\Users\Admin\AppData\Local\TempFFYOJ.txt

MD5 f3719e263529fa662715cdd85fec8596
SHA1 6148a2364029aa9781f6f2d6143ad2b060483be5
SHA256 ee5e309ba64eb2c3b5f807c6b026a982ffee23b8bc50a9e3184b80e04275c9fc
SHA512 749de53bc273ea7004970b838725bf7c612d34254ed1ab6d5af5bb83518865a34ab97cb0a47a9804b60ba8a18c0fcdddc19f8e679f940ea04a2c72b747dc609f

C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe

MD5 4ffc0035013511f9b0ce1b03c2ad2d49
SHA1 2142dcf2ab1758af505f3eabc6dc0a34e6f38f2e
SHA256 4be2776aed720479f939bd8db2894b3fd2a8954d52ebd8ed2ec4ae8d7d0f7085
SHA512 93f267cfc96c93d69998101373729b2904887295bf71ead2c8b4bcbe59bc696bdcf5174248a5ef0fed1ed644b2a17d2a14d0e914bbcbc4cc06e882b949b6fbd7

C:\Users\Admin\AppData\Local\TempKSFLQ.txt

MD5 b26c8cc3ca5f915507cdbd939df6cd98
SHA1 41df0368c5141d0135229e8b792c94bc18980b4f
SHA256 f524ba0a509958fd34d65982d56b0c0da42676ed927bc88e19ac90a611b839a3
SHA512 57278b1b8023f38c0da26b937adf984b850efc224b9a1f73731a80a69e3235bebff9ed8c5d1b6a725ff89aa887f2b13bf5af20a3dd6eec7efff4b3ca9afee655

C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe

MD5 e0f9dd8d5154117681e0b2939cc6c3ff
SHA1 71764232e07d0dd55c44b4b8197daa80d3fda326
SHA256 172ee6d832c26b6b47bc2de0f6409e190b9a3570e7844930ca4f753a6912b06b
SHA512 7c99aea98b0e69f3b082c00dafd254ebae026ada7f7347206d1987be501d6fe2828df65538e695408c9da936dcf0009a4ef06945a99e32e3880b607c3da0d288

C:\Users\Admin\AppData\Local\TempOACFX.txt

MD5 5409b5fe067eff7e02a38c3ce47ade86
SHA1 206bd87521316ecad95022b5ffb09d19d19e28ee
SHA256 6bae98d721fdda2048e1b02261b9222fa249ce7f4c22f43ec4494af23b463414
SHA512 388916143217cf5e7542ea7ccaa2472f17ea3c237eab059831b7073e8cd6b827f1e88c0bc98603d94b553c532b334ebb0438f4b881b6abea8fa59770feefa4f3

C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe

MD5 6b08bfad03b4d985ea0b2a76212fb4ec
SHA1 38d688d3b46f80342e9ae08297c0a7eef16f919c
SHA256 9e54c0116517a2553e5334e8beb086e9fc745488090c40c7f81622de14e68126
SHA512 8149eb0315ce90f9844894527074550c68c9683e10dd2e042f6c96f76839d64b4db31db26cc919c4a081eed89fe68573ef76a35103cddc25872b08afda408a2a

C:\Users\Admin\AppData\Local\TempYXFGP.txt

MD5 534a5a9a08499c8112430066acd3f32f
SHA1 5e4b2ea4b3c026d710cd862cedc58e9a4ad3235e
SHA256 d7b2951ffac14cb21060566ccb4d395744b83685aadd1bd205355e119b68661c
SHA512 a8c6612fce49e11b06dfdd30d712ab912505bf3fa6e270accca1f3b823ea87917afe04dfe7d843b202303d47bcb4a3b7e98a209ee83c99f4276e89e56725bfdd

C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe

MD5 7470ff458389b6bac4842a5066a538ef
SHA1 8349c47748dbdc6a17ec8e2438adc9bb9a7834b2
SHA256 f65603f09a1461ed00f4585a791419edc7058317493cca961f41c1bbc672a70d
SHA512 c29a564f5df42e79c731686b4b7a7f5b7cef04dbeb3471d139c576eb6443cbb7461bbb9419b3de4de66ae630763f16eea0e6eda917b3bb62efb30b3c366fcd78

C:\Users\Admin\AppData\Local\TempIJSOC.txt

MD5 053b51eae04a6363b9e65a4032cc7a28
SHA1 23feb7c605b2844dc2fd81c3913a9f29e4729373
SHA256 a06777194667f0a0f210c26b5c9389bac9fcfdd76883de805d92aa5a05315b2f
SHA512 698597e9c0155dc5dec76f91de9a536c7f213b7c7383c6981b1804a899f9117943b16dbda3b0ecf531853332beab8a083431fcc44b251204692e12472f716ab2

C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe

MD5 72e34f84232ad3759734de2131cc87ed
SHA1 8f109f2396e23a8095d242f252dbbabd255b65df
SHA256 99c2f08a59f8026ea527e55cb599e0b6effec5bbebc5eca636e2b76a4472816e
SHA512 95b1fd82b9225df38b9512e58dadda0ff04fa3239c1542e784ad7a6e5544a4e27605283a3011bdc32960bc6ce4773d1d16df2bf5b62cdc986787994e78f51b2e

C:\Users\Admin\AppData\Local\TempNLPKS.txt

MD5 7e488893ead94784cbfdb3cad2be1267
SHA1 e179fa18b240c727b240a45d068e0eefb474c166
SHA256 4a63114693dfd3e67f87986e7bb37d64c885329c0817c3334b10ae87c5143cac
SHA512 2ecb16b534c6209b89d2f1cab3c7957d914228ac4c2bf9d3057150835c8b02638a25fa5350cc2d0059af153bffbf0743af9f08e0ded6418660079f0e9162ffa7

C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe

MD5 9691e005a8dd54141f6ec4fb0575c1b1
SHA1 7c3e5aadc7a920de2225c2f433b665bb5cdce619
SHA256 a45d50eac7b75ed52efbecec930415d1dd2a6573519017d5bc3699ec77591a3c
SHA512 a007618b87068f62f6d89aacd9e544ed016254ca1e7578bce44705aa94314fa29f888a5c16356bf59ca7da44197f1c987bbcf7c0ec576201a1cc828465a338c5

C:\Users\Admin\AppData\Local\TempENEYC.txt

MD5 450df8792ce97b3b149ee477a338f126
SHA1 5ed11369cc5067502ff2e23e0fba08508ac08e85
SHA256 5bcbd88e62ecbb95519094c7fe1966d29d68cdce5c2ad72fb3ff427b4b598624
SHA512 cb16108bc5c8dfc4e092b71b448505353b2a5bd103f436a88bb7d0705b61717a1a38eac618927d27e61f62af07facde2bafe77d616950c29477968debbf870b6

C:\Users\Admin\AppData\Local\Temp\GPGYPMHBBQROXJP\service.exe

MD5 9aad5cbb881327a1df7259beccb7f5dd
SHA1 c441a3c6f05331944956fb661357fdbbf6e9c743
SHA256 3ac6c49944591d88a80ef75c50d2b0105eace4f9f2d3426aec69dd8e56784f64
SHA512 17a2b832c3f2e0da8e03400a0bde1b14ad9f568cb6614b8dab1e48b04f8dba12569948058a06e750acb34323a0f547cf39e53d3e5e251ecea882a04e6c1c3493

C:\Users\Admin\AppData\Local\TempKWSQU.txt

MD5 de91ea33ca4a8e1a874454fdfec5e312
SHA1 3af287b5230dde3d44b6f32286fa8725d94ee00f
SHA256 c349090f80247ec2a98b77cd05d50bfac2a05c22c29b8e3eb0d7dc256fe29f81
SHA512 187f3de5ed575f9a96bffc908eaaffd25cc5731647a02290f005558baa43a744a85cc5ed142b45fb69403ace9f4b17a82ad6f2dcd568a0e27e38a8b397a85992

C:\Users\Admin\AppData\Local\TempKLUQD.txt

MD5 6a401fac14448a283b090176a53a6b0a
SHA1 d154a2cb98ece0bbe8a6f2d73a905132a15235a3
SHA256 25b5dfefe526d611b4e691a065a0a720f6ff92ec69dfb886fa4120c3d224818f
SHA512 4c2308e6af81edcce42193761419bf3017336aa6858191b30bc2342128273deb45486b44874813e5182715b6b7e472874db8a4d3a9343ea3dce1c94c98434887

C:\Users\Admin\AppData\Local\TempHPHBK.txt

MD5 8506c3afdc08f02c6faaf2a2db024105
SHA1 131df5fa44be3c51c24326e0a7c24e894b78a053
SHA256 0e56f8c609148994ddccfbef8ebc13b6453c83fcc1ed41638403b8c4d599ca37
SHA512 c13a347a4e2fd5936517a342a74f1019735c7bee46c2b74511a10d194a0bd452496ae3d536da233e957ddf9f2cb34e79ee425f2a4de2f13e6af1b70520b2ca5a

C:\Users\Admin\AppData\Local\TempSYEFC.txt

MD5 28c24a343f70d490fc8f69dbc2484456
SHA1 f68463620b1fd8d538c92ae77aeb8551ddf321a4
SHA256 1f0da84ecad4d62c31518eca826c46fec9900f135c059c5e69f7573ba4fa1fae
SHA512 1781ea0c79a8510c2ed3af903c73455f3499f8ccf8a9ceff262ecb1f016d2035f8738419c4938cbdefffe5b59b9d0ac9d37b927fae4773a19537144eac321a5b

C:\Users\Admin\AppData\Local\TempCUYTQ.txt

MD5 46f19fd0c708b38dcea1eaf6a92f0c50
SHA1 c48b7c70aba151004bd4bfecd6888c3a7bf628e4
SHA256 3ccc4288690f3ace49bfcfd1faaa011fc300f00cddedbba9004d1750e08fa966
SHA512 fe08992afbf445b47ab9c052c12bb75f6916b2ee6b28fa6af4668cec15afa0d484539f78ed01fa70a45084128e9401c1b216dd024afab0d70be8548be2bc7653

C:\Users\Admin\AppData\Local\TempACQML.txt

MD5 d31a68da3485c625bac4ed229893269d
SHA1 4ae2e3e3e724e2c9bb564ef2a79ac8951d0f9645
SHA256 009657391d332655c29c95bb7af06c3190ba1d35a0870ba5b827b72167096574
SHA512 c99256691cb2bdea9dca38d1b168bc36e8bd3e309b5d44e0be236372816ba3c2028c3cc1cb5c51c9110520b0cd76f8ca8ec57055199035fc13f32d228205c83f

C:\Users\Admin\AppData\Local\TempPNSFJ.txt

MD5 c0edc66b457ed702751323675f9e41c0
SHA1 2afca3bd12c044a43da495258b677b4f6dde20be
SHA256 ca31a05bbf0e08aec98dcad00e194198a3deec6bf2eb31d9d0f8b59aa1051281
SHA512 fba94087087be02529828d95455c3915d7f16e79ae715e754397b19bc12bf11cf0dfe1958411e35c76ec8ed015de29a9080a08f59231285b4c069be09f528069

C:\Users\Admin\AppData\Local\TempCUYTP.txt

MD5 08ea9b0793b821c5dd895aac5ca0e326
SHA1 b9eac1ef591128a43725fd1d4f525b797b2cc2df
SHA256 41c44fd2715d67ffa4cab875cf4dcd75ca4b38abb402c26fe7d89458a4581293
SHA512 b77ff1a7904295fe98ec0b5173f9f766da7fa24efee8a64f119e660b5739e8a50f8bb0b15da1385804dfa754d493c54d8487cf0a2efbe885ba961251cc813d64

memory/3816-762-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3816-763-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3816-768-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3816-769-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3816-771-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3816-772-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3816-773-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3816-775-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3816-776-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3816-777-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3816-778-0x0000000000400000-0x0000000000471000-memory.dmp