Malware Analysis Report

2025-05-28 17:56

Sample ID 250305-d7zg8axwgv
Target 70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff
SHA256 70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff
Tags blackshades defense_evasion discovery persistence rat
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score
10/10

SHA256

70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff

Threat Level: Known bad

The file 70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff was found to be: Known bad.

Malicious Activity Summary

blackshades defense_evasion discovery persistence rat

Modifies firewall policy service

Blackshades

Blackshades payload

Blackshades family

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-05 03:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-05 03:39

Reported

2025-03-05 03:42

Platform

win7-20240729-en

Max time kernel

150s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HUQTWVXJNSAGDSR\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDTCKUQLGAFUVSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PIYHPDDEYEAVQDK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFYOPMVHNS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMXN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIEYTHO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CTMRKAKEYCFVRSA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKILXBYGU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ESORUSVGLQDAPXP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSJRGQG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJMTD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWDDBJC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RUKECJSJOGXOCMD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPIOVGHAUBROYOK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LHVUKUNMOAEJXWI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNGMTEFSYPXMWMI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WONVJJKFDKGWJQA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MFUEMAABVBSMAHC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CQMYOSQTEJOBNVN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RJIQEEFAFBWRELG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDTCKUQLGAFUVSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDTCKUQLGAFUVSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PIYHPDDEYEAVQDK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PIYHPDDEYEAVQDK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFYOPMVHNS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFYOPMVHNS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMXN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMXN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIEYTHO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIEYTHO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CTMRKAKEYCFVRSA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CTMRKAKEYCFVRSA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKILXBYGU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKILXBYGU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ESORUSVGLQDAPXP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ESORUSVGLQDAPXP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSJRGQG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSJRGQG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJMTD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJMTD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWDDBJC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWDDBJC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RUKECJSJOGXOCMD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RUKECJSJOGXOCMD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPIOVGHAUBROYOK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPIOVGHAUBROYOK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LHVUKUNMOAEJXWI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LHVUKUNMOAEJXWI\service.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\QRNLNDQYHSXIUFE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOXGCQVGHENFKBY\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\JNKKWSQUPXMNFMM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TMLTHGIDBIEYTHO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\WCUYTPQDJQQBUUJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQHRKILXBYGU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\GVVIKFDFVJQKPAM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYUCWYMRWDDBJC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\FSIWSQAVHBVXCSL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RLEKRCDQWNVJUKG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MLYFOYVGCNGHXQU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMRYKAKEYCFVRS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\DRRFGBCXSFMHMJU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPIOVGHAUBROYOK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\NMHQXIEPIJSVWIJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BTLRYJAKDXCEURR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\FGBCXSFMHMJURPT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HUQTWVXJNSAGDSR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\GYXTUHNUUFYYNWJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNEWOKFYOPMVHNS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\ONHQYIEPIJSWXJK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMRKAKEYCFVRSA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\CSOPLKXENXVFBMG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QJYIQEDFAFAVQEL\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\CYXBPFSOMRERTOH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VYOIAGNWMSJRGQG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\EGBCXRFMHLIUQOS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GUQTWVXJNSAFDRR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\OACFQRMLNDQYHSX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJASKGBUYKLIRDJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\IEDQGUQOTFTVAQJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCIPYABOTLTHS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\NOJHKNUDPUEQCAE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FPYGDRVHIFOAGLB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\SXUIUFEIVWJPWWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDWGSSTOMTPESAI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\GBCXRFMHMIUROSN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRMPTRUFKPCOWNB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\GTAJXTQBVIBVXCS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGMTEFSYPXMWMI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\EQRMLNDQYHSXHUF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTRISLKMCHVUGP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\VMABWSNAWHXCHWX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHVTKUNMOAEJXWI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MBLBWTSWKANJHXW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WONVJJKFDKGWJQA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HWXUDDPVMJNIQFG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFUEMAABVBSMAHC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\FKXGGSYPMRMTIJB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PIYHPDDEYEAVQDK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\NSOCOAXCVUQREJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLLMHFMIYLSC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\LRWIGKFMBYCUTBC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RLEJQCCQVNVJUKG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\PLMXUASWRNOBHOO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RJIQEEFAFBWRELG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\UITJFERHVRPUGAU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBUEQPRMKRNCQXG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\XWANDRNLQCPSNGJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXMGFMVLQIQEPFB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\BYDVTCCWLHPGEQN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESORUSVGLQDAPXP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\XVTYLBPKIXNANPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUKECJSJOGXOCMD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MRNBOWCUYTPQDIP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKKLGELHXKRB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\CDAJBGVUIJEDFVI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMSKBLEYCFVRSA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\XYBLRYYJABDRNMG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IVRAUYWKOUABHET\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MYJIMDNTLCBEFTB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LDTCKUQLGAFUVSB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\REBQYQDFAAVQELF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOHMTFFTYAQYMXN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\AOWOCDXUPCYJEJY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFLSDERXOWKVLH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\POSFJFDTRIIKFBC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPEXVEXNDJARIHS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\OTPDQBYEWVRSFKR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRQAYMMNIGNJMTD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HDBRXPGFIDAJXFT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBQUGHEMFKYA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\ABWSNBWIXCHXYVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQMYOSQTEJOBNVN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\GKBMOJHJNUDOTEQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQFYWFYOEKBSJIT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\BNOJHKNUDPUEQBA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYUCXNRWDEBJCH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\XWTUGMTTEYXMVIH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHVUKUNMOAEJXWI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\NCMCXUTXLBOKIYX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKJLGELGWKRA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\UYVJVGFJWYAKQXX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDWGSRTOMTPESAI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\LHVUKUNMOAEJXWI\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMXN\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CQMYOSQTEJOBNVN\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWDDBJC\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RJIQEEFAFBWRELG\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WPIOVGHAUBROYOK\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJMTD\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IESYQHRKILXBYGU\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MFUEMAABVBSMAHC\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIEYTHO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDTCKUQLGAFUVSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PIYHPDDEYEAVQDK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFYOPMVHNS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMXN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIEYTHO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CTMRKAKEYCFVRSA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKILXBYGU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ESORUSVGLQDAPXP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSJRGQG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJMTD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWDDBJC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RUKECJSJOGXOCMD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPIOVGHAUBROYOK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LHVUKUNMOAEJXWI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNGMTEFSYPXMWMI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WONVJJKFDKGWJQA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MFUEMAABVBSMAHC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CQMYOSQTEJOBNVN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RJIQEEFAFBWRELG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff.exe C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff.exe C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff.exe C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff.exe C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2668 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2668 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2668 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2236 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff.exe C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe
PID 2236 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff.exe C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe
PID 2236 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff.exe C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe
PID 2236 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff.exe C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe
PID 2808 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2676 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2676 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2676 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2808 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe
PID 2808 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe
PID 2808 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe
PID 2808 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe
PID 2848 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1632 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1632 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1632 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe
PID 2848 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe
PID 2848 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe
PID 2848 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe
PID 2504 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2836 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2836 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2836 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2504 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe C:\Users\Admin\AppData\Local\Temp\LDTCKUQLGAFUVSB\service.exe
PID 2504 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe C:\Users\Admin\AppData\Local\Temp\LDTCKUQLGAFUVSB\service.exe
PID 2504 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe C:\Users\Admin\AppData\Local\Temp\LDTCKUQLGAFUVSB\service.exe
PID 2504 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe C:\Users\Admin\AppData\Local\Temp\LDTCKUQLGAFUVSB\service.exe
PID 2208 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\LDTCKUQLGAFUVSB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\LDTCKUQLGAFUVSB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\LDTCKUQLGAFUVSB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\LDTCKUQLGAFUVSB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 320 wrote to memory of 2040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 320 wrote to memory of 2040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 320 wrote to memory of 2040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 320 wrote to memory of 2040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2208 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\LDTCKUQLGAFUVSB\service.exe C:\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe
PID 2208 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\LDTCKUQLGAFUVSB\service.exe C:\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe
PID 2208 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\LDTCKUQLGAFUVSB\service.exe C:\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe
PID 2208 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\LDTCKUQLGAFUVSB\service.exe C:\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe
PID 1692 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff.exe

"C:\Users\Admin\AppData\Local\Temp\70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempBXPVH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XYBLRYYJABDRNMG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe

"C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWBRKN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UITJFERHVRPUGAU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe

"C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWWSST.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOJHKNUDPUEQCAE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe

"C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempPOAIA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MYJIMDNTLCBEFTB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LDTCKUQLGAFUVSB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\LDTCKUQLGAFUVSB\service.exe

"C:\Users\Admin\AppData\Local\Temp\LDTCKUQLGAFUVSB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempIVWWB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QRNLNDQYHSXIUFE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe

"C:\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempIJRNW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FKXGGSYPMRMTIJB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PIYHPDDEYEAVQDK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PIYHPDDEYEAVQDK\service.exe

"C:\Users\Admin\AppData\Local\Temp\PIYHPDDEYEAVQDK\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempABPYL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SXUIUFEIVWJPWWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe

"C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKTPCO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWANDRNLQCPSNGJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe

"C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVKKLT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GBCXRFMHMIUROSN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe

"C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempIVCTM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GYXTUHNUUFYYNWJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFYOPMVHNS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FNEWOKFYOPMVHNS\service.exe

"C:\Users\Admin\AppData\Local\Temp\FNEWOKFYOPMVHNS\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempBAYEW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GKBMOJHJNUDOTEQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe

"C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKYHSP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "REBQYQDFAAVQELF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMXN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMXN\service.exe

"C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMXN\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVRRFO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JNKKWSQUPXMNFMM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIEYTHO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIEYTHO\service.exe

"C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIEYTHO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempHPBIM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ONHQYIEPIJSWXJK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMRKAKEYCFVRSA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CTMRKAKEYCFVRSA\service.exe

"C:\Users\Admin\AppData\Local\Temp\CTMRKAKEYCFVRSA\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWFRXO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AOWOCDXUPCYJEJY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe

"C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempSFERV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WCUYTPQDJQQBUUJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKILXBYGU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IESYQHRKILXBYGU\service.exe

"C:\Users\Admin\AppData\Local\Temp\IESYQHRKILXBYGU\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMQEHH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BYDVTCCWLHPGEQN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESORUSVGLQDAPXP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ESORUSVGLQDAPXP\service.exe

"C:\Users\Admin\AppData\Local\Temp\ESORUSVGLQDAPXP\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempRCVVK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NSOCOAXCVUQREJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe

"C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempGXQTU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CSOPLKXENXVFBMG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe

"C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKLVQE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYXBPFSOMRERTOH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSJRGQG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSJRGQG\service.exe

"C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSJRGQG\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempLHVUG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "POSFJFDTRIIKFBC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe

"C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempNVKKL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EGBCXRFMHLIUQOS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe

"C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempSDWWL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OTPDQBYEWVRSFKR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJMTD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJMTD\service.exe

"C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJMTD\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempXUASW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GVVIKFDFVJQKPAM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWDDBJC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWDDBJC\service.exe

"C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWDDBJC\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempOPYUB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FSIWSQAVHBVXCSL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe

"C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempDGIRN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XVTYLBPKIXNANPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUKECJSJOGXOCMD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RUKECJSJOGXOCMD\service.exe

"C:\Users\Admin\AppData\Local\Temp\RUKECJSJOGXOCMD\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVHHFN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLYFOYVGCNGHXQU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe

"C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempHUFEI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OACFQRMLNDQYHSX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempYEWVS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BNOJHKNUDPUEQBA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe

"C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempRPTOV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DRRFGBCXSFMHMJU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPIOVGHAUBROYOK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WPIOVGHAUBROYOK\service.exe

"C:\Users\Admin\AppData\Local\Temp\WPIOVGHAUBROYOK\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVCYYS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWTUGMTTEYXMVIH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVUKUNMOAEJXWI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\LHVUKUNMOAEJXWI\service.exe

"C:\Users\Admin\AppData\Local\Temp\LHVUKUNMOAEJXWI\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempLPQVC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GTAJXTQBVIBVXCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSYPXMWMI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TNGMTEFSYPXMWMI\service.exe

"C:\Users\Admin\AppData\Local\Temp\TNGMTEFSYPXMWMI\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempEIVWW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EQRMLNDQYHSXHUF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe

"C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempGPBHM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMHQXIEPIJSVWIJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe

"C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempUEPVM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VMABWSNAWHXCHWX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe

"C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMMOJC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MBLBWTSWKANJHXW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WONVJJKFDKGWJQA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WONVJJKFDKGWJQA\service.exe

"C:\Users\Admin\AppData\Local\Temp\WONVJJKFDKGWJQA\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempYWFGO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HWXUDDPVMJNIQFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFUEMAABVBSMAHC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MFUEMAABVBSMAHC\service.exe

"C:\Users\Admin\AppData\Local\Temp\MFUEMAABVBSMAHC\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMNWSA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDQGUQOTFTVAQJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe

"C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempSEMEH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HDBRXPGFIDAJXFT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe

"C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempPWMKO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ABWSNBWIXCHXYVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQMYOSQTEJOBNVN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CQMYOSQTEJOBNVN\service.exe

"C:\Users\Admin\AppData\Local\Temp\CQMYOSQTEJOBNVN\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempNANPK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NCMCXUTXLBOKIYX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe

"C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVLYGP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LRWIGKFMBYCUTBC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe

"C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempQBUUJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBOWCUYTPQDIP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRB\service.exe

"C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempQKPMX.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDAJBGVUIJEDFVI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe

"C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempIBDQM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UYVJVGFJWYAKQXX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe

"C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempXSSHQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PLMXUASWRNOBHOO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RJIQEEFAFBWRELG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RJIQEEFAFBWRELG\service.exe

"C:\Users\Admin\AppData\Local\Temp\RJIQEEFAFBWRELG\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempOWKKL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FGBCXSFMHMJURPT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe

"C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe"

C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe

C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
N/A 192.168.1.16:3333 tcp

Files

C:\Users\Admin\AppData\Local\TempBXPVH.bat

MD5 dbd202a0a46f375b0cc9300a8a9896e0
SHA1 3eed14fb0f9ce2b361f53585ecd300637f8adac6
SHA256 3e5078dac7c18b9008153c65dd7d2beeca586d81ef3987a820ecc6358c5f0c8c
SHA512 a26ebdf65e36a2b6de8b911400072674f6efce1ada302fe084821e933b14ed809645a3435a469bcdf518548adc7abde0758f8144d5e1780ef71a40cdf85f0fb5

C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe

MD5 349b9b2b48d503eb40362f7630674dea
SHA1 cf9885cb05527485d752acbb1e3c109e0c95151e
SHA256 f48e2dde3361c694d214fa604364d6ec1ca0e7e89c7e739a897024ec05b71d9d
SHA512 c66fd86c7325cce19e628fe7b2947e8cd447c4ef59f329d4acc6a7766cd2e864e2155c6de134880f8556e48ae490ad8c47611326e93462306678c7e24312c6ba

C:\Users\Admin\AppData\Local\TempWBRKN.bat

MD5 e59ce953f1cf4d1a3bf5be907c754838
SHA1 acdda153272a8111f5fb4872dad0e563ee80c181
SHA256 6c05963ab5063b128c64d7bcb01939148c9c0765e09e632f4dddd86a807809b5
SHA512 599238a6a9a462f6ac885dbe1921fc164fd7267a10378baaad6a67bb7a6096502c86a3641acf2f348a1764cbcc98339727aa29b4636a13075801c6d80ab59b0d

C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe

MD5 ece19083d146eba21ea590ca916c10aa
SHA1 3fc6d63ffcb90f0a321bc97bbf8bcbf23f4faf93
SHA256 f5103eed05da68e0aa04daa8fc0a9f9c70d964f99d69631ecdd21daf84b80d74
SHA512 e42bdbcf9e9843d3178aa94f0f34d3d407e752f5140c9666bafa29aaac92a33745010281efbfdce2e1e228f1fad69d990b0e17ab1470fbb6417cec77adc872c4

C:\Users\Admin\AppData\Local\TempWWSST.bat

MD5 38a5fe573d1748ef132978d7d67998b8
SHA1 1d9107aae4c82cacccd0233998086f2e7f06a6c8
SHA256 daed0a467e7f95504773a6c6f4110e4c2d526e747e8cd3cc6296b007ded6a22b
SHA512 62459dd7e0b681ad8fc056394ca4e05791fc7c8ce5572253c031d89e3d8fe0a2da22791d894186509ad0a1f22af96ea35ec955eca91233e7fafaa1fe8a2078e4

\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe

MD5 d3b2847087791a470efb45b620ff6082
SHA1 f9d50d7752a3191809227ce0314cf794fa8bddc1
SHA256 03312d1179a4c53766d85675ec7134084c339f809fef64d3ec2c491b5288aa2d
SHA512 03df6fecfbe6926cf378cd594f5166e5de0bb9840b30ea09e4a280d4727471be0fe9da612f05aeb32235c606519eceb00df969cfa4a429a2dfab183e2923fd90

C:\Users\Admin\AppData\Local\TempPOAIA.bat

MD5 bc872a38e3b3f4a9a0f0a0baabe7bb6b
SHA1 5f6f40c801516aa68407c077d67b2514c5eb0b21
SHA256 20af3177351967ecd1045641ad5885c241fbe9478c4b40dbb4d355b9a80ea110
SHA512 a9c835098e0b199a5d9656a28ff9085bec64e920f53b2ca64ad5b1e30d52abaf54026fa483c7de535a5bbc0f571c6e64ac061cde8f9a5b37af85dda813802e45

\Users\Admin\AppData\Local\Temp\LDTCKUQLGAFUVSB\service.exe

MD5 24613a99c5803bc99e06a108e7031072
SHA1 439253228669b47f04b2739d7ea9e583e0050533
SHA256 590c11fc43cfb6e282dce0ab052b57db344d7e91b1faefd85c70588f98144290
SHA512 491c078910628730de768effe144b7feb0fd1b674f53a876222d1dc75fa71bcaebb90d4ae2711b46afcdfec9568105deeecc5219252e6fd1091e2354b2efe9ab

C:\Users\Admin\AppData\Local\TempIVWWB.bat

MD5 e4c63f9b31fa4b9517901cbd255f43aa
SHA1 24e146a68bb0d65c8ce6cb5acc28a37a35b9be2a
SHA256 5fa218fe5f519b435e36f27e1dd522ff97cf1481b8055f9b61b0b5926b8650c5
SHA512 9e94f490d32b81d06690126e7efcc7a3c770bf1ccc991b1d221603c7ea071f0e24f58c6b00a5e12ac4588ca2f39524180bb13feb5a2dbe46114531dfab0b3dd8

\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe

MD5 445b14e12deb039520b4fe65e5f3945c
SHA1 be876d566e21069bca420bb3232cc548d4ce03bb
SHA256 50cd40fab2fe433f5240c8aa7204b4eb7850183710ed1ea1c80324e127b797c7
SHA512 f0ccd18d5f15207e610b9368e25a5cbe20c3969feb89950894c787cd42c05d2991206734dde8fe943e554368263ca91fee93a32a610bbe1ed1ed4fc47afd2ce3

C:\Users\Admin\AppData\Local\TempIJRNW.bat

MD5 d5811bd988972a3991bbf82f7b88d675
SHA1 c8c6a418f390f9e574aa8d3da830451c85fb022a
SHA256 537e0de448adb78c31b0cc3357f228d32c726ccd62bb6ca1d974b8f3b8d3a367
SHA512 5d1e6485262534ccbe3340bdcc12f4e3a86bcb26dfde1720c0a14c805b40e6e4e5748270aba15b9a6dddebf80845c26944ccf67f07bde0824e16e1700ef1938a

\Users\Admin\AppData\Local\Temp\PIYHPDDEYEAVQDK\service.exe

MD5 2b87c2af21ee84f54e48ee4d98beeede
SHA1 52b40c587bad2d9aae62990a3a06b765e773a6ca
SHA256 9a71c1189b3780e153273e5f470e43869ac98e7808ff110d35ed9ac57d3c7954
SHA512 972d8a3d5cb8fbac66fd9f8d9d4a85599b49d7095b147166b3cec00288ff25d6f28f595331aeaee7138b1f7a4a0da6b3599b5c8d7ad766736f306d314b459167

C:\Users\Admin\AppData\Local\TempABPYL.bat

MD5 8b3de0aee12e7aab69ea8fc2328da8ae
SHA1 cadb8b4d91dedf14e4d3a51f949df0f4d2d0902e
SHA256 582ad57e5218f1271f4a403a75e06036c5416a9d3916bda39622fd4e32735376
SHA512 f94c758a851b1415f352fc5ded462474aa64f4dbb0b14d2e83479ecd019e102d93ee748909bdd8024d85d97ecacfdf234cd802707b9d84d707a6548d297b8c06

C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe

MD5 f1f9bdb7941d8138f0857694da4a6a8a
SHA1 21ee8bce1da432cd7a946eedff90fdde5adc6e9a
SHA256 431acdb6ce15c5efa9d3a3bb8f457d86e1c9f54b597cb7fd14323d9deb20f23a
SHA512 d528584b2a96c134f5d457552647ca4137ae3014e60d47e677f7f511ad6ff81e511657cc5e65f46c6bad8c7344e01cdb9d1fea60ff3cc32f8ec0969179b24601

C:\Users\Admin\AppData\Local\TempKTPCO.bat

MD5 e6971fc5ad2bb62beef1e7af5975375e
SHA1 28cc9cdf959d6949d98d965a0e5c6686fae0c421
SHA256 631e83a43ba699b3f360f0a6f4862b3c0644e14cc596e75eb1d05e014970af58
SHA512 8f7357df0d71ecf54199480c5eb4064380c554f3c877ad0d9ec42ff573da506cca3514842916d4cd5b8cee09cbcfd7cf98fb02104929c7a0278411efda48c0a8

\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe

MD5 30b2c680b72801f49c6d4bb39e16b550
SHA1 5aa72d3cc1b63e0129fe30388e0375fd5e665f37
SHA256 326ed876706df78abefc5b4078cbf39f557050d105099bc95859559eb97c7856
SHA512 c8b0b0410cf5e50d023f8054c302024c2c21a51a0ed9a1eb0333c39cbd52301e8a32a922cb161b64a2348c7752d328bcbc4821f30f6b9391622e9b96f69547fa

C:\Users\Admin\AppData\Local\TempVKKLT.bat

MD5 dc99d38bf1a45ef6f796f1cbce40895a
SHA1 6125baeb88e340f7438317be24d2811de3af0ad3
SHA256 45a1588ffa960e741615252a4e91dfed23194d3d23cbbf263d2b36538a927851
SHA512 4d9beec749fd3bc5d66b7b13f880d81ac7e085eac4f8b66437d510a0ce840d6b1573f0725d347f1701a92ff2be77a816366dfac8d04143eb2a275355720d294d

\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe

MD5 c30645677d8198c5f5eb0063fc389e46
SHA1 564a23f5da1a6b70c2a5038199f2876eb139fd5c
SHA256 308ad25ebbe47da3503b9f12e2d04c32dbf11cc516dbdb59171c434e2d7f0fbe
SHA512 01669c35f187fa9845e1a7b1973e0e751049af297df379790a3d36ba0b960feb0de39622535acc86f1bc9563facacc14910a3b4e7fd6244772ee209c3606d453

C:\Users\Admin\AppData\Local\TempIVCTM.bat

MD5 5d1f99d7a63b2dfc0891a317cb2ed94b
SHA1 e862030f44f9350e2d588d2c81e61794ef708b4c
SHA256 3e0b854f0d5ffcaeec26322caad8563400276bf55f4683196d534c90903e81d8
SHA512 0e66fe5b1cc96e92e33ce0b14ea21be7254d7992589c6b72ce0eec5f1bd7a9e1ae7fb018b36d76eff86ab9e43ee9cc1eea26fb28757f461d4538f12343c936e8

\Users\Admin\AppData\Local\Temp\FNEWOKFYOPMVHNS\service.exe

MD5 b54d063ee1641e6f873b8331b0d4c42d
SHA1 68d66f477a6e1e6c6fd41d178707eeb35533e09f
SHA256 796fca9560f4d4e60a1919ae19577cd66b5ff86522e079a9b92b1dfc1c28e382
SHA512 6ab1705ea0be8c84fa82a5a3ea69af14d9d5acc27177029cac49cefae3888118529a469fa4a37746a56d4f8c24be0522aed750ce9480fea9a99b30d9d9294f3f

C:\Users\Admin\AppData\Local\TempBAYEW.bat

MD5 8ca070e19a7e5ff3f782a25cce111316
SHA1 37ca4e654b17d53e009923605a12a4d42abcd0be
SHA256 0174594262b033702217a826669707ba03af06b88905067cf3f0134712301816
SHA512 c26de3c53120af0c619ca20a2de15606f13aaac57842901f1e169e1b6391f34756eb47ce99aa2a7f213e96bf65c80706f82ba8ef46b6d4d028df7c2c30da41fb

\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe

MD5 3e5c651f5e206af4fd18fa0e1136d901
SHA1 959af18f12aca83815d2053452e1ab768e2da6c5
SHA256 dca13b3329a16e3cd99512f99027199588cde8577566ad7357e447450891008d
SHA512 2f7dbdae8017a6f26482e35a4dffd0388f62d2ebff1b1c852d16efd42f97cc59164b1168624c5b05c6b538ae759432811382132399a0c482e45254399ca29bbd

C:\Users\Admin\AppData\Local\TempKYHSP.bat

MD5 a7d85f41f2a6b6c501a50b4daf5228ea
SHA1 ce778cf12ae843328419cea294fc4d8bb8a2c959
SHA256 c2ff394978469078ee30a653e61d9e27dec60f35aacd9b736cd64a07798450ea
SHA512 dd963d5796f6b2a3aa4d5ff9683d4a6863ac568338debca3b376f86e1832df2b9e1f2db0d552d5bd372bf875903059d70cdcc9a14fabe6b74252373346cc1af3

\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMXN\service.exe

MD5 3333cb5d2578a35f07ffa3a0022bcbbc
SHA1 7de497fd49eced9147c9227b8a8a2412a90d823d
SHA256 b8f0ce9f34826f6fc1ca5755be31826de3ede29b495d2cf7b3672fc6f817ed06
SHA512 aa8b45f9277d6cc541106314f12c14faafb2d355d321e88a8b77e79733a44f46ff3ce4c4f9db026ce8985caac4b6b2b47ebd8d34a39c53935d65aaf6c66381ba

C:\Users\Admin\AppData\Local\TempVRRFO.bat

MD5 7b4429133f5c6e37c64297f81ec77670
SHA1 b56d1182c2e66f79b10c11a3d505d21d9c368e77
SHA256 549609b0e948251fdc0bc9c4e50c8b5088d611c3fe760c52a705a843fc9cff13
SHA512 e2e600c82b35ddbd10bb8b875771e85073ee7b3c9ca7dca8240747457c7b5ffe6a44ffbc71b8df0cd78eb9b42018a221cebc606e120a9cdf477aa6981ec89ce9

\Users\Admin\AppData\Local\Temp\TMLTHGIDBIEYTHO\service.exe

MD5 1e04449306af786a468f9a084ca9f67b
SHA1 7e8755ad7829597c4fe49ef371a2a848fefffb2b
SHA256 d896b2a53b63fc670d0a9f4ff1e9cd7d7ad23e85ee2a36a480d4d576b548f56f
SHA512 bfbabdd15b372de23ac6862e00b35fd0b2772a8740f6c7af0eb85877990e2b65ee6f5d3b6dcb27968c75f9db857c4631a34d93b599682bafae5ee132dd2cbc8f

C:\Users\Admin\AppData\Local\TempHPBIM.bat

MD5 f6d44b68f63d3ae08aadc68cd8350a51
SHA1 b11f704ebe67f93b5cd80bdf14cf1ea959428d35
SHA256 3da4aeef76de05645e9455edc27cb9fc1732f1ed2e6d31da04e1ec94ae29a380
SHA512 81f1d219e5c1dbc5bd2ae3c6d52535cd2d2e14c66d275c5ec9c698edcd94bf9194b845cb355abd733993bc9a040bd0391d3b9cccefbfe922bbee1f7b8a94f3c5

C:\Users\Admin\AppData\Local\TempWFRXO.bat

MD5 2e1f0ca09ff5644d6b8b0bed01a4b74c
SHA1 c82ba16b03e4c8981211a8792bf3a49ff53ea392
SHA256 02892931719b8c3267a5088f5ccd88c1fece602addf66c71659083f1740df0af
SHA512 70bb70f4ab7d680d182c01edf5079596eaf67015b83150d8bcd4f41e6a25de7d54615e1eef15fe6a10d2209e61f5790e43c441dae0c2b8908e5de1e54eb11825

C:\Users\Admin\AppData\Local\TempSFERV.bat

MD5 b47a76e985afc3c3a70c04bba856e402
SHA1 10bcf27d813d0259ecabe2090df20615a87ce2aa
SHA256 312adc628df00fd9894a64af2c4fb8ea679ba4262c70cdd6f0cdd0c52a9091c6
SHA512 4cdc2e0eb72b63a2d1ac18593639f46362f3aa212ed8dd0ebf7b1ac694170ddf836294d4eac0857ce7480c5df40534711139872824ced10630b1526d1c29c2b0

C:\Users\Admin\AppData\Local\TempMQEHH.bat

MD5 1cb553296fb6874dcf239b7331a27552
SHA1 b300e432359f8dc14c9c34aa1755f61f95335bf0
SHA256 594ff0321aae1425f81a83cd95cf56cdca80f2b3d4d5378dfc622989e00ba374
SHA512 81e2905254eae15a425cc6947e1c39eb241d68067d78aa6722b9896aef7a7d6829e3ffac2f344d42b4f573e0ed7e1b7d1701f42ec881bf5f3e6617c5686675de

C:\Users\Admin\AppData\Local\TempRCVVK.bat

MD5 53bfce173bee6cb46bf72cff1923b2ca
SHA1 ec898f8bc5e8dbffd4378b590d222a2628d3848f
SHA256 d8e5e08175f4b556c54390ec568b84be889cf08086594967bdc7b2072264286e
SHA512 89c5f8bc1de97c7bd6c1dea6830a11b7c7ce6d1a62ec991282ecfa2a57745b268d8df63b7256c94bd4065c0b25fc45e4d592760d6a82c235049466a164855739

C:\Users\Admin\AppData\Local\TempGXQTU.bat

MD5 16ab4942ebaad96c3214d0ea9fd30568
SHA1 e7d2df7c2923808d86a601dabec75acdae3a9319
SHA256 b726998abcc4461028d41e5e886e339f724e38ca5868a504fd51eb29d43fb174
SHA512 5ea92a645d350c6b6e7e7b1dfea2645c0269408dd103d4d22c22faaa29434c81c14c9c2167c7f3e83c3000acb76b13101b7c9cf4dfb83a88260578d6f378f3c6

C:\Users\Admin\AppData\Local\TempKLVQE.bat

MD5 a4678b79293bd9c72e141f97a921996b
SHA1 905d1d5d657c904fe155e662b3c3a9e1a0d5b2bf
SHA256 cdea462e7ddc862d1d5d40ed96691762cbcac0acd5a56b6bbb857404af05ccb0
SHA512 46b803a85712344f9c49c372f980793f62c8a3629e95a28363706566dbe592475f3fd9377c39570e4d1e87f2010ffb7807347ed772f7cd0f065bef6aecfeaf63

C:\Users\Admin\AppData\Local\TempLHVUG.bat

MD5 de69c25118df8838f32524d5b65053ba
SHA1 d79b8934dab391b2f85b02ec96a6cf696e23d29b
SHA256 40bc559d58b0e666ed60c4caf6195b223cfc22e29d8c3a3558037fd37dcca921
SHA512 71fb69382480d582d5d09e9458754c925e45eaff1a3d5c9835895de02fd930a8b1bfa9008a1ed1b8ff2ada1d29742cc5eaf96af9dd68186f95ee97b9075d5bbe

C:\Users\Admin\AppData\Local\TempNVKKL.bat

MD5 6b8f2a80a4c755c5f9ef2d9cc2f02cb8
SHA1 b771a69c991f06dbbec48d0f2c0251562dd1e194
SHA256 0849f89feb845c828eecd47b062e6ccb274f856402734208823b18ed3b5a4c3a
SHA512 56c9dd10ea7407f4952d90a8afbfa2cb9c4879c95d6b009c37c81c0c3dbbefae2ff1c2eee8597aff637bb182232fa0cfc78eee1868a56ab4f5a73525c7885c97

C:\Users\Admin\AppData\Local\TempSDWWL.bat

MD5 8e6dd29af96be192fddb1affd72ee252
SHA1 cddc04991feafe0cedb2caa2a85d86b4a53f12b4
SHA256 ce620946150088fd8ced810ef6060be072901e7509eb8f9c3497eb91827ad527
SHA512 b28f72908c20edd185a2dfec59e2b70746ce3be568e72da84f0f88f9474805b2295bae3e634af9d6c59cea72629b3db14605b10e87a41bfaf36e82834351288d

C:\Users\Admin\AppData\Local\TempXUASW.bat

MD5 229e201e32ed237e4b91d88b742f33e7
SHA1 1165cc85b678748dc20ffb66d0cf88be9b29634d
SHA256 ce068c82ee0b8f3c0c0fb99dcb40ca6fef29bb89ea50b58807d23ab8ea4dd6d6
SHA512 155e32955d6216f0fed2867622a3bbbf83df4a8413e32fc49f00882402a8b0439b329237ee04cbbe5c2948b10bc5b87875c9b27319938de0d0afdcdeacd34392

C:\Users\Admin\AppData\Local\TempOPYUB.bat

MD5 cefdbdf3e03e35a03922a2739efb8950
SHA1 3a31bd0b4348e8e7674bf50c7914d4f20a2008d7
SHA256 dc8ff0c84c87ad432951831214861088639a8d0b992f8adb206caadda2fcfb69
SHA512 308278fb087d6df2de2e68bedea72fb061a38bb332e7bf3b13f934cf457a65b0e380c4acd79c8e2262dd2b45a5c6efc935abe3dd554c0fca0fcdb7f151b8cb90

C:\Users\Admin\AppData\Local\TempDGIRN.bat

MD5 595674f8c2dd05631a17b5088ca7ba0f
SHA1 a8d9ba8de161a21018c3c5616076523f17de7dfb
SHA256 5fd3c88a8b2750e7640ba992ba8bc4b4960822a52c97e7336ce238e5f4cc85d6
SHA512 4c9f1b9e0c1e55afb06209059f7aceaa9ec82608f2bb011d63cb0268cc18d0218aaa36a3eb4ce3eb71ac0548e28b6bf319f492df72e1305d5d5dce624f3ab118

C:\Users\Admin\AppData\Local\TempVHHFN.bat

MD5 91d93254d9bbda49f381c23817b12b89
SHA1 e252fe94c4083760dfa62f9e9b6873199b86490f
SHA256 29090be470cc067faa2f02afffe453dd058841c7df2548d8ffb9ede5f8924a7f
SHA512 a8bcc742f907676952fa4bb8c953ef7f95f6c45d84f9b10d66671d8ecb538d3640ebb83f4c60071323de679894820cbde2c5f176c75d9c470feae373ca1a1c13

C:\Users\Admin\AppData\Local\TempHUFEI.bat

MD5 d167a03d6dd56673d92cafa5d589ed7a
SHA1 3dcd857ce064770758fa80f35b3f648277b44389
SHA256 5d325eaf8c6e6c29bfc248ce2cd439f2e648dbb921e018f08e2b91080807ff68
SHA512 873bcf5a77b2a7354e3fcd8927312e7da76863130ec5e57eae0eb12e3cd7d2903f8a536265bc3289a05fa1e27d2669b8c048097a214e1f4618fdb07732dc36f8

C:\Users\Admin\AppData\Local\TempYEWVS.bat

MD5 afe3ddd5177f0a738bbdf6e1a8c599cb
SHA1 b402baa529bd9e6f6cbb8b9e9c06e4f24cb91727
SHA256 24954e3317ae93fa3910cc0460f4c0e0815e99da7bc1e25ba85cc33d92a918aa
SHA512 5867f05a0f4c63f081bf135d0f73be37e59a097238ae0b944b972c043592263b2df47ab14cec3fcc4622d375a153c83722a1021ed1dbefaebfe9b0082ed9e5f8

C:\Users\Admin\AppData\Local\TempRPTOV.bat

MD5 bd8cbe07faca3865ba5ac9fba9c4c41b
SHA1 2a68f878ca44d8f72f971402552d207216fa20a6
SHA256 8914e84ec3565b9bf3832a928ba7ec2b168010068a827f5bf7fe8bb7bef476b4
SHA512 6bd98ea106b58975d2fd8c059a789b845639cb33a27b715dceb158532bebf7663f0d7ea8471798213c3676d1497f5f9ca60e1953dc2707a805dbdf74e9ef7aa7

C:\Users\Admin\AppData\Local\TempVCYYS.bat

MD5 edb22a0c94b3a83d6ea131ff143c1dc9
SHA1 f32f4d02de1cc5b07d0d4efeeccd95da57d31088
SHA256 457435fa47027cfff3e076d5bfec48101a110064eee2259537f0a87a89a81f09
SHA512 9c8cc84acb524a04442cfa00c69fccf9c5d900a79c3f6fd16e42e051c30ca289994ca01d97603ceebcb23d8d24da5fd9ff110acd5adf92f18bd2acc46dd86236

C:\Users\Admin\AppData\Local\TempLPQVC.bat

MD5 9b45b83b29c5dd3d1e26464125fd6c76
SHA1 63fdff7174cf9138222dd4f05bb1e9bccfca9e66
SHA256 3caa1b94f7f1bde5a662acfab254e989cf17cd383dfc7d04e16d9628343ee45b
SHA512 60872b0d77d5fdbb89ebe23218827e5d1d5e9a67cb6561aafb3d2a753faae6e6a5f8424efc9e10957eb1567c9173fd3cc38d0c03baf87d6b9da5774da82b97a5

C:\Users\Admin\AppData\Local\TempEIVWW.bat

MD5 ea1053b117a6c0006bd856329565b27f
SHA1 27ac999bb0dc06c976a5b4f1924847dd0d2e0920
SHA256 c0f193c31a8d8dda648d55891ad00fdb05741ff77ec21f2f5abddf4dddf2071b
SHA512 0aa0b515f084d1162f4d3bcdfdf07666ea908af9e75e70133359bd75471330a0cd0b47375a6d12b3cd566235fdd3548a310d7826909619e130e15c27ad3f4a5f

C:\Users\Admin\AppData\Local\TempGPBHM.bat

MD5 9e578c30d5abd782192c456c0842e749
SHA1 b6d0203ff08a568627ea690ad5762f1a4c333113
SHA256 c05d870d95723502bb6fa7614405ccf842932240675b4c4f539a3b66740d5f2a
SHA512 23301b106ca4f3c463daf119ea2949c9a2d8bbca9a3430f55e2056a76d289a1c06b1a221527229c9b4fcfc2ba55045c2da972d7f2b01bd9317afc35193c440cb

C:\Users\Admin\AppData\Local\TempUEPVM.bat

MD5 0e328d5f3c034e344ed81ee0c7646dcd
SHA1 b26283a7c0282f15fef15ac249d812d81d73959a
SHA256 a231ee4757ae9178031d39448654a49e45b54ce4a15821070933bc40f1b2f597
SHA512 1752aa74f8a60fdf699e95012ad70b0eeaa6c60b3f5ec976e69e4addb65e47c8e36c9158df8a4d0ff811219e4cef0eea00d877461381880a28413fe48cfa9e39

C:\Users\Admin\AppData\Local\TempMMOJC.bat

MD5 7913ed7e6fe6d03df55eaeaf71e339a7
SHA1 1053b780bc30cb14c289463b950ca587c96a18a3
SHA256 c5eb919cd1590c685d9bd28ed39a2d23806fb5a0123a4e4c22f09159306bed35
SHA512 57b96ba010b1d499286c124baf83196422ca7d1d8387061198237f0987b2c0127361f3a78a05cf130ef40e0b7ac400384d3de8c37a8d5b0afbdc4612dd373e56

C:\Users\Admin\AppData\Local\TempYWFGO.bat

MD5 7e3facbfd1f323f14d0e0b6b9304104c
SHA1 d49ee38f589393b64f173e6ad02671f9685dffce
SHA256 f5f44027a982db4a8a159b6d2961ae86be5a45153cbbba09bcb51bbce2745e5d
SHA512 6afc7b8927856ca58453f2e73bb1b792a0ad379c449ff9df62c0ca22563733f2681b39ff37b788688b021455187eb683ae9f5366b450b49aa9969f6635872d2b

C:\Users\Admin\AppData\Local\TempMNWSA.bat

MD5 911de8fdbf3d30e68a4e05a308822af0
SHA1 d03c42af04964467fbf9b0e979e0342c902f9b4e
SHA256 8ee66dc7c6d45b514a971dd255d350c426d7a190712deeb33c9b4620a87915ee
SHA512 806f41991043b5e0dcae977e1872c5588770aa85edb86f98d2788283def60aec7ab3624cbd8955347ed585a0ad0863f303081a929ea2f3f95c28e86e8c758b80

C:\Users\Admin\AppData\Local\TempSEMEH.bat

MD5 82a1d38f30636f75a8691f7efedea9e2
SHA1 0c89dd617e5282f0f5eead437d1162702cfaae89
SHA256 3669915fa72803f1807a919204c9021844fabef6813f3371401bda08e5154863
SHA512 3fa39a6753f34f03eea30518e7476441809432714515761fb8c001e868335dde706be8ea05448cef38fe35a378be03ecd664eac5d6cb6501e853f97668bf9938

C:\Users\Admin\AppData\Local\TempPWMKO.bat

MD5 c9bf84e720372540c21b65cb6be19304
SHA1 19bcaffd4f37704a8106d311b8ecf2cda389a5c2
SHA256 009ae9d879cf48e9730d02066205eebe79e409260ac27e1e2233f30b39d150b4
SHA512 895ffa791cec5d0cfe88d335cfadaaf57f95d22f1c3671762626dd397d3302e9b7ff5c45c28b68b36431b23a194c3e8bb78a43c82dddd9fb47dfbbb53fbce04d

C:\Users\Admin\AppData\Local\TempNANPK.bat

MD5 fd4a3bcd474ed19f3f73864f7f179e6e
SHA1 ac3f785176c306ec48b46ad308dc6d5be80d219f
SHA256 6e98661d6bd8b17cd3d1b367f0ad87cadc4345a448a44a239020aca52d9fe425
SHA512 94a62b2bd82edf4a15f8987ca1028029b5ac2bf9aca49d2f0ddc091b35cd38831fc6c0c5f70a562ff2750beecea27bcdc2a8c46d370e096c73e42538bb614382

C:\Users\Admin\AppData\Local\TempVLYGP.bat

MD5 eeca7a0bbcdd5dcddb806b64a25b3346
SHA1 fd1fe03a7130cbd404e439ecb32b7e5c23ecc69d
SHA256 01d87a3bf2d0899fd273ba870c44a3c499f1dfcae28d683bdde663ecc79bd958
SHA512 10af1ad21c1563b26f360c368db5a69c6960d9696a4cdd48a5e7becd75e8f07b3f1e139983901a98431dccc694f09448f40085969f57d02eafdf4abfc5823946

C:\Users\Admin\AppData\Local\TempQBUUJ.bat

MD5 c0b3385161f32248102b45fb6b269bfa
SHA1 065ce91871e5f9045ed3d0e5c53419666664374d
SHA256 65f6985545d77851dccd9e3b752aebf0d17eaa29b0490911a10eb2cb306ab4e3
SHA512 21d0dd3076c353efb738dd93aa6670f6dc1495e7bcef8277466a5684e3b1345230817a5c5830b5820137010d0b4b1ae2d9c5b6dbe6c2753d644792da79b6f911

C:\Users\Admin\AppData\Local\TempQKPMX.bat

MD5 b696683dc01767ae05abcbed59ae9437
SHA1 fdc4424f4b6b5677edd6963c7542a16f6afe12af
SHA256 9285103919e67baed2fbfb03d9001aec9fed9c5ce71dcff8d9ae4adf99604580
SHA512 cec464751b340c3d5d87190d1138868b6f3443c2267246ba4b3d4a39ab5e3ae0294c30f5a7e4d3667b604714f2e05fe7f74b9973318aad990ab0814268c34b9c

C:\Users\Admin\AppData\Local\TempIBDQM.bat

MD5 1e8813a92712fe490ba4002048c487cf
SHA1 41743664b2ac68b55cc34d6d9d93224c21bcc9f5
SHA256 b8effe0feaff70a9f1a251de4017611a9e5ab48d22ee4297a6a48d972101d898
SHA512 22999cdfb36cf286c378439456f35f38298d0dee487fe21265d63e190a5fd040623b9891e8c8a325742b420cfecfeb03a66e1fe75169707243bee435a3211aab

C:\Users\Admin\AppData\Local\TempXSSHQ.bat

MD5 7aaa96a2a2c936a6c7bba3d926ed037b
SHA1 ea7a4bd0fd1c1ad1a4af6c5ab4107cac01e1a0f5
SHA256 7971dceb449131e446c9cbb5bb5e004180b97e41a3395e85180f5bd9ce026ace
SHA512 5a14bfbc2697c0a8ca773ee17f1caa0cef1ab1bf2740b446e388d19bb42f1beb15f6ddbd69d0c023e753551601ee7f262876fe82f1b0374d48c8ee0ede7f6d9f

C:\Users\Admin\AppData\Local\TempOWKKL.bat

MD5 4578bdf21588c4ec22d6239c4ef47cdb
SHA1 c4ff0891e82a5c06a10c62568202fc5f12681679
SHA256 a39bb7ea785e6349eda9f0ef0ae59917c4d7417b848d7a0bbb8ab59ebca09362
SHA512 33b9ed10d4c2d63750852289f2d6f0336ef372175bcacb123f45fd2cd9fe99a521e969fa820479660265dd65e598137517f8049e601e0451312bab51490a2be8

memory/2792-1194-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2792-1199-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2792-1202-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2792-1203-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2792-1204-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2792-1206-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2792-1207-0x0000000000400000-0x0000000000471000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-05 03:39

Reported

2025-03-05 03:42

Platform

win10v2004-20250217-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXXBYTRAYUJXAF\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\KGUTJTNLNDIWVIQ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\KDTCKTQLFAFUVSB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\OGWGNCBCXDTOBJD\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SKJRGFGBAGCXSFN\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EAWOUNDNGFHYUVC\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULKAU\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGES\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HRNIYRCSCRSPYKQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUTJTNLNDIWVIQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NOJHKNUDPUEQCAE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FPYGDRVHIFOAGLB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QEFBBWREMGLITQO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HVRUXWYKOTABGES\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OFDOMKPCGBQVOEE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXXBYTRAYUJXAF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GKYHHTPNRMUJKCJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SKJRGFGBAGCXSFN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BNTYKHMHODEWUDE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KDTCKTQLFAFUVSB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KLELLUQYPENAWVM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQMYPSRTFJOBNVN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XVUYLBPLJXOANPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVKEDKTJOGXOCND\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ERHVRPUGAUWARKN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNFWOKFAPQNVIOT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BIMADOQLJMBPWFR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PRHBYGQGLDULKAU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HWXUDDPVMKOJQFG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OGWGNCBCXDTOBJD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VJKGEGWJRALQANY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMWEAPTYFGDLEJX\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IEDQGUQOTFTVQJM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCIPYABOTLTHS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RDLCUMIDTMNWMNK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBXQVOEOIGJVWER\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QPCKBTLHCSLMVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAWOUNDNGFHYUVC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5092 set thread context of 4084 N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EAWOUNDNGFHYUVC\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\KGUTJTNLNDIWVIQ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGES\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SKJRGFGBAGCXSFN\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\OGWGNCBCXDTOBJD\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULKAU\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\KDTCKTQLFAFUVSB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EAWOUNDNGFHYUVC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULKAU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OGWGNCBCXDTOBJD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUTJTNLNDIWVIQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SKJRGFGBAGCXSFN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KDTCKTQLFAFUVSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1552 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff.exe C:\Windows\SysWOW64\cmd.exe
PID 1552 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff.exe C:\Windows\SysWOW64\cmd.exe
PID 1552 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff.exe C:\Windows\SysWOW64\cmd.exe
PID 4484 wrote to memory of 1884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4484 wrote to memory of 1884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4484 wrote to memory of 1884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1552 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff.exe C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe
PID 1552 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff.exe C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe
PID 1552 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff.exe C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe
PID 3568 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3568 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3568 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2860 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2860 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3568 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe
PID 3568 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe
PID 3568 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe
PID 1932 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1932 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1932 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 4756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3476 wrote to memory of 4756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3476 wrote to memory of 4756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1932 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe C:\Users\Admin\AppData\Local\Temp\EAWOUNDNGFHYUVC\service.exe
PID 1932 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe C:\Users\Admin\AppData\Local\Temp\EAWOUNDNGFHYUVC\service.exe
PID 1932 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe C:\Users\Admin\AppData\Local\Temp\EAWOUNDNGFHYUVC\service.exe
PID 1528 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\EAWOUNDNGFHYUVC\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1528 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\EAWOUNDNGFHYUVC\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1528 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\EAWOUNDNGFHYUVC\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4336 wrote to memory of 1184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4336 wrote to memory of 1184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4336 wrote to memory of 1184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1528 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\EAWOUNDNGFHYUVC\service.exe C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe
PID 1528 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\EAWOUNDNGFHYUVC\service.exe C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe
PID 1528 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\EAWOUNDNGFHYUVC\service.exe C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe
PID 4772 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe C:\Windows\SysWOW64\cmd.exe
PID 240 wrote to memory of 4004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 240 wrote to memory of 4004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 240 wrote to memory of 4004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4772 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULKAU\service.exe
PID 4772 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULKAU\service.exe
PID 4772 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULKAU\service.exe
PID 652 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULKAU\service.exe C:\Windows\SysWOW64\cmd.exe
PID 652 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULKAU\service.exe C:\Windows\SysWOW64\cmd.exe
PID 652 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULKAU\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 2948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4520 wrote to memory of 2948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4520 wrote to memory of 2948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 652 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULKAU\service.exe C:\Users\Admin\AppData\Local\Temp\OGWGNCBCXDTOBJD\service.exe
PID 652 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULKAU\service.exe C:\Users\Admin\AppData\Local\Temp\OGWGNCBCXDTOBJD\service.exe
PID 652 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULKAU\service.exe C:\Users\Admin\AppData\Local\Temp\OGWGNCBCXDTOBJD\service.exe
PID 984 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\OGWGNCBCXDTOBJD\service.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\OGWGNCBCXDTOBJD\service.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\OGWGNCBCXDTOBJD\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4244 wrote to memory of 3992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4244 wrote to memory of 3992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4244 wrote to memory of 3992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 984 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\OGWGNCBCXDTOBJD\service.exe C:\Users\Admin\AppData\Local\Temp\KGUTJTNLNDIWVIQ\service.exe
PID 984 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\OGWGNCBCXDTOBJD\service.exe C:\Users\Admin\AppData\Local\Temp\KGUTJTNLNDIWVIQ\service.exe
PID 984 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\OGWGNCBCXDTOBJD\service.exe C:\Users\Admin\AppData\Local\Temp\KGUTJTNLNDIWVIQ\service.exe
PID 1704 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\KGUTJTNLNDIWVIQ\service.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff.exe

"C:\Users\Admin\AppData\Local\Temp\70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQQKDI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KLELLUQYPENAWVM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe

"C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDHIRN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XVUYLBPLJXOANPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe

"C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMJSEK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPCKBTLHCSLMVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAWOUNDNGFHYUVC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\EAWOUNDNGFHYUVC\service.exe

"C:\Users\Admin\AppData\Local\Temp\EAWOUNDNGFHYUVC\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOXTAB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ERHVRPUGAUWARKN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe

"C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVGSDC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BIMADOQLJMBPWFR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULKAU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULKAU\service.exe

"C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULKAU\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYWFGP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HWXUDDPVMKOJQFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OGWGNCBCXDTOBJD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\OGWGNCBCXDTOBJD\service.exe

"C:\Users\Admin\AppData\Local\Temp\OGWGNCBCXDTOBJD\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHFJE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HRNIYRCSCRSPYKQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUTJTNLNDIWVIQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KGUTJTNLNDIWVIQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\KGUTJTNLNDIWVIQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVBTXS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VJKGEGWJRALQANY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe

"C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNWSAF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDQGUQOTFTVQJM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe

"C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWWSST.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOJHKNUDPUEQCAE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe

"C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSNVJK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QEFBBWREMGLITQO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGES\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGES\service.exe

"C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGES\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKSOWO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GKYHHTPNRMUJKCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKJRGFGBAGCXSFN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SKJRGFGBAGCXSFN\service.exe

"C:\Users\Admin\AppData\Local\Temp\SKJRGFGBAGCXSFN\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXMIRI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BNTYKHMHODEWUDE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDTCKTQLFAFUVSB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KDTCKTQLFAFUVSB\service.exe

"C:\Users\Admin\AppData\Local\Temp\KDTCKTQLFAFUVSB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTFLQC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLCUMIDTMNWMNK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe

"C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGBIWE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OFDOMKPCGBQVOEE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe

"C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe"

C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe

C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
N/A 192.168.1.16:3333 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\TempQQKDI.txt

MD5 2deb03ec61f2a6aa1470065acb1f5154
SHA1 a17c83194bf954f1b1b89585194053724765aaa0
SHA256 3fa0598175454d5e04bd5576a9c90390b3a501a8845f3967fd5111240e4757b6
SHA512 f13135a6908a45d810b31138eb3e098d3c9cf0735b4ac990e4f7d0ab29215341fbe89fe9bc297bab0c80af609be8a6406ad57e6b8d1e4835ae3060df6a969b0b

C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.txt

MD5 9604db6bdd38db96ab82acd553a306a6
SHA1 52cbd83458a48901011eb4fc2852c3329e0c38c6
SHA256 18fdb6602d9c55cfe952dff6e61284fb9d8f7fbd655303f8b2f97037454acfc0
SHA512 aaf1a446912b32636d00640dc27125fa69285f82df32cf7b6ca9441d21f9b31bd9d1d7b836056435eaa02acce8b14e979511dc648f9d8403101d7bdb5fd84064

C:\Users\Admin\AppData\Local\TempDHIRN.txt

MD5 662efbf888c6d75769e8c5c0dec1d01e
SHA1 3181e950587a5f94a137cf768dcd15f46c0772af
SHA256 b32b596d5872682dbfc521ee0f94fa698be838962b81585fd54c2523bd621736
SHA512 f56692d07d039f1af97946589fb878bf6c93a7cb2e7d8fbd4b2f24716cdf0cc10dd904e026894fa5128bfe108058403a6b1ff5fc4e1f3bdd53f5eebc4c484c8d

C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe

MD5 52f706969e41cbfdf6e431f93fe6f7df
SHA1 7842ec638fdb719cfc8f97ba5e593915952877b9
SHA256 7f9ac1ffc8b5270cf732c60de6cd83f3c88978d01b0846b025b9266d3bcb417c
SHA512 e17c463afe39a76caec60678941a86aa1369b79ab9161451f9234efbeaa3a624b9952377d40c10bda2e40dfd3c139f41ca96c3e3f8dfc4e66a01dbdb01d93a7e

C:\Users\Admin\AppData\Local\TempMJSEK.txt

MD5 6bd4cea5aa9051a20af347be3e98efe3
SHA1 0788092c7784a7ae48b18a487e6e3c8e783754cd
SHA256 6a259affe02aa22b67fa7e0eab1fd63b3fb822eb2005e8291ffb741ae7553faa
SHA512 6ef5120ace1b1de18e6c02fb93a5d3abb31b971c1ad999d33909f0853e9e5b7704c10df20be0bf4e5e5e3826aaab702a51ec9159ec3cd76c9a6bc2729512f1c1

C:\Users\Admin\AppData\Local\Temp\EAWOUNDNGFHYUVC\service.exe

MD5 305abbdfbc38cf0c11a842b1be913891
SHA1 486b58af971d919ac9a2a8a6cf0410788bd2512b
SHA256 ba99f75cbafddb264471b922be3bdce4ce6ffd6cb345185a814f4992e4ac6e43
SHA512 2aa8ba4448482e2976b4ce9154651328409d29078833c31cce751cdd24727a2c6f3058a40c255acf889a21116bc9c1534b76f9139735f01882de18a073ba2602

C:\Users\Admin\AppData\Local\TempOXTAB.txt

MD5 4fe8289fa91e1f3d57a8b53e0e32c65d
SHA1 f22c17218370ccc4fe327f908ac4ad279d431881
SHA256 b9d3e38644635bfd55c8be80878d606ba15a972982522c05cb173b94dc2e0548
SHA512 ee0a6340a1f9f8f5664b9b2eda58b890dec1a4a4a70b3cfdeadc0617ccb5de3eb045c5306cc43967355e7823bae30ddd56ca07225335d0436ba0d81828fd16b3

C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe

MD5 11ba743065479d5b4f0dfa3f51394a94
SHA1 6d4755a0d1af80f27b7396d37d7835a8aa300eb3
SHA256 d7deb7668ff8c5c5dcd1eb83796c1995b16e194aa4adfda11356178b8cd570a6
SHA512 e477d99ffc2702718663d23173b42ae7ab991c1700709599f9c1b076f67a79b96be8ab7d9d422c90de8347d6d7f4f3860fa47fbee8c37abe436a4d8a318d6225

C:\Users\Admin\AppData\Local\TempVGSDC.txt

MD5 41f528d54b8436e45ba7c89a34f6a459
SHA1 4a52049cd8fd6d85aa811b17c3ce1e7d4f0c65a0
SHA256 163032580fb827c0538381a921cc851a05785b1392f06d7dc3071b05d0a97a77
SHA512 780e7019fbcb9fc563a9bab03ed65ba498a062c112e4dc54e00dfdc787e55d89474969d1e18c9cdc9fb6ded965e82208c3fb48256c969aea0e73fb10332090fc

C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULKAU\service.exe

MD5 9b39a106b4bca11a47d09ec35552f63b
SHA1 e17c98f371b8ae071b0cdc9d7afad286fc09fceb
SHA256 ccabf43b30120531236979978ad37e812a1d5f7c3188cac7f3c2b8a10fad6e97
SHA512 8fbb0df24917599da769d9d03ff287039e382758e73a977460eab2c536e31f2544700701d3940bde544db1d3b922752e7709ca1c67e37319ca351a1ca19b828d

C:\Users\Admin\AppData\Local\TempYWFGP.txt

MD5 129c6642394bb068ed6f37a1af2d42bb
SHA1 b9d56eb8992d9822eb449b889c1f2e98778f887c
SHA256 02139dc5b0f077086d33d26e77fcf1594db857caa9cef98ed1efd5ffdc03c176
SHA512 956c3e32cf8ea88996a32d5e0184f779f04148ee1624f9eaa1636e50c618dcde391d57dde93aa10c992cebd597e633d09cc4047918e866d76ce7228187a04c9b

C:\Users\Admin\AppData\Local\Temp\OGWGNCBCXDTOBJD\service.exe

MD5 263eddfb54ffa2fe6d050730c6deeb9f
SHA1 0f5b356cb6da09c6a8810bd8158d8e95e5deb342
SHA256 f9e6ebfdc5d69aff001d993ed28a2f2759d5cf40ae887e4d1b673923eb7564ae
SHA512 222137b95f70411ce10801fa9d096e50b3f93755f7d99a59dc9c4381bd6c5b680ea9639361e53244122547723e2bb969697f52c6f0625779f8b7d8243479f4da

C:\Users\Admin\AppData\Local\TempVHFJE.txt

MD5 9a0414306f49570c1a3daba50b7f6ed4
SHA1 3f75f0e817c0b8a10b1aa313dd3e018c032da9a2
SHA256 e9547f8817316bf3638ef7f267b063fb0333554c69bca2405cee471db5f1aba8
SHA512 a723373a2abb4a8b1512af8abe44813a080605e2453a98b664d5a6f72626415fe13562c0d5a4ef923cc177eed4eb9bbf08549afaef82f9027f8ec77c4fee8ca4

C:\Users\Admin\AppData\Local\Temp\KGUTJTNLNDIWVIQ\service.exe

MD5 f516b0618ae70b54c2cabb3b30b80376
SHA1 a77f99bb7af9342b50ccab1b13ac3eaef473c142
SHA256 1f1102f761198aeb3af9277e6dd9dca984878782c73a2a3efa2b9305c4932b70
SHA512 459356fde034c9bb13f5e9f83d94b291eb191bc3b8b20abca1dfc7d782ca9d28e6c599c7afced1f1a519e682e7920ca767567eda035ded9c2174f6efc2104b30

C:\Users\Admin\AppData\Local\TempVBTXS.txt

MD5 7f243e4c5143fb2a90303d9a5a9d7b00
SHA1 313ad8dfcb833fad9fdefa6d1dd44e6cd8b8f0fc
SHA256 d9d22d43ae1a59a370035aa8ab3213f1d3c1bdbcc78f0e08fac719ae0928e0ac
SHA512 68d6308efe2f11b4640fdbfe7d5231b11ab4b2aad677916b72cd47146bef26aebd709b48543fa0ea8cb5ab6988b6550b51c0b91da29ac22eb15576e0a718426c

C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe

MD5 81d0387101b6378db11b5ca5e92fb0a5
SHA1 8e4c71213fe7d8cd268d1ca3822596c82e351ddd
SHA256 93a2329f8843ea98c52270b094d787968a1213a12f558d19764ee90a6e348def
SHA512 7a08d1c2153d27195db353ae46d27ac682513eac7d4d01f81ccd04e75d844eb0aee76d5225ebf43f8e31567c2436597925bb341efb798f917c38a349fc3f9f94

C:\Users\Admin\AppData\Local\TempNWSAF.txt

MD5 d2c9f517eacbdcb07002fc7dfe68913e
SHA1 11d9e0ed93406182b36c3bbaaccbb5581028548b
SHA256 7c4eb66144fd1df19059cdf87e21af9fc03eb6519f7193c597d08dca68e4388a
SHA512 d5ab2b68ad518eb79a1425b99dd148cedbbc6d61aa804b58e1b4074a94e9713d73efe7eca9f006f8763859fe537b5d2d379b2194aaa2b60b7e4aee9bddbe3d5f

C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe

MD5 cf218260048d72ec543ed51fd0a9c8db
SHA1 35d9314854c49193bc6a7a3bef1fe7673c20f558
SHA256 33baccca55afbcd6ba340815463ef07d5b961e6f73491b02b4f9ddca3af46cb9
SHA512 3724d7caf357286ef3e06a6dd95e15f83fa84ad8689cc626e70548f7b2c323d04619655fbed25ec25bd327962643df2c4f0c26387eb32785a39518b19a4543d6

C:\Users\Admin\AppData\Local\TempWWSST.txt

MD5 38a5fe573d1748ef132978d7d67998b8
SHA1 1d9107aae4c82cacccd0233998086f2e7f06a6c8
SHA256 daed0a467e7f95504773a6c6f4110e4c2d526e747e8cd3cc6296b007ded6a22b
SHA512 62459dd7e0b681ad8fc056394ca4e05791fc7c8ce5572253c031d89e3d8fe0a2da22791d894186509ad0a1f22af96ea35ec955eca91233e7fafaa1fe8a2078e4

C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe

MD5 eda7bb28fa6270b162d8101d0c1768bc
SHA1 81e01e3e61380af48b629c60ac7b932d5ca84a49
SHA256 809f81ba35a56aa961381b2ae249de7d358d97a97497bfcc5bd25d6ea700b15d
SHA512 37ac1059af98730774e3e565e986e1887bd8b3e9d0f1dab717bb90dba66a6e3302fffd5d3fd3ba427f6361d1e22a2bdf386fe13df0aa588de8b4fe014c18681d

C:\Users\Admin\AppData\Local\TempSNVJK.txt

MD5 7b4996e4f79b795abe0bcdc71a2f6b30
SHA1 598a2834125913743b842edb9baad652cce9a94d
SHA256 00df0c28ec3b2127735540302b090ef4d9c649a56c9c0e7204440b91c78b18f7
SHA512 336bfe36c88932be07ef7a8d08172213eb69fccb45b44b5c85a064660f7607c856db07140ef24ee533fb0882690a705cb06f8d4e92f0142fe482e9e2350ba088

C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGES\service.exe

MD5 b3df5771d565cb889eb7bc0192115928
SHA1 0c9406dee1a435a6c74436a02e86e06a4f22c3b9
SHA256 22727980dad0aed37f35c4360be79d1f534b1007d56e272af31374d2a3f6995d
SHA512 e6c8a95e3e5f0e301e3063925518b68fcbbee9910bb18a312a8bf1d69fdf136c77d9bdfcf97386de45a12783eb7b9e9a92d75c1bc440c339b2ac3496b2826f16

C:\Users\Admin\AppData\Local\TempKSOWO.txt

MD5 3069d65aebc4a6311f35bf6fecb9318e
SHA1 05ad42573e372ad28d1e51b36b56178dd04b0095
SHA256 88120590c89faa14fee09447c5becb5357179615edc5e7895905e252081f5c1e
SHA512 28dd8a69a396d6b33f7f8c675d8f8f21648c03d8a6de682f8f03ff888767d421c125597bac86681e79c8edccaa0b4c5a31f657ad4a017f89f73ebab041a321c5

C:\Users\Admin\AppData\Local\Temp\SKJRGFGBAGCXSFN\service.exe

MD5 bf6265df97eab4fc0f13472aabf36a18
SHA1 59dc67548fbf84559368a1d1e0422369f834be38
SHA256 07ed77b4cb41e9a8272c8c39d6f0db98dd009707ec0dbe0cb74e27a957d0e1d1
SHA512 b175ce70fa668b0efd3d4cb06da39ddda206e4836f81ffbbbee72ab6cb55c0e5f2f65ff99004a9d8ca6e7000290cea2ca8d429f55fbf98c05cc63812c3e9c282

C:\Users\Admin\AppData\Local\TempXMIRI.txt

MD5 8a3a36b14f9cd9d03e876bd1f2f17e1e
SHA1 4fd260f40555677f2a56769cd185a7d36a886dda
SHA256 672a516c3e7612b0716550c2548db41dbcb5e62d34838a0d272d2ef4747d62f8
SHA512 8da49854017d8244eb9de38f0f81b4e7989fa4be326f676d2ab8e9fce5733746dc1b9716485cb3b5e55fb01399f111a34eca56745c4c8bb5417c0366d4b95b8e

C:\Users\Admin\AppData\Local\Temp\KDTCKTQLFAFUVSB\service.exe

MD5 68e0e4e294d58733c18553bd45dd7cb1
SHA1 edbf540072de20211e52466f29355de34b0e33ff
SHA256 bebd077b8f662ceb2e7bf46518686c0bfd347575e2ab66a129fb9aa09e82049f
SHA512 e8ddd2c35bb065e8b132ddebfbb8c4209b541a59867b77bd7bf59261a093520b9482f77cc930e9dcd23626c7f3eeb6a928f95ce407ddc34d326d4bbb029415aa

C:\Users\Admin\AppData\Local\TempTFLQC.txt

MD5 2a203fa95c511f4fb3b42526e9c38269
SHA1 08fdb577504ba55a11d89dbda642ec864b792b51
SHA256 ce994fc8d684e32a48593a350bc056e2fbbf2c0e593deda1d1438c90ec5b6301
SHA512 c5653976a7f3a4fb082a74d55391fefed64defef20c1cd347a634b46aedfce988eb04a181dd9e99774fdce526bc43df3e3f8c5d2802ab5eb57b3a1d6a197b486

C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe

MD5 8da97cc0f668959861d7fe6fc5bf387d
SHA1 837752c767caa2c694d6708bac63937c037618e5
SHA256 da5fad3847d187cba83d945c67fe050da863b7dc000668f5f7eb931ed73b00cd
SHA512 0cee99748053616fc6ad1fab2a5b700d0a5f431c8a812b05285ba9d66be3d47ee71ec01de49bcfa4e8bb37032ec2e3aedaabbcad96b7c007820375f3fd04ba94

C:\Users\Admin\AppData\Local\TempGBIWE.txt

MD5 ab76ecc74323655ff4be1c0400dfad48
SHA1 44583f4e5b80dae8c8d7d1ba8f05d76e85373ea2
SHA256 31957eafadff16021968a815a4b25af687105bb41a85d3b10536b8e304cacd9a
SHA512 cd43dcbcd99ffbb54e5485304c6048f956edcf341c160a9817050cafb7173ff59ace51ad953c1c63441bd44e7c30f37a4a6526c9036bdd1d1e32248cefa1af34

C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe

MD5 073037dd10f698980171567db0c43342
SHA1 987ede9a557812be1cb46a5fc6a506dedcdb836c
SHA256 c062c7639911b516aae02273cb0af10b76cc387821985d8f3d2b422605fb83e6
SHA512 0571441a8b6eaeed035feb30f6ec811eece7ce51bb5e248a19f19e373aaa6ce28e94c0037c8aefec4ddd5c013ca971f0f4017a325b1b1a79226c1f2d3d565d22

memory/4084-407-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4084-409-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4084-414-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4084-415-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4084-417-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4084-418-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4084-419-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4084-421-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4084-422-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4084-423-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4084-424-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4084-426-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4084-427-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4084-429-0x0000000000400000-0x0000000000471000-memory.dmp