Malware Analysis Report

2025-05-28 17:56

Sample ID 250305-elgkysylt2
Target 75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1
SHA256 75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1
Tags
blackshades defense_evasion discovery persistence rat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1

Threat Level: Known bad

The file 75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1 was found to be: Known bad.

Malicious Activity Summary

blackshades defense_evasion discovery persistence rat

Blackshades payload

Blackshades

Blackshades family

Modifies firewall policy service

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-05 04:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-05 04:01

Reported

2025-03-05 04:04

Platform

win10v2004-20250217-en

Max time kernel

150s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QIYHPEDEEAVQDLF\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\YQKDIPBBPUMUITJ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\YASKQXJJCWBDUQQ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GJVUWRPWRHVDLCX\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEUMAK\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJD\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SLEKRCDQWNVKUKG\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GOGYPMGBBQROXJP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPCINAD\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNYOK\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\YQPXLLMHFMIYLSC\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSPYKQ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEUPDKF\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBIMAD\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIWDMDX\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBROYOK\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVNUJTJ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NFVEMAABWBSNAIC\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRMCQXG\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLCX\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAIB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\YASKQXIJCWBDUQQ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\KDTCKUQLFAFUVSB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUEPU\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKRB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AJASJGBUYKLIRDJ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBROYOK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIWDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVNUJTJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQPXLLMHFMIYLSC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEUPDKF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOGYPMGBBQROXJP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KDTCKUQLFAFUVSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBIMAD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NFVEMAABWBSNAIC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPCINAD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQKDIPBBPUMUITJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GJVUWRPWRHVDLCX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEUMAK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAIB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JCSBJTPKEETURAB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSPYKQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBWPVNDOHFIYUVD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YASKQXJJCWBDUQQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKRB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRMCQXG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNYOK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YASKQXIJCWBDUQQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUEPU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLCX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SLEKRCDQWNVKUKG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AJASJGBUYKLIRDJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PDEYAVPDKFKXGSY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIETXJKHPCINAD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MIIURPTOVKLDKLT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFFGBGCXSFMH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NDRMKPCPRMFIKTP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJASJGBUYKLIRDJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DRRFGBCXSFMHMIU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPIOVGHAUBROYOK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RQCKCULICSMNWMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBWPVNEOHGIYVVD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIXWKLHFHXKSBMR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNDVTCWLCHQHFQO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IHLYCMSKBACESAO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JCSBJTPKEETURAB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNSDBFAITVQORGU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXMGFMVLRIQEPFB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HWXUDEPVMKOJRFG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NFVEMAABWBSNAIC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YEWVRSFLSSDXWLU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLCUMIDWMNKTFLQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QVCDAIBGUUIJECF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YBSLRYJAKDXCEUQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RDLDVMJDTNOXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOFPIHJWWES\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NSOCPAXDVUQREJR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQPXLLMHFMIYLSC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LAUQLUGVBFVWTCN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AOKYWNXQORCHMLT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SECGBJUWRPRHVCL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOGYPMGBBQROXJP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TQEQBAYEWVRSFLS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RRBYNMNJHOJMUDO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EXVEEXNIRIGRPOS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GTPSWUXIMSFCRQE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSXJGKFNCDVTCDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLEKRCDQWNVKUKG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YOKJWDNWUEBLFGW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVWSQXSIWDMDX\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FESIVRPAUHAUWBR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRLDJQBCPVNUJTJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VHFJEMAXBUSBBUK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IAQHRNIDCSSQYKR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVTRVJMIGXVLLNI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSICYAHQGMEUMAK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CRREGBBWRFMHLIT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPINUGGAUBRNYOK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JXGGSYOMQLTHJBI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PIXHPDCEYEUPDKF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AXLXIHLYCMSKBAD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GJVUWRPWRHVDLCX\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IYWFFQXNLPKSGIY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OHWGOCBDXDTOCJD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\REMDVNJEUNOXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDSXQGQKILXBYGU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NBEPRMKNCQXGSWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIARJFAUYKLIQCJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OAIASJGBQKLUXYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNTLCMFEGWTTBP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSJITQPTGKGEUSJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SKJRGFGCAHCXSFN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KXGHSYPNRMUIJCJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QIYHPEDEEAVQDLF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IMJJURPTOWKMELL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGFHCAHCXSGN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QVRFSDCGYXTUHNU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TASDPOPLJQLBOWF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MQVCDAJBGUUIJEC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYYCUSBVKYAGOF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OLPKSHIYAHIQMVM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJXTBWYMQVCDAIB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WKWHGKXBLRYYJAA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LETDLAUAQLGBFVW\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PBJASKGBRKLUXKL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DVOTMCMGEHXTUCP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YKTKUQLUFVAFUVS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNNOJHOKNUEPU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BPFTOMRERTOHKMV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMDVNJEXNOMUGNR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RISOJSETDTTRALS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MHWUKUOMPAFKYXJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WDMWUEALEYFVOST = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQJPWHIBVCSOPLK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VHFJEMAXBYUSBBU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IAQHRNIDCRSPYKQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MRNBOWCUYTPQDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPOWKKLGFLHXKRB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MRNBOWCUYTPQDIP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPOWKKLGELHXKRB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LQMANYVBTXSOPCI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLKMHFMHXLSB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FEOMLPCGCAQWOFE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYXBYUSBUKXAFO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VBCIAFUTHIDCEUH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YASKQXJJCWBDUQQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIWVHQHQNIXRCSC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKJLGELHWKRA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MCQMKYPBORMFIJS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIRJFATYJKIQCIN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FERHVRPTGTVAQJN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQKDIPBBPUMUITJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QPBJBSKGBRKLVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAVOUMCNGEHXTUC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SJSPKTEUETURAMS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWULVONPBFKYXJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GHENFKYAYMNIGJM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBWPVNDOHFIYUVD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SWTHTEDHYUWIOVV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBUEQPRMKRMCQXG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CNKJNAEAOUMDCFA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVWSQXSIVDMDX\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AOKHYWMMOJCGHQM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPYHDRVHIFOAGLB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BNTYKIMHODEWVDE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KDTCKUQLFAFUVSB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OQLJMBPWFRVGSDC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIETXJKHPBIMAD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ACFQSNLNDRYHSXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKCULICWMNKTFLQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MLFPYWGDNHIYRUV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YARKQXIJCWBDTQQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NJKVSQUPXLMFMMV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VONVJIKFDKFVJQL\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FKYAYLNIGJYMTCO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPFXVEYNDJARIHS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NOKIKANVEPUERCB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPYHDRWHIFOAGLC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MLGPYWHDOHIYRUV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YASKQXIJCWBDUQQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4116 set thread context of 2904 N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\YASKQXIJCWBDUQQ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JCSBJTPKEETURAB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FBWPVNDOHFIYUVD\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GOGYPMGBBQROXJP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJD\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUEPU\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBROYOK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIWDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVNUJTJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQPXLLMHFMIYLSC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEUPDKF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOGYPMGBBQROXJP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KDTCKUQLFAFUVSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBIMAD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NFVEMAABWBSNAIC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPCINAD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQKDIPBBPUMUITJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GJVUWRPWRHVDLCX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEUMAK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAIB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JCSBJTPKEETURAB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSPYKQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBWPVNDOHFIYUVD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YASKQXJJCWBDUQQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKRB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DVOTMCMGEHXTUCP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNYOK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YASKQXIJCWBDUQQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUEPU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLCX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SLEKRCDQWNVKUKG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AJASJGBUYKLIRDJ\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4872 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe C:\Windows\SysWOW64\cmd.exe
PID 4872 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe C:\Windows\SysWOW64\cmd.exe
PID 4872 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe C:\Windows\SysWOW64\cmd.exe
PID 4232 wrote to memory of 3192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4232 wrote to memory of 3192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4232 wrote to memory of 3192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4872 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.exe
PID 4872 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.exe
PID 4872 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.exe
PID 2156 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4772 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4772 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2156 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.exe C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe
PID 2156 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.exe C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe
PID 2156 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.exe C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe
PID 2644 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2644 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2644 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2408 wrote to memory of 752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2408 wrote to memory of 752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe
PID 2644 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe
PID 2644 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe
PID 2256 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4236 wrote to memory of 4344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4236 wrote to memory of 4344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4236 wrote to memory of 4344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2256 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBROYOK\service.exe
PID 2256 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBROYOK\service.exe
PID 2256 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBROYOK\service.exe
PID 1148 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBROYOK\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1148 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBROYOK\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1148 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBROYOK\service.exe C:\Windows\SysWOW64\cmd.exe
PID 64 wrote to memory of 3672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 64 wrote to memory of 3672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 64 wrote to memory of 3672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1148 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBROYOK\service.exe C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe
PID 1148 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBROYOK\service.exe C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe
PID 1148 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBROYOK\service.exe C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe
PID 4060 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4060 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4060 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 5112 wrote to memory of 2280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5112 wrote to memory of 2280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5112 wrote to memory of 2280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4060 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIWDMDX\service.exe
PID 4060 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIWDMDX\service.exe
PID 4060 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIWDMDX\service.exe
PID 3300 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIWDMDX\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3300 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIWDMDX\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3300 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIWDMDX\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3860 wrote to memory of 3856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3860 wrote to memory of 3856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3860 wrote to memory of 3856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3300 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIWDMDX\service.exe C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe
PID 3300 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIWDMDX\service.exe C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe
PID 3300 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIWDMDX\service.exe C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe
PID 868 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe

"C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOBNVN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MCQMKYPBORMFIJS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.exe

"C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHIFOA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLFPYWGDNHIYRUV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQQFOB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NJKVSQUPXLMFMMV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe

"C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRPTOV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DRRFGBCXSFMHMIU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBROYOK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBROYOK\service.exe

"C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBROYOK\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTEDHY.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NBEPRMKNCQXGSWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPSTYF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YOKJWDNWUEBLFGW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIWDMDX\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIWDMDX\service.exe

"C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIWDMDX\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXJGLG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SJSPKTEUETURAMS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUQYPE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IMJJURPTOWKMELL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe

"C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKNOYU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FESIVRPAUHAUWBR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVNUJTJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVNUJTJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVNUJTJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPPYAT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQMANYVBTXSOPCI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe

"C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUFYYN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QVRFSDCGYXTUHNU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe

"C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLDVMJDTNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe

"C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNKJNAEAOUMDCFA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe

"C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRCVVK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NSOCPAXDVUQREJR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQPXLLMHFMIYLSC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YQPXLLMHFMIYLSC\service.exe

"C:\Users\Admin\AppData\Local\Temp\YQPXLLMHFMIYLSC\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIRNVM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JXGGSYOMQLTHJBI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEUPDKF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEUPDKF\service.exe

"C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEUPDKF\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUKIMH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LAUQLUGVBFVWTCN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe

"C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKTFLQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKCULICSMNWMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe

"C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYGOFD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VHFJEMAXBUSBBUK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe

"C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRCVVK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NSOCPAXDVUQREJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe

"C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCWAMY.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SECGBJUWRPRHVCL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOGYPMGBBQROXJP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GOGYPMGBBQROXJP\service.exe

"C:\Users\Admin\AppData\Local\Temp\GOGYPMGBBQROXJP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLTKFO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AOKHYWMMOJCGHQM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLB\service.exe

"C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXNIRI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BNTYKIMHODEWVDE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDTCKUQLFAFUVSB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KDTCKUQLFAFUVSB\service.exe

"C:\Users\Admin\AppData\Local\Temp\KDTCKUQLFAFUVSB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGYXTU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OQLJMBPWFRVGSDC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBIMAD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBIMAD\service.exe

"C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBIMAD\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXGGPK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HWXUDEPVMKOJRFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NFVEMAABWBSNAIC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\NFVEMAABWBSNAIC\service.exe

"C:\Users\Admin\AppData\Local\Temp\NFVEMAABWBSNAIC\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHGTAX.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YEWVRSFLSSDXWLU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBOWCU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DIXWKLHFHXKSBMR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe

"C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPMQLT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PDEYAVPDKFKXGSY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPCINAD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPCINAD\service.exe

"C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPCINAD\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFVIPK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MQVCDAJBGUUIJEC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe

"C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOXTAA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FERHVRPTGTVAQJN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDIPBBPUMUITJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YQKDIPBBPUMUITJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\YQKDIPBBPUMUITJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSDPAX.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FKYAYLNIGJYMTCO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe

"C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempESAON.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AXLXIHLYCMSKBAD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVUWRPWRHVDLCX\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GJVUWRPWRHVDLCX\service.exe

"C:\Users\Admin\AppData\Local\Temp\GJVUWRPWRHVDLCX\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBEFPL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AVTRVJMIGXVLLNI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEUMAK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEUMAK\service.exe

"C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEUMAK\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBKVTR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OLPKSHIYAHIQMVM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAIB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAIB\service.exe

"C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAIB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWIGKF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RISOJSETDTTRALS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMJRDK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBJBSKGBRKLVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe

"C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNHCYQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IHLYCMSKBACESAO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCSBJTPKEETURAB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JCSBJTPKEETURAB\service.exe

"C:\Users\Admin\AppData\Local\Temp\JCSBJTPKEETURAB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGBIWE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FEOMLPCGCAQWOFE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe

"C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKXFOF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VHFJEMAXBYUSBBU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSPYKQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSPYKQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSPYKQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTCOTD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GHENFKYAYMNIGJM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBWPVNDOHFIYUVD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FBWPVNDOHFIYUVD\service.exe

"C:\Users\Admin\AppData\Local\Temp\FBWPVNDOHFIYUVD\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCDRNM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WKWHGKXBLRYYJAA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe

"C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFXWST.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOKIKANVEPUERCB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe

"C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPJOLW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VBCIAFUTHIDCEUH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YASKQXJJCWBDUQQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YASKQXJJCWBDUQQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\YASKQXJJCWBDUQQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUFEIV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFQSNLNDRYHSXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPYPEN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MIIURPTOVKLDKLT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe

"C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQBUUJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBOWCUYTPQDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKRB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKRB\service.exe

"C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKRB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAHHQM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IYWFFQXNLPKSGIY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJD\service.exe

"C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJD\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGAOXK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SWTHTEDHYUWIOVV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRMCQXG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRMCQXG\service.exe

"C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRMCQXG\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIRDJO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PBJASKGBRKLUXKL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DVOTMCMGEHXTUCP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DVOTMCMGEHXTUCP\service.exe

"C:\Users\Admin\AppData\Local\Temp\DVOTMCMGEHXTUCP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQOSNV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CRREGBBWRFMHLIT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNYOK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNYOK\service.exe

"C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNYOK\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "REMDVNJEUNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe

"C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHIFOA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLGPYWHDOHIYRUV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YASKQXIJCWBDUQQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YASKQXIJCWBDUQQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\YASKQXIJCWBDUQQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSDXWL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TQEQBAYEWVRSFLS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe

"C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLIRDJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIASJGBQKLUXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe

"C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQBUUJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBOWCUYTPQDIP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe

"C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRSPYK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DIWVHQHQNIXRCSC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe

"C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFJJDB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EXVEEXNIRIGRPOS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe

"C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCNTYK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YKTKUQLUFVAFUVS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUEPU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUEPU\service.exe

"C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUEPU\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUIPKP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QVCDAIBGUUIJECF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOPYUA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FSIWSPAUHAUWBRK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe

"C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJLGCD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSJITQPTGKGEUSJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe

"C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempESAON.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AXLXIHLYCMSKBBD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLCX\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLCX\service.exe

"C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLCX\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCKBWL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HNSDBFAITVQORGU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe

"C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLHQHE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXJGKFNCDVTCDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLEKRCDQWNVKUKG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SLEKRCDQWNVKUKG\service.exe

"C:\Users\Admin\AppData\Local\Temp\SLEKRCDQWNVKUKG\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCOWNH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NDRMKPCPRMFIKTP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJASJGBUYKLIRDJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AJASJGBUYKLIRDJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\AJASJGBUYKLIRDJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYFGDL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WDMWUEALEYFVOST" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe

"C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempREBQY.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BPFTOMRERTOHKMV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe

"C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJSNWN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KXGHSYPNRMUIJCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe

"C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe"

C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe

C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
N/A 192.168.1.16:3333 tcp

Files

SHA256 5b2bbe6fa1d404c9835ed1bac8aae3c9d0118c0cc9b6e3a70ad625a14d4478e0
SHA512 1c9bca04351ee2a84beb0c2b52440b36e20985798401d4c6de3c22b8a846120f4ce7b339893dea64b2a4d10b966a52cc64cd7dc14eac41f1c9cf84d0800f85b4

C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVNUJTJ\service.exe

MD5 35bd19438f50112ee844de62ad902832
SHA1 0919c7609230dfce3012d85d71ba992a9d28b727
SHA256 37b061456652acc76ec89f65c8f61ab3868f029fcc9b60d9c88458eedbe4d92c
SHA512 2bc956147f72fa03eb1c5ec1ea041af90e42db9de7cd88a27f8846f54cd893fbbe3f59bbda020582890dbd218598b538f752d324a4c1eccc370d6250a03d0226

C:\Users\Admin\AppData\Local\TempPPYAT.txt

MD5 ba03c24769ee4df2b3348900a5eef3b0
SHA1 72602242abef0ee01aa7e6a2f66af2c3d50b5238
SHA256 547f261efc13275bb26c77cd9cf03ec474403c7141bb83f787d00adb95100117
SHA512 a02ad29aeadc37fdcb71cde132039404cd302d55eda8b4b7b07dc8074a33f13e8d5560fc66502638aefe9ebd589c506c4569e8f24e2e48653e780f21576a077c

C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe

MD5 7aafe35f1ea898228b02d999a20877ac
SHA1 d7a78eebcedcdc3a779e2385c26d60e9ea86d086
SHA256 89dd5d30247aac16ee3d5483e60e6eb4e7cbf38914f099c050cb629a79860dc0
SHA512 2b611dd9501728e30db02a3bce17199701a3a9b6393b5b4908f45ca47c3ca072fdba78de047dd0d7a526db136d9a40cfaa741e3008983fb05e698d8e91aa3c88

C:\Users\Admin\AppData\Local\TempUFYYN.txt

MD5 455fc777ca670028aa6a797ef4e9c060
SHA1 00e9fe86b46dc414762245344bfa569348f78ac8
SHA256 1489bc1f65cf47a89842490e0d8aba5b0d5331bfee8fb5114a7bb66794487ca6
SHA512 b759a9f0971b583d8dc90d0bb11c6a3005f5cebabedf17227f09488ffb2d9615870263aba19d9629fd4b51a8b9b2a0aaa4c15c5b1dc4c57d8435412b013e4fd0

C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe

MD5 3aaa21100972c76fe394285fafae4cfa
SHA1 040f0c5306e43f961fa021c9f7844883dabc291f
SHA256 6c5bd498dd37ab4a8e4d211dc00f1d59bf94cbaa0a7d42d9ab4f7b9035e82823
SHA512 4316e8d20bb14e6968b1be0846775e0f6fe5accda749d4b502034efb7a308179efd7470e851112c71d363f2e01b4889a0f3513ea6d7a26edf36c28b545c94c42

C:\Users\Admin\AppData\Local\TempUGMRD.txt

MD5 1ec7e3ccc363d8da29003f6ca9f20bcb
SHA1 0f0f489d7aa81ef3940691225309146a6831f60c
SHA256 abcf81cc40c7d02722b4e7ec09f9acb87ec53d01704592e4cc80c829f87db94c
SHA512 bcdf328821e26d27e9f8d3736e33601e50ad69ea511f3f57fba0d2b5318955418deceb86fac03ce316b0749170f34293870c2a4cbbf2ca770fcc8d98c9fb71e2

C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe

MD5 0ab766575a4aea45c529f8f07d1e030e
SHA1 1a22c7fd89e1331392798093755587fb4f239229
SHA256 3225d35d3bf440aa1844b94318b473d283b183be4b622201e09cb31e44ac348b
SHA512 5d1e616005f51576cd77446f7c9982abd2336d4638618f3775ea90033715cb2abc0741ef84b551b6b34216b33ac543cb66895e22c2e8f915ad24d184f25facc2

C:\Users\Admin\AppData\Local\TempGUCQP.txt

MD5 a05bc5c948181b8882b7b95448172f1e
SHA1 9dcd6a7078ad15bd61db8a84bbf43688fb27742b
SHA256 42691c7bac5d448be2e134d9011b898323a2329d4bae67b70058574e0563b226
SHA512 24d9d2f4ad6f7b0c5707928055102c4219220aa55df2cd05340728fdb09121e74ea9a5a3ad10c9deb1cbf1d134f2a6f73bf904111318d0ca1aec583d3680880a

C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe

MD5 4b1dcac05ab6080808ff94a24208fcb5
SHA1 4e9603b920feeb6452538306fc8faf740c39a0b9
SHA256 0b04c7f54fa1a608a8bd582f27b3fbd1eee88570e86ed025196fb146c7e535d4
SHA512 99ea3a1418859e7822e958b6f7adc73ab884728d38feabe7706573302f2e5a85b73d5d80bb1d24c6b493251a6e4b68c7ce752f55eab836881364a14e917fc36d

C:\Users\Admin\AppData\Local\TempRCVVK.txt

MD5 1b8a00edd0fc407d3403cb505dbd5f65
SHA1 01e6613e2bf660ccd6a0c976b7ca8a7abaa54fc2
SHA256 e11c26837d37df3c197fa7828924cc2ba298fda359ecef1db90c23f8f2503a5a
SHA512 b63261cbc40fb7e5cb957f9417b78e8857ea5fb57c49aa98421737892626ccec8cf51426500e88e942be731c5fc8eb48b533e7c962081aa0c049923c31688f4a

C:\Users\Admin\AppData\Local\Temp\YQPXLLMHFMIYLSC\service.exe

MD5 38a118dae986ecef7cbb8ccbda1f3602
SHA1 58efbd026ba1292e4a1ed5f84dc37ef9ed5cc3d3
SHA256 93a4fb5acb602d2982e8df1a7686a17fa70fb5466eaec3ba4fc8d912285217c1
SHA512 6e1a5e5d545329405b794f3efe7090a6c22451c5534121e4694deef3266f1ee67d68daff5276beedf093ab6c9ec6a28f16f20b64381eb53c97786d242d9550ee

C:\Users\Admin\AppData\Local\TempIRNVM.txt

MD5 fbf8beaf48fdc011e243d8595f2140f4
SHA1 92bc32a451b9666446a343abf3389a9653dee951
SHA256 cb6b58412c832a730e896acd16f40bc0679312df5c467bfdf5e10c66495aea49
SHA512 286d70c6b86c59d8fbf3e56bce71c36c7db06b77168b5842499065573c65f684c18f895301cf0d0210dbe801369df91c636d6e2cf31fc89e1c4c35f8d8642bb7

C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEUPDKF\service.exe

MD5 c1149ca1be9f8bf14e89755c7aa4e0a8
SHA1 45155035d8d9be4cc558f771aa833e3a1322803d
SHA256 17d4501ca0a6d9c07895edc6e96e22b4114f8aa702521af658b67be337c72d40
SHA512 963792ac651f8e6b9e17fea2809848046b6e2d0918eae8fd6cb020024834d6a68db827b2c436856a5cc425d7bddff7a3c8aebc1932617d14a191985149767ee8

C:\Users\Admin\AppData\Local\TempUKIMH.txt

MD5 f345c4741d0081aa0932ad7f5845f759
SHA1 d9144eb1df0ddb1070de557dc04da0b28e1633bc
SHA256 59ae30069cad5e80ca7e9a8dc55b36753cab62d2f0b1c9f6a43df50f56e842b5
SHA512 6207c4c517053b2d19e05a55ee8bbce09fb78f749caed525c22c996de014766ba114139628b2263c66bab73626793f7705df0d4342a8d9cd70f9b0f1e059b221

C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe

MD5 8b2a491ffeb5a9d68e20a6240d70a7da
SHA1 d9ccc987caecd143df63a7fff8dde465d3edcdce
SHA256 f33298ebeb7e97e78a5e4b4e1e4116df4caec4fe1af58580affd6bfc26f81018
SHA512 9ef61fa05731e787c831890a87e2b43b1deda8e125f4967d6efd74d2f306f3cfc221ec01b3eb2ad495c58ef02af64687f4a6127fb075e48ae2f4a11d025d512a

C:\Users\Admin\AppData\Local\TempKTFLQ.txt

MD5 d55e6f40d7cd30b45c4d53f24c07ffa0
SHA1 858e175f6baa0cd28d08af0fa4a81323378c5444
SHA256 e1f38603ef277b3320508246e951856963b81f2e98862f9ce6bbce6d2d631763
SHA512 90b2938eefed287196c17a415d01882c0b8ab07ea54e226762f76cd86fd395ca912c880c88048a06fb0fb89d09b63c1aad8732910a5d7d395d978bcb5f00a584

C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe

MD5 1962ee9e3658539b99bbcbe820705634
SHA1 ce7e9e8a2b31df31d1eda8b8311ed33b2d728470
SHA256 74b68d5e7b07039255c69b7c90258ef4d29ea065db279783d8614bfcc3503b63
SHA512 77881f39cbda8a4b64ff69a8ac25cb02276bfdf919113cf87f5bf4c1da64d83b8aa645e81fcdb09fbe0c3a4862320b1acfd4b9a658d84bb19006f45846505237

C:\Users\Admin\AppData\Local\TempYGOFD.txt

MD5 1c8a1be9bc3ebb31b2592214152bb854
SHA1 ad9dc2375b15466336615991e8f93396679cd5c7
SHA256 8276331203d869e2ccf20aa4070d1e22a3682ad54d69c4df288e5fb86522d8cb
SHA512 0b6179be6de759b1b4cd1597df2cc6df1de0223ef6b238cfbd33e6655e136fe8559094d8fea5dc783f79b33d91ea744ef491a6df1f420951c31626ad13dc7d81

C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe

MD5 61cf4e9e636ecc1700fac983bc6e307f
SHA1 c68ac3e52d6d76275b905d516707488a3bd5a8f1
SHA256 b3e6bfa503e2fb7b16dbd64c0bfc308c7f5d2604c9798b89af03469640f294c7
SHA512 f261259c168a7d664f470b42f8a24709103f3ca5a7e1bf33a92dc31e7b4b1fe6eadd45b2b7f64087219ac98b21bc522387c51db72b99bdbc16270612f5867021

C:\Users\Admin\AppData\Local\TempRCVVK.txt

MD5 ff63d8e96cd28976f42345b2809c73e1
SHA1 e5b172e153c6373f1c4c65550f6b037c2a07577c
SHA256 9fe75f61c2ae4c8c2590dc4a9a6d4e6136427bae61eb2dc9f669768a64981768
SHA512 9132e2fa180702b9b64b1163aeb324d5c73d9f530e62369f23756421adc7fcd7128b6b702993117a697f370e9a494fbaf9f0ea1ae0473dd9f47fe7dbd7c7f306

C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe

MD5 2c9c316db12cbd05c960c32493372144
SHA1 2f363dfa79e857d6008267fd26b3610ccf8e3877
SHA256 b06305086554590b99f423848c61e217145136ea4ec2cda573659f7518dea43d
SHA512 5cf1a187744173de06c97cd4b728bcc4b55566de6feace95d2ab9d7a1df997fc9367fd3befa3dd6675b7605832a7c58278b52039dee4edc9d70535508feaa074

C:\Users\Admin\AppData\Local\TempCWAMY.txt

MD5 4d4091459af74a77721c38b55804957a
SHA1 ff472eaa805892be07006d056f1eb01a3885cac6
SHA256 1fadc6c62b8682e1c2cea26e8fbf0287892ea7e2499684b121a97e2203fa9c18
SHA512 cd8a39643eb396eb0dba86fd004682d14226ca6ddb18540e2958d51b4199a2729a7836e082ef41ace4d8a04b28b9a2531b68d14b0f9de23f03281772531f664c

C:\Users\Admin\AppData\Local\Temp\GOGYPMGBBQROXJP\service.exe

MD5 88043ff594126647c9aac5c39de5ff11
SHA1 dee230d1c6701772ea8f806c46fccc26d2cf090e
SHA256 828f39cb952fbfade4363d8d2d0189f81dd7476a36b05f82060cc8f1e2f6bd0e
SHA512 8d5fbeb0bf921611d0f8f2525bf8299605600272547b1038bdbe709b0abcc48347e5cb02226457c2f59c70c739966d8dd72ab603322dce6b5c3eb69e6bc73db6

C:\Users\Admin\AppData\Local\TempLTKFO.txt

MD5 600de9ba6410731f1dab1b1209f9b7cb
SHA1 95eaa59fe43e255ec9f6ed03fcefbdd8d8e3bf26
SHA256 00a1f7d9e97d7dfffba22410abdf3fc13ba7c996208474f55ca7240af930b4e7
SHA512 f2525d858df80b87dbc1ea4ccedec63a054e4ec7ea68506d02fcc122d9bd4c4c5724afaf00df867f8d3e68e6bb101bbd29208e439b2969a810ed00e49d793ac9

C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLB\service.exe

MD5 040bd162c23091c5e13a2b2c536cb46c
SHA1 27a07199eba9df1f6bbce77bee4279972a495514
SHA256 1b8d0e4cc8bfc32237e597d4d4d0178bc7ad2b6a7eb265ec3e8d7ce907fa7bf4
SHA512 a2867ff2f612131b78765487355456cffc40f059b1967b26a0dc215b2eec74d24d1d9994415796817aa3a0e7674596dcb61e9d5946e1f4f8d75b90b79f204c51

C:\Users\Admin\AppData\Local\TempXNIRI.txt

MD5 48811a19fe9dc5d9707922daf1c24028
SHA1 db22aa5f235045892c7f194e14ed8963063cd6c7
SHA256 ea8257645737bef1a0996db3d647f6b045090e52790ded3a7f6e0e1cf024e400
SHA512 d46885c8bcb7642bee9a1c8e0ab905620a92a1f9942a886c7f10dfbbee70caae950e026d72ab42cc9d78d9466a328f43c520984e5e3d140a9ca79d1acc821193

C:\Users\Admin\AppData\Local\TempGYXTU.txt

MD5 15f356bf716202506bde9dc0a1b921c2
SHA1 b0eb51d47e256c9b5a4513758d86412366986f29
SHA256 ed37a3e08259934e790ca1a78068a0d3295371cef6ed81749173552ed42e1983
SHA512 32dc9603e864597514149d9fe1a84f79992d5a4b8a5d7cbe89cb4a5b5b5c7409798333ccef12906f54694dc262a22b7cd73a32453ec4cb47c29e935139ec42c8

C:\Users\Admin\AppData\Local\TempXGGPK.txt

MD5 92012f0668bee46ff4f22de0c512ebc9
SHA1 eaadb3aec6c416ad3f2a7db8020f518d0c24b843
SHA256 0a5ae9f443a61cdf8fb5c0deb1a7e66e4a8ab5005cd3c5323b571ef2cafab802
SHA512 139caad4d91981febb0d282c354f977dd4f591986d01863a60c32aeb694794836caf422796526b15b93350d51d73ce339fbdfda85d31d586a8a10c7bdd32992a

C:\Users\Admin\AppData\Local\TempHGTAX.txt

MD5 96b45457d58b0a74d454f7773168579e
SHA1 69f165ce112b526cbc2bb99cfca76b3878f5bc3d
SHA256 44ad5611744904355d8f42e7698c2cc0405c8a37f8b43879d93b21a0134f0f69
SHA512 950cce5090dcff6e5c24b8f161c4aa083a7a8d1f5a94bdae1cb7f475c13023f0ec6d7ef1bda94ab9145f4fb41e94364d07869d2d30925d4639fcb7b49a3373c3

C:\Users\Admin\AppData\Local\TempBOWCU.txt

MD5 87cc50695f15c2f63b4666c97e17c811
SHA1 a3a256a7638a40dfa5957b9e0075c2166face646
SHA256 ce1b528777903638c3d1d54e431f4401ec3cb9373d6df0fc2cb627eafaac01b8
SHA512 61b1158f880c6e4043883c26d0e65fea323d2bcd341158d8df51ba578e8b9f7a2cad067c6af5d5cff5ad95d96a26d6ab353d5ee642f6d76a9f1edad62bbfd687

C:\Users\Admin\AppData\Local\TempPMQLT.txt

MD5 025b440da23deb540aa314393303485b
SHA1 c24514626fafeed0bad536ba03d38b19c84ada58
SHA256 33fce00989bf24be4ef7dd57feb556d230c9889a771eec337e2a4b7a85c0b238
SHA512 ee500cad17f4ecf03ce05eaebbd0e9870676a6e50773875e7f615d6681ba7c788f782f6f6a957c22e456da9f26af8a0c40467d7fef21b49f8f732f0c2bc93506

C:\Users\Admin\AppData\Local\TempFVIPK.txt

MD5 583ea3fc5095dfdaaf7618dc30bbab46
SHA1 08b45396a4b04e5f69dedc41b718c50ec2de085b
SHA256 9d5968081bc1649ef7a65ef14893cbbfcefcd2d6b2522a386702f47bb7accbfb
SHA512 2816ac5c7d645ccbd5983d2d5aec4ffb84c8be95633e3f56104071714500f4d8c83690235c3c0cd380023a5e397425190bd2cbf29eededf5d418cd658d933312

C:\Users\Admin\AppData\Local\TempOXTAA.txt

MD5 a858f377e50658245042676e63af142f
SHA1 f4c80ab055d83e351fd43cbebd87f1c82a9294d4
SHA256 62255c76c20b3ceae60e02ba072747a318a65dccf75d4b2d80745ea800680e69
SHA512 72135514fc9d45ab7f22dfc3960ec81986419026a36de46242e4a906b92c01dee652342bb11e0ac8f8a823ab4f1e0d8e10d70cd2c2388a6a000ce8774359451a

C:\Users\Admin\AppData\Local\TempSDPAX.txt

MD5 01828693093ff77f5747295d62c209ff
SHA1 185f2ab8d95dc3560551dcce5f8de1d1ec079672
SHA256 ff2c0dd6b807ad417a34d9ae9382878859bf85d5f68517f23d3e4da0487dd8dd
SHA512 f061d8d712ea0f6958d4418f3f3e57cfaeac04b76702439558cc6ba218085d2fc45946ddc54b62b9e34524676c80b92453f67a581ada73203534ab6fb01ae439

C:\Users\Admin\AppData\Local\TempESAON.txt

MD5 a001473333022899c9dacafdade0e104
SHA1 b880e4a9a640f72a935155f658d3192b739f2c11
SHA256 9cb662c00791ea13303bdf95abf1d94e901997c261cf3daf3cf84c305eb0985a
SHA512 fecded9fc51f17d40e4decaa45127bae6ed2f89da57c31b9a04fbae20da576a858deb39995f57c5e7f514c635d678742de456c157e4e705db0e82119d5e19bf7

C:\Users\Admin\AppData\Local\TempBEFPL.txt

MD5 987c8458662eeab733267717194dab10
SHA1 7dd9830cd4baaef90b3c205db35756383fbca135
SHA256 129efeb13fe3eb79c0d5c886dd20022d15df42ab0c95f79d4f09c26cbdccbe19
SHA512 b83d2df29028f61fd70719311acae4ca08fba183cfec0ca56f4954865f1bbbe7512b6406d92a47eb236b10f4d1b1c54c8131eb3bb5cc2e898892814fc174f0d4

C:\Users\Admin\AppData\Local\TempBKVTR.txt

MD5 e96e321e0d958fefc515bce0eee69efa
SHA1 572020c477b6360c7d8962c73cdbe7395d502a00
SHA256 f8529a8728fe98d79b99baeebd66cb44e8c13f7a0263d822746d04d7874fc1c7
SHA512 d5ef1fb7bd1d01caaa944007892ad3e8e7900d55e38a6460252913ccf8bd033d9bbc1212190853717bc248f5a8fe6cc4a1d20402523c7fd6a6132ebca8c787c5

C:\Users\Admin\AppData\Local\TempWIGKF.txt

MD5 e5ce57e5d30e26845277d501a8c1311f
SHA1 7000a2c08a8b046d6d781967692733156a2aff16
SHA256 6e226e0033a8817c210108feaaae68b2b0ddbbc60e66151efcea4d19ad3d98df
SHA512 af1ca4eac827acbf4f5ed0edf2b781dbe4aed93ec308117fb6328241df795e5f7698ab9e6a82fdb66982d9a6e033ed8788b69240000027a21477bcbfebb11073

C:\Users\Admin\AppData\Local\TempMJRDK.txt

MD5 469f3e5ea5e8cd2c141fab98f2f64e1c
SHA1 b515a918878ae4e5e292acd4b871388bc445161e
SHA256 b058ef8d671332bb18372495bcc723fdd18cfa6f7353d9c16ca997caa2df44e9
SHA512 2f86365055577c89259b0340e93a9c88856955c1fc7f1f3b177e2feba6442905f27438414a0f230123bd16f7e299805e39940c8b4eb5e2c3fc73a936af17c219

C:\Users\Admin\AppData\Local\TempNHCYQ.txt

MD5 6d37932234587cc7795c130d52abd31b
SHA1 79b14567c8ca7857d93bf85810e2bd401423ea07
SHA256 5db4a4e46432fbdc79298a88154ceafa8e0755a382e62739008f70f68868049d
SHA512 c1bb43359eb4fd425f9b5bac8744f7e4178b8108c27f14aededf26eded3d82e043d5fedf08123bd2c0c6e33c01a7aff13fb0b344306d36539dafa1caaa86feb4

C:\Users\Admin\AppData\Local\TempGBIWE.txt

MD5 9d8a73676ceac800fa001ece1f4e52f3
SHA1 789fff73252bda26653a511337e96d9121f836b7
SHA256 aafc7d8db206d922031bd9a5dbf1ca1464ac43ea064d603a0b121df667734d51
SHA512 b12df097cd279226c2d14d973c512569288e0dd08cba97f8c17648413ec34dff158e34061896954d0fd016e01297c2ffc636d0b70494672ff697cb74c4d401df

C:\Users\Admin\AppData\Local\TempKXFOF.txt

MD5 f5e32640b80a435dead33fee40e71f4c
SHA1 e43db0656ee9805498e1bb9f416440adb48a4717
SHA256 89e0d74c0f0a3411e1758fce5992828b2bfeabf24c228a7d04cb3b678760667e
SHA512 37f5ef386f4cb358cbcb2f4a98e3524e53fd262968679059d00365aff0a1ef73fc0e3e693c131ebf79c1c7d21b6c7d12aeaf2d7f5d15ad303d2db585972cb0e3

C:\Users\Admin\AppData\Local\TempTCOTD.txt

MD5 58ee66fa6b26b84a2b2723f98441bbf3
SHA1 05c879e35afc11162776a7dae2e378bf7f0cc794
SHA256 94e0e21080675e26120d7dc5e254759277bcd31ad3470846d04b9b93cdaad7af
SHA512 de51ce998642657b32d6745c3d154ee36a9c5a4240dd0ef55ffd09e3d593fe118a3d0188b2de2af38286e5b07d065318560e35757a580e0cca82b146fe77543c

C:\Users\Admin\AppData\Local\TempCDRNM.txt

MD5 bf2c1572765208029d1140dc018927e0
SHA1 3328c95270b5502797cdd266aeef728bb058f318
SHA256 506d32539093f4e3ff009ef517d883026fee6b0f787cc3eab6bf879ff4ead966
SHA512 900a47cd898993f98331fe4ffb24742f84c85769aa0718863f27240bb36406527e1930ffc4a50ac23a08ae4806b7683d7fa7e0ffb50ab0198f1c5dd4b1441419

C:\Users\Admin\AppData\Local\TempFXWST.txt

MD5 f5dddc8c8195b915447e8eca984daf4a
SHA1 92ac8e13c3544047b426c6a188f1e272801f7f73
SHA256 b06d5882fc6605999b1c1165924a3d714579131c568bf8042f795dacbeac91a4
SHA512 f2bb539fa5e023adfd3371e6623b7104a9339046af16b3bb64dd54ac15de7f4924414e2eeb5de51270df6e69f66a6a734e3955dc4edd2afe9299c6046921db77

C:\Users\Admin\AppData\Local\TempPJOLW.txt

MD5 3739c9378a95d73cccd808ad93026048
SHA1 2efc0143c6c84413774e112f8dbfb2233a98cb1c
SHA256 10912fa52b1c76c9f47e788d10fba9a20461a9d52437c78cd6b201b27b4e94f1
SHA512 c28defca28d615c7e55fdbe04dcb661a7ec2ff3efe1a027ae3cd4622d39cf5a5ee53253feb97b1e4d223a55af4b30b37415b21290a3b7d4a4bddef09885d0d0b

C:\Users\Admin\AppData\Local\TempUFEIV.txt

MD5 5ff073d27058d42b4e1a233167dd3a3d
SHA1 abf063edcb6c19d997dd4e414118415e81ea4447
SHA256 591bd8e593ca7f6d04bec230dae035b525f78d62f2b9835df05bda8ae23a141c
SHA512 e49b7c255947cafcc7258ca2b178b89c543366e39a605694041d31b032f475381617bddd5facd06c12b092e47768ab9443c2a309055bf546898dfdb36018e0be

C:\Users\Admin\AppData\Local\TempPYPEN.txt

MD5 3c86f9fca6e72f3487041385d17af02f
SHA1 1d2933c86ad80c352b05bef3bd23315aa866d364
SHA256 61d8dc5504e877a049a72beadca2329646138a0a3fe296a57d4c4ce8fc2e1b70
SHA512 88c6b3ca0518f7158920d474b10bd35414fc715d8bdca0271f98246cf45015adfc5da84994fbf070767c35d5adbcfc2a8fac09b6947b9b4501c71dff4a711373

C:\Users\Admin\AppData\Local\TempQBUUJ.txt

MD5 a92f22d6aeebba42c05729c0c7188c08
SHA1 0de2b31be037959418e09bd24a547bba663e5fbe
SHA256 a75a1c5499d9c5d310706d6f0f239247e0eb87c3a09adf045d8514034a81bfad
SHA512 8334a9f1a511194751060865501a1e4c8bd24c625a4251b2ebed829b4e88da66b69af1857786a2fac53075e5774662c1689113e0c370c74a160e21e7b306f35e

C:\Users\Admin\AppData\Local\TempAHHQM.txt

MD5 bfaa2fa051ecdee4bd335049a464d9a3
SHA1 dc06ad549275eeb7f81ec592b04b1e9b0e5a9c86
SHA256 6585e73a303c780ae67170b23512ffe6e1c4f52e3ea969efad5687ec7d785292
SHA512 024deaa1dbbd3923a970364708c7a6522e2226d42c2fa88d7095594be8270d0b6a8ad6888710647f78b84aa3c9fb3052c80dfa731d5a170bb419392763647d54

C:\Users\Admin\AppData\Local\TempGAOXK.txt

MD5 55eac6291ede42a90de5207804c0e0ec
SHA1 f53972b85dfc194f41acf4fec1ac1ae71f8d63f9
SHA256 40b95e7cd44d32cf66e2a6add1cbd09310d05a51d59d88e9dc656ee90602efae
SHA512 d041313443f64f4571a67fda74352f256e85cd7c2d343f4171c4eecaac9c468eca9dbc427ddb8005da088bae2d6b888908245a5fa520b4ee92167a2f0819e3dc

C:\Users\Admin\AppData\Local\TempQOSNV.txt

MD5 502091e88d4f9bd9c7adcbc8ad6eac18
SHA1 72a0dab360fce3de25db13635a0710d5e1baf763
SHA256 76eba63d23fe3ad22863c047f30213acd8b1488b91c492ba92f5fe838f7f20b6
SHA512 4d0b0d9122202ae510dccd1fe85998de6780972e1418886972135391774dcaac7ff990bafc6806f64564fe5e186425a6509ab46fe951a6d782160686618b01b6

C:\Users\Admin\AppData\Local\TempUGMRD.txt

MD5 82a35feb9ca1f14e6f8be79a1b859f20
SHA1 e138c816dc24146d24d4581069ddec79b8f7cf7e
SHA256 48c8032b57d27959fe6006f9f554c6e7deaaae09ca44d10740cf4a5f028e1c8e
SHA512 8e0319b5833a2b70833a94c2432525549ff45de4bb43e8c93d23f179c29ff3e751498069f667495d29275c48406b2df81a06bb68f5eb767f96bf59cb6d3bec2a

C:\Users\Admin\AppData\Local\TempHIFOA.txt

MD5 0ad59275a022c5e20e87ee3b1a5005a0
SHA1 3f71e6923ba2404a0aa4c59827701abfa89af383
SHA256 dc2f20de3ae28bf281fb113fb03b1e76b81bd7addf0f5f76be20cfff0e3d419e
SHA512 175201b62f9302dec4f9a597f0bd94209ce1bc41fb6c694cab3edd53459aac5ec0d411a2a1ac9fb7df4e252cc5971e11906592264d2ca7a2c0cc60367dff1b08

C:\Users\Admin\AppData\Local\TempSDXWL.txt

MD5 1a3da698ee8fa36e10bff6662c71beca
SHA1 6ef93721e781a68c788b0f3adf5c402e66b49f00
SHA256 02effddc870eab367d08f4d09ebc710e98bc02f3ec9fcca5a98db8e9b0637e3a
SHA512 61ed3b5665204732e3a6d2398e769a5fe6414afa3560a2451e38a5ce5bc4c63a30ebdca8fc84a137fd7f9c0d29682d1b3806630a9c17db2d5d610357500b0200

C:\Users\Admin\AppData\Local\TempLIRDJ.txt

MD5 0ad6c9500e0217c6a48554d553396c1f
SHA1 ba19a344bcef4b2edb43ff807dd4aec698822639
SHA256 819a70bd41db67deebfb277a07da2ea0319aae00f012a4cf28d2a713ee2c7d3d
SHA512 91378178711b44ff33de321b82a02a58ae4e73bc2cd3288b0b0f370f5cca6e4633fe5c67c21e9b6e340dbae03c2483cd5c093b641e29c8d2c6dd988bbb9fa488

C:\Users\Admin\AppData\Local\TempQBUUJ.txt

MD5 373e3e79d33ab24a63920df75aadedac
SHA1 025ca3368b01e37d1e2f466a1612d6be164af035
SHA256 559746d47a9aab1f4b5e26da733afce2275997ff8470bc178f65d8865bd4ef52
SHA512 33af5673baf8114720e31fc265dbbf6f3331709e0e9608acf90ab02f67e90c8dc57a860d19be1b5ad0716fd2c43e7739c2c70569122c009c42a6ea9e9d4d48b8

C:\Users\Admin\AppData\Local\TempRSPYK.txt

MD5 8d400655fc3fcd5eae2405c6a57a1dd4
SHA1 c14b761e8d12819c11b794d04b7c094ef0456f7d
SHA256 e178ebbd43a7d8fa3cee06a73308c755c8cc2dd2a71c68de2c7c31db32d403ea
SHA512 d6ce992e91d330bb7a70c5398447229deca4014274cb0b9acb2e55f2373658a5ec00f82b115905b776ae1cc9b6ba2ad8b43164fd3f6db362e724c42d04089ffd

C:\Users\Admin\AppData\Local\TempFJJDB.txt

MD5 9207fe76b388c0905d7a4918eb992b03
SHA1 b6a86f0bfb7e2a6038f7791e3d6d325a4adf368f
SHA256 5b5ee4acd07ad0c45152cd82eb10907b16409c1270aa664097f3b48d643f2b90
SHA512 c9fd91bc389b96dcc70765ce80361a1fcc2daa56a7bab4427e38be41000163510514840d7f74df413c36c878ecbc3012c38b5ec60fc49d5a4ae42f7b433a6932

C:\Users\Admin\AppData\Local\TempCNTYK.txt

MD5 475731ebdf5491f601dba41d5133c888
SHA1 5deec8772334d6e1a1b9b0c9da089f645b3850b7
SHA256 d5e46bead89bfd2ca30f3a5f57089d6756aec8ab4c965d19a48d610dfc738a34
SHA512 d24965a896102abe6f28034561316b493d0608e7cf8ff5fa2831f2c449bf5bdfdf5a47e2aae4e0bb9015d8aa293976a07116d2ab1831239d046ca8eabcdd77da

C:\Users\Admin\AppData\Local\TempUIPKP.txt

MD5 8131020d25feaf121296f4d7d56a01fa
SHA1 3ff923604cbe9be3ea09f7d74c235d3a9bf110fa
SHA256 0a38597aa86cf23ea920315044bd38e93469a86365e906780f5c146ea3c2b5d8
SHA512 d567db0d8f7559f26cebb4a2f885c99b6041d62949fafec7cee1fb9ba2f4892d26a4020578824ae1784f7db5362252e2f4278712ee7f44a72dd381b29d61979c

C:\Users\Admin\AppData\Local\TempOPYUA.txt

MD5 fd57fa28b96aa63b9bf7237817711272
SHA1 a3c675fcf77412ecebcd072c7c29836170b3e2d5
SHA256 94ed8c09695dd7503351259ff03f581948c810b7c1bbe4c9068a1e455bf345b5
SHA512 0daf00af6a649da5d4c3c4541c2cbf4a96c13898b720eb2b4089dcbc24ed9b42e9cccbd9195278bd4e4759bae2ad7656f530dea64d2d844226c4211d3f75d2f9

C:\Users\Admin\AppData\Local\TempJLGCD.txt

MD5 f637d8b13ec271b6d272523d5015a3eb
SHA1 bbf29700ebed4f822b1664aaedb96ea6f3af2265
SHA256 34d45d4fb598ea5d45283194a05525559c32ee10d0a40781dbbabe66305b94e2
SHA512 634e930da8bcbe13e94ca07820cb9b5bffa959cf778f57c91a5afe1599f82ff882ec388c8b6c026714a758667b9bbea1811cdc692b5ec043b09bde0549259c7a

C:\Users\Admin\AppData\Local\TempESAON.txt

MD5 711994a7f79a8dd38a8c5f0fd82752b1
SHA1 519f32ec2c2deb669ab58cd937f8aabe1e15a3f4
SHA256 026a44b024801bdcb33f53ba18bcef6763fc11edb924980dd4353a1f8130dafa
SHA512 7d2b4a5ab3a6e7cfc9361febc92b382454e678b0e899c1990ff46f18a88e04cae461d121096e8823364e2ab0f99f4c7fdd2eb59c3b5f39775c29f9deceb341dd

C:\Users\Admin\AppData\Local\TempCKBWL.txt

MD5 84fc039c54cc69d4b22281a3bd8277a7
SHA1 9a84b182f92b014b5ded116b51de0656a2c653fa
SHA256 2a96c7a5878b14d18aff5081b15ae31d2798f2899320f9e9ec5b14f94125d7af
SHA512 a6ed04f2d6048a98a661a90074329f3ee531139c1d9965b6c224bbf0ba9ba2c1888e9396b2ef41abd8a4484ee9ddbd7c4666ecb05ced314663c584f9bbfcf120

C:\Users\Admin\AppData\Local\TempLHQHE.txt

MD5 f1a04c73db54f6b1409726d80a78eed0
SHA1 88a4b47f4f23b86b4051d5afefe50e68a4fab40c
SHA256 0d8841ccb39580507b12ab2654db7fb0e4ca6f8ffaf1d2f1af6e1e9e205439cc
SHA512 da60fdc98ccd3616448e6e6967a134f418fda4a2afee558f1dee509727ca14073db16ff76463db02dbd6eb97de27af0a3f2ae33136c8d01d8ecf1695f5009f3f

C:\Users\Admin\AppData\Local\TempCOWNH.txt

MD5 4ff67c7ad8f7cb3a5150d20f0441fd19
SHA1 dd5fd9ef937a200488b6a900dd4c1d0dce70d1db
SHA256 72fd430a0a705e3b8f97bbaa7eaf486a3ddaee4ec3719185d00d35ce0e645a01
SHA512 c01120fe1b945870b92cce5113cc86e3047ab948bd2b9f55a694a73f1232cf00f7aaa3f5647b36cc09bf2dfb9a503e89e4f633941fb858ec8ac4e1f11ec3e8c3

C:\Users\Admin\AppData\Local\TempYFGDL.txt

MD5 1da058b5cbde769209a6288b96ef384a
SHA1 f4930bedd81d64cdcbccab1130af611000cb4f80
SHA256 a68442151fc450c31bd67906143522eb3fab7a073fef876c294eb233caca5764
SHA512 1866eee9c77921b70a4f68996d57256f23595cb28c57f023548116d80afa1711440ffe33f2706e3012de0614cb704c003826926d6dc92a69c21ef3a28d5f357e

C:\Users\Admin\AppData\Local\TempREBQY.txt

MD5 2b3e0ce2e138841aea19559aa1ee6ed1
SHA1 36730e6fb159d61a7ce53287aa4370f351fe83ac
SHA256 94fe3c16fd77bdd02fb54596230d39b586d849e61f2816cb22f13d6751996854
SHA512 a24ad2aafaf32862f31dfd0e4748164c179722afa78034ea6013b355bca4e9e22df53812d1bfca95862e2d88876787fbcc1f9362a6b8467d26a92b5fe2b2ff7d

C:\Users\Admin\AppData\Local\TempJSNWN.txt

MD5 2b26c884ede435aec0ef937c2946e464
SHA1 aed29a08df61ebe0ebcc075c5bb66b48847fb040
SHA256 953e2072ff24fe7a62f3c10d1e69973b30b7ca2dceb528c52b7b7fd2dee25e59
SHA512 ad1c4d9b4938328e5771abb5f50eb9df89bba7864c4d21ef57a4cc89e330fd31a3925059551cd7fd82b1c0b462731ee7e9bf4d46ee0edf268ce45f7cbd6004c5

memory/2904-1650-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2904-1651-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2904-1656-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2904-1657-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2904-1659-0x0000000000400000-0x0000000000471000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-05 04:01

Reported

2025-03-05 04:04

Platform

win7-20241010-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload


Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNEWOKFAYOPNVHN\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSPPL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPIBHOXANTKSHRH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNYOK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SLEKRCDQWNVKUKG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDOE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSPPL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSPPL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPIBHOXANTKSHRH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPIBHOXANTKSHRH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNYOK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNYOK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SLEKRCDQWNVKUKG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SLEKRCDQWNVKUKG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDOE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDOE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\RJSOJTEUDTURAMS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWULVONPBFKYXJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\RISOJSDTDSTQLRW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHVTKUNMOAEJXWI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\FSJWSQAVHBVXCSL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLEKRCDQWNVKUKG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\NREIECSYQHHJEAB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LODWUDWMCIQHGRO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\UFDHCKVAXSQTIWE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOGXPLGBAQROWIP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\GYXTVHNUUFYANWJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNFWOKFAPQNVHOS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\DPQLKMCPXGRWGTE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IRJFATXJKHQCINB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\DYCQGTPNSESUPIL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPIBHOXANTKSHRH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\PUABHETSGHDBDYT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVWSQXSIVDMDX\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\GYXTUHNUUFYNWJI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNEWOKFAYOPNVHN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\YAWVMCQMJYOBOQL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TVLFDKUKPHYPDOE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\XWANDRNLQCPSNGJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXMGFMVLQIQEPFB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\WCDAJBGVUIJFDFV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BTLRYKAKEXCEVRS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\LQVBCAIAFUTHIEC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IKWWAXSRXTJWENE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\PNSFJECTYRHHJEA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LOEWUDXMDIARIGR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\JFDTRIHKFBCLHVU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FSORVTWHLREBQYP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\RDLDVMJDTNOXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOFPIHJWWES\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\DYCPFTPNSERUPIL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WOIBHOXANSKSGRH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\JWDMWTEAYLEYFVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPINUGGAUBRNYOK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\UHLHFVTKJLHDENJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJASKGBUYKLIRDJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\RXNLPKSHIYAHHQM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQJPWHIBVACSPPL\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\BIMADOQLJMBPWFR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQGRKILXBYGU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNYOK\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSPPL\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDOE\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSPPL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPIBHOXANTKSHRH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNYOK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SLEKRCDQWNVKUKG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDOE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 816 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe C:\Windows\SysWOW64\cmd.exe
PID 816 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe C:\Windows\SysWOW64\cmd.exe
PID 816 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe C:\Windows\SysWOW64\cmd.exe
PID 816 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2212 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2212 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2212 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 816 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe
PID 816 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe
PID 816 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe
PID 816 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe
PID 3028 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3028 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3028 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3028 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 2916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3032 wrote to memory of 2916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3032 wrote to memory of 2916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3032 wrote to memory of 2916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3028 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe
PID 3028 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe
PID 3028 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe
PID 3028 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe
PID 2772 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2552 wrote to memory of 736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2552 wrote to memory of 736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2552 wrote to memory of 736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2772 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe
PID 2772 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe
PID 2772 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe
PID 2772 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe
PID 1136 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1136 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1136 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1136 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2764 wrote to memory of 336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2764 wrote to memory of 336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2764 wrote to memory of 336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2764 wrote to memory of 336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1136 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSPPL\service.exe
PID 1136 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSPPL\service.exe
PID 1136 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSPPL\service.exe
PID 1136 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSPPL\service.exe
PID 2252 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSPPL\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2252 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSPPL\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2252 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSPPL\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2252 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSPPL\service.exe C:\Windows\SysWOW64\cmd.exe
PID 624 wrote to memory of 456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 624 wrote to memory of 456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 624 wrote to memory of 456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 624 wrote to memory of 456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2252 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSPPL\service.exe C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe
PID 2252 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSPPL\service.exe C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe
PID 2252 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSPPL\service.exe C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe
PID 2252 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSPPL\service.exe C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe
PID 2260 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe

"C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMDYBN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UFDHCKVAXSQTIWE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe

"C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempXWIQI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UHLHFVTKJLHDENJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempIWDTM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GYXTVHNUUFYANWJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe

"C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempUMAJV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RXNLPKSHIYAHHQM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSPPL\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSPPL\service.exe

"C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSPPL\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempDHYUV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DPQLKMCPXGRWGTE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe

"C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempIQKPM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WCDAJBGVUIJFDFV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe

"C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMWRFC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DYCQGTPNSESUPIL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPIBHOXANTKSHRH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WPIBHOXANTKSHRH\service.exe

"C:\Users\Admin\AppData\Local\Temp\WPIBHOXANTKSHRH\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempEUHPJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQVBCAIAFUTHIEC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe

"C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVGSDC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BIMADOQLJMBPWFR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe

"C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempXIGKF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RJSOJTEUDTURAMS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempCLHVU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PNSFJECTYRHHJEA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe

"C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempIGKFM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RISOJSDTDSTQLRW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe

"C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempGOGAJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JFDTRIHKFBCLHVU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe

"C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKTPCA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWANDRNLQCPSNGJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe

"C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempGOINK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PUABHETSGHDBDYT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe

"C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLDVMJDTNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe

"C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMVREB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DYCPFTPNSERUPIL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe

"C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempSTYEF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JWDMWTEAYLEYFVO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNYOK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNYOK\service.exe

"C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNYOK\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempOPUBC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FSJWSQAVHBVXCSL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLEKRCDQWNVKUKG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SLEKRCDQWNVKUKG\service.exe

"C:\Users\Admin\AppData\Local\Temp\SLEKRCDQWNVKUKG\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKYGUT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NREIECSYQHHJEAB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe

"C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempEIJSO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YAWVMCQMJYOBOQL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDOE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDOE\service.exe

"C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDOE\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVCTMR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GYXTUHNUUFYNWJI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe

"C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe"

C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe

C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
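The reg.exe and cmd.exe command lines above are the sample's whole persistence and firewall-tampering routine: one dropped .bat per copy, one HKCU Run-key value per dropped service.exe, then DoNotAllowExceptions=0 plus an AuthorizedApplications\List entry for the final copy under the Windows Firewall policy key. The parser below is an added example and is not part of the sandbox report or of any vendor tooling; it turns such command lines into structured indicators that a hunting query or Sigma rule can be built from. The five sample lines are copied from the process list; the RegAdd, parse_reg_add, classify and summarize names and the finding labels are this example's own, and the "missing_temp_separator" flag relies only on the observed fact that the sample's .bat paths read `...\Local\TempIWDTM.bat` with no separator after `Temp`.

```python
from __future__ import annotations
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: five command lines copied from the process list above.
SAMPLE_CMDLINES = [
    r'cmd /c ""C:\Users\Admin\AppData\Local\TempIWDTM.bat" "',
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GYXTVHNUUFYANWJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe" /f',
    r'"C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe"',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe:*:Enabled:Windows Messanger" /f',
]

REG_ADD_RE = re.compile(r"\bREG(?:\.EXE)?\s+ADD\s+(.*)$", re.IGNORECASE)
BAT_RE = re.compile(r'\bcmd(?:\.exe)?\s+/c\s+"*([^"]+\.bat)\b', re.IGNORECASE)
TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # whitespace split that keeps quoted strings whole
RUN_KEY_SUFFIXES = (r"\microsoft\windows\currentversion\run",
                    r"\microsoft\windows\currentversion\runonce")
FIREWALL_POLICY = r"\services\sharedaccess\parameters\firewallpolicy"
FLAG_FIELDS = {"/v": "value_name", "/t": "value_type", "/d": "data"}


@dataclass
class RegAdd:
    key: str
    value_name: Optional[str] = None
    value_type: Optional[str] = None
    data: Optional[str] = None
    force: bool = False


def parse_reg_add(cmdline: str) -> Optional[RegAdd]:
    """Parse 'REG ADD <key> /v <name> /t <type> /d <data> /f', whether run
    directly as reg.exe or wrapped in 'cmd /c'. Returns None for other lines."""
    m = REG_ADD_RE.search(cmdline)
    if not m:
        return None
    tokens = [t.strip('"') for t in TOKEN_RE.findall(m.group(1))]
    if not tokens:
        return None
    reg = RegAdd(key=tokens[0])
    i = 1
    while i < len(tokens):
        flag = tokens[i].lower()
        if flag == "/f":
            reg.force = True
        elif flag in FLAG_FIELDS and i + 1 < len(tokens):
            i += 1
            setattr(reg, FLAG_FIELDS[flag], tokens[i])
        i += 1
    return reg


def classify(cmdline: str) -> list:
    """Return the persistence / firewall findings for one command line."""
    findings = []
    bat = BAT_RE.search(cmdline)
    if bat:
        path = bat.group(1)
        findings.append({
            "type": "dropped_batch_launch", "path": path,
            # Sample-specific quirk: .bat written as '...\Local\TempXXXXX.bat'
            # with no separator after 'Temp'. Cheap, high-signal indicator.
            "missing_temp_separator": re.search(r"\\Temp[^\\]+\.bat$", path, re.I) is not None,
        })
    reg = parse_reg_add(cmdline)
    if reg is None:
        return findings
    key = reg.key.lower()
    if key.endswith(RUN_KEY_SUFFIXES):
        findings.append({"type": "run_key_persistence", "hive": reg.key.split("\\", 1)[0],
                         "value_name": reg.value_name, "target": reg.data})
    elif FIREWALL_POLICY in key:
        if (reg.value_name or "").lower() == "donotallowexceptions" and reg.data == "0":
            # DoNotAllowExceptions=0 switches the profile's exception list back on.
            findings.append({"type": "firewall_exceptions_allowed", "key": reg.key})
        elif key.endswith(r"\authorizedapplications\list") and reg.data and reg.data.count(":") >= 3:
            # Legacy exception format: <program>:<scope>:<Enabled|Disabled>:<display name>;
            # split from the right because the program path itself contains 'C:'.
            program, scope, state, name = reg.data.rsplit(":", 3)
            findings.append({"type": "firewall_app_exception", "program": program,
                             "scope": scope, "state": state, "display_name": name})
        else:
            findings.append({"type": "firewall_policy_change", "key": reg.key,
                             "value_name": reg.value_name, "data": reg.data})
    return findings


def summarize(cmdlines: list) -> dict:
    """Aggregate findings from a whole process list into a compact IOC view."""
    summary = {"run_key_values": {}, "firewall_exceptions": [],
               "batch_scripts": [], "firewall_exceptions_allowed": 0}
    for line in cmdlines:
        for f in classify(line):
            if f["type"] == "run_key_persistence":
                summary["run_key_values"][f["value_name"]] = f["target"]
            elif f["type"] == "firewall_app_exception":
                summary["firewall_exceptions"].append(f["program"])
            elif f["type"] == "dropped_batch_launch":
                summary["batch_scripts"].append(f["path"])
            elif f["type"] == "firewall_exceptions_allowed":
                summary["firewall_exceptions_allowed"] += 1
    return summary


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_CMDLINES), indent=2))
```

Run it as a script to print the JSON summary, or feed it the full command-line column of a process export. Two caveats for triage: the HKLM writes need administrator rights, which the sandbox's Admin user has; on a standard-user host they fail with access denied and only the HKCU Run values survive, so those are the indicators to hunt first. The AuthorizedApplications\List value is the pre-Vista exception format (what the deprecated `netsh firewall` context wrote), while current rules live under FirewallPolicy\FirewallRules, so confirm the effective rule set with `Get-NetFirewallRule` on a suspect host instead of trusting the registry write alone.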

Network

Country  Destination        Domain  Proto
N/A      192.168.1.16:3333  -       tcp

Files

C:\Users\Admin\AppData\Local\TempMDYBN.bat

MD5 56e62a5261bbb9ce37e157e5fceec40e
SHA1 4103106c6409939c1fd12cf35abe3ed28da06548
SHA256 448934e2951d7cc4e4444d9209fb88d131faf2c1755a0cce3e9577107e46b2fc
SHA512 860aef0aa30a9db4958069deb123e78e9893041b09bc260c0d833d28c5768cf1bbc39298448baff55a88fec9bf63e4a28b0f68b4d2d02e13c92a749cc49654ba

C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe

MD5 a4bc60b2edeb8fd437b89ea4f85bfafc
SHA1 0da4a6ab94348a2316f9925ce23f804af2099400
SHA256 599f468b1630bfb1f17034e5978390466d59b2bfd277e2458a57e8def2c2763b
SHA512 48423900efdb99b87ce8e7bd911567868cadd22539326bab9fa78b81c7d0331bbf18e192b7de15e1f048afd2a30cdf8fd9c5703ef9d24ea1fec664c6f69e3b68

C:\Users\Admin\AppData\Local\TempXWIQI.bat

MD5 4b7bc7b3abf2679d6f571f7b703398f6
SHA1 b3361bdd0816710b4384e96962fc246749a2e743
SHA256 29a0b1eb97a4373a336fee28d7036c61625a8bb4ba6fc9cd7f1058ec5e793c24
SHA512 2e2e5ae863dfeb8a891830ad0e8ee35c7a195047100b16785400e37ee7868047620b7d17c6699ff983c04d96733584ff137ed8f413219f9e353b5f5b24ac8829

\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe

MD5 7bb49f75b6660b66862e7beccd8cfb9a
SHA1 c9885157db7d5025756f038933732accd1507a04
SHA256 a6e5d2759811c07129666f663e782aa8f5cad7d94b04251385329994b64c76c9
SHA512 dbba51d1a1d8161b3ce4463d518a7133f5b4a6ff2c0dea3c2be1d5347aaddffd966cdf4bb16fbebb51a50d923a186565e176409bf344ae5a6d52f2e26262d106

C:\Users\Admin\AppData\Local\TempIWDTM.bat

MD5 7fe370d59da451691de97d72e1472222
SHA1 bc7e8443e5f501fb7e50e75592d87d98d48cc99f
SHA256 47664deac2a316be349e5efb72fa9f129d3ea70e6dba1066f9b8345d921a3747
SHA512 b52fa7c1927eddec513b3cb7097d547a0feb507e5a8ec6547083e4601abac714bfbf820c2eb38b7f2e1f6d49da59b0474915a9e313af310717384a02f71d4e24

\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe

MD5 3aed41880a85678454f071ae995c8f5d
SHA1 577c4d3c3c44c8e2d1e1ea18c9d04f7add0e813f
SHA256 6ebbeb5147674182d821eb45a2ad87389d9eb7e920ea4c3965abc8d732ff7e9d
SHA512 d3143699cee7605dc4a5e8bb0a14a4a2d946614299bd85d308a0eb13002612cb25024fa8875d30af5823168a972924a520fe68a015779952f7e1c0842adb9b16

C:\Users\Admin\AppData\Local\TempUMAJV.bat

MD5 7439353d31c70df02f64cdc035298ca3
SHA1 b9685b6b456d50c0721f4e62c42199fb2926d79c
SHA256 2cc151bfcc3b54be65d0b149ccb72a7f38a28375d6a894f6d7b93a35398d9e00
SHA512 5d36b623231de6ef0645aa6741021aae4aa2fb7d03bc59732adf104a2773ee3e69d867b6bb2cda00b74003e5cc2491028bb1ad6a57701e4f28462aa3aa7c62fe

\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSPPL\service.exe

MD5 5b65b29417553baf4e976925770e700e
SHA1 ef33b9f0c437dc45772162becf735df287c5c64e
SHA256 b0afbc666e147f06c1b436581d1727e0602be6219e3e99255ff16b98084de6c3
SHA512 89571b29b45ad6745628513613c80b8913e5d934326c29fa962777d65ca7fa6dfab595e6145edcfe8392a5c33b360181bd4e9dd09fa34d5709de5969d45f5c03

C:\Users\Admin\AppData\Local\TempDHYUV.bat

MD5 e13f314830c35740302e2988e38038ed
SHA1 25ae4d4027f1d379c14175ed5431ae564c074ec4
SHA256 5a2491d3063b42a11f0fc9fd9dd345e475c6de25bd0e3ac44f6e2cbd0435dd86
SHA512 15eb39f7a5845955431d921816f979af697e1d637f3feb68cd2d811bb833bec0e99eeb032833d187f517270d6331d14c44bb0686ce7cdc26953f1626915b2d17

C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe

MD5 381b239c932d48942b47f1e4b3ea6b06
SHA1 4cca950f0b21c7b33f79c8f77cf947404a8992fe
SHA256 4050a05d3c9817269f7708e110b06a37f4a0631f02e37cbe6dfd503ae2b05cb9
SHA512 eba09931f71d593a452af3552440fd4a93a8b3d47d4a7cb906ae19849a71395e108b80d51ade68b67c221ea588e5bc3ac403e7a7c3f1bb28cb2964785d6332e2

C:\Users\Admin\AppData\Local\TempIQKPM.bat

MD5 f3215b76593a1894e5edd5c1c2515fc8
SHA1 87b29a6a8aa5d8921204495707055b6e7d6c4ea9
SHA256 416b48bac5678aea5a8fd357feae17a8ed365eb8b54e70df138642ebd1553144
SHA512 a2aaf9cb0794b1f5524dbf1f558b0f593cfeeab84f397ba670ba7e4319a3216db4a514c067f3dac58b1eb75767f58560408eb87095025e2e2432c87b77e71a0e

C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe

MD5 b64194c217222a7ca06370bdf11dcae5
SHA1 97eb6f40380f81cd90f74a753e353a7c7cf6406b
SHA256 f58a96b923aaa51c27f95d1fe125e772d68c67ed99a03298ac2fdfb9f4517195
SHA512 ca8ec64b8928a341d1ddc8e01793ffa1fa832349246086ff1baf24569f3d47d01747c5d94e6fa261bb5ac85629ddd3397d426917718aaf2aa7177432c47adb47

C:\Users\Admin\AppData\Local\TempMWRFC.bat

MD5 262a690383101b6d14fcf1d0035fcd22
SHA1 8598f6acc2d04374c8d94d6078fd8659c69b3f6d
SHA256 87ebc880c05ffe5dc9060d56b13f5e711373281f53e9e5fc2cc441bbab7c7f99
SHA512 9754dcad33af28e5b2fa337085fc2d0b4c2d200566773f41c1c2c24a93605bd2e622b29e44c88c4862a6bbbfb4c21546ffe7f17363f4a60e595c22b202f2d477

\Users\Admin\AppData\Local\Temp\WPIBHOXANTKSHRH\service.exe

MD5 a55a9bda426b42b250db4e80daf728c2
SHA1 a1464fc2974590caad76eb27130b3c9a9f8c3033
SHA256 610144466b81a8f62e17bf60992d155d4e5e6bde24d19cf6fa99bfd9f4b5c085
SHA512 72461dba7b2ab98b25c8bbbcbcfc906d1ab2b10f7ffd21306ce62fd9a5973f73d7636eeef98b019810c550c23d413e157af30c078c5f8bc46e6ad897926b5568

C:\Users\Admin\AppData\Local\TempEUHPJ.bat

MD5 8906192e2704307f41c53839d8ffb47f
SHA1 3d1d811e339cb09209b25a1c947b8d132832ebb4
SHA256 4419766c59bf9527d61ea35deeeb0b2e7aeb0f72a87892b6d04eef1d9b18049b
SHA512 d205217a4abafc89aee5ed77dbbbba141a980b1c28aa978784b424a1809e4bdcef0ae3e8a8588c3f3a79c4706f926777c1a8fd1f50d7a504fad776eb659db077

\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe

MD5 306553145b664c72013f09d20630225b
SHA1 f4135c086caa5b46c223fc78d54f7c511ca35958
SHA256 6599550d1fd11d7be2be42ccf3caf5d5d71564f0b01111867c68ea6814402d40
SHA512 5b54283f798eeaed6b807fbb5e693dc4c004b9646a43df2b3eb977510bf02c34e9ab5e6a6bdd4970712ef35b8b628fe5c6da8006299ef02ccc296941fad5c768

C:\Users\Admin\AppData\Local\TempVGSDC.bat

MD5 fe328125766781fae9680412f03ae7d0
SHA1 c2deb156fb0ba41db7649045818b1a9ca0593e9e
SHA256 9fefbc395dc92a415c6c807d1eb0050c78c6c17bcb450326c0e441550e2c8fdc
SHA512 0e660c44614ba8224eecca39273cb980c9786e11ccb63b5a6ae4910bc24f063a42a201ddaf080ab1148da7636b8fbaab5201fa2eeee14ef82978af2490eec2d6

\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe

MD5 54b345136339d140cd8d1ffa41f17d4c
SHA1 e0d1011ca825e3fca682938e82ede96625fe35bc
SHA256 f73db7bc05524dda6d9ec74deca536043a5b6dae404b65431ba731a07f99db7b
SHA512 6510114abe47342ef9d3749fa4bc4784dd58787b48bb2a2332dd5c97cfd3459b62c52f39ee403879ba03d540bb663297ea44fb01605ce5b48a99dbd2984e51e0

C:\Users\Admin\AppData\Local\TempXIGKF.bat

MD5 7ac1fabc9df638590705057fcfb35843
SHA1 713852ced0fe693801d29d556f4945ce46712ebe
SHA256 ef520fbaa273cc23c26e024e90e9aa9168b4f8968c42a14f802b7d1048f5fccd
SHA512 f523462b0075a98e2bc697cc4c2b06192466148f8fc3f8cd3d0d55a32df5153d0307eba4c59236e8c4ba016b36683a57b1c990f130e52518c01093cd8cff6c71

\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe

MD5 cf79cce44ef072452a7867bb920a595e
SHA1 442b914aadefd50a55ff4517548e50779746ad14
SHA256 47f1d263e83540857a51388cd0c5a55e0e9772b06f8fa8d6fda4b084e0bbca1b
SHA512 98b13f452370eeb603020f12002af50f9676889ca461d083ac7181b5925c95dc56ca45c6fb8bd9ee0c8c0c141112df6f3373e04f46c226ff2c66f3a56b7e2d75

C:\Users\Admin\AppData\Local\TempCLHVU.bat

MD5 296acaf38f1112b3b57011ec45757f14
SHA1 af100448f9f10b0f918cc1bc805ca868af1573c3
SHA256 8d4d127d35f6dcfc835a060d8fd313e8dfe259f63c461d7fb6f39fead194e5c2
SHA512 52eb42f77f7c192217d93ec643a237d08acaaad07d84950cb98f429b0d80f42d194e0d1678eba09de69271a7634a9d7107020df7f9d42c91b9c63288bb21240e

C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe

MD5 c76083791bf3f55520671c3c4c698619
SHA1 313dd997afeed5874344eb5ba0962d80f933236c
SHA256 daa1e5031f6e4e98d3bdfb3d4e07faebeb95f1bc0be123d8fc239bb023863fa3
SHA512 588921b9a9a57c739a2ccdd3ba2fd90f1d1df70ef5f71dc5ac2df0bc722d33e43fbc6035cf47f0df84f62a8d44396850e66755ccc8366e65f2547adf2c2d6129

C:\Users\Admin\AppData\Local\TempIGKFM.bat

MD5 259fcf2d77cd48c375b929493d9e95d0
SHA1 ae081b27b04fa7248d5a76d5a71b4cf3abb748cf
SHA256 03d5d4132156b47723a4dbb1e4c4972cddb4849d49c11bd99b16b9b0741b3253
SHA512 daa5860fd72a954f303015944d10875b968a5e40d2631e7c110696447747ceac4e47d29f3c523ae1d576c48dfbc14a1ab2f5b0f18ef4ae8686b6a53fef50dcfa

\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe

MD5 cccaa800697277d5bbee58e759de5ce9
SHA1 693ca50de693e54c84711db2a63a3772702fa8ff
SHA256 6ff2da474dec88793548b902bb474baad88cad7ae84012a6a5f50ab927c0b92a
SHA512 97a277d91c36dbcd1cced1f618f0c89853db30bb0880ce382e54e3c1dcf790fed8c3f8587e3dddcb6a0b6bebc91982cac555c950742b6af6064d559cbebbb2b9

C:\Users\Admin\AppData\Local\TempGOGAJ.bat

MD5 00a1aab76be53cc31bc46547536ce0b4
SHA1 e470a4805a7225a254c33b920d2279909558e524
SHA256 c1f64ee2489a51a9fb8f0d52f1fe843cc8f8e6641d167e4bac724cb970c35de7
SHA512 b71318c4e0022eed6683766dbecff358dbf8db16569632b8284c2ebc5d5b67319374cac939be5e25281a1c53181bb583b85cdd122fc6ffdaa0c55c580214489a

C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe

MD5 25b5751c2d793598d4c8d9f1a4facdcd
SHA1 e8fd5fe05011c3e04251e963a0431996d21fb24c
SHA256 04b833f0884fb69ac0ff95abd2a156e25e331c85bdf471314495fa361d65812b
SHA512 c411f4cf17962a8ec3491888dfa5e488505b0e29f1717439b846da464bdffc68d3633d2cfc42b93e7e3390ed6cbb4f60b03512ede3bd9e8433db2071bbe53c85

C:\Users\Admin\AppData\Local\TempKTPCA.bat

MD5 e6971fc5ad2bb62beef1e7af5975375e
SHA1 28cc9cdf959d6949d98d965a0e5c6686fae0c421
SHA256 631e83a43ba699b3f360f0a6f4862b3c0644e14cc596e75eb1d05e014970af58
SHA512 8f7357df0d71ecf54199480c5eb4064380c554f3c877ad0d9ec42ff573da506cca3514842916d4cd5b8cee09cbcfd7cf98fb02104929c7a0278411efda48c0a8

C:\Users\Admin\AppData\Local\TempGOINK.bat

MD5 66cb8e84ac9e70eb9c5461f1df9fbd49
SHA1 ae2074b6c5565d02c05aba6752b4a3f2288f8f13
SHA256 03b34ef5801e82a5f39a733a9862cfc378f5246115e37246ae7c2d955c82a387
SHA512 6f4667b820f01aae418f6b28c324fcf21e8176908b3d8e05f36616bab914b3bd29fb7dc85504ce5e2c6cac3f1f1f0b8221a6232ac0e05209daceb7f2c82d16a6

C:\Users\Admin\AppData\Local\TempUGMRD.bat

MD5 1ec7e3ccc363d8da29003f6ca9f20bcb
SHA1 0f0f489d7aa81ef3940691225309146a6831f60c
SHA256 abcf81cc40c7d02722b4e7ec09f9acb87ec53d01704592e4cc80c829f87db94c
SHA512 bcdf328821e26d27e9f8d3736e33601e50ad69ea511f3f57fba0d2b5318955418deceb86fac03ce316b0749170f34293870c2a4cbbf2ca770fcc8d98c9fb71e2

C:\Users\Admin\AppData\Local\TempMVREB.bat

MD5 6edac9d3462022d02e120279da89ddaf
SHA1 f278c52733191d69d88dbe1df8b6a02a93ba3fea
SHA256 22ab5108adb550ada184626694ebf822a31cb5f87674570ffb6ae03af94fa1bc
SHA512 ac9a38118f86ff136674e058c047c65089df3f0029a4226e3031a41b31a8ed17b1b82bb1abf51abfe993eca6ad044ce249016b435891c4674d1e924517ed110b

C:\Users\Admin\AppData\Local\TempSTYEF.bat

MD5 e504d0c45a4a9b32ff935364e8dfe1f0
SHA1 5bbc93f6ed0dc1ae5fb35802c9c6037862b5e442
SHA256 95ca150dd41cadf95c3b7de18442c2e6d0332331a7fdb263a69ae43f50525c00
SHA512 56a76f9af3d60d6a0f1b4a3ebf6e5e00f36694bde6c836bdf43b271702c85a73aa99037cd042568acbf7fa8a50abf73bd1590843fa469ad201cb1cc140eb25e9

C:\Users\Admin\AppData\Local\TempOPUBC.bat

MD5 4c4d019560d9fc027ebb29c920f78fef
SHA1 638fea69835acacd2105f6463785ebf08cc19ed8
SHA256 b566f27e1772a74b1b53c7b97e17b040c53109e5a75a3272a3f8b94c20edcf43
SHA512 692f991138ba390079445c42fca536bec82c76dacff046f8b455b173c504d04c3ed939eff36432506f88eda464e73561d2246f5e298e2324a5dfff6f70a36147

C:\Users\Admin\AppData\Local\TempKYGUT.bat

MD5 1c95cf0a551ea20f4178aae177d34802
SHA1 20066dae2ed26163ec9a8a4ce88b7ef4aa99bb1a
SHA256 8aee5c73502e5e832cecf66dc66a0831d219c4decb1f3d9197255ab59fe7fe48
SHA512 82f0fa523d17a176fa6d2946bec85f424fd784766ebcc0ba730a4ac2ca6aa536c3afa8a7803cbc1868a8d26b6c41af3c3f3f070a64a76066b5e15332f74cb11c

C:\Users\Admin\AppData\Local\TempEIJSO.bat

MD5 ce316d102fe17369fb900df03386151d
SHA1 8bab2bd5df4620f24b14caeaecddbc6bba4ce07d
SHA256 c502884dc7a51d0501e9a4a09c9d1e53cc78d826c4fd7d4d57971ccc381da2f8
SHA512 0b64df1de5c1c846f0f0a1297eed4fb5ba0e1c096f106ae220a2082f33fb653195afd09d702e7b11db7f6260bf631d00091ac044ebb6a4158714f494c8786576

C:\Users\Admin\AppData\Local\TempVCTMR.bat

MD5 5566146a4b2e398cf04636ebeddd1886
SHA1 cb43f0a532d335a4b29784df4b4502d0fbd9f793
SHA256 e2a4d7333071126742ab4b180059cad2f7e7539566b84e397765b000b86f2cd6
SHA512 a8d1a401f690f4fc15a1ede5cce84aa4d332b7f6c1c61a601b303f10a7a3a932e30372e975f5c5d2bdddbfa52791979ac373f1371c128f71603ee2ac0c7390fa

memory/2480-594-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2480-599-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2480-600-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2480-602-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2480-603-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2480-604-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2480-607-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2480-610-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2480-611-0x0000000000400000-0x0000000000471000-memory.dmp