Malware Analysis Report

2025-05-28 17:56

Sample ID 250308-2zl4xstnw3
Target e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49
SHA256 e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49
Tags blackshades defense_evasion discovery persistence rat
Score 10/10

Analysis Overview

Threat Level: Known bad

The file e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49 was found to be: Known bad.

Malicious Activity Summary

Blackshades payload

Blackshades

Blackshades family

Modifies firewall policy service

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Modifies registry key

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2025-03-08 23:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2025-03-08 23:01
Reported 2025-03-08 23:03
Platform win7-20240729-en
Max time kernel 147s
Max time network 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNYDVTCWLBHPGFQ\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWNB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWOB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQPAXMLMHGMIYLT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IETYRHRLJMYBHUU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDUOCJE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBBHAE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLJRDJO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWNB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWNB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWOB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWOB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQPAXMLMHGMIYLT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQPAXMLMHGMIYLT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IETYRHRLJMYBHUU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IETYRHRLJMYBHUU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDUOCJE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDUOCJE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBBHAE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBBHAE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLJRDJO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLJRDJO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\EDOLKOBFBPVNEEG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAYTRAYTJXFN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\UCPPBJASKGBRKLU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OHWGOCBDXDUOCJE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\ACFQRNLNDQYHSXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJASKGBUKLJRDJO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\DQGUQOTFSVQJMNW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLCUMIDWMNKTFLQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\EJYAXLMIGIYLTCN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPINUGGAUBRNXOJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\DXTOCXJYDIYWFQX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRNPTRUFKPCOWOB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\YDNLKOBFBPVNDDF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IKWWAXSRXTJWENE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\SJTPKTEUETURBMS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWULVONPBFKYXJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\JOTABGDSSFHCACX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YFXHTTUPOUQGTBK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\DBFAITVQOQGUCKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMEVNJEYOPMUGNR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\DNTLCCEFTBPOAJA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRMPTRUFKPCOWNB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MRNBNWBTYTPQDIP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKKLGELHXKRA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\OQCGLYKSKTPKUFV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQPAXMLMHGMIYLT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\GOFXPLGWPBQAPQN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IETYRHRLJMYBHUU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\TTGIDBDYTHOJNKV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWSAVYWKPUBBHAE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\CNKJNAEAOUMDCFA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVWSQXSIVDMDX\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\TYUIUGEIWXKPWXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WCVFRRSNLSODRYH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\NMQDHDBRXPGGIDA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNYDVTCWLBHPGFQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\GKYHHTPNRMUIKCJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QJYIQEDFAFAVQEL\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\CXTOBXJYDIYWFQX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRNPTRUFKPCOWNB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWOB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBBHAE\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOJ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IETYRHRLJMYBHUU\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDUOCJE\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWNB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\YQPAXMLMHGMIYLT\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLJRDJO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNR\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYH\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWNB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWOB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQPAXMLMHGMIYLT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IETYRHRLJMYBHUU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDUOCJE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBBHAE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLJRDJO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2384 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe C:\Windows\SysWOW64\cmd.exe
PID 2384 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe C:\Windows\SysWOW64\cmd.exe
PID 2384 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe C:\Windows\SysWOW64\cmd.exe
PID 2384 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2420 wrote to memory of 568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2420 wrote to memory of 568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2420 wrote to memory of 568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2384 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe
PID 2384 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe
PID 2384 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe
PID 2384 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe
PID 2824 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2632 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2632 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2632 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2824 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe
PID 2824 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe
PID 2824 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe
PID 2824 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe
PID 2604 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 1444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2604 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOJ\service.exe
PID 340 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOJ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 340 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOJ\service.exe C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNR\service.exe
PID 2008 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNR\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2188 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2008 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNR\service.exe C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe
PID 2212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe

"C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempSAFDR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DQGUQOTFSVQJMNW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempSGNIM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JOTABGDSSFHCACX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe

"C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempSDPAX.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EJYAXLMIGIYLTCN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWLXIH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAITVQOQGUCKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNR\service.exe

"C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNR\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempJSOWN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GKYHHTPNRMUIKCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe

"C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempNLPKS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CXTOBXJYDIYWFQX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWNB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWNB\service.exe

"C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWNB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempESYKG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DNTLCCEFTBPOAJA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe

"C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempNLPKS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DXTOCXJYDIYWFQX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWOB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWOB\service.exe

"C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWOB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempAHVDR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YDNLKOBFBPVNDDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe

"C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempQYBUU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBNWBTYTPQDIP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe

"C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempAEUVS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OQCGLYKSKTPKUFV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQPAXMLMHGMIYLT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YQPAXMLMHGMIYLT\service.exe

"C:\Users\Admin\AppData\Local\Temp\YQPAXMLMHGMIYLT\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempBHVDR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EDOLKOBFBPVNEEG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe

"C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempACQLL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TYUIUGEIWXKPWXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYH\service.exe

"C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYH\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWIOTF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GOFXPLGWPBQAPQN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IETYRHRLJMYBHUU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IETYRHRLJMYBHUU\service.exe

"C:\Users\Admin\AppData\Local\Temp\IETYRHRLJMYBHUU\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempXKLIR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UCPPBJASKGBRKLU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDUOCJE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDUOCJE\service.exe

"C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDUOCJE\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempSQUPX.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TTGIDBDYTHOJNKV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBBHAE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBBHAE\service.exe

"C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBBHAE\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNKJNAEAOUMDCFA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe

"C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempXJHLG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SJTPKTEUETURBMS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempUFEIV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFQRNLNDQYHSXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLJRDJO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLJRDJO\service.exe

"C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLJRDJO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKXFTS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMQDHDBRXPGGIDA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe"

C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe

C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
N/A 192.168.1.16:3333 tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2025-03-08 23:01

Reported

2025-03-08 23:03

Platform

win10v2004-20250217-en

Max time kernel

150s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMDVNJEXOOMUGNR\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVFQ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\UXMGELVLQIQEPFB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHET\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XQJPWHIBVACSPPL\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TASCOOPKIPLBOVF\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDOT\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVRSA\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMSJRFQG\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XQJCIPYABOULTIS\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJHKWAXF\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\LETDLAUARLGBGVW\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXRFMH\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBIC\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NJXVLVPNQBGLYKS\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQJCIPYABOULTIS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NJXVLVPNQBGLYKS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJHKWAXF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQJPWHIBVACSPPL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVFQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LETDLAUARLGBGVW\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKIPLBOVF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXRFMH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBIC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVRSA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMSJRFQG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHET\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXMGELVLQIQEPFB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDOT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QMAMYVASWROPCHO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBWPVNEOHGIYUVD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EOTMCCEGUCQPBJA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRNQTSUGKPDAOWO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FERHVRPUGAUWBRK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQKDJQBCPVMUITJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HXYVEEPWMKOJRFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NGVFNBACWCSNBIC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DSTQALRWIGKFNBY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQJCIPYABOULTIS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TFDHCKVXSQTIWEM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOGXPLGBAQROWIP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FEOMLPCGCAQWOFE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYXBYUSBUKXAFO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LKYFOXVGCNGHXQT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KDSCKTPKFAEUVSB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IITQOSNVJKDKKTP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LETDLAUARLGBGVW\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XWANDRNLQCPRMFJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXMGELVLQIQEPFB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KXENXUFBMFGWPTU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMDVNJEXOOMUGNR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TFDHCKVWSQSIVDM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOFXPLGBAPQNWIO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CAEHSTPNPFSAJAU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLCUMIDWMNKTFLQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SYPNRMTIJBIJRNW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQJPWHIBVACSPPL\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OUKIMHPDFXVEEYN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFLSDERWOWKVLH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EJOBNVNACWSNBWI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TASCOOPKIPLBOVF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SWTHTEDHYUWIOVV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPOWLKLHFMHXKSB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FGBACXSFNHMJURP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HUQTXVYJNTAGDSR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MOJHKNUDPTEQBAY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYGCRVHIFNAGLB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TSEMEVNJEUOOYOP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDYRXPGQJHKWAXF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HXYVEEQWMKOJRFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOHNUFGTYAQYMXN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MJJVRPTOWLMELMU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMSKBLEYDFVRSA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IECSYQHHJEABKYG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWSAUYWKPUABHET\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVSRVJMIGWVLLNI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSICYAHQGMDULAK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OAIARJFAQKKUXYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNTLCMFDGWSTBP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MIIUROSNVKLDKLT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFFGBGCXRFMH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XYAKQXXIBDQMLGB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AOKYWNXQORCHMLT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YBLRYKAACERNMHC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPLXOYRPSDINAMU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AOKHYWMMOJCFHQM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EOXFCQUGHENFKYA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VRFRDBFYXTUHMTU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TSCOOPKIPLAOVFQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CYXBOFSOMRDRTOH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VYNHAGNWMSJRFQG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FCRREGBBWRFMGLI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNMOJHOJNUDOT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IEDQGUQOTFSUPIM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCIPYABOTLTHS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YCNLJNBEAPUNDDF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWWAXSQXTIWEME\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OACFQRMLNDQYHSX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJASKGBUYKLIRDJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NRWDEBKCHVVJKFD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAYTRAYTJXFN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VXJPWWHABPYLKXE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NJXVLVPNQBGLYKS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XWANDRNLQCPRMFJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXMGFMVLQIQEPFB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PKILAOVFQVFRDBF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GQHESWIJGPBHMCO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2492 set thread context of 3580 N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\TASCOOPKIPLBOVF\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMSJRFQG\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\XQJPWHIBVACSPPL\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJHKWAXF\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBIC\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQJCIPYABOULTIS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NJXVLVPNQBGLYKS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJHKWAXF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQJPWHIBVACSPPL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVFQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LETDLAUARLGBGVW\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKIPLBOVF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXRFMH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBIC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVRSA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMSJRFQG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHET\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXMGELVLQIQEPFB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDOT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2020 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe C:\Windows\SysWOW64\cmd.exe
PID 1768 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1768 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1768 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2020 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe
PID 2020 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe
PID 2020 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe
PID 4572 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4572 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4572 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4072 wrote to memory of 2432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4072 wrote to memory of 2432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4072 wrote to memory of 2432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4572 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe
PID 4572 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe
PID 4572 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe
PID 3944 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe C:\Windows\SysWOW64\cmd.exe
PID 424 wrote to memory of 3604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 424 wrote to memory of 3604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 424 wrote to memory of 3604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe
PID 3944 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe
PID 3944 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe
PID 3500 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3500 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3500 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe C:\Windows\SysWOW64\cmd.exe
PID 996 wrote to memory of 32 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 996 wrote to memory of 32 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 996 wrote to memory of 32 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3500 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe
PID 3500 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe
PID 3500 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe
PID 4448 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4448 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4448 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe C:\Windows\SysWOW64\cmd.exe
PID 5044 wrote to memory of 4272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5044 wrote to memory of 4272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5044 wrote to memory of 4272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4448 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe C:\Users\Admin\AppData\Local\Temp\XQJCIPYABOULTIS\service.exe
PID 4448 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe C:\Users\Admin\AppData\Local\Temp\XQJCIPYABOULTIS\service.exe
PID 4448 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe C:\Users\Admin\AppData\Local\Temp\XQJCIPYABOULTIS\service.exe
PID 4792 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\XQJCIPYABOULTIS\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4792 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\XQJCIPYABOULTIS\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4792 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\XQJCIPYABOULTIS\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4860 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4860 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4860 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4792 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\XQJCIPYABOULTIS\service.exe C:\Users\Admin\AppData\Local\Temp\NJXVLVPNQBGLYKS\service.exe
PID 4792 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\XQJCIPYABOULTIS\service.exe C:\Users\Admin\AppData\Local\Temp\NJXVLVPNQBGLYKS\service.exe
PID 4792 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\XQJCIPYABOULTIS\service.exe C:\Users\Admin\AppData\Local\Temp\NJXVLVPNQBGLYKS\service.exe
PID 1028 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\NJXVLVPNQBGLYKS\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1028 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\NJXVLVPNQBGLYKS\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1028 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\NJXVLVPNQBGLYKS\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4764 wrote to memory of 3196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4764 wrote to memory of 3196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4764 wrote to memory of 3196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1028 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\NJXVLVPNQBGLYKS\service.exe C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe
PID 1028 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\NJXVLVPNQBGLYKS\service.exe C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe
PID 1028 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\NJXVLVPNQBGLYKS\service.exe C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe
PID 3580 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe

"C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWPVHD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XYAKQXXIBDQMLGB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe

"C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXQWIE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YBLRYKAACERNMHC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe

"C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAHVDQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCNLJNBEAPUNDDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe

"C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLTKFO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AOKHYWMMOJCFHQM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe

"C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCVTCC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DSTQALRWIGKFNBY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQJCIPYABOULTIS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XQJCIPYABOULTIS\service.exe

"C:\Users\Admin\AppData\Local\Temp\XQJCIPYABOULTIS\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVOTFC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VXJPWWHABPYLKXE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NJXVLVPNQBGLYKS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\NJXVLVPNQBGLYKS\service.exe

"C:\Users\Admin\AppData\Local\Temp\NJXVLVPNQBGLYKS\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJWHGK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CAEHSTPNPFSAJAU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMUGNS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TSEMEVNJEUOOYOP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJHKWAXF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJHKWAXF\service.exe

"C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJHKWAXF\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPXATT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QMAMYVASWROPCHO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe

"C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempESYKG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EOTMCCEGUCQPBJA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe

"C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDYBNK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFDHCKVXSQTIWEM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe

"C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNCLWU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SYPNRMTIJBIJRNW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQJPWHIBVACSPPL\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XQJPWHIBVACSPPL\service.exe

"C:\Users\Admin\AppData\Local\Temp\XQJPWHIBVACSPPL\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGBIWE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FEOMLPCGCAQWOFE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe

"C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTOWKL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FGBACXSFNHMJURP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe

"C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUGHEN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LKYFOXVGCNGHXQT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe

"C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJRIGS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OUKIMHPDFXVEEYN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe

"C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFYYNW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VRFRDBFYXTUHMTU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVFQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVFQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVFQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKTPCO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWANDRNLQCPRMFJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe

"C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHUFEI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OACFQRMLNDQYHSX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGWJQA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NRWDEBKCHVVJKFD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe

"C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXGGPL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HXYVEEQWMKOJRFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe

"C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXODMY.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IITQOSNVJKDKKTP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LETDLAUARLGBGVW\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\LETDLAUARLGBGVW\service.exe

"C:\Users\Admin\AppData\Local\Temp\LETDLAUARLGBGVW\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXDHXY.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EJOBNVNACWSNBWI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TASCOOPKIPLBOVF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TASCOOPKIPLBOVF\service.exe

"C:\Users\Admin\AppData\Local\Temp\TASCOOPKIPLBOVF\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLIQDJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIARJFAQKKUXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe

"C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDXBNK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFDHCKVWSQSIVDM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe

"C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYXTTU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PKILAOVFQVFRDBF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe

"C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNWSAF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDQGUQOTFSUPIM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe

"C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPYPEM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MIIUROSNVKLDKLT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXRFMH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXRFMH\service.exe

"C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXRFMH\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNOXTA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FERHVRPUGAUWBRK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXGGPL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HXYVEEPWMKOJRFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBIC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBIC\service.exe

"C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBIC\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGAOXK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SWTHTEDHYUWIOVV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe

"C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQYQFN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MJJVRPTOWLMELMU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVRSA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVRSA\service.exe

"C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVRSA\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEWVSS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MOJHKNUDPTEQBAY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe

"C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKLUQE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYXBOFSOMRDRTOH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMSJRFQG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMSJRFQG\service.exe

"C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMSJRFQG\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUTFNF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IECSYQHHJEABKYG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHET\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHET\service.exe

"C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHET\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKTPCO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWANDRNLQCPRMFJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXMGELVLQIQEPFB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UXMGELVLQIQEPFB\service.exe

"C:\Users\Admin\AppData\Local\Temp\UXMGELVLQIQEPFB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBEFPK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AVSRVJMIGWVLLNI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe

"C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTQOSN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FCRREGBBWRFMGLI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDOT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDOT\service.exe

"C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDOT\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGGEMF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KXENXUFBMFGWPTU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe

"C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe"

C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe

C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
N/A 192.168.1.16:3333 tcp

Files

C:\Users\Admin\AppData\Local\TempWPVHD.txt

MD5 a6a356d2b4b9efad0d586fddb722c933
SHA1 74344d6d5a10b3e4327f842986d7569f51876cb9
SHA256 51495415978b6e5f0323a4b75728c8e02f939aeb082d866706e6ebdbc49fa96b
SHA512 1e81d7a4b10b1f14ca9dd093aba9c19eb3e22a7a5c0d796c3f81da59dcf60057e4d2f2fc66c875db2e3b4305d680db8e264c8549a225fd9c89114ca3a5481b6c

C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.txt

MD5 31a9cc8bd44061295e2fe392d4f137d0
SHA1 f63e884f48bbd4eb0607c56858a7dcda4eed92cc
SHA256 63b2edd29111c36468df478bdef3cec9a42ce41bdd9ea8c8668adbf77573f296
SHA512 93df33a96f498f884865e6ae6a22f04670645c918035903ca67bcf472e4da53a3bfeba9ecbf75c9a113ee28f478139a2e276b49311fa8788a7d1c4db573d3631

C:\Users\Admin\AppData\Local\TempXQWIE.txt

MD5 743691743d8e8df93eddfe8efa698259
SHA1 ed6f1e361eb6586cb10372f7b879921251b28751
SHA256 290a8ba0b49cfd1556a9322ac6d0ce8dc22ba6046dfcf5043642be1c5c6c704b
SHA512 a3e1f5526b531df6a1d0f7c42c854eb5dcd1dd0f50c9ac19b0ecdd7cb123ffcee8c5eae729bb4bbc39066324fb15c366278a151bedc62b7bf1472fc2d0a88348

C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe

MD5 c6df6fc41a24891ed5a63aa11b670994
SHA1 10969489fbc303e273c9602f09ba9daa8d903c12
SHA256 122c8f16638dff602c445545ae05aaeb29d734b67c7a1f76233dcfdbeab212f5
SHA512 5babf20c1f4122ffd742f1a7d4088861a09c3e32ddf01574e6270ba93ad26c48d372f52ab1ffc0da560087c41cdc287d8ae75e51ab25952bc37f207801f9b57e

C:\Users\Admin\AppData\Local\TempAHVDQ.txt

MD5 e5fea69fd378f24cd1e7dc48ceb8289b
SHA1 40726f47bb9fdd955834922939ddf3f5404583b9
SHA256 5399625df7343f1ac173b24c626b96e7ea6eb480c6745331fcdf5b1b14901b09
SHA512 ca258556151b7f69d0a0368418469edae5092593d2a3a5833e380f91e66d8bf688626a12b40d68bbd8bb9e783b64d6126fab2ac614efc3c0bcd5f424a3d29a2b

C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe

MD5 34455b2aa3f4b9d1aecc25433007bbb4
SHA1 d69227e7fdf4f8418726dae6f20b3e2a9a5ff340
SHA256 d3e4e29a28fbb7a2a5dcd6ba0bda4d01cda5e42871b2f0636464e4798da31bf1
SHA512 31facdd33df3d90e492963292727dfb2206979ec5d624972bd20ba45c8a92d698a1ebcb14d0233397168e5460863818fae31814a3d2a9b70e4b88932e377cb15

C:\Users\Admin\AppData\Local\TempLTKFO.txt

MD5 3e754df7e64a9ec957e2a556e1f5747a
SHA1 cf8dcc90da533279b0e57f0ddfc8df475be032b5
SHA256 8c5de31afed06c70ef24683520aebc07506b62556530d2f441e29e1089e6d599
SHA512 597a30f19d670397e21068524210b687db3f000b1c9223d24620f7894e75d41daec1af471d02eb0039601253f5918612979c0fea88d852aa64633ef24b481e97

C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe

MD5 58c2e813aaba995c7447b6287d38d1d9
SHA1 020286bff3792a6514c2fdc62047c8fd56d76684
SHA256 f9fdbf33aa61771380190ab5c05b24f84fc2e24b7e40b357d7c3d439f142e3a9
SHA512 ec2ec18fef0d64311f28a9e477506a512cbff01bca3ac9e9fcdc7d3399d74367d7c3efeed31de38d212b3c1ee3fe3e320a80f2d120c889e50a144cac439e6a29

C:\Users\Admin\AppData\Local\TempCVTCC.txt

MD5 275174313a2b433bea4412f51746c984
SHA1 0eebf035c90c4e225cf33705775a9c5fb5cbc211
SHA256 1feb545981a83465d1f2c20a7da63705bf9b372db4fb3cc0760467322cd5504f
SHA512 16db370572f3579761721ffa45abace7f5d7554785288fd8d1e9a127654c5e6e97f8621dafe5e056785b96e3ab6245bbd680e2836ecb2e4a8b4a708e54924c93

C:\Users\Admin\AppData\Local\Temp\XQJCIPYABOULTIS\service.exe

MD5 4254e7afec41b6f772749a93f3886488
SHA1 a128c6c126996815df9b17210c8f7829e36f5568
SHA256 b43ed12bca8b88702d193154bc212fd65d6d1d690f56186f85cc11a616266f21
SHA512 bbadb530ad5c7ecdcbf0057e076a7c6b31d26bfa3c053bfa40d4fe32a34738cb211bfde22897f024f9bf7b74d0b0e9509e3909bbea8b25f70ea0e65dcb353747

C:\Users\Admin\AppData\Local\TempVOTFC.txt

MD5 d4c2c187ecbe9866d91d5713a6cf9d69