Malware Analysis Report

2025-05-28 17:56

Sample ID 250308-2zl4xstwhw
Target e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49
SHA256 e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49
Tags
blackshades defense_evasion discovery persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49

Threat Level: Known bad

The file e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49 was found to be: Known bad.

Malicious Activity Summary

blackshades defense_evasion discovery persistence rat

Modifies firewall policy service

Blackshades family

Blackshades payload

Blackshades

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry key

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-08 23:01

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-08 23:01

Reported

2025-03-08 23:03

Platform

win7-20240903-en

Max time kernel

147s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies firewall policy service

defense_evasion
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKBTLHCVMMKSELP\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\UWMGELULQIQEOFB\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WOIBHOXANTKSGRH\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTRAL\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VCUFRQRMLRNDQYH\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BJBTKHCVLMJSEKP\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLB\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAQROWIP\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CUMSLBLFYDFWSTA\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EAVOTMCMGEHXTUC\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PHXGODCDYDUPCKE\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XARKPXIICWADTPQ\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGPBHMCO\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CLVDYNSXEFCKDHW\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKYAFO\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IESYRHRLJLYBGUT\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TMLTHHIDBIEUHOJ\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNS\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AJXTBVXLQVBCAIA\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BOKXNXRPSDHNAMU\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\UWMGELULQIQEOFB\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\UWMGELULQIQEOFB\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WOIBHOXANTKSGRH\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WOIBHOXANTKSGRH\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTRAL\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTRAL\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VCUFRQRMLRNDQYH\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VCUFRQRMLRNDQYH\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BJBTKHCVLMJSEKP\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BJBTKHCVLMJSEKP\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLB\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLB\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAQROWIP\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAQROWIP\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CUMSLBLFYDFWSTA\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CUMSLBLFYDFWSTA\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EAVOTMCMGEHXTUC\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EAVOTMCMGEHXTUC\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PHXGODCDYDUPCKE\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PHXGODCDYDUPCKE\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XARKPXIICWADTPQ\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XARKPXIICWADTPQ\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGPBHMCO\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGPBHMCO\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CLVDYNSXEFCKDHW\service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CLVDYNSXEFCKDHW\service.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\NOKIKANVEPUERCB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPYHDRWHIFOAGLC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\LQMAMYVATXSOPCH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VONVJJKFDKGWJQA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\SXTHUFDIVWJOWWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VCUEQQRMKRNCQXH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFDHCKVXSQSIWEM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOFXPLGBAQROWIP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ONAIRYJFAQJKTWY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CUMSLBLFYDFWSTA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\PKILAOVEQVFRDBF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPHDSWIJGPBHMCO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\YCMRYKAACESAONH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPLXOYRQSEINAMU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\BRSPXKQVGEIDLWB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WOIBHOXANSKSGRH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\WUSWKANJHYWMMOJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTJDBIRHNFVNBLB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\WJLGEGWKRAMQBNV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLVDYNSXEFCKDHW\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\GOFXPLGWPAQAPQN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYRHRLJLYBGUT\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\DBFAITVQORGUCKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMEVNJEYOPMUGNS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\TYUIVGEJWXAKPWX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WCVFRRSNLSODRYI\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\LAVRMVHWBGVWTDO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BOKXNXRPSDHNAMU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVSRVJMIGXVLLNI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSICYAHQGMEULAK\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\BOFSOMRDRTOHKLU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIARJFAUYKLIQCJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\QPBJASKGBRKLUYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAVOTMCMGEHXTUC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\DEAVQDKFKXHSYPN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FSORVTWHLREBQYP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MRNBOWCUYTPQDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPOWLKLHFMHXKSB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\RVSGSDCGYXTVHNU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UATDPOQLJQMBPWF\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\SXTHUFEIVWJPWWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VCUFRQRMLRNDQYH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\BCFRSNLODRYITYI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJBTKHCVLMJSEKP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\QQMLYFPYWGDNHIY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TASDPOPLJQLBOWF\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\FEPMLPCGCAQWOFF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYXBYUSBUKYAFO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\CHVUGOFXPLGWPBQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TMLTHHIDBIEUHOJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\FERHVRPUGTWARKN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQKDJQBCPUMUITJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\RJSOJTETDTURALS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWULVOMPAFKYXJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\FUTHIECEUHPJOLW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJXTBVXLQVBCAIA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\BDGRTOMOESAIUYJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKBTLHCVMMKSELP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\XVANDRNKPCPRMFI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UWMGELULQIQEOFB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\PKILAOVFQVFRDBF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GQHESWIJGPBHMCO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\QUILHFWUKKMHADE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORHBXGPFLCTKJUR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\DYCPGTPNSESUPIL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WOIBHOXANTKSGRH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\INJJVSPTOWLMELM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGGHCAHDYTGN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HXYVEEPWMKOJRFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NGVFNBACWCSNBID\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HRNIYRCSCRSPYKQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSJTMLNDIWVHQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\UCQPBJBSKGBRLMV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PHXGODCDYDUPCKE\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\RJSPKTEUETURAMS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWULVONPBFKYXJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MLYFOYWGCNGHXQU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKPXIICWADTPQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\SWIGKFNBYCVTCCV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JBRAISOJEDSTRAL\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AJXTBVXLQVBCAIA\service.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTRAL\service.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKYAFO\service.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLB\service.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WOIBHOXANTKSGRH\service.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAQROWIP\service.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGPBHMCO\service.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BOKXNXRPSDHNAMU\service.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CUMSLBLFYDFWSTA\service.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BJBTKHCVLMJSEKP\service.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNS\service.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 1 | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
Token: SeCreateTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
Token: SeMachineAccountPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
Token: SeCreatePermanentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
Token: SeSyncAgentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
Token: SeEnableDelegationPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
Token: 31 | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
Token: 32 | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
Token: 34 | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UWMGELULQIQEOFB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WOIBHOXANTKSGRH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTRAL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VCUFRQRMLRNDQYH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BJBTKHCVLMJSEKP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAQROWIP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUMSLBLFYDFWSTA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EAVOTMCMGEHXTUC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PHXGODCDYDUPCKE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XARKPXIICWADTPQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGPBHMCO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CLVDYNSXEFCKDHW\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKYAFO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IESYRHRLJLYBGUT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TMLTHHIDBIEUHOJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AJXTBVXLQVBCAIA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BOKXNXRPSDHNAMU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2516 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe C:\Windows\SysWOW64\cmd.exe
PID 1992 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2516 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe C:\Users\Admin\AppData\Local\Temp\UWMGELULQIQEOFB\service.exe
PID 2876 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\UWMGELULQIQEOFB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2876 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\UWMGELULQIQEOFB\service.exe C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe
PID 2760 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2468 wrote to memory of 1752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2760 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe
PID 1404 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1404 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe
PID 2344 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 2100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe
PID 2080 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe

"C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKTPCO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XVANDRNKPCPRMFI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UWMGELULQIQEOFB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UWMGELULQIQEOFB\service.exe

"C:\Users\Admin\AppData\Local\Temp\UWMGELULQIQEOFB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempBEFPL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AVSRVJMIGXVLLNI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe

"C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempCXQWI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCMRYKAACESAONH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe

"C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempOXTAB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FERHVRPUGTWARKN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempYXTTU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PKILAOVFQVFRDBF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe

"C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempOKXWJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QUILHFWUKKMHADE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe

"C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempYTRAA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BRSPXKQVGEIDLWB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe

"C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMVRFC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DYCPGTPNSESUPIL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WOIBHOXANTKSGRH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WOIBHOXANTKSGRH\service.exe

"C:\Users\Admin\AppData\Local\Temp\WOIBHOXANTKSGRH\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempFXWST.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOKIKANVEPUERCB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe

"C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempOPYAT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQMAMYVATXSOPCH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe

"C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempQBUUJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBOWCUYTPQDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe

"C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempBPYLK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SXTHUFDIVWJOWWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe

"C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempXIGKF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RJSOJTETDTURALS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempUQQFO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "INJJVSPTOWLMELM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe

"C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempXGGPL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HXYVEEPWMKOJRFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe

"C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempLGPGE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SWIGKFNBYCVTCCV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTRAL\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTRAL\service.exe

"C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTRAL\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempUFYAN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RVSGSDCGYXTVHNU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe

"C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempXJGKF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RJSPKTEUETURAMS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempBPYLK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SXTHUFEIVWJPWWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VCUFRQRMLRNDQYH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VCUFRQRMLRNDQYH\service.exe

"C:\Users\Admin\AppData\Local\Temp\VCUFRQRMLRNDQYH\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempQEBPY.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BOFSOMRDRTOHKLU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVGEJW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BCFRSNLODRYITYI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJBTKHCVLMJSEKP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BJBTKHCVLMJSEKP\service.exe

"C:\Users\Admin\AppData\Local\Temp\BJBTKHCVLMJSEKP\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempCFGQM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUSWKANJHYWMMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLB\service.exe

"C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVHFJE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HRNIYRCSCRSPYKQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempRUVHI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QQMLYFPYWGDNHIY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe

"C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempDYBNK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFDHCKVXSQSIWEM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAQROWIP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAQROWIP\service.exe

"C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAQROWIP\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempJKHQC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ONAIRYJFAQJKTWY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CUMSLBLFYDFWSTA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CUMSLBLFYDFWSTA\service.exe

"C:\Users\Admin\AppData\Local\Temp\CUMSLBLFYDFWSTA\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMJRDK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBJASKGBRKLUYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAVOTMCMGEHXTUC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\EAVOTMCMGEHXTUC\service.exe

"C:\Users\Admin\AppData\Local\Temp\EAVOTMCMGEHXTUC\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempYLMJR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UCQPBJBSKGBRLMV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PHXGODCDYDUPCKE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PHXGODCDYDUPCKE\service.exe

"C:\Users\Admin\AppData\Local\Temp\PHXGODCDYDUPCKE\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVHIFN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLYFOYWGCNGHXQU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKPXIICWADTPQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XARKPXIICWADTPQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\XARKPXIICWADTPQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempXWTTU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PKILAOVEQVFRDBF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGPBHMCO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGPBHMCO\service.exe

"C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGPBHMCO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempBTXSO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WJLGEGWKRAMQBNV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLVDYNSXEFCKDHW\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CLVDYNSXEFCKDHW\service.exe

"C:\Users\Admin\AppData\Local\Temp\CLVDYNSXEFCKDHW\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempHCIWE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FEPMLPCGCAQWOFF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKYAFO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKYAFO\service.exe

"C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKYAFO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWIOTF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GOFXPLGWPAQAPQN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYRHRLJLYBGUT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IESYRHRLJLYBGUT\service.exe

"C:\Users\Admin\AppData\Local\Temp\IESYRHRLJLYBGUT\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempAQQOW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CHVUGOFXPLGWPBQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TMLTHHIDBIEUHOJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TMLTHHIDBIEUHOJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\TMLTHHIDBIEUHOJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWLXIH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAITVQORGUCKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNS\service.exe

"C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNS\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempTRVQY.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FUTHIECEUHPJOLW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJXTBVXLQVBCAIA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AJXTBVXLQVBCAIA\service.exe

"C:\Users\Admin\AppData\Local\Temp\AJXTBVXLQVBCAIA\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempRMUIJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DEAVQDKFKXHSYPN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe

"C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempIACQM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TYUIVGEJWXAKPWX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe

"C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempULJNI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LAVRMVHWBGVWTDO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BOKXNXRPSDHNAMU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BOKXNXRPSDHNAMU\service.exe

"C:\Users\Admin\AppData\Local\Temp\BOKXNXRPSDHNAMU\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVGFJW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGRTOMOESAIUYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe

"C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe"

C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe

C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Network

Country Destination Domain Proto
N/A 192.168.1.16:3333 N/A tcp

Files

C:\Users\Admin\AppData\Local\TempKTPCO.bat

\Users\Admin\AppData\Local\Temp\UWMGELULQIQEOFB\service.exe

C:\Users\Admin\AppData\Local\TempBEFPL.bat

MD5 06d296f775cca1756baeea0ea8c19981
SHA1 c44d01cc012cfc820decc11d1130bd7735d7e304
SHA256 0492b900c330872577dec7707c8b3b2c38406dd6b9ae943734b43e356d4f8e9d
SHA512 9a93e9bddf001eda01cacc3af995a069d686b0cf1b530062ec47cb3bc38b44b205335bc4e3929b31fe2fd84482152b800c83964fb3edb0e40854a71223025d88

C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe

MD5 e49983939fd80e2a8245f55a11de3258
SHA1 8ad950b6da7d14af520525b966c51c10e122be4e
SHA256 5c0ead4b0f6c391ef7b0c37c060bf33a72b43eba729fe380780896d2d8b18fca
SHA512 0d90aa3f3452492ca3595126f7165adcb745aaafd68f313c53b8001878ea0edfc391fd810956341f5c08facc2ccdfcf851b5e9bc5df2921dde2a5d39a89b94f6

C:\Users\Admin\AppData\Local\TempCXQWI.bat

MD5 60040991629efa0a6b89bf48f54e5e33
SHA1 156b15affd14cebf74b6f52a9c6460a3c9d0fc24
SHA256 58519c9bd52f13af5b34c37e933e700051297aad4aa304e697eafe97daf21a9f
SHA512 a591057de9e7655d2804cd19dff6386548a5cc31fae6394145091bf54df84b36bda80fe10a751620a13443a9a2dc2adedec6727930ec2cb1749b8360aeeebbb2

C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe

MD5 9ff9eb746520d3d526b6ec025ad8a528
SHA1 974bcb7fb3c064d1d1aefeb8254b7fb69af05aa8
SHA256 3d850fbc9731c81dbfebd95b429467f32be5397ca1aa7f9cd7e6ab42fa7d146f
SHA512 31fec7d2b18934a4673442b6ad094adc90f1519ebf44a09ce72dfc8968095071470936b5db9454b6c33754ebc7361a903d18dcf7e9f3dc8425d7cbec5ca45686

C:\Users\Admin\AppData\Local\TempOXTAB.bat

MD5 67fcc8cc31fc01ef4ad32664320e90b9
SHA1 5ebf97f60988904a6ae7041f6611e5165aca94b1
SHA256 5c141959b2f85dc7b44f20d615826e50ab785b422390471520e132dc2b88a428
SHA512 a51dba79e39be19c875925f3baea17887d24a5ea51c4d5ec964dca589f955ec3d827a2f13f03ed2b2e5b6f551a0d5b0960b412d5fc337f217d3e5f1826dfa11b

C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe

MD5 db89f61ceb20f99d0c99ee113a6d6c62
SHA1 46c22215da9b78d99f113368ffeb8b05c31153d2
SHA256 d1ef56251bea89e9b650efe9f62abbcf18a894625ec03dd857bbe88f4940317d
SHA512 58ac31167e4ecf9104c8878bf8555b2c788abffa946822272554b13ca2ea30002b4d293e6e13f88b7a2a5de14acbe5b8c199c4b5a71262fd4f05d2e92741974d

C:\Users\Admin\AppData\Local\TempYXTTU.bat

MD5 980956a3fe5fe8ddda8de7c1fe0fd3cf
SHA1 e9e6968fd02fdce967b5654748d3661c2ea51542
SHA256 8c013a7f3be51959e476fd7d7c15a4fbe3ac3a594b4ed14642d3c1fff110a1c2
SHA512 9dced64dae35c0c80e8da9b4461783d0e952df65d6c876c251bbd29c42bd34b0708a20da46efbde91f1e9fce943828afad4d0ba5bce414aba215bfa93507db7d

\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe

MD5 5ffb48ec50bbad401ccd040ecf621255
SHA1 33eba7484384e1c588a723fd9b2e958bac21452a
SHA256 a6739fb3d45b4278281b7e54327479b2517f594dcd43b2af4b7d1775b6d899ee
SHA512 1ab3ea7e1b799d4126b5edde62857983843d3e20e874b41bb9ad9e2cf3b67eb501975fe9ddace0e160ab4ef280537035cf969c0f6ec30b87bdf47d55eda866d9

C:\Users\Admin\AppData\Local\TempOKXWJ.bat

MD5 0610d47178c0b5bef82b8a326205b2f9
SHA1 08071e9d9a791440330289fd0c5e028f87361cdd
SHA256 3c85b25e5ac929f398b2a503d7fc0d7937c20e2d0f2deab7a91afc388b108310
SHA512 e8d34087a0341ac1885208db75ad1cf4603cd9b339fcd2d22568d08f51cd41ee8c02faea7b587cb97716935b961f79e8759519854cb7ac0a77698964e0163bd9

\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe

MD5 374063cb2dd7a373c1bb73fb38fed327
SHA1 4c21e1bfe9110d47f950117ca6d4d5777059e0fa
SHA256 cf2d01456f471565fb6dda5c7750d3c813ea37671dd0f29ef17aa6014e9a6aa5
SHA512 3852014244ea4f9efb6625c59a00fb166da67e1754278d62843b4d4744c6680ea82ab9b4a27f23640f4a79432f7a0a21b314f0dcf4f3fa7780aaa233d573766a

C:\Users\Admin\AppData\Local\TempYTRAA.bat

MD5 5cf0d14b63b7d16194a0d56e4381c9cb
SHA1 d5dbd40881bd015abb0655ded58060bf72fcb4d1
SHA256 befb076430c0fcda49bb8f801138bfb2f4f11fce51f9788fa46d50486f06203d
SHA512 515b1b5d6a4c05db0cc3ed8ec5927d31d9e1807b5e6d5aeddf4fa8ab3f9551083c8ad2adff2b2032fb1aac52c98a578d0364628b14f0f7e9bd9f05aef7715196

\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe

MD5 bf8eb92107348e92ce8204e62267cebe
SHA1 de5383a4071b973c570b6562de3482b590e8ae76
SHA256 58cfabbcc7c536cd0c8b1cb0c44a0b91488c8b82126e5b2442e4786137ccd6a9
SHA512 35b2dc3f5e344025a49136adad3e0320b6cb990c3fb43254994992fa0c8ec9e4e87108664aebe55e01c43d207c27393ea0bdf24a6e7e490f2df8bf0dac641ffa

C:\Users\Admin\AppData\Local\TempMVRFC.bat

MD5 5d51186b0c695bd0bfcef3b0ada8be70
SHA1 c9282525e5c0594b0f68704d3f95a7aa9c967597
SHA256 b4de230656c06e08efbb232d4eb34a45cfd632f0164be479998b378becc80e8c
SHA512 f71bd231afc6f3259deeee28f3bec584c3f76e4d3f35ec8340af2b56507db9bdd09e121d10fc87d6771aeea278ae53a288f1ec41cfdb532c7a891bdf38080615

\Users\Admin\AppData\Local\Temp\WOIBHOXANTKSGRH\service.exe

MD5 a2c1dd968287e89b1e9049a228c65f43
SHA1 0b627bed1042595bd2f6ad9dcadb0ee7a18f9225
SHA256 11ac141228c2dc14f5760fc7fd6e3411d20a1357450850042b41ca4a07aec84b
SHA512 6a0f26768f69cbe1e4c6eb7cdd1dacf7f489f289d30e47ea601e48f9b4b63e70a5f88f863dbd0d379ec9d113e6f3bb7bd65c5971422ab6837051fec49c1d2919

C:\Users\Admin\AppData\Local\TempFXWST.bat

MD5 f5dddc8c8195b915447e8eca984daf4a
SHA1 92ac8e13c3544047b426c6a188f1e272801f7f73
SHA256 b06d5882fc6605999b1c1165924a3d714579131c568bf8042f795dacbeac91a4
SHA512 f2bb539fa5e023adfd3371e6623b7104a9339046af16b3bb64dd54ac15de7f4924414e2eeb5de51270df6e69f66a6a734e3955dc4edd2afe9299c6046921db77

\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe

MD5 9986460d1609bb50876ef9b53310cf46
SHA1 80c9df2c772fb7f969b86d24ea32ea39e88c0aeb
SHA256 952a3d00326086176507731a7090c7ab8f384c80291b1e1a3b49ec39de1b3e88
SHA512 9c2c2e3b0628c3c3a852619a5ae0a6c61fb395a58f40ae2c6aa5f0c5c7534165a244634be641d0110469867b02545506741bfd01faf7ab577940ef095f32ef22

C:\Users\Admin\AppData\Local\TempOPYAT.bat

MD5 2b4ffd7ea29a7d291f88a002a00b2924
SHA1 cae342ccf738dc45ca7669b83afe01887893360f
SHA256 7037aa8423c57a149854cce2ff715fdf48d974122f62798ec6a94b0e978dc3d4
SHA512 33ffdf6ff441bf3e0f13cb1762a698b3fa4d450399a96eeebbd576ef9885fdae4c956c6dca7eccf04c7ed8b003e9e1d3657fc1dea86d7202828c932424624dcc

\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe

MD5 82aceb4ccafbb1efd56b7522e22695fd
SHA1 29ad865b37ecff13047033d1d6b97092104067d5
SHA256 295d9a1b4350fed9892ffafc564b0bdc64b12da130a8757573835246520c0b84
SHA512 4943cb9d1a4355fbdef77d2203729de6d6c4a55dd7188e08faf029be29661e767b5c70d049415dcb5a2482ebf7a01a58656b68bffe485c31c391028a85c9c163

C:\Users\Admin\AppData\Local\TempQBUUJ.bat

MD5 c872ef42f00e73a0319a155ea74d0e15
SHA1 7410c08d0e874446ecc7eff67abe22578e496d92
SHA256 356cb8a3f03f52001f593dab167201e1a906ff4a524164aff93eef9501a28f3f
SHA512 7646ff930bb06bcac5b5ba579e465a8b4f02809ec81df59655a17c03c30e81ad3c57be8573efa8cd45a3b005816775b5d78470e337ae6d5a953cdf263a4c4bbb

\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe

MD5 6667c9bd9a0598b215a29fe14f4acce4
SHA1 384a435245e6202b4d50ed91cc0bd0467aae5a67
SHA256 00ef64d070d000ebcc853c7383c4a52f742ccee89b65cbe8bc2ce16fa3f48c9e
SHA512 de71479506a99d951f61c62397b726357c1f82111d9e71cea8f2755375e3c44571ef954fbdd1f835b94042978465a18601c5734a2bbf542a5ac48e72e036a10b

C:\Users\Admin\AppData\Local\TempBPYLK.bat

MD5 fd1d13bda944b76d047292d1506c4e35
SHA1 ef3550d5cb21aa824c48f67a30c5d89c4d537d77
SHA256 a5597a65241fc492acc732e99bf4f506184b0097adc2ea3db800882d34aefed3
SHA512 302391e10ce0433a050284241d478cc1adbf4d6d1191af2866e789d7e71278cc67d48c0671ab63d46f179de70af8fb66111cc59f475452cff0faa8e7a8d00457

\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe

MD5 ac20b5b1744c20d5a26d3382d7262975
SHA1 97b1f0e1b4b2daf3156062a359689a6ce6c1b61f
SHA256 671fd3f8afb3dbe3a4aa04b68664ff68ec953743d0acdb8b5bf03d93dd59ea6a
SHA512 719a48cb9ab814a78b50d44c360f5611d71b4bda96911911089aa320cdce2576ea1541013fba93d3c1be9a058c20b697e45d10c9a80d83fe23b99306103aef7a

C:\Users\Admin\AppData\Local\TempXIGKF.bat

MD5 c19a26b98002090a180fb332b32db76a
SHA1 29aa660be043cb923e3918761dfe141326daf60c
SHA256 79f2ddd25316c414e1b27ef9feb998d1ec8220e2e27b67ea98dec4cca626eca9
SHA512 cc5c4530df3c0e36510e438eb9c9ae4fdff28c36fa194de9259de2bf720be3508666858ffb6b30e16bab30b5e072ada016039b869750a33b88073ebb07263ca9

\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe

MD5 9bec2b5cb37772fab15229c48f6ac02c
SHA1 ad5579667cec89fa4701a61e71bc12c6f26bfd99
SHA256 609c8deb1da39e747d3ef48086023c22d2a5bf199e52063d5d399c08b96b6101
SHA512 3e7a90252595e778eebc889ac43c3cb4f2ec3ac79cb5dda46808382fc729f47d2b5daf71df483216d82e04a20d2268ea2c686f7bdb5ab4effa25cc13bfd8a08a

C:\Users\Admin\AppData\Local\TempUQQFO.bat

MD5 f298269d59afbe4f480fff06148a81fa
SHA1 2e98dad6d4711855e640bb626e8e59e8c52e901b
SHA256 85dcc0ab7cca7ee9ae5b790e2dcea09edfac85a469a99f33183b195256349c0f
SHA512 5090fe8f060af6fcf738292dab6f49b25ecbf0460a3b63a3542403d91501be7068fbb6788c65b1bea45318dfaa27f2586abac006170fca782e8877ee3954286b

C:\Users\Admin\AppData\Local\TempXGGPL.bat

MD5 73d09bb55e140368f9494677b120c41e
SHA1 1e7f26699f36aa9e3bfecf62e39a566c6005f5d1
SHA256 3afc85474bf15cde25f95b7c1587590d8ee24a2765ca15131da34a40c3b2d3bf
SHA512 ad4aecdda96e6ad1719c966def5391f5a0e1964633f21cd200cefd3b7b2aed28d968ea72ba94c1ccc7fb6bb6a145097cee9a7d0f69257710513a3fc854b7be7f

C:\Users\Admin\AppData\Local\TempLGPGE.bat

MD5 b0636b5a484d942d1477c49e0b735d8d
SHA1 2871ac01d4df783200865e39170489a096f8d9f6
SHA256 b8f3faf19c88193998220f98b3be87e48c560b6a77f08f375b6a41f357ea772a
SHA512 96df53a3ccfea43f36765dd5c5046339213d19dab1e16a11e019d560a6923bf564da64c16270dd39b5ead28fce52ceb67d43e08fc0512d85b690dae7ef73a0de

C:\Users\Admin\AppData\Local\TempUFYAN.bat

MD5 10e58ac500f28d3bd87a6b66ad6b337a
SHA1 c88155419d3fa93423c816a6ab34e355c7be02d3
SHA256 f4073b688587e96e1eef3fafc77db30f70aba207a4c2636f5183e4f3609b4994
SHA512 b8b96bfc26895cc16a0756d73e8651eed5bd8b4cc8de19603619692ed46d58c3f8dfb42edac606c51b803cc8c38322d5356de8df370924a043be53ccdb2acea3

C:\Users\Admin\AppData\Local\TempXJGKF.bat

MD5 271339213f855c3ed4631e6c3895d70d
SHA1 da2e346a03afe50f27bc7fd7e8f64853be0a0de0
SHA256 5c7944d9ea1f7eb95cb93f77662d264e1460311bbfa8c3d2d3d060aba60deeaf
SHA512 cfaa38976ccbddb2096363ddfd6c8e278df4b00ccfab74f1c6e9e2fe695a9d451fdc80cf67aecb533a7d2344b4e9b3eabb13d3c6f62b82aa64c42ebda3b66d6c

C:\Users\Admin\AppData\Local\TempBPYLK.bat

MD5 b92f29720eab1ff33db22b97c2782f15
SHA1 0ff6e778d817a7c3f71c422089e60fc5ceb91d47
SHA256 4f46515c7b989cd10d5f131087dc196fe7fc49433c9f308b45ff6ef50315de53
SHA512 f226c9dba08cb147b4851d50a766130e7ccacbbba32c39f5886d2660a61b3d0b63860da9f361e9dc540fbab44dccfcfc0a6e38447e3cbe04e8a09e9892eb3c99

C:\Users\Admin\AppData\Local\TempQEBPY.bat

MD5 4e72d3e60112961a57b2a72138c842ab
SHA1 e52ee2b6b90a128036bda35ea6f9e53e8241bdf8
SHA256 397dc89b5e6a0077fbccc933a0b0edba8a076de60546e518ab2a878715905c2e
SHA512 a560af21ae0904ab22cc1d6d2c5b430efd45d9a8dfe33fdce24eb85f27d40a97afdca72167757c3f3e400f22ac88237998136706d312f3a8b5941b1d06077f64

C:\Users\Admin\AppData\Local\TempVGEJW.bat

MD5 c429153eab55ba177d19099e9716b82e
SHA1 6338cf95201fdf4c4d0670a05132557dc81265e0
SHA256 e38544ba4ba829e537b660911a49ac124e2dcee2ecd640963e6aa11cd04e5afb
SHA512 90116849f981f4de0be363d2434345c8efe423f79f826132a73466da55d48c9ccdb0aca5e246f635d1d2bdaec54d1cd86c7a4cc214712caee74d260e8e454e5f

C:\Users\Admin\AppData\Local\TempCFGQM.bat

MD5 f93e33b71234fa46aea76abb934de754
SHA1 5979972a4cfbe27f657d7e7bc66d401f1d299d86
SHA256 35570e84142acd63a632c0099fab519587f130e429192dc9b879d05a7532a6af
SHA512 5eccbb39a725717f4371feef4f036971cca5e00916c4b192bed41313c7c1e7d528b79d09c810a034f4b7c7151d1237e91a5de67fda387e5d2eb75c33df4f3900

C:\Users\Admin\AppData\Local\TempVHFJE.bat

MD5 ae509edd5dcf523ca66bbe9a385a6970
SHA1 755cc715ac1c910495d7ebe4938c14b5f3a5c7c1
SHA256 9a5316af50370d0e410c04f1e2dee52a446f21fbd412097d81d3e9662df06afa
SHA512 cf52c4cc6246f9b4c0dfe65559a2ef39b1c8e909a7d245ed77e46f696a37ed42241bf097e01809258ecc10003fe2d7fce68f874bbb3c29530b0e7c69fbbdcfde

C:\Users\Admin\AppData\Local\TempRUVHI.bat

MD5 1ba4d592ec1a40d75455469f95b33c6b
SHA1 15a872b81fc9500357ce008cdc79e24a40694fc6
SHA256 d0bc0c629d35c64e6e1c97a5ac4331f420f7f24451a497887f16135462ec51b6
SHA512 da584451f34396500a3bd52f15d61529e115808dca1558d0cbda98a022af4af94f9dad15fb40e7bb90b501aeb13032e8e95c0bc5428e9366724f6313a75aeea9

C:\Users\Admin\AppData\Local\TempDYBNK.bat

MD5 5c4c29a410bd00bbacd2611f885a013e
SHA1 aefca89f9eae0e39d6b8c72f03268ed6fc908092
SHA256 1f481099fa4b0c87b95a68a86c643ff38f4840353624b518904e42b634869c83
SHA512 e4b7b19b4cfd65140b315b5c8ff204c0919e4af50febc215e3a5d67c780ccfa157e78f891cc1f44c928bd472aa1d749ec2a6b46d8e0da13baa707b1220ed4195

C:\Users\Admin\AppData\Local\TempJKHQC.bat

MD5 b86099f3542512c7dbc00e9321f85070
SHA1 c0f2b7f78e948bc3b3dc985bf7578151969449ec
SHA256 2f0c377431e0f2a24518b65ea703471d3d350c57d3cd796922f2477eba885831
SHA512 04d42c85b7e35d3cb7345bbb222a862909ea9dbe4830f8872d0932a3d18ec559669ef6676b06000c119c77bef9c34e3dc0119737c49758beaa373a98a676e087

C:\Users\Admin\AppData\Local\TempMJRDK.bat

MD5 761523d75b9c30f423b62c6f280a378e
SHA1 21eeeb6bfd663eb8a888aa5e5b2c825287e3fbcd
SHA256 efe411d82eb3fdb99f8843891b2748be43fff61c331bceba63fd5c5850c8488b
SHA512 2215a1e746443b6dde24abaca4de0fd008e465a01f7b533c5c09cac50b0f69d062a15810a06174ba2a85eaabf4d0678f7727cdbd6e44941ce4830a0322f0227c

C:\Users\Admin\AppData\Local\TempYLMJR.bat

MD5 94127c4337ea80ea6f049abb345f04f2
SHA1 31f5b87a86f9e3a56997b8bd617d57e29298f0a4
SHA256 fea8450bf502db38695c29f06dbf5d37abb247780313f9421b82d2ad8daf495c
SHA512 766755d545c344438e1a948f4ae25bb0a9fa4d96bc28ecd642f57f8d7bc41fa7fbc1953aaa253291cdefdfc9b7c08ad6ee692c7f901a2f8440ac2815e98adb44

C:\Users\Admin\AppData\Local\TempVHIFN.bat

MD5 bae0445eae1984998b8e8f2e95d61fcc
SHA1 d52837b67fd0715d254589b0abbed61a9e240601
SHA256 16ac196a027a14185c2aa74a7b35d47578fb80583f7f4babcd910ac11c386334
SHA512 98b89bfc0f41a337748dbf573b6d84bb7939cf60b826e2db94b2095aa385d9af350c4e61be9e4d1fe7d9a9b8efda6f94678ec1e3b24666d5f68e7866e04fbb7f

C:\Users\Admin\AppData\Local\TempXWTTU.bat

MD5 aa10094ff65a0e7402f5568b23ebfc95
SHA1 244feb6399ed8c8e2e819e21d366e8d8a039ad91
SHA256 4f64efabc8178271cc4a1ca265ef778782b50d3dd09c87539163bd46f88e5075
SHA512 f4bb4060a55d74dd1272262e97782ec1c365c002989c690a1ee6d6ebba65c501babff3bf24218a49d33f839af6fa993618f29756b39754ba232496efa0f1a30a

C:\Users\Admin\AppData\Local\TempBTXSO.bat

MD5 1bf4eb48250293512fe2fd33557d8fb0
SHA1 c78cd22e7b949339071d91fb97511add7f30dbb0
SHA256 74899bbdd7dfa2ece99eb1954c0e353ca12316e06495548fcdf8de24ce8cecf6
SHA512 4b70793f1f62c357ed670ec93ebc8baab6635aa3b2e33cb5877de5efa0927ed97fcd45308ad5eba5daa14fa0af264f2201c8e4a06616adf686de6d0846c4eaaf

C:\Users\Admin\AppData\Local\TempHCIWE.bat

MD5 c4aab59a6e9f43794e513644788f944f
SHA1 9f2c271ab850219d3a87188c3a1848cee93001b8
SHA256 feaaa0448ecb043ab6106f34b913dea22ce6499fc2f0f45c30d399a11005621d
SHA512 694557e76eb5ac1046cef50aff7824218c4612e93e329a43aaa1a9fa89113a266f71feca021251cbdc4eec57fc8993bbc550495221e9cd7ab614fffd8f25565c

C:\Users\Admin\AppData\Local\TempWIOTF.bat

MD5 ca7c5bcd0b45dd5537334145ce3e2e5d
SHA1 2917385f44d2886cc09d26748fd890c66275a1f1
SHA256 339d3edcd1810beee22b05229c882573ecdc853e769d06a76bcb8c436e744f4b
SHA512 0ca80c03b35a0fc94c0b8ab410213349cb8e29add7e951464591b2922f5a908b90f1223cda4dd597a4af5ec83e9d1d68953230df10448db8afcbba1caef74ca0

C:\Users\Admin\AppData\Local\TempAQQOW.bat

MD5 604014fadbaded9dbd15fa8aae1c67fd
SHA1 6b796e30f523ec0f8b8b4508cba334ce28a916d9
SHA256 5ecd75b87d6a5ba37de4115d6f335ed9c370e857d395e12b4cc130f2e1b8fbb0
SHA512 0bcf902a4010221a0867aff7d270471a2117b5e558d66ddfa7c72cb66b5b369daf3c131636a479c87d51a205a7c823f7b5bce482380bbbeaf4804ee9acb1e443

C:\Users\Admin\AppData\Local\TempWLXIH.bat

MD5 05ab3e41c1006175a0aaac827ddec92c
SHA1 d9c6617f99777ca69824e580dc6ca631b60885f2
SHA256 113dff06b16adff1661340c22a7fff630d2a3ed9001aacae58eaa0931cdef891
SHA512 a95e7f62ccc886db28770c6aa711013307aba9faba3ad2205a31b7631a2f716ced8c315165fc65faef5e29e857fdfe0f05c19ca13ad5442a6182935519e7666c

C:\Users\Admin\AppData\Local\TempTRVQY.bat

MD5 075bba071a67eaa4d515b948d126afab
SHA1 293c54640089b82a5527f11b0f4f9bd82082b751
SHA256 0c58df1e1d363beb30db4da96482e62b4e47141aa204f9388b412297550adc03
SHA512 a59c6570121606bdd49e30c7df73666b6221c69564627aff3fde5e884d2ddb34e165747566dd8b49ed98f880dcc99ca8071f182154d4386eae979bebd04be15a

C:\Users\Admin\AppData\Local\TempRMUIJ.bat

MD5 971080fcbe388252dffb632abd9025a6
SHA1 6b789100b910512d73566a0a8b2e29392aaa67c6
SHA256 b5817365eb96edda168a8c0fab6876ff593363dea6017b2573ef231fbf5d0971
SHA512 9202b0ea9ff52e8e45ce2690ff672b81fc4ed470b127aa0346c75aa4fe686edfaf7e3e36aa96090f5f73efe2a9dcee37e0ac8b23fe0af00d56a0fd8edc5cad9e

C:\Users\Admin\AppData\Local\TempIACQM.bat

MD5 1725034dce64e5b21bf9bb34f976d7f2
SHA1 a6a51a02e2e4434a8dbe3be66f59ee9e9198e035
SHA256 6b7594806abe8ee858a0469b3bd160e6066e3c8ee725cf7dc6a3e9af9c119caa
SHA512 9ba942b7912e4f69c72238317d4cb8a1d57c39e193d9523ecf106b1351fe804c67cd5a7473b4faee9da769902a8335d6046ec6b3516c8d699a0b50c62f2055e9

C:\Users\Admin\AppData\Local\TempULJNI.bat

MD5 8ca42b41c8e2de27d308a6cc0759a024
SHA1 0ca13c792b5c2e0f0b28c31ba19f56810f8e0dad
SHA256 d6e22066c8860f60d38f58320258e5073e2695dfeaea7bc1a1111e2fb11ccb02
SHA512 bb288998fdd86c53ea2f2e45fcda1a01727eb7698a6f1dae71310c8c2fd695b0a1bb7cb5d74aa9eac3ec61711278a9728c7bd677c736a103e0ed90b4dfb8bc0a

C:\Users\Admin\AppData\Local\TempVGFJW.bat

MD5 6802e1d742b92a5ca7ef02f9db16d1cd
SHA1 d034a1fe579e06e2b8d5baa8e2faa42c1bbbe37b
SHA256 513c6b684727277667bdad458fd8639d2d243c797cd6a6a8242fb299455d6628
SHA512 a35e9c6b2a954c0dc6c8edd5317a28c1a0382f9703e36f4365bdee7439d952d0d887f53e12a535546fc4a3f3078012ba567131d050095cf6d3e9fba47891c44e

memory/2912-1026-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2912-1031-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2912-1033-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2912-1035-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2912-1036-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2912-1038-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2912-1039-0x0000000000400000-0x0000000000471000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-08 23:01

Reported

2025-03-08 23:03

Platform

win10v2004-20250217-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVKEDKTJOGXOCND\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ENWFBPUFGDMEJYA\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\QJYIQEDEAFAVQEL\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HQIESWIJGPBHMAC\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TMFLSDERXOWLVLH\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DMDVMJEXNOLUGMR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SRBNMOKYWNXQPRD\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TVLFDKTKPHYPDNE\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDHW\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\OQGAYWFPFKCTKIT\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLB\service.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMDVMJEXNOLUGMR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OQGAYWFPFKCTKIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SRBNMOKYWNXQPRD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TVLFDKTKPHYPDNE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QJYIQEDEAFAVQEL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TMFLSDERXOWLVLH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HQIESWIJGPBHMAC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDHW\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENWFBPUFGDMEJYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AEJXWIRISOJSDTD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKJLGELGWKRA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NROCOWCUYTPRDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLKMHFMHXLSB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MGPXHDOIJSVWIJG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOGXPLGBAQROWJP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BDGRSOMOERITYIV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKBTLHCVLMJSEKP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XYBLRYYJACDRNMG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPKXNXRPSDINAMU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YWUMCQLJYOBOQLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TVLFDKTKPHYPDNE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OPKJLBOVFQVFSDC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIESWIJGPBHMAC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HDBRXPGFHCAJXFT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HUQTXVYJNTAGDSR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RWSGTEDHYUVIOVV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UBTEQPQMKRMCPXG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RPUHLHEVTJJLGDE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OQGAYWFPFKCTKIT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OULJNIPEFXVEFYO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TMFLSDERXOWLVLH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BDGRTOMPESAIUYJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKCTLHCWMNKSELP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XVUYLBPLJXOANPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVKEDKTJOGXOCND\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VNDRMKPCPRMFIKT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORGAXGPFKCTKJUR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RSNLODRYITYIUGE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBPUFGEMEJYA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FKYHHSPNRMUIJCJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QJYIQEDEAFAVQEL\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WJLGEHWKRAMQBNV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLVDYOSXEFCKDHW\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EDQGUQNSFSUPIMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTJDBIRHNFVNBLB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HUBKYUSCXJCWDUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGMTEFSXPXLWMI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DYCQGTPNSFSUPIL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPJBHOXANTLSHRH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XLMIGIYLTCNSDPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENWFBPUFGDMEJYA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NJHJNUDOTEQBAYE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYGCQVGHFNGKBM\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DAEAHTUPNQFTBKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMDVMJEXNOLUGMR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HMALULAVRMVGWBG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNMOKYWNXQPRD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MRNBNWBTYTPQDIP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKKLGELHXKRA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 232 set thread context of 2160 N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DMDVMJEXNOLUGMR\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDHW\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\OQGAYWFPFKCTKIT\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\QJYIQEDEAFAVQEL\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ENWFBPUFGDMEJYA\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SRBNMOKYWNXQPRD\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\TMFLSDERXOWLVLH\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HQIESWIJGPBHMAC\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMDVMJEXNOLUGMR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OQGAYWFPFKCTKIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SRBNMOKYWNXQPRD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TVLFDKTKPHYPDNE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QJYIQEDEAFAVQEL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TMFLSDERXOWLVLH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HQIESWIJGPBHMAC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDHW\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENWFBPUFGDMEJYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe C:\Windows\SysWOW64\cmd.exe
PID 4008 wrote to memory of 3120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4008 wrote to memory of 3120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4008 wrote to memory of 3120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2208 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe
PID 2208 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe
PID 2208 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe
PID 4508 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4508 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4508 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1352 wrote to memory of 1280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1352 wrote to memory of 1280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1352 wrote to memory of 1280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4508 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe
PID 4508 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe
PID 4508 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe
PID 3944 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 988 wrote to memory of 3340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 988 wrote to memory of 3340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 988 wrote to memory of 3340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe
PID 3944 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe
PID 3944 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe
PID 4084 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2804 wrote to memory of 2224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2804 wrote to memory of 2224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4084 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe
PID 4084 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe
PID 4084 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe
PID 1512 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4108 wrote to memory of 2916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4108 wrote to memory of 2916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4108 wrote to memory of 2916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1512 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe
PID 1512 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe
PID 1512 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe
PID 3916 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3916 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3916 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1528 wrote to memory of 1460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1528 wrote to memory of 1460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1528 wrote to memory of 1460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3916 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe
PID 3916 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe
PID 3916 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe
PID 1276 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1276 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1276 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4708 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4708 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1276 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe C:\Users\Admin\AppData\Local\Temp\DMDVMJEXNOLUGMR\service.exe
PID 1276 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe C:\Users\Admin\AppData\Local\Temp\DMDVMJEXNOLUGMR\service.exe
PID 1276 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe C:\Users\Admin\AppData\Local\Temp\DMDVMJEXNOLUGMR\service.exe
PID 4540 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\DMDVMJEXNOLUGMR\service.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe

"C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOBHMC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MGPXHDOIJSVWIJG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe

"C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGFJWA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGRSOMOERITYIV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe

"C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPCOWN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VNDRMKPCPRMFIKT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe

"C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBXQVH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XYBLRYYJACDRNMG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe

"C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIWAWX.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RSNLODRYITYIUGE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe

"C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWVRSS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NJHJNUDOTEQBAYE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe

"C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVKXIG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DAEAHTUPNQFTBKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMDVMJEXNOLUGMR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DMDVMJEXNOLUGMR\service.exe

"C:\Users\Admin\AppData\Local\Temp\DMDVMJEXNOLUGMR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNJXWI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RPUHLHEVTJJLGDE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OQGAYWFPFKCTKIT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\OQGAYWFPFKCTKIT\service.exe

"C:\Users\Admin\AppData\Local\Temp\OQGAYWFPFKCTKIT\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVWTCO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HMALULAVRMVGWBG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNMOKYWNXQPRD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SRBNMOKYWNXQPRD\service.exe

"C:\Users\Admin\AppData\Local\Temp\SRBNMOKYWNXQPRD\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHJSOB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YWUMCQLJYOBOQLE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TVLFDKTKPHYPDNE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TVLFDKTKPHYPDNE\service.exe

"C:\Users\Admin\AppData\Local\Temp\TVLFDKTKPHYPDNE\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJSOWN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FKYHHSPNRMUIJCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJYIQEDEAFAVQEL\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\QJYIQEDEAFAVQEL\service.exe

"C:\Users\Admin\AppData\Local\Temp\QJYIQEDEAFAVQEL\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJSJHS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OULJNIPEFXVEFYO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TMFLSDERXOWLVLH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TMFLSDERXOWLVLH\service.exe

"C:\Users\Admin\AppData\Local\Temp\TMFLSDERXOWLVLH\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGYXTU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OPKJLBOVFQVFSDC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIESWIJGPBHMAC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HQIESWIJGPBHMAC\service.exe

"C:\Users\Admin\AppData\Local\Temp\HQIESWIJGPBHMAC\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBTXSO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WJLGEHWKRAMQBNV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDHW\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDHW\service.exe

"C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDHW\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSEMEH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HDBRXPGFHCAJXFT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe

"C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWSFCR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EDQGUQNSFSUPIMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLB\service.exe

"C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGAOXK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWSGTEDHYUVIOVV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe

"C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQRWDE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBKYUSCXJCWDUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe

"C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMWSFC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DYCQGTPNSFSUPIL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe

"C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQYBUU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBNWBTYTPQDIP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe

"C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXDVUQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XLMIGIYLTCNSDPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENWFBPUFGDMEJYA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ENWFBPUFGDMEJYA\service.exe

"C:\Users\Admin\AppData\Local\Temp\ENWFBPUFGDMEJYA\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSTQAL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AEJXWIRISOJSDTD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe

"C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQBVUJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NROCOWCUYTPRDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe

"C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVGFJW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGRTOMPESAIUYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe

"C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDHIRN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XVUYLBPLJXOANPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe

"C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe"

C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe

C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
N/A 192.168.1.16:3333 tcp

Files
