Malware Analysis Report

2025-05-28 17:57

Sample ID 250308-2zmepatwhx
Target e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49
SHA256 e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49
Tags
blackshades defense_evasion discovery persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49

Threat Level: Known bad

The file e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49 was found to be: Known bad.

Malicious Activity Summary

blackshades defense_evasion discovery persistence rat

Modifies firewall policy service

Blackshades

Blackshades payload

Blackshades family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry key

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-08 23:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-08 23:01

Reported

2025-03-08 23:03

Platform

win7-20240903-en

Max time kernel

148s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQMYPSQTEJOBNVN\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBGLYKS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCKC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSFLQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IAQAHRNIDCSTQYK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AJWSAVYXLPUBCIA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAYPQNVHO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UMLTHHIDCIEUHOJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVFQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBGLYKS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBGLYKS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCKC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCKC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSFLQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSFLQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IAQAHRNIDCSTQYK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IAQAHRNIDCSTQYK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AJWSAVYXLPUBCIA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AJWSAVYXLPUBCIA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAYPQNVHO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAYPQNVHO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UMLTHHIDCIEUHOJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UMLTHHIDCIEUHOJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVFQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVFQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\VWJPWWHABPYLKXE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NIXVLVPNQBGLYKS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\DTURAAMSXIGKFNC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQKDJQBCPUMUITJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MRWCDAJBGVUIJFD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWWAXSQXTIWEME\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\XWANDRNLQCPRMFJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXMGFMVLQIQEPFB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\VRFSDBGYXTUHMTU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TSCOOPKIPLAOVFQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ASKGBRKLUXKLIRD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBQUGHEMFKYA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\NMHQXIEPIJSVXIJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BTLRYKAKEXCEVRS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\WAXLXJHLDNSLBBD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FYIUUVQOVRGUCKC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\OLLXTRVQYMOAGNN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAVOUMCNGEHXTUC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\VWJOVWHBPYLKXEU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWULVONPBFKYXJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\FTAJWSQAVHBVXCS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNFWOKFAYPQNVHO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\YCMSKBBDFSAONID = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQMYPSQTEJOBNVN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\GLQDAPXPCEYUPDY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VCUEQQRMKRNCQXH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\SECGBJUWRPRHVDL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNEWOKFAYPPNVHO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\EAOUMDDFAHUCQPB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESNQUSVGLQDAPXO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\CQGUPNSFSUPILNW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKCTLHCWMNKSFLQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\LPUBCHAFTTHIDBE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GYJVUVRPWRHUCLC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFDHCKVWSQSIVDM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOFXPLGAAPQNWIO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\WTQUQXMNAFMNVRR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNTLCMFEGWSTBP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\CHVUGOGXPLGWQBQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UMLTHHIDCIEUHOJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\AEJXWIQIROIYSDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WONVKJKGELGWJRA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\IVCMVTDAYKEYFVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IAQAHRNIDCSTQYK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\SFJFCTRHHJEBCLH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJWSAVYXLPUBCIA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\QPTGKGEUSJJLGCD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQFYWFYOEJBSJIT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MQWCDAJBGVUIJED = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVAXSQXTIWEMD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\AHLCNPKIKAOVEPU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NPFXVEYNEJBSJHS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\INKKVSQUPXLNFMM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TMLTHGIDBIDYTHO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
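The two tables above ("Modifies firewall policy service" and "Adds Run key to start application") share one pattern worth turning into a hunt: every write is performed by C:\Windows\SysWOW64\reg.exe rather than by the sample or its dropped copies, the firewall rows re-enable the exception list (DoNotAllowExceptions = 0) and then authorise a service.exe under %TEMP% in the legacy StandardProfile\AuthorizedApplications\List format "<path>:*:Enabled:<display name>", and every Run value launches a service.exe from a 15-letter upper-case directory under the same %TEMP%, with a 15-letter upper-case value name. The following script is an added example, not part of the sandbox output: it parses rows in exactly the shape the report prints them and applies four rules written for this example (FW-EXCEPTION, FW-ALLOW-EXC, RUN-TEMP, RANDOM-NAME). The sample rows are copied from the report, display name spelling included; the rule names, the 15-letter heuristic and the %TEMP% pattern are this example's own assumptions, not something the report states.

```python
"""Rule-based triage of the registry rows printed in the report above.

Added example, not part of the sandbox output. Rows in SAMPLE_ROWS are
copied verbatim from the two tables; rule names and thresholds are this
example's own choices (assumptions), not sandbox signatures.
"""
import re
from collections import Counter

# One report row: "<op> <key>[ = "<data>"] <writing process> <target>"
ROW_RE = re.compile(
    r'^(?P<op>Set value \((?:str|int)\)|Key created)\s+'
    r'(?P<key>\\REGISTRY\\\S+)'
    r'(?:\s+=\s+"(?P<data>.*)")?'
    r'\s+(?P<proc>[A-Za-z]:\\\S+)\s+(?P<target>\S+)$'
)
TEMP_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)
RANDOM_RE = re.compile(r'^[A-Z]{15}$')   # assumption: this sample's naming scheme


def parse_row(line):
    """Parse one table row; return None for headers and rows of another shape."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    row = m.groupdict()
    row["name"] = row["key"].rsplit("\\", 1)[-1]     # value name or leaf key
    if row["data"] is not None:                      # report doubles backslashes in data
        row["data"] = row["data"].replace("\\\\", "\\")
    return row


def check(row):
    """Apply the hunting rules to one parsed row; return (rule, subject, detail) tuples."""
    key, data, name = row["key"], row["data"], row["name"]
    hits = []
    # Legacy firewall exception entry: "<path>:*:Enabled:<display name>"
    if "\\FirewallPolicy\\" in key and "\\AuthorizedApplications\\List\\" in key and data:
        path, _, rest = data.partition(":*:")
        if TEMP_RE.search(path):
            hits.append(("FW-EXCEPTION", path, rest))
    # DoNotAllowExceptions = 0 switches the exception list back on
    if name == "DoNotAllowExceptions" and data == "0":
        hits.append(("FW-ALLOW-EXC", key, data))
    # Per-user Run value whose command lives under %TEMP%
    if "\\CurrentVersion\\Run\\" in key and data and TEMP_RE.search(data):
        hits.append(("RUN-TEMP", name, data))
        if RANDOM_RE.match(name) or any(RANDOM_RE.match(p) for p in data.split("\\")):
            hits.append(("RANDOM-NAME", name, data))
    return hits


def analyze(lines):
    """Run every row through the rules; keep the writing process with each finding."""
    findings = []
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        for rule, subject, detail in check(row):
            findings.append({"rule": rule, "subject": subject,
                             "detail": detail, "writer": row["proc"]})
    return findings


def rule_counts(lines):
    return dict(Counter(f["rule"] for f in analyze(lines)))


SAMPLE_ROWS = [  # copied from the report tables above
    r'Description Indicator Process Target',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A',
    r'Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQMYPSQTEJOBNVN\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A',
    r'Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\VWJPWWHABPYLKXE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NIXVLVPNQBGLYKS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\DTURAAMSXIGKFNC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQKDJQBCPUMUITJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\YCMSKBBDFSAONID = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQMYPSQTEJOBNVN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_ROWS):
        print(f"{f['rule']:<12} {f['subject']}  <- {f['writer']}")
    print(rule_counts(SAMPLE_ROWS))
```

The writer column matters for response: because reg.exe is the process that touches the firewall and Run keys, an EDR rule keyed on the sample's own image would miss both changes, whereas a rule on reg.exe writing under FirewallPolicy\StandardProfile or CurrentVersion\Run with a %TEMP% path catches every row above.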

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCKC\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\UMLTHHIDCIEUHOJ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVFQ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSFLQ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AJWSAVYXLPUBCIA\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FNFWOKFAYPQNVHO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBGLYKS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCKC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSFLQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IAQAHRNIDCSTQYK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AJWSAVYXLPUBCIA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAYPQNVHO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UMLTHHIDCIEUHOJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVFQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2132 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2132 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe
PID 768 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 768 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe
PID 2828 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2828 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe
PID 1088 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1088 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe
PID 1712 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1428 wrote to memory of 1320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1712 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBGLYKS\service.exe
PID 2640 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBGLYKS\service.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe

"C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempFRCBF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AHLCNPKIKAOVEPU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe

"C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKEJXG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GLQDAPXPCEYUPDY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe

"C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempGPBHM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMHQXIEPIJSVXIJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe

"C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVRQFO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "INKKVSQUPXLNFMM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe

"C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVOTFC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VWJPWWHABPYLKXE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBGLYKS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBGLYKS\service.exe

"C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBGLYKS\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempCXAMY.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SECGBJUWRPRHVDL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe

"C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKBFTL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EAOUMDDFAHUCQPB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe

"C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempDSTQL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AEJXWIQIROIYSDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe

"C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempDVTCC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DTURAAMSXIGKFNC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempFTBPO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WAXLXJHLDNSLBBD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCKC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCKC\service.exe

"C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCKC\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWSRGP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OLLXTRVQYMOAGNN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe

"C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempSFCRQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CQGUPNSFSUPILNW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSFLQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSFLQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSFLQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempRSXEF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IVCMVTDAYKEYFVO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IAQAHRNIDCSTQYK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IAQAHRNIDCSTQYK\service.exe

"C:\Users\Admin\AppData\Local\Temp\IAQAHRNIDCSTQYK\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempTHOJO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LPUBCHAFTTHIDBE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe

"C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVUGOG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SFJFCTRHHJEBCLH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJWSAVYXLPUBCIA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AJWSAVYXLPUBCIA\service.exe

"C:\Users\Admin\AppData\Local\Temp\AJWSAVYXLPUBCIA\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMIWVH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPTGKGEUSJJLGCD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe

"C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempNTFBL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VWJOVWHBPYLKXEU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempFVIQK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MQWCDAJBGVUIJED" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe

"C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempLOPUB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FTAJWSQAVHBVXCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFWOKFAYPQNVHO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FNFWOKFAYPQNVHO\service.exe

"C:\Users\Admin\AppData\Local\Temp\FNFWOKFAYPQNVHO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempFVIQK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRWCDAJBGVUIJFD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe

"C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKTPCO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWANDRNLQCPRMFJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe

"C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempDXBMK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFDHCKVWSQSIVDM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe

"C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempGPBYW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WTQUQXMNAFMNVRR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe

"C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempAQROW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CHVUGOGXPLGWQBQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UMLTHHIDCIEUHOJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UMLTHHIDCIEUHOJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\UMLTHHIDCIEUHOJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempFYYNW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VRFSDBGYXTUHMTU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVFQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVFQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVFQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempJOACF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ASKGBRKLUXKLIRD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe

"C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempYRXJF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCMSKBBDFSAONID" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe

"C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe"

C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe

C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
N/A 192.168.1.16:3333 tcp

Files


memory/2968-714-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2968-719-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2968-722-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2968-723-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2968-724-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2968-726-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2968-727-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2968-728-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2968-730-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2968-731-0x0000000000400000-0x0000000000471000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-08 23:01

Reported

2025-03-08 23:03

Platform

win10v2004-20250217-en

Max time kernel

150s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFVEMAABWBSNAHC\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JFTRISLKMYCHVUG\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQLR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\QSICAHRHMEVMALB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\QIYHPDDEEAVQDKF\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XARKPXIICWADTPQ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLC\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSTQYKR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXOJI\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHAE\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GUQTWUXINSAFCRR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DMVEAYOSXEFCLDI\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DLDVMJDXNOLUGMR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\YQQAXMLMIGNIYLT\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGQH\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XPPWLKLHFMHXKSB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WPJCHOXAAOTLTHR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\PSIBYAHQGMDULAK\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAEAVQDL\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPMVHN\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULG\service.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGQH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPMVHN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSTQYKR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPPWLKLHFMHXKSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JFTRISLKMYCHVUG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPJCHOXAAOTLTHR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLDVMJDXNOLUGMR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QIYHPDDEEAVQDKF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQLR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXOJI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XARKPXIICWADTPQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PSIBYAHQGMDULAK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQQAXMLMIGNIYLT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHAE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GUQTWUXINSAFCRR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMVEAYOSXEFCLDI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QSICAHRHMEVMALB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAEAVQDL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VVJKFDGVJQLQAMY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYUCXNRWDEBJCH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XUTXKAOKIYWNNPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUJDCJSIOFWNBMC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LODJWWIQHRNIYRD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QIYHPEDEAEAVQDL\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VJWHGKXYBLRYYJA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNMOJHOKNUDPT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HRNIYRCSCRSPYKQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSJTMLNDIWVHQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NSXDECKCHWVJKGE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXXBYTRAYUJXAF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KLIRDJOACEQRMKN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSIBYAHQGMDULAK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HYQMHXRCSBRSPYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSJTMLNDIWVHP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MIJURPTOVKLDKLU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFFGBGCXSFMH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OAIRYJFAQJKTXYJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNSLBLFDGWSTBP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OGXPLGWQBRAQROW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTRISLKMYCHVUG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QPTGKGEUSJJLGCD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQFYWFYOEKBSJIT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DRNLPCPRMFJKTPC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IRJFATXJKHQCINB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MLYFOYWGCNGHXQU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKPXIICWADTPQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OPMVHNSDBFAIUVQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TWLFELUKPHYPDOE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LMJRDKPACFQSNLO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTICBIRHMEVMALB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LPKSGHYAHHQLULA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPHNUGGTARNXOJI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BQROXJPUGEIDKWA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QSICAHRHMEVMALB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RDMDVNJEUNOXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCYQWOFPIHJWWES\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HWXUDEPVMKOJQFG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFVEMAABWBSNAHC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DXCPFTPMRERTOHL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WYOIBGNXNSKSGQH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NUYKIMHPDEXVEEX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFKRDDRWOWKULG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DRHVQOTGTVAQJMO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLDVMJDXNOLUGMR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVSRVJMIGWVLLNI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSICYAHQGMDULAK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIWVHQHRNIYRCSC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VONVJIKFDKFVJQL\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PBJASKGBRKLUYKL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EVOTMCMGEHXTUCQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MLFPYWGDNHIYRUV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YARKQXIJCWBDTQQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YBLRYKAACESNMHC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPLXOYRQSEINAMU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HUBLYUSCXJDXEUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HPGYQMHCBRSPXJQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DSTQLRWIFJEMBYC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCIPYABOULTHS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WUSWKAOJHYWMMOJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTJDBIRHNFVNBLC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TFDHCKVWSQSIVDM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOFXPLGAAPQNWIO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DBFAITUQOQGUBKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMDVNJEXNOMUGNR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FSIWSQAVHBVXCSL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNEWOKFAYOPMVHN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VHFJEMAXBUSBBUK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IAQHRNIDCSTQYKR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MROCOWCUYTPQDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPPWLKLHFMHXKSB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KXGHSYPNRMUIJCJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QIYHPDDEEAVQDKF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ACFRSNLODRYITYI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJBTKHBVLMJSEKP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CNSPDPAXDVUQREK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQQAXMLMIGNIYLT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BDGRTOMOESAIUYJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKBTLHCVMMKSELP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XWKLGEHXKRBMRBO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMVEAYOSXEFCLDI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NJIVCLVTDYKEYFV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPJCHOXAAOTLTHR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WHFJEMBYCUSBBVK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IBQAIRNIDCSTQLR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HUBKYTRCWJCWYDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGLSEESXPXLVMH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\REIECSYQHHJEABK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWSAUYWKPUABHAE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GCAQWOFFHCJWESR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GUQTWUXINSAFCRR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1540 set thread context of 1004 N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe
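Editor's note on the three tables above (the firewall-policy writes, the Run-key writes and the SetThreadContext event). Every registry write is performed by reg.exe rather than by service.exe itself, so a detection keyed only on the dropped binary touching the registry misses it. The firewall entries use the legacy XP SP2-era `path:scope:Enabled:name` exception format under AuthorizedApplications\List with DoNotAllowExceptions cleared so the list takes effect (whether the modern firewall service still honours that list on the Win10 build used here is worth verifying rather than assuming), and the display name "Windows Messanger", misspelling included, is the malware's own string and a usable match. Every persisted binary sits in a randomly named folder under %TEMP%, and the one SetThreadContext event has the same image as source and target, the classic self-hollowing pattern; that image, MFVEMAABWBSNAHC\service.exe, is also the one that received both a Run value and a firewall exception. The Python below is an added example, not part of this report or of the sandbox that produced it: it parses a handful of rows copied verbatim from these tables (a subset; the full report has 46 Run entries), decodes the firewall exceptions, lists the Run-key targets, cross-references the two and flags same-image SetThreadContext. Names such as `parse_row` and `triage` are this example's own.

```python
import re

# Rows copied verbatim from the behavioral2 signature tables of this report, a
# subset only: two of the firewall-exception writes, the DoNotAllowExceptions
# toggle, three of the 46 Run-key writes, one Geo\Nation query and the single
# SetThreadContext event. Column order is "Description Indicator Process Target".
REPORT_ROWS = r"""
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFVEMAABWBSNAHC\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JFTRISLKMYCHVUG\service.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VVJKFDGVJQLQAMY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYUCXNRWDEBJCH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HWXUDEPVMKOJQFG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFVEMAABWBSNAHC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GCAQWOFFHCJWESR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GUQTWUXINSAFCRR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
PID 1540 set thread context of 1004 N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe
"""

# Row shapes as rendered in the report. Value data is quoted and may contain
# spaces; key paths may too ("Control Panel"), so Process/Target are taken as
# the last two whitespace-free tokens.
SET_VALUE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+) (\S+)$')
THREAD_CTX = re.compile(r'^PID (\d+) set thread context of (\d+) (\S+) (\S+) (\S+)$')
KEY_OP = re.compile(r'^(Key created|Key opened|Key value queried) (.+) (\S+) (\S+)$')

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
FW_LIST = "\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List\\"
RUN_KEY = "\\Microsoft\\Windows\\CurrentVersion\\Run\\"


def parse_row(line):
    """Parse one signature-table row into a dict, or None if the shape is unknown."""
    line = line.strip()
    m = SET_VALUE.match(line)
    if m:
        return {"op": "set_value", "type": m.group(1), "key": m.group(2),
                # the report shows REG_SZ data with doubled backslashes; undo that
                "data": m.group(3).replace("\\\\", "\\"),
                "process": m.group(4), "target": m.group(5)}
    m = THREAD_CTX.match(line)
    if m:
        return {"op": "set_thread_context", "pid": int(m.group(1)),
                "target_pid": int(m.group(2)), "process": m.group(4), "target": m.group(5)}
    m = KEY_OP.match(line)
    if m:
        return {"op": m.group(1).lower().replace(" ", "_"), "key": m.group(2),
                "process": m.group(3), "target": m.group(4)}
    return None


def firewall_exceptions(rows):
    """Decode legacy 'path:scope:state:name' entries under AuthorizedApplications\\List."""
    out = []
    for r in rows:
        if r["op"] == "set_value" and FW_LIST in r["key"]:
            path, scope, state, name = r["data"].rsplit(":", 3)  # keep the 'C:' colon in path
            out.append({"path": path, "scope": scope, "state": state, "name": name,
                        "in_temp": bool(TEMP_DIR.search(path)), "writer": r["process"]})
    return out


def exceptions_allowed(rows):
    """True when DoNotAllowExceptions was set to 0, i.e. the exception list is honoured."""
    return any(r["op"] == "set_value" and r["key"].endswith("\\DoNotAllowExceptions")
               and r["data"] == "0" for r in rows)


def run_key_entries(rows):
    """Run-key persistence: hive, value name and launched path, with a %TEMP% flag."""
    out = []
    for r in rows:
        if r["op"] == "set_value" and RUN_KEY in r["key"]:
            hive = "HKCU" if r["key"].startswith("\\REGISTRY\\USER\\") else "HKLM"
            out.append({"hive": hive, "value_name": r["key"].rsplit("\\", 1)[1], "path": r["data"],
                        "in_temp": bool(TEMP_DIR.search(r["data"])), "writer": r["process"]})
    return out


def self_injection(rows):
    """SetThreadContext where source and target share an image: the hollowing pattern."""
    return [r for r in rows if r["op"] == "set_thread_context"
            and r["process"].lower() == r["target"].lower()]


def triage(text):
    """Summarise a block of report rows into the indicators an analyst acts on."""
    rows = [p for p in (parse_row(line) for line in text.splitlines()) if p]
    fw, run = firewall_exceptions(rows), run_key_entries(rows)
    fw_paths = {e["path"].lower() for e in fw}
    return {
        "rows": len(rows),
        "exceptions_allowed": exceptions_allowed(rows),
        "firewall_exceptions": fw,
        "run_entries": run,
        # binaries that were both persisted and whitelisted: pull these first
        "persisted_and_whitelisted": sorted(e["path"] for e in run if e["path"].lower() in fw_paths),
        "self_injection": self_injection(rows),
        "writers": sorted({r["process"] for r in rows if r["op"] == "set_value"}),
    }


if __name__ == "__main__":
    s = triage(REPORT_ROWS)
    for e in s["firewall_exceptions"]:
        print(f'firewall exception: {e["path"]} ({e["state"]}, shown as "{e["name"]}")')
    for e in s["run_entries"]:
        print(f'{e["hive"]} Run\\{e["value_name"]} -> {e["path"]} temp={e["in_temp"]}')
    print("persisted and whitelisted:", s["persisted_and_whitelisted"])
    for e in s["self_injection"]:
        print(f'PID {e["pid"]} set thread context of PID {e["target_pid"]} ({e["process"]})')
```

Run over the full tables rather than this subset, `persisted_and_whitelisted` is the shortest route to the binary worth pulling from the sandbox: here it is MFVEMAABWBSNAHC\service.exe, the same image that appears in the SetThreadContext row and the only service.exe listed twice under Executes dropped EXE, consistent with a second instance being started as the hollowing target. The `writers` list is the other useful output: it is reg.exe alone, which is what a process-ancestry rule (reg.exe spawned from a binary under %TEMP%) should key on.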

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\XARKPXIICWADTPQ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PSIBYAHQGMDULAK\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLC\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHAE\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WPJCHOXAAOTLTHR\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\QSICAHRHMEVMALB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGQH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPMVHN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSTQYKR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPPWLKLHFMHXKSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JFTRISLKMYCHVUG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPJCHOXAAOTLTHR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLDVMJDXNOLUGMR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QIYHPDDEEAVQDKF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQLR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXOJI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XARKPXIICWADTPQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PSIBYAHQGMDULAK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQQAXMLMIGNIYLT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHAE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GUQTWUXINSAFCRR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMVEAYOSXEFCLDI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QSICAHRHMEVMALB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAEAVQDL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3436 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe C:\Windows\SysWOW64\cmd.exe
PID 3436 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe C:\Windows\SysWOW64\cmd.exe
PID 3436 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe C:\Windows\SysWOW64\cmd.exe
PID 3168 wrote to memory of 4348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3168 wrote to memory of 4348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3168 wrote to memory of 4348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3436 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe
PID 3436 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe
PID 3436 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe
PID 1448 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1448 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1448 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 4792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3012 wrote to memory of 4792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3012 wrote to memory of 4792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1448 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe
PID 1448 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe
PID 1448 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe
PID 2628 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2628 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2628 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 5108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3432 wrote to memory of 5108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3432 wrote to memory of 5108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2628 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGQH\service.exe
PID 2628 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGQH\service.exe
PID 2628 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGQH\service.exe
PID 4404 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGQH\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4404 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGQH\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4404 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGQH\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4756 wrote to memory of 3792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4756 wrote to memory of 3792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4756 wrote to memory of 3792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4404 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGQH\service.exe C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULG\service.exe
PID 4404 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGQH\service.exe C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULG\service.exe
PID 4404 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGQH\service.exe C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULG\service.exe
PID 4744 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4744 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4744 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 1340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2416 wrote to memory of 1340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2416 wrote to memory of 1340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4744 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULG\service.exe C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe
PID 4744 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULG\service.exe C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe
PID 4744 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULG\service.exe C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe
PID 2132 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 5040 wrote to memory of 1352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5040 wrote to memory of 1352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5040 wrote to memory of 1352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2132 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPMVHN\service.exe
PID 2132 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPMVHN\service.exe
PID 2132 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPMVHN\service.exe
PID 4008 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPMVHN\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4008 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPMVHN\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4008 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPMVHN\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1528 wrote to memory of 4876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1528 wrote to memory of 4876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1528 wrote to memory of 4876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4008 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPMVHN\service.exe C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSTQYKR\service.exe
PID 4008 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPMVHN\service.exe C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSTQYKR\service.exe
PID 4008 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPMVHN\service.exe C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSTQYKR\service.exe
PID 1448 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSTQYKR\service.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe

"C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBDRNM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VJWHGKXYBLRYYJA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe

"C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJRDJO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PBJASKGBRKLUYKL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMVREB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DXCPFTPMRERTOHL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGQH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGQH\service.exe

"C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGQH\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNIRIG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NUYKIMHPDEXVEEX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULG\service.exe

"C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULG\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDRYHT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LMJRDKPACFQSNLO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe

"C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOPYUB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FSIWSQAVHBVXCSL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPMVHN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPMVHN\service.exe

"C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPMVHN\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYGOFD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VHFJEMAXBUSBBUK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSTQYKR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSTQYKR\service.exe

"C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSTQYKR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQBVUJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MROCOWCUYTPQDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPPWLKLHFMHXKSB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XPPWLKLHFMHXKSB\service.exe

"C:\Users\Admin\AppData\Local\Temp\XPPWLKLHFMHXKSB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHFJE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HRNIYRCSCRSPYKQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJPUFD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OGXPLGWQBRAQROW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTRISLKMYCHVUG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JFTRISLKMYCHVUG\service.exe

"C:\Users\Admin\AppData\Local\Temp\JFTRISLKMYCHVUG\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMIWVH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPTGKGEUSJJLGCD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe

"C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempORSXE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NJIVCLVTDYKEYFV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPJCHOXAAOTLTHR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WPJCHOXAAOTLTHR\service.exe

"C:\Users\Admin\AppData\Local\Temp\WPJCHOXAAOTLTHR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHIFOA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLFPYWGDNHIYRUV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXQWIE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YBLRYKAACESNMHC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe

"C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGWJRA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NSXDECKCHWVJKGE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe

"C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXTAGD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DRHVQOTGTVAQJMO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLDVMJDXNOLUGMR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DLDVMJDXNOLUGMR\service.exe

"C:\Users\Admin\AppData\Local\Temp\DLDVMJDXNOLUGMR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQRWDE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBLYUSCXJDXEUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJSNWN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KXGHSYPNRMUIJCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QIYHPDDEEAVQDKF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\QIYHPDDEEAVQDKF\service.exe

"C:\Users\Admin\AppData\Local\Temp\QIYHPDDEEAVQDKF\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYGOGD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WHFJEMBYCUSBBVK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQLR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQLR\service.exe

"C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQLR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUGEIW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFRSNLODRYITYI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe

"C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOWOIB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DRNLPCPRMFJKTPC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe

"C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJUSRV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LPKSGHYAHHQLULA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXOJI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXOJI\service.exe

"C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXOJI\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMPRWC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBKYTRCWJCWYDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe

"C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHIFN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLYFOYWGCNGHXQU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKPXIICWADTPQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XARKPXIICWADTPQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\XARKPXIICWADTPQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCQXHS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KLIRDJOACEQRMKN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSIBYAHQGMDULAK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PSIBYAHQGMDULAK\service.exe

"C:\Users\Admin\AppData\Local\Temp\PSIBYAHQGMDULAK\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQVGEI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HYQMHXRCSBRSPYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe

"C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRRCWV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNSPDPAXDVUQREK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQQAXMLMIGNIYLT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YQQAXMLMIGNIYLT\service.exe

"C:\Users\Admin\AppData\Local\Temp\YQQAXMLMIGNIYLT\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUSBCV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DSTQLRWIFJEMBYC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe

"C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPYPEN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MIJURPTOVKLDKLU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe

"C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYGUTF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "REIECSYQHHJEABK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHAE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHAE\service.exe

"C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHAE\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBEFPL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AVSRVJMIGWVLLNI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe

"C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempORGUC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OPMVHNSDBFAIUVQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe

"C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVGFJW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGRTOMOESAIUYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe

"C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDMDHV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GCAQWOFFHCJWESR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GUQTWUXINSAFCRR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GUQTWUXINSAFCRR\service.exe

"C:\Users\Admin\AppData\Local\Temp\GUQTWUXINSAFCRR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVASWR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VVJKFDGVJQLQAMY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe

"C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRSPYK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DIWVHQHRNIYRCSC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe

"C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWCUYT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWKLGEHXKRBMRBO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMVEAYOSXEFCLDI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DMVEAYOSXEFCLDI\service.exe

"C:\Users\Admin\AppData\Local\Temp\DMVEAYOSXEFCLDI\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDGHQM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XUTXKAOKIYWNNPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe

"C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXSRAT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BQROXJPUGEIDKWA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QSICAHRHMEVMALB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\QSICAHRHMEVMALB\service.exe

"C:\Users\Admin\AppData\Local\Temp\QSICAHRHMEVMALB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSCRSP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LODJWWIQHRNIYRD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAEAVQDL\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAEAVQDL\service.exe

"C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAEAVQDL\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKIQCJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIRYJFAQJKTXYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe

"C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDMDVNJEUNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe

"C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCFHQM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUSWKAOJHYWMMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLC\service.exe

"C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLC\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDXBMK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFDHCKVWSQSIVDM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe

"C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVLXIH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAITUQOQGUBKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe

"C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYXFGP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HWXUDEPVMKOJQFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe

"C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe"

C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe

C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
N/A 192.168.1.16:3333 tcp

Files

C:\Users\Admin\AppData\Local\TempBDRNM.txt

MD5 6fa2e9edd5f1b2cf91a50fce556ab425
SHA1 1ab599c81af314d7fcb5d71ade64ef1d6af90f9e
SHA256 c64127a4b8d2e39e1d2b59bafa74f26d532ab3407d4042e7af966ad7f26bdc9b
SHA512 8d2d9ad81c5636ca916f7d12af80ed05de97e7411bbd0f4a85be43d138ffd98af725384d6fd862af3eec97ade67118341d848f504cf4c8b21405be4bcafb7fa8

C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.txt

MD5 b711b37fe1827d094f49245996fb6586
SHA1 f18cce62ba76149d0212f74818cba48753a8cabf
SHA256 91ab007af9df49861eb0b67a580eaad8d44c768260621a8652b1bbf2b1fa88bf
SHA512 9c4afedc3a8ba4972bfdcbbdab53cf7ab50a62dfeeea32c43544a3a86e57081dc2671ee861a8f946cc7e615fcafe7eb87c7548289f376867e61aef9fdef0efa6

C:\Users\Admin\AppData\Local\TempJRDJO.txt

MD5 c84fae6cade4418f510bef53dbaf1202
SHA1 adc0e9b7e978c8a8835ddbbd3a0ccdd21f518bfc
SHA256 242708153ac165985ebed0a13191950afcf8d69f8300d912acc4733f1ae12acd
SHA512 4b9b9a4a9dfdff6b4d27fe3e9a1cd53df4fac54e602699572cec0539b463d621aa782f47a490e46521cd1d754b5c076739105d33785a62ae058799dfa43f8846

C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe

MD5 b5a004240d8425c443afc35bcc398ce3
SHA1 a05785b0d5448b95bc1fdb8d54356e51a2d422c4
SHA256 5208baa58cf7293e68ca4b2ca3e2a77e9abbd6cb96e725b5cc5172164a6a4223
SHA512 a12ebb0e80c4c328814944ff442b166ba55e0acd7a71439071b6c82bc7c095522eb23cd6cd262ff6dadac5aabc8557bd1b2b090909b2e7afbd0e3eccf97b4355

C:\Users\Admin\AppData\Local\TempMVREB.txt

MD5 0e84f3bcd40232c8eb14e54587f94776
SHA1 e7648e0fc12856e52efec01dedf8cb4eba0c9953
SHA256 ea568b80a63a5b79adc0dc2fee080588c2e7f9747730bc2a2f019671618ce98e
SHA512 7da9c91d583165b2af80ca23f0f398d5a56e10c2a4d07729c36c2a68b260c26e65b4722093bd03a59cb643348b63572aa12827b92e832e1abe290e60f67a6f58

C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGQH\service.exe

MD5 01840a4769bcdf062394f921450ed1ae
SHA1 2366cf740817c952f7922f880fa134dd32182031
SHA256 4dfb87fbf88fbb5cb887fed09fedc76c505fb1289ec8049a895cc3baff03b5e0
SHA512 5d4ab327a4f33d9d0be01313e69bb55bfa6796e324366158fd43678d33e7f822d5fd17152748f8bf788a7f8d3d52ef5d1700b7a1d9ab4c3a236f58616157caf0

C:\Users\Admin\AppData\Local\TempNIRIG.txt

MD5 826a20596f6976249332de226c6cfdf8
SHA1 3f811f098b3e8445eae5da7e9dcd98b2ef5177e8
SHA256 bce12e777216230c396e60c89fe1ea2bb30f28ef17900ca1c037d7044f519c9d
SHA512 098f41014807cd5573eef56262adf36b0d5a5082afdd760ce5e07456ab1a7935a6a53b92d4af07f9b42fadbff0a693cbfcf548c62c059bfe26828e5f9745bd17

C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULG\service.exe

MD5 a22631593e49a69770ded955ef90f885
SHA1 2f5ea65ab98f5f586ec1f2ce40a5e34f2880ec38
SHA256 02132dda2c1229ec1f370967c88020593f5c287b21ef25a7e1b4b1055106e966
SHA512 4a91fb9b1a318854f58d2a203639cf82d8542228f477039485db226ac55b6e589c575fa584e6db6b349bb25765ad43bd7c58f45e638d24c7db6f51a14fdb0c23

C:\Users\Admin\AppData\Local\TempDRYHT.txt

MD5 adc7a0d1c28b95fb10bf331628342207
SHA1 af786319d980e4cd7f481e0208bcd7265b0cb1ea
SHA256 f5070ad84d95dcf703f95455d7a0db0c2f4c552d5057674ce3733f01ce60b207
SHA512 679455ebb23dcbe3334b58bb48550a2bec1585b3982b1d6be020fa74cd7e1fa03e32e9b33a4eb5ce741a3dc1d282aca4868bb66e2d13177354fd36cfdc797919

C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe

MD5 3e48773f7ac1202516147971509dd11c
SHA1 9890451919153cd9bab36c6f5ac54cbc5f1faf0e
SHA256 5538003bdaf9a280948775fc5e9ca935648899ecfad67cd0efd183626133460f
SHA512 7ffaa38ca6f1d04cdff3e0a5bc8b220336c8b68ecd64ac0c091aac93d5cebbb2a89d60ee7f26b2e99e78f45403fc6e6ca72b7acf92cb5ee74f7c3667bc2060ad

C:\Users\Admin\AppData\Local\TempOPYUB.txt

MD5 0b6b760849c7bd9de74e64f9c2f3fdab
SHA1 2ab2b28c12975c0a6748cedf34261ab55a4c198b
SHA256 892339a1c3d9473d0b7352a4a7cfe9607924df83c741dcae24220c92bd2a0b2d
SHA512 9317e2739e7b523a31e1382fd38fdd9eb0498cba45c091c4265a3f87af2c66379b595a1af65b6754366f0f061c4753c5e67710f7340fe656124bf6bcc2c12f60

C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPMVHN\service.exe

MD5 9f0fa15911cccd9a450730f1180f0b13
SHA1 eda0b14882ccf493773dceb173a97a206b69488e
SHA256 6b8c4bc8f9609a45b324f9823129e18ceaa84e7f18df9dc1ba4d173fad406d3c
SHA512 9e5de86de04942da978483ce77cbdcdc57dbe85ccf3c8ff685f3b6387eaf659e92694f0866780c5fa9d8b9e42784f86d798923a32efb68853195b285aeaf4ac0

C:\Users\Admin\AppData\Local\TempYGOFD.txt

MD5 af522a5ea303ea851c24f9829c421740
SHA1 f5a77928aac462afe7f56199ae8de75e032481bf
SHA256 5ff4f4614539c82da38c5537d8ffd56163edec2b1dc2af8e41cb98e7baba0a87
SHA512 9af85c64ae72327555a0065d5206341edc93838d6fe49e41c95459add623c79acaf9803a731939b1a77526b7084d39ca62255c301550f4fa9d5ac776e7a3e183

C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSTQYKR\service.exe

MD5 f33a936a804f16d5ccf7ec6c1579c0ad
SHA1 a2014dfe2720d2d02837c34a65cc5e8471de06af
SHA256 0e3b851354ed62584675d3fd9a0eaeb6049bdb194f16e1fa3cab06166ed0f6f3
SHA512 3abb62e96a0f6d39d96e5f10cc48a52ce561447ee3e0b071da16fd2889e88fff9215ece5542f1247ff5e5cd95cc3cedcf2f80496d4b79ecf2b43e927a69709d2

C:\Users\Admin\AppData\Local\TempQBVUJ.txt

MD5 7b79dc7eea216022d53f393972e89b61
SHA1 0492d08361efc368281d3dd53dbce45872a425d4
SHA256 d579c56a04a19b8c0798f0fbf1b2b097259581aa491ac42af34ec0eb085feb37
SHA512 59be76023f9d1fb5af5f9119ea61169b441fb0127919767e4756a2b8b300a0de9d5af4b13f5d9ae70270c9e3211d840a30f291cb69a4b980692bb2b753468f0f

C:\Users\Admin\AppData\Local\Temp\XPPWLKLHFMHXKSB\service.exe

MD5 e8da65d2bb8c494d853e0667c17dc2b7
SHA1 65d2f7da8dc88525ab56ce94cf4d39af00a3fb19
SHA256 fc2f17030d74479e84fde7c69dfad47369b3f7220289c3dce7f89fbb0f026ddd
SHA512 0951ae082c46daa3a671171382803c510dc77b9ce3ca79f4e4bfbd9e9cd30f7120a03de6b13c01945a805387039d83588063dc15a2fea477fe25c6df6e6756f1

C:\Users\Admin\AppData\Local\TempVHFJE.txt

MD5 ae509edd5dcf523ca66bbe9a385a6970
SHA1 755cc715ac1c910495d7ebe4938c14b5f3a5c7c1
SHA256 9a5316af50370d0e410c04f1e2dee52a446f21fbd412097d81d3e9662df06afa
SHA512 cf52c4cc6246f9b4c0dfe65559a2ef39b1c8e909a7d245ed77e46f696a37ed42241bf097e01809258ecc10003fe2d7fce68f874bbb3c29530b0e7c69fbbdcfde

C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe

MD5 a6d0bf66361dc01a9a2343310b1b1d69
SHA1 3e30d106ba8a5e284b7dcad14304105ee0cc02c8
SHA256 1a4631951129a3e3a5c74815b3c70145d27dfb6dee1623e1267e8e11f0284ea7
SHA512 1dec0647dc1ca6a11b58e70825831c8f346b7a0294747cf937b91f00f896dccb8798e9c7c97ff2b55ca391b428c26e9584c3f7a2ea0f4c089c1de7f9674439e2

C:\Users\Admin\AppData\Local\TempJPUFD.txt

MD5 66097a57ad354205f527a8611e0d521d
SHA1 b5dfcf50ce1b17eb8d280c2b7d991c23b79ee197
SHA256 8abdbf15859cbef19f04e689075848a98e404baaf4de37a50abce37b230380b1
SHA512 ea74eb331a4ee32f9640b0f5f205269d6ec5a8b9605a25ae964602064cd8a574caa2a716bd2f0dbd46b0d9b3c1619bc10751aa11ab4af06d2ed42fb3a9a083d1

C:\Users\Admin\AppData\Local\Temp\JFTRISLKMYCHVUG\service.exe

MD5 f7fb5bc4701114c2eb8502f4c7ab3c53
SHA1 731fd52eb645028840530e94fc60402e5d2a0191
SHA256 a1eba8a24282f9ef1dbda69459626603f2b4940151125246aa2ddc9692f62a62
SHA512 f4e3f28a6daeac6006c1e53cde9a4e6f4f437b2c70c8ea32717d63ad4ab46586d7a3ddd4ecc53277e362c94784fde3dc029ccec57a29ff35d7099655765bf7a7

C:\Users\Admin\AppData\Local\TempMIWVH.txt

MD5 744a5026709d2e515773358787335ddd
SHA1 30e8cd8484237258baf44dbe7519134890471634
SHA256 275ff9d4af6a5aa1439bb2288cb5bb576546130da74f614bd575738da1bb21e9
SHA512 7f2de32cf6b2874543a0c05b18c146bbcc804509cbd040f66d6facd63d56f0a765cbc9e14e513cff32fd8cc7d475c8532e11fa135fa94f76c233b369eb54d33a

C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe

MD5 afa78eb7d384e992bc3d2eff53715c63
SHA1 cea87f221bea8e3d463876c3f5eb8b77d1902bcf
SHA256 1972ec40beddcc0eac2e7677ca0dccdf4a6d864725e770a26aca7ea37472c80f
SHA512 06da14957dff1c7e4a82e3d973175be30ce9e9e341e3849d03a24958c3ce24fe85ad3bcd3b9ae62f34950d1f1a22ae511e17142f4aad738a9d1de29209401b45

C:\Users\Admin\AppData\Local\TempORSXE.txt

MD5 614f1433fbe565374413c79c491fdb8c
SHA1 27c042d949d3310e3ed482df360a440af8a95976
SHA256 f6feacdd588ebc36b5577beb6494d1b972635898ab4df10ce41848ffee437ae0
SHA512 082322c1cb90f34383487526bf7602b1efeea9053b3dbcbceb1e7a48ba56c3af52dcab39e6d8a717bc2dba9fdbf9c3a7bdeddab42cd47fdf0ded97169328704d

C:\Users\Admin\AppData\Local\Temp\WPJCHOXAAOTLTHR\service.exe

MD5 faa1c13b321003440f1894417b9e72b3
SHA1 60e4734f04f3b62849693412d2b84af2ecc26ab5
SHA256 593dc4bfcfe9b10423c72f927ec51c93e45a698a1e2b11a2de734d66bd09e6b8
SHA512 09b89b813ec9eed289cb0562816243d034d553c70ab1f4e1b828710d5e8674b7db208f0cd17417a88aab7488f5c910e9230bf9a3506aacd46d11fcf3dadae0d2

C:\Users\Admin\AppData\Local\TempHIFOA.txt

MD5 65051c70fb370f0677d286ed2bb6bbc2
SHA1 fd7d7addbb9b886bb624ed5943299ac1b5736fee
SHA256 c057dd885e2c0d5fcc08c30e83f212943a4ed1ad4f301dfab2d9ccf2dc6e6aa9
SHA512 fb891f6c8f8ff0921c96a17fa47f43136c5d4f384d954d0ad325c903f54990d96c1efee4f69b79fc267a96e87157b7dca4d805799d9f05a0584b1f020014e145

C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe

MD5 7d469346060ba30733fcf972d3ead2ad
SHA1 b41f698ada0483ad44ec54b5b802012d3c68b325
SHA256 b055c8829fbfa74df9ea916e0e4e74d4f34fa45fd49767fc9c30898ed8467e2c
SHA512 4f6f76e1b883662ba8618425c807e4cf85bffe16a78e607e41184644453f4a3e68a3e10dca96e98eb363021df99208a31007be8869045ab707c304effe7ef0e2

C:\Users\Admin\AppData\Local\TempXQWIE.txt

MD5 8cf657ee18ff90831120c9ab8a391242
SHA1 1b5943769649c6f011a26190d57915b340441fcf
SHA256 ceae3950d64bdd606b5d177cf82023520e05aefa538ae9752dd66875e4bf6b00
SHA512 5e49079d50c85bb2c15d893dc1bc7033792e420ce86a3c43d7627c89ac3ad50cd46ad1e42ea2e64cf0acf4a1499165cdc047b34bd06e3f3f4fd7bd3d2929b23a

C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe

MD5 0e8bbf799aec17349b686278849c66b9
SHA1 48f976a6189278410789bdeccfc7854a45cd32fd
SHA256 d7c9ee3f5156b2a6ce7fba1367716193310fcbac616204b24f4fdda6ac36e388
SHA512 fbc38484c8b37f518c6f1e3d2d4e60a5096ffa08cb17acdfca5fe02e0991332682b057b95d564237bb614e403e0c13b5e5b22b04ab12f22331a72818fa39c969

C:\Users\Admin\AppData\Local\TempGWJRA.txt

MD5 aafa596022ec916e16d728991c445f33
SHA1 b74870573178579c6257ffbbc49ad226dcb9737b
SHA256 6a3917efbae6a89e372b72356fde1ddfc5a6399272cbbb25881e107747c3fc69
SHA512 18e061d778bd0655c293d67b05b9723028aff20dd932e26af826f50b3979f9e0be121eb5e9f95a1de85b4c47ce25fb60d118ce918ab27e8cd194d34730a9c7b0

C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe

MD5 b4073c9280e41ad9a573139efa7b3542
SHA1 ba95c3f00e262aea13d50db17bd0c8f4de9d5740
SHA256 8664ee45d8e448fd1f3df051db89acba3d0367dbba737041e5e574f2174345db
SHA512 39461f6c0efc5e0c02833287345a0575e855d3f19961292ac0fefdd904ca4410c89acc1005c1894c1f6c1bbb0db5ece131a34f50957575415ab741d86dc9155c

C:\Users\Admin\AppData\Local\TempXTAGD.txt

MD5 3cf525dbf29f25f34df23201d08fce18
SHA1 0890f015a03ebf0b241fc3f586fbcce07e080662
SHA256 de0703967a2d9f0e376b5597e2c3afc2db7bc40ed7762a64fa4abaf1ae30cc32
SHA512 8a97f87963b63ebfa214e5f4a76ba01c89ef2ea4ac686bb3dd879acd6af7b1f28e1c1aa08fa5fa295c0ba57132135e5779623078fca541816edf973822504ac0

C:\Users\Admin\AppData\Local\Temp\DLDVMJDXNOLUGMR\service.exe

MD5 93f619453f1ab2ccfea52b733177724b
SHA1 50b181091fd2b625ce72318829d2b19a644cabb0
SHA256 4bb6aaf5ece3c7d885ae2161344ca2600b12075b933b963fdc59643775087948
SHA512 bd2cbbd7a339586748d58c1a489d95de6a99f17d953ac5b9e5051415ed6b24d96fe5234716f67e7e580c08ee877f5d04cdc1356e3fffea33cc9fdcf439047637

C:\Users\Admin\AppData\Local\TempQRWDE.txt

MD5 9b570159134045325ae16d82147020a5
SHA1 5455f8b560bb5ab16f9405bfc031141c4dcd1ad9
SHA256 a80b5e8717edf443f6577ed46e4370efff33d07b477f8b753726a958f36fe9ed
SHA512 e26345a5f1806f93766dd7b9d00b1712e16a27f11655884e3e27d26a7b932ff95cff18bcecb5b0560fcaa8e15dd773f44924bc80b3029418b0c3229b1a13c410

C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe

MD5 d6eeda45170c43449f0b581926883578
SHA1 769e69a6142e83ec668259a5a85717c6381e7432
SHA256 6c8e56b9a796c4aea0c4cd89805b57e16cdfce4c378e084e06b69c5e92031515
SHA512 80495f13c7b650c653c4c09a6b81255029577f4eb6b0fa3af29573d7316824fbd1ee995d8c3ce3e8eeb210130f6277ec91333426892168c4b107d2c20bc9b695

C:\Users\Admin\AppData\Local\TempJSNWN.txt

MD5 3aa1f329efa98263ae6cc7490d68de80
SHA1 a1dbf8a2daf345103f9b40ab592015ecd1bf2247
SHA256 7f36f38822581f1e739154d1aaf807c671e26fa73e6507474034732ea3d4b61d
SHA512 7cdd827d7dd312388aa55eeb73a0e5606ca1b48eb3c8c954f16f31b6ac24af788f9a47cda3283adc6179d7b7a5a9ae9e33b40444c571a50a8e7dcd61ebc2a4a7

C:\Users\Admin\AppData\Local\Temp\QIYHPDDEEAVQDKF\service.exe

MD5 0a0930eb722649f8597f11af153f4e73
SHA1 bdea61cfc664cee5be455963a119e0c243e380f0
SHA256 ca24c5374a07dee14a18f64d7462cbb556e0486448b7f093d9bb9da95424ca87
SHA512 148933ccdaa587dea5dfa555c2d022061e2eff2a61fab7bbd5a501d6e13ad37b27d6537a2c822553b61f062ba842e23fa20e706bcb840f9f38beadd3a044897c

C:\Users\Admin\AppData\Local\TempYGOGD.txt

MD5 4b6b4213a6274deff4ca98e7bb0fd4ab
SHA1 ad0b1b25e8b71b3c14c40e8a064d72aa88e3e6a4
SHA256 b60d1d001ef0e51c969f6f40e26bed2b518e09345230e104370aecd4a1c5b7b7
SHA512 b490f77f739a0d4e8f2a3f37a68e67c133a44ce9191343044910f23f8add242c4e9e2d5f6924e501a1058c71bc04b21f9fa18cd5ce3ef734be68d4bddf90a1fc

C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQLR\service.exe

MD5 6db66dcebc78552254bb4b8a02fe372f
SHA1 524a1e5fad999138cbb3d0fdb4440bd3325b3e38
SHA256 a22cb7710ff5f4910142ba36cfb2b4fbc1c317c92c06f12ebac7548c86499524
SHA512 fdb9725855823d7f9fe2488da0c410bc48f412d21d3519a9ece2b61edd548d95e3d547ed7c9a49b538c9ddb3e3cd4b8ae559771cf8246e1b041486643b02f567

C:\Users\Admin\AppData\Local\TempUGEIW.txt

MD5 54b154c0074045c0b65130047455e866
SHA1 6cb37d98075d62318d5dee038e950d05cbb0f5db
SHA256 2d21b38c4c487ca8efc5582b062d720de64658d9ca8dac2fa857c4148d206695
SHA512 cc53906aaa17be744adbeb782b13989a44d9cf77a3b3e28ac6f616085318f9287bd5bef1ddd208628244556bddd4d4cbb375dfdf1993c959f6c0ddd57e406f96

C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe

MD5 dc1528587a43c4c1a6f607ef822c1536
SHA1 fe5bc1ef92bde67fec479f475cae6b47215531ea
SHA256 d2164cb270f0595661850d582aa2ba8510fbf3b8c32aa4faf980a5c094f88944
SHA512 c5089f8fc2fa6a3b87c75de641be693410465f627a3f186f3cdbfc0122c747090018a7586b34e7cf8ff3d3aea4ee6b3cd230eafa0010736985fe7b30a1a87f3e

C:\Users\Admin\AppData\Local\TempOWOIB.txt

MD5 8c6e9ab42638a703b50323eb4618a1ec
SHA1 5f7db0ce1b8a409aed54ba74a07dc14aefa4b0c2
SHA256 b481ac9a779de2bba017d298d5c89b027bd384a8acfa73d39b2452d402a9cede
SHA512 2f573af84dc17a35e21972d2a18bde3407b9a18655d195b23c81ed91c641309d3f65c1135b2d908d0ce43c5b2779525e471313863598bb09a5b9529e57a5c7fb

C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe

MD5 d4fce83e0f10002d817251788de66bb9
SHA1 10a834c23b5cb11aa364a4c4901851adbe6bb358
SHA256 a1295835b81d680455c358c86c6355bc4b99950d49afef7367c156f10d2e19fb
SHA512 9eb7619e475f5257b0b83b1c35129d08b0b7ce7e7ccbf439bb717ea920a2f2ee072ea251739bb2f7d33030a1de868bbd82a4700fe2da90bcedd22559efe7087f

C:\Users\Admin\AppData\Local\TempJUSRV.txt

MD5 1ee484831f631cf02e6151a3adaa385a
SHA1 9021d396e9d54d48211446a539e7913e6c3de55b
SHA256 7c533bf5a46fea75032fe6c4ed8a3cae26ad9e3fc767ac9dd6bd48c775d44279
SHA512 5476d0cb15e0a1508556b8dad1a9df0bfdf4b6fe93e9cdd92d03a9fc88769f76de78634164b49a622665db052b630e3b02a1c7bdd6dbe185dcf75de78a4ad6ec

C:\Users\Admin\AppData\Local\TempMPRWC.txt

MD5 5826b21bd1acd9827aab11fa4ae96f80
SHA1 70dbcf9b36551660a8101cf41b3d223306a8a912
SHA256 4837e9f3bdc83a08cb1b271cf3ec8df340f9f366fc4f3bc9398a1c05f3251f0f
SHA512 961b179a7a08c6548df904d249a39055fba8987a5d76a2d8ad26c717472b61797dbefe0a8079337d26551f6d19de118c4fccef25f6b90cb52e84ebf030c841d6

C:\Users\Admin\AppData\Local\TempVHIFN.txt

MD5 bae0445eae1984998b8e8f2e95d61fcc
SHA1 d52837b67fd0715d254589b0abbed61a9e240601
SHA256 16ac196a027a14185c2aa74a7b35d47578fb80583f7f4babcd910ac11c386334
SHA512 98b89bfc0f41a337748dbf573b6d84bb7939cf60b826e2db94b2095aa385d9af350c4e61be9e4d1fe7d9a9b8efda6f94678ec1e3b24666d5f68e7866e04fbb7f

C:\Users\Admin\AppData\Local\TempCQXHS.txt

MD5 5037eb92e66a2c05e7d5078a8a1143b1
SHA1 4a388c5871ba342bda5d0aa51ad5bae27b732d8f
SHA256 382df9b3a1a226397b05dc0774a41a46a3b28f8be91a16cc62b23c3238f1bd93
SHA512 63f98ee3fc58a56a94d7560a88a356fa0d2d39d3ec0826c868501b059b8b7175767ec3a01f9605bbbb98caf82d54830cfe7e4893018cd20420db1bf72850282f

C:\Users\Admin\AppData\Local\TempQVGEI.txt

MD5 3ea11b70a23cf32f40c930d247ce49f5
SHA1 f47f06e80b041991b8c9b357b1d3a47a444e4014
SHA256 ef2e242f3d41094edc4a8f7a42283fb7636c3c91f25adde5b661524547fac631
SHA512 faed7053581bbeb36693940f324188a4b63c334f89299fb9ed5c012aaa87caa177648a9294d67140f01e0c485eb976b8af5289fbab989d6cce6ec7bbd269a8ad

C:\Users\Admin\AppData\Local\TempRRCWV.txt

MD5 4e1bd99e24df2894bc8d6ca5770c579d
SHA1 5600d1a3f6c3e7edaf7cb21e2140548cff9f83ff
SHA256 690c45e0963cb87f5a01c5c56b9496fca439f1f82c53d6654610568c599f89f5
SHA512 5c7484f19badf65018fcad73d0ef6a292b959eb9e8bf810748b355595a96085a59910718377b07513c7ac4d688582bee7058b382934d10caf591c83bd820a5de

C:\Users\Admin\AppData\Local\TempUSBCV.txt

MD5 1bdd43fd176c6a51eb3d368fc62a282d
SHA1 b8686c37cf50a944d5a573a09735f54f7cfb1459
SHA256 3e67c3f8a8e5cbcb8bee910de4451b20a5fd975c48cbdc3f454f01b6865752a1
SHA512 b9c52bb7f4caafc7f3c894af10b6b7a62a407aa9944721d1a4eac4ac1aeaa219cf3d5f172c1ad42eb68dabffe40b8b1a561bf1a6d9176ff63bb4cea903e23a9c

C:\Users\Admin\AppData\Local\TempPYPEN.txt

MD5 89e522433b731c85139482d45f788ec2
SHA1 a7c7a82cc9f450613d5574eb9516b8bfb3468c7d
SHA256 b813aea977c0e97dac7254217395f1e7c8fc3496a4c024320c9ed30d6ad5ce5f
SHA512 4a8d39ee33e7d49146e2747bd2d432fd45bec1678e4c8cbd97a86bd5f27f3c71dfae1df8c94e801e8a1b14425d91e8b94965302c786e9443a1378e54835f3e52

C:\Users\Admin\AppData\Local\TempYGUTF.txt

MD5 1fb3aeea25d3ac5c3b3862b15b20e5f5
SHA1 59debac864640ba025d397706c2f9ca73fa8c95b
SHA256 0f48fc9fdbe9a498dc66e95000b6ef3afd22994ce4102a4de6445baa77e7be25
SHA512 e7060eb7ae87e18ccaa49c6c04ec0e61a2c4cb259572f8e2fc57c5abcb942bdc4e6b9f7bf739a1aa0cdb33fde64bf482bdde01e2a6c16c44cf92927b26a4512a

C:\Users\Admin\AppData\Local\TempBEFPL.bat

MD5 5d5193981fbb091f2db96343213a1540
SHA1 ff915d08eb74f807c0f4025cb9328452915d57b4
SHA256 0507bc248992b8bb2868f818afd9557ee243cf4a23ec0600dc075bd545593611
SHA512 22900c727121acdd2e26815c64739c26e94de8e96aada530d44006b47162cefc8200b44829f5da5a3332e4227738a6fe2dab62772ae5987f7521a971bae2dce3

C:\Users\Admin\AppData\Local\TempORGUC.txt

MD5 6fbab6998ebcde0fb2d77e94a8d48a4a
SHA1 114790d9ec86e848a0320b012114fd1ec8a9ac72
SHA256 058bedcbeb05b6ffe92cf33a62a3ba718497ea8a9c478fe89beee82b3cf188fc
SHA512 43a73aee74123e2d2cb687c80ce6bdc52029a1537f6f8a7c4beab9d011cf0d2018a6aed97f97217a2f16b7e7e06cc95f0004c141eefca656432c285c824cd0b7

C:\Users\Admin\AppData\Local\TempVGFJW.txt

MD5 6802e1d742b92a5ca7ef02f9db16d1cd
SHA1 d034a1fe579e06e2b8d5baa8e2faa42c1bbbe37b
SHA256 513c6b684727277667bdad458fd8639d2d243c797cd6a6a8242fb299455d6628
SHA512 a35e9c6b2a954c0dc6c8edd5317a28c1a0382f9703e36f4365bdee7439d952d0d887f53e12a535546fc4a3f3078012ba567131d050095cf6d3e9fba47891c44e

C:\Users\Admin\AppData\Local\TempDMDHV.txt

MD5 8be720d3cdc5c62641df5ef56fae71ab
SHA1 a723734b68a48265dac3e7eefc87d0561c1dfaf5
SHA256 b98594696bf6f74fc972241084b34888a162de79897092e79281a2747136274c
SHA512 40b8586595edccbed2200722990d0aa933bbee9735436083a586550d7cff6db35d986976a1de2beba0e7f5314d1b49294c88e81682897c6dc1ab13a4b9b1d79c

C:\Users\Admin\AppData\Local\TempVASWR.txt

MD5 83f2239c58729035bb37f589e00bb176
SHA1 be8a88b50229293129567784e029ba75c3780898
SHA256 22be063a91746ef1516216858887c5d1e2f5679bdd2e5a2a7415cc3d5a2d2911
SHA512 7251675b46a0e88bbd86f1ecc2c4bfb14d6722044f32cf753d398d90cde7f0fb8c19958e8c3b9a0c9a1cec3b1cf367ead99504a93a2bf38d7faca75d79100573

C:\Users\Admin\AppData\Local\TempRSPYK.txt

MD5 7de2ff60a6715c2a2852ea89a4475ae2
SHA1 4319da27bb462d257abd0d1cc0aaec15d669f255
SHA256 59e987f8f6aba48305c22970867cfc80a2ec7283dd22a3504d10a824fde3fe26
SHA512 c6e91b2dcdc34d856fc81405f2056b4b338a523af5bfbfa136ea76cc188be88765f48fb929d01f2b58fe1c1a5131d8f1523b09b9a9dc1d9a0bd3d12c04616590

C:\Users\Admin\AppData\Local\TempWCUYT.txt

MD5 37d8942a5ffcb254da56c1cd09b6dbb1
SHA1 7675d4b9064da26c2f4b8caa977a6b486071b367
SHA256 442bfbedb2c1887a9a772b7fdc5a054cb086151bcd66bfadc8deee2cd8369cd7
SHA512 c257781d935a2474813176dcec7a7f60616ddce6a1956dec158a1763c16eee624d8b336007d2fafd7715f7a45bf7a2bbbb3652d9228dbfa8c0c04027e1d43324

C:\Users\Admin\AppData\Local\TempDGHQM.txt

MD5 0a642b13e305d30ca155412d35b152af
SHA1 781496d9955791faa48807abc37e66baaf0169f5
SHA256 1da282d9ea78c8ceacef47f322ce5a859f7514d84cb168119c85ef6bc174f797
SHA512 de8b280b6b40187615fdf3ab82d65a639c3e42251508328f6559a93b0e6c4a1b9b37b156b10f38c7dd068213d3dbe2871b1ff73670f056531fa4f76648df8578

C:\Users\Admin\AppData\Local\TempXSRAT.txt

MD5 7b71f34c8208404aa2e362f6497994f6
SHA1 a639bcaf7db18b375c7cc0a497398637f607880e
SHA256 22eb4aa65d75d6bcb1a5130d699d34e07c75e3a7dd4f398d46caca8422bf4a51
SHA512 3adc219828e23f0569daeb14fd2f9bfda9f24f8e441a7204fee7003ae13287f873bdb417092b1671c79a8f54836f4969b6b31eac362006094dcc2331f519e165

C:\Users\Admin\AppData\Local\TempSCRSP.txt

MD5 eb7cc1ad6286fc8443777b3813b1220c
SHA1 b1a5fbb6caf2316ee52dd09f487ad347ffc5def7
SHA256 beeaadc6ae05d441e5ca5b64a4208c2f80dda8e18640860d49757abc77825c88
SHA512 5257486001025dee01d7c7a2f91b9b18c29a2f3785d3534d05423b9b89dc2eef643956d843efc869abc5e9d27bde677b238c68f33d034fca92135fd579fb1dd5

C:\Users\Admin\AppData\Local\TempKIQCJ.txt

MD5 3bf0ca3ba9863d35e7db3e7b2cd31b7a
SHA1 ea10955b351348e554138f493d3a22c60c44c2cf
SHA256 c4c93341d1268d21ddea7d6132776d3ae6d2cbe38c232579852cd2138a68a764
SHA512 d062c276cf111712a5cdc8a6ea648b1bf4d2e2ce312be4235dec436112234f61e43693e9dbb8850e35a050b9fd978517c1ec2bc6e7b8fcb4ad03f490d50355fb

C:\Users\Admin\AppData\Local\TempUGMRD.txt

MD5 b22132539dd436d0b5e7e9332b303beb
SHA1 816341d0d9bcc592a70cbf867c7ffc44b75c0544
SHA256 1f83c1c4e9fe62a8c51b5a794de6ea2a1b46fd3caa7e303c13b398f4c75a3058
SHA512 31ac6658660f0ac369b201e3ce563658ef64a9b1f53307be642acf7efa1c88ddd6ee9208a5a3c2136a60c5717eb63f4ff11d66e1df1ff932a26253493e0c47b1

C:\Users\Admin\AppData\Local\TempCFHQM.txt

MD5 19b5c504d50be17ed858500e872957be
SHA1 20714841324a86dacfed2fdac8089bff4c7a1f48
SHA256 1a6c9ce78a7cb656d62451f28e019cdec09c8e8b0344fa7455a2ee4ca50e3ff8
SHA512 3b312ecca4648d257da7419e8dd6554bf19a6992fca64a578d425f385c44a5352001505916725623603019a4d2ba229a811823ddd23599d85c2018f177c32d8c

C:\Users\Admin\AppData\Local\TempDXBMK.txt

MD5 f2cddf9b4c6dc1c004b21edafc8229cd
SHA1 29cdd639f4c179567cb348866c5f6e3dba09d708
SHA256 8f24551e222b7f71fe5abde2e4f575e531c22c7b9d65a5493adba78b9ac040db
SHA512 e2bf4e1ecd1e3ea9c31b09da90f2c7fc0c3b0f826f5ff4ed820c793f892fae68af1e6bca0a8418322ac629f765cc873c5ff81fbb59628e3bdb06d93fdd59b0b0

C:\Users\Admin\AppData\Local\TempVLXIH.txt

MD5 38582d0b8684e515acc8a0b855142358
SHA1 091d9a23d9ea9a7fa0a7583fc3233521f038d3f8
SHA256 86ace41294290c8dd92509de6b1a6245e1ac20c41f4f1d7501be7ee721223776
SHA512 b5b207d182e0c3b8ceb79160238c24e6af6c482485d77c2b2b4bf0130611db60c503c2b1f6bcf4220328862c7ff650a3ac4f508dede00b8e50e3dcd92241a633

C:\Users\Admin\AppData\Local\TempYXFGP.txt

MD5 8f13886a6f8f3d09c63c819d864c70a1
SHA1 adad140373f9a9f5c6fce07572c4e610c1b389bd
SHA256 62dd21100ab5ab21968ce7b9984e867875dd229354f5d78cfd2b8cc8a4614434
SHA512 17b3ba19af960f32a632cf16c12e3d5bdfd948c2784bf7d19803bec8d44e7f33e0c59771bcf1ca4f414ee6f68d6ff8001ac22a8b1a57da2a60147af852ac6aa5
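
The eleven dropped files above share one naming scheme (five upper-case letters plus ".txt", written straight into the user's temp directory) and each has a fixed SHA256 in this detonation. The script below is an added example, not part of the sandbox report: it takes the SHA256 values listed above as a hash IOC set, scans a directory tree, and flags any file that matches a known hash or the naming pattern. The scan root, the regex and the demo() sample files are assumptions for illustration; on a live host the content of these files will differ (Blackshades writes per-victim data), so the name match is the broader but weaker signal and the hash match the precise one.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Set, Tuple

# SHA256 values of the .txt files the sandbox saw the sample drop into the
# user's temp directory (copied from the file list in this report).
DROPPED_FILE_SHA256: Set[str] = {
    "59e987f8f6aba48305c22970867cfc80a2ec7283dd22a3504d10a824fde3fe26",  # RSPYK.txt
    "442bfbedb2c1887a9a772b7fdc5a054cb086151bcd66bfadc8deee2cd8369cd7",  # WCUYT.txt
    "1da282d9ea78c8ceacef47f322ce5a859f7514d84cb168119c85ef6bc174f797",  # DGHQM.txt
    "22eb4aa65d75d6bcb1a5130d699d34e07c75e3a7dd4f398d46caca8422bf4a51",  # XSRAT.txt
    "beeaadc6ae05d441e5ca5b64a4208c2f80dda8e18640860d49757abc77825c88",  # SCRSP.txt
    "c4c93341d1268d21ddea7d6132776d3ae6d2cbe38c232579852cd2138a68a764",  # KIQCJ.txt
    "1f83c1c4e9fe62a8c51b5a794de6ea2a1b46fd3caa7e303c13b398f4c75a3058",  # UGMRD.txt
    "1a6c9ce78a7cb656d62451f28e019cdec09c8e8b0344fa7455a2ee4ca50e3ff8",  # CFHQM.txt
    "8f24551e222b7f71fe5abde2e4f575e531c22c7b9d65a5493adba78b9ac040db",  # DXBMK.txt
    "86ace41294290c8dd92509de6b1a6245e1ac20c41f4f1d7501be7ee721223776",  # VLXIH.txt
    "62dd21100ab5ab21968ce7b9984e867875dd229354f5d78cfd2b8cc8a4614434",  # YXFGP.txt
}

# Naming pattern of the dropped files: exactly five upper-case letters + ".txt".
# This regex is an assumption generalised from the eleven names in the report.
DROPPED_NAME_RE = re.compile(r"^[A-Z]{5}\.txt$")


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_dir(root, iocs: Set[str] = DROPPED_FILE_SHA256,
             name_re: "re.Pattern[str]" = DROPPED_NAME_RE) -> List[Tuple[str, str, str]]:
    """Walk `root` and return (path, sha256, reason) for every regular file whose
    content hash is in `iocs` and/or whose basename matches `name_re`.
    reason is "hash", "name" or "hash+name"."""
    hits: List[Tuple[str, str, str]] = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        digest = sha256_of(p)
        reasons = []
        if digest in iocs:
            reasons.append("hash")
        if name_re.match(p.name):
            reasons.append("name")
        if reasons:
            hits.append((str(p), digest, "+".join(reasons)))
    return hits


def demo() -> Dict[str, str]:
    """Constructed sample (not from the report): a temp dir holding one file that
    matches only the naming pattern and one whose hash we add to the IOC set.
    Returns {basename: reason}."""
    d = Path(tempfile.mkdtemp(prefix="ioc-demo-"))
    (d / "ABCDE.txt").write_bytes(b"constructed keylog-like text")
    known = d / "report.txt"
    known.write_bytes(b"constructed dropped-file content")
    (d / "readme.md").write_bytes(b"benign, should not be flagged")
    iocs = set(DROPPED_FILE_SHA256) | {sha256_of(known)}
    return {Path(p).name: reason for p, _, reason in scan_dir(d, iocs)}


if __name__ == "__main__":
    # Scan the current user's temp directory (path is an assumption; adjust as needed).
    scan_root = os.environ.get("TEMP") or os.environ.get("TMPDIR") or "/tmp"
    for path, digest, reason in scan_dir(scan_root):
        print(f"{reason:10} {digest} {path}")
```

Run it with no arguments to sweep the temp directory; pass a different root to scan_dir() to cover other locations. A "name"-only hit is worth a look but is not proof on its own, since any five-letter upper-case .txt file will trip it; a "hash" hit means the file content is byte-identical to what this detonation produced.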

memory/1004-1171-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1004-1172-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1004-1177-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1004-1178-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1004-1180-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1004-1181-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1004-1182-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1004-1184-0x0000000000400000-0x0000000000471000-memory.dmp