139c2245e8847acdef08ce8bc768470c27796d0c5b8de957893db36beae5705f

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
07/06/2024, 10:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4eed8777402bba9ed5400fbd6f420910_NeikiAnalytics.exe
Size

520KB
MD5

4eed8777402bba9ed5400fbd6f420910
SHA1

2cc3bc0b52ffefb98fa14eaa4fb9113f5aa7db27
SHA256

139c2245e8847acdef08ce8bc768470c27796d0c5b8de957893db36beae5705f
SHA512

a467edf6db9e8db84b05e2868030397874b80836453e9e5cad49565f28fabec71b5968201715008ff912ea8d332f5fee707cc0734a194e945abad2065573823a
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioX5:zW6ncoyqOp6IsTl/mX5

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\JFUSISMKNCIVVHP\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFUSISMKNCIVVHP\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Executes dropped EXE 51 IoCs

pid	Process
2744	service.exe
2560	service.exe
2996	service.exe
564	service.exe
2108	service.exe
1632	service.exe
1660	service.exe
2448	service.exe
1564	service.exe
2736	service.exe
2744	service.exe
3000	service.exe
2012	service.exe
1488	service.exe
1468	service.exe
1128	service.exe
1316	service.exe
2356	service.exe
3004	service.exe
2800	service.exe
3008	service.exe
2856	service.exe
284	service.exe
2288	service.exe
1048	service.exe
1804	service.exe
1860	service.exe
828	service.exe
2444	service.exe
2684	service.exe
2244	service.exe
2124	service.exe
884	service.exe
2968	service.exe
380	service.exe
2928	service.exe
1072	service.exe
3024	service.exe
1716	service.exe
2580	service.exe
2852	service.exe
2164	service.exe
868	service.exe
2712	service.exe
1812	service.exe
1920	service.exe
1964	service.exe
2376	service.exe
2884	service.exe
2160	service.exe
2680	service.exe

Loads dropped DLL 64 IoCs

pid	Process
2424	4eed8777402bba9ed5400fbd6f420910_NeikiAnalytics.exe
2424	4eed8777402bba9ed5400fbd6f420910_NeikiAnalytics.exe
2744	service.exe
2744	service.exe
2560	service.exe
2560	service.exe
2996	service.exe
2996	service.exe
564	service.exe
564	service.exe
2108	service.exe
2108	service.exe
1632	service.exe
1632	service.exe
1660	service.exe
1660	service.exe
2448	service.exe
2448	service.exe
1564	service.exe
1564	service.exe
2736	service.exe
2736	service.exe
2744	service.exe
2744	service.exe
3000	service.exe
3000	service.exe
2012	service.exe
2012	service.exe
1488	service.exe
1488	service.exe
1468	service.exe
1468	service.exe
1128	service.exe
1128	service.exe
1316	service.exe
1316	service.exe
2356	service.exe
2356	service.exe
3004	service.exe
3004	service.exe
2800	service.exe
2800	service.exe
3008	service.exe
3008	service.exe
2856	service.exe
2856	service.exe
284	service.exe
284	service.exe
2288	service.exe
2288	service.exe
1048	service.exe
1048	service.exe
1804	service.exe
1804	service.exe
1860	service.exe
1860	service.exe
828	service.exe
828	service.exe
2444	service.exe
2444	service.exe
2684	service.exe
2684	service.exe
2244	service.exe
2244	service.exe

Adds Run key to start application 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\NOJHKNUDPUEQBAE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYGCRVHIFNAGLB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\PKILAOVEQUFRCBF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPHDSWIJGOAHLCN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\BCNTYKIMHPDEXVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LDTCKUAQLGAFUVT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\FSIWSQAUHAUWBRK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IVRAUYWYKOTABHE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\UYVJVGFJWYAKQXX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDWGSRTOMTOESAI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\PCGBQVOEEGBIWES = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYTCWYMRWCDAJB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\WUDDOVLJNIQEFYW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MEUDLAAVBRMHBGW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\BNTYJHLGOCEWUDD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KDSCKTPKFAEUVSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\TSEMEWNKEUOPYOP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDYRXPGQJIKWAXF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\SJTPKTEUETURAMS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWULVONPBFKYXJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\OQLJMBPWFRVGSDC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIETXJKHPBINAD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\FGBCXSFMHMJURPT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HUQTWVXJNSAGDSR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\WAXLXIHLCMSLBBD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FYIUTVQOVRGUCKB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\CDGSTOMPESAJAUJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKCULICWMNKTFLQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\XUDDOVLJNIQEFYW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MEUELAAVBRMHBGW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\YEWVRSFLSSDXWLU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IBQAIROIDDSTQLR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\OKKWTQVQXMNAFMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TMLTHHIDBIEUHOJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\MABWSNAWIXCHWXV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQLYOYSQTEJOBNV\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\XLMHFIXLSBNSCOX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMWEAPTYFGDLEJX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\QPBJBSKGBRKLUYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAVOUMCNGEHXTUC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\GUBKYTRCWJCWYDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNFLSEERXPXLVMH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\TCCOULIMHPEFXVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LETDLAUARLGBGVW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\HMIJURPTOWKLELL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SKJRFFGBAGCXSFM\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\RJSOJSETDTURALS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWULVOMPAFKYXJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\RPTHKGEVTJJLGCD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQGAYWFOEKCSKIT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\VSRVIMIGWULLNIB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSHBYAHQGMDULKA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\ECGBJUWRPSHVDLC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNFWOKFAPQNVHOT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\PMAMXUASWRNOBHO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VNNVJIJFDKFVJQK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\OABEQRMKNCQXHSX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIASJGBUYKLIRDJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\ACFQRNLNDQYHSXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJASKGBUKLIRDJO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\RWSGSECGYYUVINU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UATDPPQLJQMBPWF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\ECHYUVINUVGAOXK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPHNUFGTAQYNXNJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\RWHFJEMAXCUSBBV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IBQAIRNIDCSTQYK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\YXBOESOMRDQTOHK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNFLSEERXPXLVLH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\EYDOLKOBFBPVNED = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAXTRAYTJXEN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\GYQMHXQCRBQROXJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFUSISMKNCIVVHP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\GYQMHXQBRBQROXJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTRISLKMCHVUGP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\RPUHLHEVTJJLGCE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OQGAYWFOFKCTKIT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\HUBKYTRCWJCWYDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGLSEESXPXLVMH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\WBTXSPQDIPQYBUU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMEWNKEYOPMVHNS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\WTSWJANJHXVMMOJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTICBIRHNEVMALB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\SENEWOKFVOPYOPM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDRXPGQJIKXAXFT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\OPLJLBOWFQVGSDC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIESXIJGPBHMAD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\EGBBWRFMHLITQOS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GUQTWUXINSAFCRR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\SGHDBDYTGOINKVS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWRAUYWKPUABHET\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\FESIVRPAUHAUWBR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRLDJQBCPVNUJTJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\MLYFOYWGCNGHYRU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKQXIJCWADTPQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\WKLGEHWKRAMRBNW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLVDYOSXEFCKDIW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\OKIKANVEPUFRCBF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPHDRWHIGOAGLCN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\OAIARJFAQKLUXYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNTLCMFEGWSTBP\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2572	reg.exe
2864	reg.exe
2816	reg.exe
2744	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2680	service.exe
Token: SeCreateTokenPrivilege	2680	service.exe
Token: SeAssignPrimaryTokenPrivilege	2680	service.exe
Token: SeLockMemoryPrivilege	2680	service.exe
Token: SeIncreaseQuotaPrivilege	2680	service.exe
Token: SeMachineAccountPrivilege	2680	service.exe
Token: SeTcbPrivilege	2680	service.exe
Token: SeSecurityPrivilege	2680	service.exe
Token: SeTakeOwnershipPrivilege	2680	service.exe
Token: SeLoadDriverPrivilege	2680	service.exe
Token: SeSystemProfilePrivilege	2680	service.exe
Token: SeSystemtimePrivilege	2680	service.exe
Token: SeProfSingleProcessPrivilege	2680	service.exe
Token: SeIncBasePriorityPrivilege	2680	service.exe
Token: SeCreatePagefilePrivilege	2680	service.exe
Token: SeCreatePermanentPrivilege	2680	service.exe
Token: SeBackupPrivilege	2680	service.exe
Token: SeRestorePrivilege	2680	service.exe
Token: SeShutdownPrivilege	2680	service.exe
Token: SeDebugPrivilege	2680	service.exe
Token: SeAuditPrivilege	2680	service.exe
Token: SeSystemEnvironmentPrivilege	2680	service.exe
Token: SeChangeNotifyPrivilege	2680	service.exe
Token: SeRemoteShutdownPrivilege	2680	service.exe
Token: SeUndockPrivilege	2680	service.exe
Token: SeSyncAgentPrivilege	2680	service.exe
Token: SeEnableDelegationPrivilege	2680	service.exe
Token: SeManageVolumePrivilege	2680	service.exe
Token: SeImpersonatePrivilege	2680	service.exe
Token: SeCreateGlobalPrivilege	2680	service.exe
Token: 31	2680	service.exe
Token: 32	2680	service.exe
Token: 33	2680	service.exe
Token: 34	2680	service.exe
Token: 35	2680	service.exe

Suspicious use of SetWindowsHookEx 54 IoCs

pid	Process
2424	4eed8777402bba9ed5400fbd6f420910_NeikiAnalytics.exe
2744	service.exe
2560	service.exe
2996	service.exe
564	service.exe
2108	service.exe
1632	service.exe
1660	service.exe
2448	service.exe
1564	service.exe
2736	service.exe
2744	service.exe
3000	service.exe
2012	service.exe
1488	service.exe
1468	service.exe
1128	service.exe
1316	service.exe
2356	service.exe
3004	service.exe
2800	service.exe
3008	service.exe
2856	service.exe
284	service.exe
2288	service.exe
1048	service.exe
1804	service.exe
1860	service.exe
828	service.exe
2444	service.exe
2684	service.exe
2244	service.exe
2124	service.exe
884	service.exe
2968	service.exe
380	service.exe
2928	service.exe
1072	service.exe
3024	service.exe
1716	service.exe
2580	service.exe
2852	service.exe
2164	service.exe
868	service.exe
2712	service.exe
1812	service.exe
1920	service.exe
1964	service.exe
2376	service.exe
2884	service.exe
2160	service.exe
2680	service.exe
2680	service.exe
2680	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2608	2424	4eed8777402bba9ed5400fbd6f420910_NeikiAnalytics.exe	28
PID 2424 wrote to memory of 2608	2424	4eed8777402bba9ed5400fbd6f420910_NeikiAnalytics.exe	28
PID 2424 wrote to memory of 2608	2424	4eed8777402bba9ed5400fbd6f420910_NeikiAnalytics.exe	28
PID 2424 wrote to memory of 2608	2424	4eed8777402bba9ed5400fbd6f420910_NeikiAnalytics.exe	28
PID 2608 wrote to memory of 2660	2608	cmd.exe	30
PID 2608 wrote to memory of 2660	2608	cmd.exe	30
PID 2608 wrote to memory of 2660	2608	cmd.exe	30
PID 2608 wrote to memory of 2660	2608	cmd.exe	30
PID 2424 wrote to memory of 2744	2424	4eed8777402bba9ed5400fbd6f420910_NeikiAnalytics.exe	31
PID 2424 wrote to memory of 2744	2424	4eed8777402bba9ed5400fbd6f420910_NeikiAnalytics.exe	31
PID 2424 wrote to memory of 2744	2424	4eed8777402bba9ed5400fbd6f420910_NeikiAnalytics.exe	31
PID 2424 wrote to memory of 2744	2424	4eed8777402bba9ed5400fbd6f420910_NeikiAnalytics.exe	31
PID 2744 wrote to memory of 2232	2744	service.exe	32
PID 2744 wrote to memory of 2232	2744	service.exe	32
PID 2744 wrote to memory of 2232	2744	service.exe	32
PID 2744 wrote to memory of 2232	2744	service.exe	32
PID 2232 wrote to memory of 1976	2232	cmd.exe	34
PID 2232 wrote to memory of 1976	2232	cmd.exe	34
PID 2232 wrote to memory of 1976	2232	cmd.exe	34
PID 2232 wrote to memory of 1976	2232	cmd.exe	34
PID 2744 wrote to memory of 2560	2744	service.exe	35
PID 2744 wrote to memory of 2560	2744	service.exe	35
PID 2744 wrote to memory of 2560	2744	service.exe	35
PID 2744 wrote to memory of 2560	2744	service.exe	35
PID 2560 wrote to memory of 2752	2560	service.exe	36
PID 2560 wrote to memory of 2752	2560	service.exe	36
PID 2560 wrote to memory of 2752	2560	service.exe	36
PID 2560 wrote to memory of 2752	2560	service.exe	36
PID 2752 wrote to memory of 2856	2752	cmd.exe	38
PID 2752 wrote to memory of 2856	2752	cmd.exe	38
PID 2752 wrote to memory of 2856	2752	cmd.exe	38
PID 2752 wrote to memory of 2856	2752	cmd.exe	38
PID 2560 wrote to memory of 2996	2560	service.exe	39
PID 2560 wrote to memory of 2996	2560	service.exe	39
PID 2560 wrote to memory of 2996	2560	service.exe	39
PID 2560 wrote to memory of 2996	2560	service.exe	39
PID 2996 wrote to memory of 1260	2996	service.exe	40
PID 2996 wrote to memory of 1260	2996	service.exe	40
PID 2996 wrote to memory of 1260	2996	service.exe	40
PID 2996 wrote to memory of 1260	2996	service.exe	40
PID 1260 wrote to memory of 2004	1260	cmd.exe	42
PID 1260 wrote to memory of 2004	1260	cmd.exe	42
PID 1260 wrote to memory of 2004	1260	cmd.exe	42
PID 1260 wrote to memory of 2004	1260	cmd.exe	42
PID 2996 wrote to memory of 564	2996	service.exe	43
PID 2996 wrote to memory of 564	2996	service.exe	43
PID 2996 wrote to memory of 564	2996	service.exe	43
PID 2996 wrote to memory of 564	2996	service.exe	43
PID 564 wrote to memory of 1664	564	service.exe	44
PID 564 wrote to memory of 1664	564	service.exe	44
PID 564 wrote to memory of 1664	564	service.exe	44
PID 564 wrote to memory of 1664	564	service.exe	44
PID 1664 wrote to memory of 2288	1664	cmd.exe	46
PID 1664 wrote to memory of 2288	1664	cmd.exe	46
PID 1664 wrote to memory of 2288	1664	cmd.exe	46
PID 1664 wrote to memory of 2288	1664	cmd.exe	46
PID 564 wrote to memory of 2108	564	service.exe	47
PID 564 wrote to memory of 2108	564	service.exe	47
PID 564 wrote to memory of 2108	564	service.exe	47
PID 564 wrote to memory of 2108	564	service.exe	47
PID 2108 wrote to memory of 532	2108	service.exe	48
PID 2108 wrote to memory of 532	2108	service.exe	48
PID 2108 wrote to memory of 532	2108	service.exe	48
PID 2108 wrote to memory of 532	2108	service.exe	48

C:\Users\Admin\AppData\Local\Temp\4eed8777402bba9ed5400fbd6f420910_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4eed8777402bba9ed5400fbd6f420910_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempJSEER.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WBTXSPQDIPQYBUU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMEWNKEYOPMVHNS\service.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2660
- C:\Users\Admin\AppData\Local\Temp\EMEWNKEYOPMVHNS\service.exe
  "C:\Users\Admin\AppData\Local\Temp\EMEWNKEYOPMVHNS\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempKYGOF.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWHFJEMAXCUSBBV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYK\service.exe" /f
      4⤵
      Adds Run key to start application
      PID:1976
- - C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYK\service.exe
    "C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYK\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempFSAON.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WAXLXIHLCMSLBBD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVRGUCKB\service.exe" /f
        5⤵
        Adds Run key to start application
        
        PID:2856
  - - C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVRGUCKB\service.exe
      "C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVRGUCKB\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2996
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWVSST.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1260
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOJHKNUDPUEQBAE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:2004
    - - C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:564
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLUQDA.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YXBOESOMRDQTOHK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNFLSEERXPXLVLH\service.exe" /f
        7⤵
        Adds Run key to start application
        
        PID:2288
      - C:\Users\Admin\AppData\Local\Temp\TNFLSEERXPXLVLH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TNFLSEERXPXLVLH\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQUPXL.bat" "
        7⤵
        
        PID:532
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SGHDBDYTGOINKVS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe" /f
        8⤵
        Adds Run key to start application
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVHNSE.bat" "
        8⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SENEWOKFVOPYOPM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDRXPGQJIKXAXFT\service.exe" /f
        9⤵
        Adds Run key to start application
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\HDRXPGQJIKXAXFT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HDRXPGQJIKXAXFT\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPUGEI.bat" "
        9⤵
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GYQMHXQBRBQROXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe" /f
        10⤵
        Adds Run key to start application
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXIGKF.bat" "
        10⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RJSOJSETDTURALS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe" /f
        11⤵
        Adds Run key to start application
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXAMYJ.bat" "
        11⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ECGBJUWRPSHVDLC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOT\service.exe" /f
        12⤵
        Adds Run key to start application
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOT\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXWSTT.bat" "
        12⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PKILAOVEQUFRCBF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHLCN\service.exe" /f
        13⤵
        Adds Run key to start application
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHLCN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHLCN\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMVHNS.bat" "
        13⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TSEMEWNKEUOPYOP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKWAXF\service.exe" /f
        14⤵
        Adds Run key to start application
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKWAXF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKWAXF\service.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVHFJX.bat" "
        14⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDGSTOMPESAJAUJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe" /f
        15⤵
        Adds Run key to start application
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOXTSH.bat" "
        15⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PMAMXUASWRNOBHO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VNNVJIJFDKFVJQK\service.exe" /f
        16⤵
        Adds Run key to start application
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\VNNVJIJFDKFVJQK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VNNVJIJFDKFVJQK\service.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNJWWI.bat" "
        16⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RPTHKGEVTJJLGCD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCSKIT\service.exe" /f
        17⤵
        Adds Run key to start application
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCSKIT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCSKIT\service.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMPRWC.bat" "
        17⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GUBKYTRCWJCWYDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNFLSEERXPXLVMH\service.exe" /f
        18⤵
        Adds Run key to start application
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\TNFLSEERXPXLVMH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TNFLSEERXPXLVMH\service.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempHUFDI.bat" "
        18⤵
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OABEQRMKNCQXHSX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIASJGBUYKLIRDJ\service.exe" /f
        19⤵
        Adds Run key to start application
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\AIASJGBUYKLIRDJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AIASJGBUYKLIRDJ\service.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIBCQM.bat" "
        19⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UYVJVGFJWYAKQXX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTOESAI\service.exe" /f
        20⤵
        Adds Run key to start application
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTOESAI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTOESAI\service.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFFYOK.bat" "
        20⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XUDDOVLJNIQEFYW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MEUELAAVBRMHBGW\service.exe" /f
        21⤵
        Adds Run key to start application
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\MEUELAAVBRMHBGW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MEUELAAVBRMHBGW\service.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKNOYU.bat" "
        21⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FESIVRPAUHAUWBR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVNUJTJ\service.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVNUJTJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVNUJTJ\service.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEXNIR.bat" "
        22⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BCNTYKIMHPDEXVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LDTCKUAQLGAFUVT\service.exe" /f
        23⤵
        Adds Run key to start application
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\LDTCKUAQLGAFUVT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LDTCKUAQLGAFUVT\service.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFYNJS.bat" "
        23⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TCCOULIMHPEFXVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LETDLAUARLGBGVW\service.exe" /f
        24⤵
        Adds Run key to start application
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\LETDLAUARLGBGVW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LETDLAUARLGBGVW\service.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVHIFN.bat" "
        24⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLYFOYWGCNGHYRU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe" /f
        25⤵
        Adds Run key to start application
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUFEIV.bat" "
        25⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFQRNLNDQYHSXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe" /f
        26⤵
        Adds Run key to start application
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEPVMK.bat" "
        26⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MABWSNAWIXCHWXV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe" /f
        27⤵
        Adds Run key to start application
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempBTXSP.bat" "
        27⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WKLGEHWKRAMRBNW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDIW\service.exe" /f
        28⤵
        Adds Run key to start application
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDIW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDIW\service.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGBHVD.bat" "
        28⤵
        
        PID:276
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EYDOLKOBFBPVNED" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJXEN\service.exe" /f
        29⤵
        Adds Run key to start application
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJXEN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJXEN\service.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCFGPL.bat" "
        29⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WTSWJANJHXVMMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMALB\service.exe" /f
        30⤵
        Adds Run key to start application
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMALB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMALB\service.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCUYTQ.bat" "
        30⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XLMHFIXLSBNSCOX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe" /f
        31⤵
        Adds Run key to start application
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXWSTT.bat" "
        31⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OKIKANVEPUFRCBF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPHDRWHIGOAGLCN\service.exe" /f
        32⤵
        Adds Run key to start application
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\GPHDRWHIGOAGLCN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GPHDRWHIGOAGLCN\service.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVGAOX.bat" "
        32⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWSGSECGYYUVINU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWF\service.exe" /f
        33⤵
        Adds Run key to start application
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWF\service.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRDLCG.bat" "
        33⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PCGBQVOEEGBIWES" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe" /f
        34⤵
        Adds Run key to start application
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGYXTU.bat" "
        34⤵
        
        PID:792
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OPLJLBOWFQVGSDC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIESXIJGPBHMAD\service.exe" /f
        35⤵
        Adds Run key to start application
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\HQIESXIJGPBHMAD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HQIESXIJGPBHMAD\service.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempHGTAX.bat" "
        35⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YEWVRSFLSSDXWLU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IBQAIROIDDSTQLR\service.exe" /f
        36⤵
        Adds Run key to start application
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\IBQAIROIDDSTQLR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IBQAIROIDDSTQLR\service.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEFOKY.bat" "
        36⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VSRVIMIGWULLNIB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe" /f
        37⤵
        Adds Run key to start application
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNJXWI.bat" "
        37⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RPUHLHEVTJJLGCE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OQGAYWFOFKCTKIT\service.exe" /f
        38⤵
        Adds Run key to start application
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\OQGAYWFOFKCTKIT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OQGAYWFOFKCTKIT\service.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXJHLG.bat" "
        38⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SJTPKTEUETURAMS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe" /f
        39⤵
        Adds Run key to start application
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFFYOK.bat" "
        39⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUDDOVLJNIQEFYW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGW\service.exe" /f
        40⤵
        Adds Run key to start application
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGW\service.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVRRGP.bat" "
        40⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OKKWTQVQXMNAFMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TMLTHHIDBIEUHOJ\service.exe" /f
        41⤵
        Adds Run key to start application
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\TMLTHHIDBIEUHOJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TMLTHHIDBIEUHOJ\service.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJWDUM.bat" "
        41⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ECHYUVINUVGAOXK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPHNUFGTAQYNXNJ\service.exe" /f
        42⤵
        Adds Run key to start application
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\VPHNUFGTAQYNXNJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VPHNUFGTAQYNXNJ\service.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOPYUB.bat" "
        42⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FSIWSQAUHAUWBRK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IVRAUYWYKOTABHE\service.exe" /f
        43⤵
        Adds Run key to start application
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\IVRAUYWYKOTABHE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IVRAUYWYKOTABHE\service.exe"
        42⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNVJKK.bat" "
        43⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EGBBWRFMHLITQOS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GUQTWUXINSAFCRR\service.exe" /f
        44⤵
        Adds Run key to start application
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\GUQTWUXINSAFCRR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GUQTWUXINSAFCRR\service.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMJRDK.bat" "
        44⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBJBSKGBRKLUYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe" /f
        45⤵
        Adds Run key to start application
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe"
        44⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGYXUU.bat" "
        45⤵
        
        PID:280
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OQLJMBPWFRVGSDC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBINAD\service.exe" /f
        46⤵
        Adds Run key to start application
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBINAD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBINAD\service.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUPYPE.bat" "
        46⤵
        
        PID:596
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HMIJURPTOWKLELL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKJRFFGBAGCXSFM\service.exe" /f
        47⤵
        Adds Run key to start application
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\SKJRFFGBAGCXSFM\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SKJRFFGBAGCXSFM\service.exe"
        46⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMPRWC.bat" "
        47⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBKYTRCWJCWYDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe" /f
        48⤵
        Adds Run key to start application
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLIQDJ.bat" "
        48⤵
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIARJFAQKLUXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe" /f
        49⤵
        Adds Run key to start application
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe"
        48⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOWKKL.bat" "
        49⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FGBCXSFMHMJURPT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe" /f
        50⤵
        Adds Run key to start application
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXMIQH.bat" "
        50⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BNTYJHLGOCEWUDD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe" /f
        51⤵
        Adds Run key to start application
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe"
        50⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPUGEI.bat" "
        51⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GYQMHXQCRBQROXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFUSISMKNCIVVHP\service.exe" /f
        52⤵
        Adds Run key to start application
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\JFUSISMKNCIVVHP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JFUSISMKNCIVVHP\service.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\JFUSISMKNCIVVHP\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\JFUSISMKNCIVVHP\service.exe
        52⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        53⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        54⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JFUSISMKNCIVVHP\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFUSISMKNCIVVHP\service.exe:*:Enabled:Windows Messanger" /f
        53⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JFUSISMKNCIVVHP\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFUSISMKNCIVVHP\service.exe:*:Enabled:Windows Messanger" /f
        54⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        53⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        54⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        53⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        54⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempBTXSP.bat

Filesize
163B

MD5
afe60a6197e17174681e7687e985ff76

SHA1
785c6847282cca426974b4afc83092b5458524a9

SHA256
670a843fdadfc6140bdc90d8698a80dbd99be9d7b03803573515a5ceafd18019

SHA512
d9d580905b197d19891f708282b0d6338495658dfe6a34a69cd5d3ae200a3946da7574aa4248e46bb21f422b7ce547be7a9ee9e02d73c6536333cc8d3779861e

Download Submit
C:\Users\Admin\AppData\Local\TempCFGPL.bat

Filesize
163B

MD5
6960746ab8f72bc91336e651aa68cf69

SHA1
33f742c4d12a695f0d00fb9e068862ea2fed7564

SHA256
f7c924382a15ac2b62a40aa8b03e3376ed39ff282f44e3bf664770874b864be9

SHA512
de13deba09aeb2446ee13159d012250ec79b29ef34f402fec1c0bf3963a99c78fde806652717cb62724c6e0b6da85fb7f3a846ecbe2de78eb1d4480ad7ae9533

Download Submit
C:\Users\Admin\AppData\Local\TempCUYTQ.bat

Filesize
163B

MD5
46f19fd0c708b38dcea1eaf6a92f0c50

SHA1
c48b7c70aba151004bd4bfecd6888c3a7bf628e4

SHA256
3ccc4288690f3ace49bfcfd1faaa011fc300f00cddedbba9004d1750e08fa966

SHA512
fe08992afbf445b47ab9c052c12bb75f6916b2ee6b28fa6af4668cec15afa0d484539f78ed01fa70a45084128e9401c1b216dd024afab0d70be8548be2bc7653

Download Submit
C:\Users\Admin\AppData\Local\TempEFOKY.bat

Filesize
163B

MD5
eb1981947d081f28fe8eefe71ba83464

SHA1
518f6efa878b2ceffc45965cee66ebc1358beeca

SHA256
ea0eefd90e9492d19be6d6a5b40601452f3c18cb5febc5f74c6a6ab2dd8081be

SHA512
27932aaf3523fae850e9b71981d1a573b86f6e838de12508ad3c3410fdb6cc66f3f0dc79394d9e803c73dba22f28eb5afe32c3d65fe00651ca55f38d7fa6f93e

Download Submit
C:\Users\Admin\AppData\Local\TempEPVMK.bat

Filesize
163B

MD5
6df101e5793392a3a4687cb3f0d05d43

SHA1
8bde684a4b0df6d745ccf82ac144b7f10552c5f0

SHA256
89213ed3a57910f62abb88be0afd10006ad3c0229991b8387f4d6a915970e9cc

SHA512
d918b19bf4e2ae9a0678321b6253aa4efec4b87d2248d3faa05e282fe1a85625f777df6bde8e6be7d92de6901528a29c97fba82027281fde1f7cefa2f827bea9

Download Submit
C:\Users\Admin\AppData\Local\TempEXNIR.bat

Filesize
163B

MD5
dc9dc289aef72df1c62144393c3a9dd7

SHA1
48b3ce4f7c50e7a4efaa91c0507693b65e30767a

SHA256
0e8072edfd6c45b33dddcb971d0f18d0746d07a0b9982a207905de63e7746a48

SHA512
43e47abef516d4926a493320c7f1783877a6722dc46679d791e603f1865fb8c212cd80a31f846719e8e6614ec48f5bddccee914c6d1464e9325be1661ad17f92

Download Submit
C:\Users\Admin\AppData\Local\TempFFYOK.bat

Filesize
163B

MD5
e71a248e232e4bc980a11389f6b20179

SHA1
4171614e6e90f8445faab6e7265195f1a72af26b

SHA256
c654375a44d24603fcd9ca243234e6127101e49390ac3cbbd52713211cf00adb

SHA512
d6b1e6a100e2071513a574864ea251b5b0b5444fe5adba1434b90486adc9ac197b0903575685c4481faa73f887ea2fe103b06ac1f62414411909143c22df0681

Download Submit
C:\Users\Admin\AppData\Local\TempFFYOK.bat

Filesize
163B

MD5
53db95311dd7504fc4d4924e5e085e3b

SHA1
0dd522635a7e85b63b3a79fc81262ff48f08973b

SHA256
746bcdb0224097664ab06c62bd8a2cdd365f72c3ce6e020823be652e7589b4a5

SHA512
1a2e3b561d97748df36c77fd5c775216ff607793968b78dc99d9b854938a292ef487ff36a1bf950f738928b5c87867bff8206339b6d933003877880b1ab47643

Download Submit
C:\Users\Admin\AppData\Local\TempFSAON.bat

Filesize
163B

MD5
74617bfcdeef6b6c917afe3606f98e6e

SHA1
874c4ed626c76c58006c79457183e0c13f47e7ec

SHA256
f5bc9d2b184c888e80f30e9ec8a54f63a9b2873609d1552061638d0a081c5243

SHA512
026b68f81ebc7ba6098533c313645efc40ddd4a4860b5806b5bf1a0257baa234b471adce9c6dbfdc868db7f1f0476899ff460683590284de51e65132c5129ab7

Download Submit
C:\Users\Admin\AppData\Local\TempFYNJS.bat

Filesize
163B

MD5
29be58812a799c4a492a02f39ecb4c84

SHA1
0e551d46a4db2e5bcdb6e3779f8f1338f45bb840

SHA256
f1e498c3c7f338b153a9b9d548a56e60cdc749efc4d4d7711851b1ccc00cb054

SHA512
681abd8cc7179e46370c913d43b4440b66766dab1a47cdcd89b2761cb482e7493d994155ba75c351c70a198f7e27a9910bd4a3d7e8bdcf1b21568d5e63f631c7

Download Submit
C:\Users\Admin\AppData\Local\TempGBHVD.bat

Filesize
163B

MD5
a3fa5b704e9a07cf42f47adbe6790a64

SHA1
6e5722d42c852c2eaa08330707c69819d747b7bd

SHA256
11cc2c4ed9c99550bc3ef3705fda1f5d7deef3e1ac1fc274e2c8a1d5bd824a74

SHA512
18904941ddbe9bff83c10ab403f4dd4c81309fae4a01c57e2bf2a2413c96188cef27e5480bb8df8751104b9c4e3334e8c9cc2b4b73243dd7787eb5bce1653d6f

Download Submit
C:\Users\Admin\AppData\Local\TempGYXTU.bat

Filesize
163B

MD5
3786cfd57242098be44ee837d34d0fcd

SHA1
c1b81af50bc2975d403311c3f407c6b0f4473533

SHA256
28d76069b67581d8ed6977a874325881b5d6156833b11b7a9d589c27d96d7e15

SHA512
a9f91bfbd8ccc584a057428b4047c5f1937dc52158b5247ab60d55e671f1dc099d1f95b8f6eab30bcb820bf7d00b13d7cce9af228bcc70f91d84b6727cb8451c

Download Submit
C:\Users\Admin\AppData\Local\TempGYXUU.bat

Filesize
163B

MD5
fd5694efaf2c6554304de2e815bae5bd

SHA1
99666b647cd5d2d90b385ebf09f5309cebdf603d

SHA256
782adde119da1692e215623a4bceb0ee1eb9e107428069e68c4809da4d501feb

SHA512
cb647362e661f08b394bead3d269a6f4e117556104495692a2febdffb8c8e0c433d73ac17da0d2026f507f2c9690bada9d7827f725c8876f3b9f0d109cba55fe

Download Submit
C:\Users\Admin\AppData\Local\TempHGTAX.bat

Filesize
163B

MD5
173c0a948abb5af61c7147f52aa13d1c

SHA1
df39328557233e5517f0fd1d0db9c556985cc48b

SHA256
75ae10d0f5ca23fd1d147349408f01cf3f7e929b3ae4e283baf0b6f03b91260e

SHA512
13199d7b609bed448746878d609920d49fa9af06c483b7a450bf8cb70551f905af6339ebfcc1674258ff603fb53e1e5d097dd777d6a48faa4b78ec40cad7d512

Download Submit
C:\Users\Admin\AppData\Local\TempHUFDI.bat

Filesize
163B

MD5
5da4edbb989708d2fa5839cd169b0698

SHA1
7c87cfdb0ee01619c4c658aef77f0e226d6627db

SHA256
2431109ab179f2cc2d325b6d13ef7c3b3010341f815dd9efff7adfb3797a67aa

SHA512
f9c70b4bc89314254419a52e1fd1a1606a10805599847b7d7bfb1bc2d1563c23a5a5cdc34922b0ca29311c5bb80ee88ea44d8624aac7b961d902b8fb070c28b0

Download Submit
C:\Users\Admin\AppData\Local\TempIBCQM.bat

Filesize
163B

MD5
4ee0ac9fd9906f6947aa07400a0c6eb0

SHA1
889019ae0da9a4ec8a4c26f350266d5fe66d87d8

SHA256
f984d52f2337b3ac2be55c808a5f8745e0b284db69e3c083240622ae1066908d

SHA512
cd0e092b24c306e789073cc14985587631ef1864128c403751515356f2e4ccf2a246aa7f0b119e77f93bf9b9637755b661dbf82815c41595e8256dd7f0c8594f

Download Submit
C:\Users\Admin\AppData\Local\TempJSEER.bat

Filesize
163B

MD5
d33bb9f4cc039e17efbdd7cb88caf63f

SHA1
761d8f23c37e391cbab49bf44f576214133c0877

SHA256
ed81d917dd28e5a8d77c29c0d6ac9b174692bb1476ee0b7e11b1675aed38a44f

SHA512
f4dc663170dbcd08f297583747c50cecf4db6c4dac30c259785b5c5ba8a8848277441d3f98c170232fa96f9874410bbb4d2e182cee1f22de367f1537dd5e5357

Download Submit
C:\Users\Admin\AppData\Local\TempJWDUM.bat

Filesize
163B

MD5
dcf7e7e41e818eddc50a3d256c07fca5

SHA1
c4f21941052fc484291ba4e13bf251624ef94004

SHA256
fde551cf7626c3bf5768cc1e6826ab1dfe06af198093631da4355e75a900b6f8

SHA512
71978eb11983bef87056dfa1880727484d1c6e74d59c1dd07cae949cb58b935861d8dd0306c6769ade2f128e51c56abaf2494091dc0a76fe750c75af2bfc0728

Download Submit
C:\Users\Admin\AppData\Local\TempKNOYU.bat

Filesize
163B

MD5
11ba06449b0fed6f98191316260722e7

SHA1
7954fbe57520cb3d858059ccd373e28c3a87b5d0

SHA256
5b2bbe6fa1d404c9835ed1bac8aae3c9d0118c0cc9b6e3a70ad625a14d4478e0

SHA512
1c9bca04351ee2a84beb0c2b52440b36e20985798401d4c6de3c22b8a846120f4ce7b339893dea64b2a4d10b966a52cc64cd7dc14eac41f1c9cf84d0800f85b4

Download Submit
C:\Users\Admin\AppData\Local\TempKYGOF.bat

Filesize
163B

MD5
d045e334e544bcbb03bc06c6826a3669

SHA1
208470d91b843cf1c5c15863d8a7e746debf2990

SHA256
0028ebcdf30b526f8b48c089bf8ae15e9d48999898e8a06954a94b71cb91aaf5

SHA512
7187e05f55acb096f9b0f2a54ef81c3b822bfeee11fc686e03035ab8243083b7c5e47322b681f9b0069c73e49a148b9aff9e1e5c23ff3d7c18d8d63ef2c1205e

Download Submit
C:\Users\Admin\AppData\Local\TempLIQDJ.bat

Filesize
163B

MD5
fd2e1ac873abdcf75d414027ffc438af

SHA1
031fc7c7a45c88e0122241cbb6d2d8f5be1a12be

SHA256
397ccbb85835159e8a38e447cc96082365901a66ed882919641a6c6f114c60cb

SHA512
9565732efe62cca6179aa42fd6c403ca1b333a63c2cda04478a9589fa67b48efd2369961ab01fc7fc8710f078a52f402d621772650e1eb185816adbfc327d4b9

Download Submit
C:\Users\Admin\AppData\Local\TempLUQDA.bat

Filesize
163B

MD5
61e13a05f42aa812c28eed93c6898bdd

SHA1
1cb3397367ab50ce010cf5669418329b19389edf

SHA256
37886f190631474c7d7a0e5ad44ca0c26ff78ed97532bfc60c5b14ae77cd79fe

SHA512
1a3c36f06861cb4635e4f79284f1b3d219fb15032011eeaa918b5bfd94f606b7155bbbb12621d78c8683d0aca8ad071c393c9a298891305d8de0a2ec0a50f57a

Download Submit
C:\Users\Admin\AppData\Local\TempMJRDK.bat

Filesize
163B

MD5
22edd2e5b814b8a48238457e9eaa458f

SHA1
de9135a97c6e976de887c1acc3c3ac55ac6344dd

SHA256
0c02ada924e44b30e8d742287f0df8685fde155925f0dc44257ee33eec9cd0a9

SHA512
c40434c243412d6201a5d7835d06472744eea06c65d2e5ec9d07df0823d09250659dca0eae55ef3175c77eb1bedf65b344fb8618213d8f874e3fe057f97d3bb1

Download Submit
C:\Users\Admin\AppData\Local\TempMPRWC.bat

Filesize
163B

MD5
5826b21bd1acd9827aab11fa4ae96f80

SHA1
70dbcf9b36551660a8101cf41b3d223306a8a912

SHA256
4837e9f3bdc83a08cb1b271cf3ec8df340f9f366fc4f3bc9398a1c05f3251f0f

SHA512
961b179a7a08c6548df904d249a39055fba8987a5d76a2d8ad26c717472b61797dbefe0a8079337d26551f6d19de118c4fccef25f6b90cb52e84ebf030c841d6

Download Submit
C:\Users\Admin\AppData\Local\TempMPRWC.bat

Filesize
163B

MD5
59ee0c29e17c6fa0d488bfd48da404cb

SHA1
b89e25abfdb941d951da5f86e84de9a919b612f4

SHA256
b6a6e5972e784ca9c8bfefd8fe83495ae50e6c47ab375b1970fe613e3ea70124

SHA512
ba3366cbe9ea39374c4584e6a44ae1f86e01347a3891292a8ac2c36e5833fb831422790d76d44a28d418252048741a136133f9ce82a9426477ac07db4a3e2d6d

Download Submit
C:\Users\Admin\AppData\Local\TempMVHNS.bat

Filesize
163B

MD5
4315aff7f4843155958ede86c6e543fe

SHA1
ff9f6d9b1aa7140295457626b521b7fdf60fb6ac

SHA256
28e89ddd9c68556cfccbfa30b5576f7a86ce44db130e43dbbf31adde1fd82a6d

SHA512
3da0b2f3725ffa62e439712625e46628fd7953bbdb1fb085691ac734c1ef59d4a56962c69357bdb8e36a55c75e2a94175b4a9bbc73c22e21916c640ef647b28f

Download Submit
C:\Users\Admin\AppData\Local\TempNJWWI.bat

Filesize
163B

MD5
324ca6aafb522de26cdf6d67eaccbecc

SHA1
0b73280e142d1e07864dfd6470f2f5d47f738b29

SHA256
248c578e8c7242e3c139471322a6229273a014c7ccc2368a3e3c7cf12e2eadf3

SHA512
8a241085918f596a5eb2674168757b87f4779105dd6dc4ce0c23f55afe33710a2578eaba427c4cfabcddd8a02f6784bdf9dc85a18aaf2a5348518f538e0be946

Download Submit
C:\Users\Admin\AppData\Local\TempNJXWI.bat

Filesize
163B

MD5
d72906914d95f83f5d43fff4e0bc2e70

SHA1
139f2ec75ea9d78f46ea77a1a2599dc22bfcca6e

SHA256
c7fb4560636f57f527e9c409b3ae05b174badd5926668dc897471b20a757b763

SHA512
cfe7b2db6c39f6a97f6b56dbac87fcb86fb7a0c667d2317d63cceb6e0cc6c5ece9208142c9e60b33d5ba9a537ad94a71e4503aa4d50bd4a569a752a5dd0f9fe3

Download Submit
C:\Users\Admin\AppData\Local\TempNVJKK.bat

Filesize
163B

MD5
0edb0ab4b7c786e54ac8cfbb7b878f9d

SHA1
b144b49660a3628eb94992b6233b7b9fe43aaeb3

SHA256
f52e283de13d7e683da2c150123b2df687b96e691e0b2d5a2cde6eaa5a9afcf8

SHA512
3709e65974cfd5d8771fe17db1b7a868da8bf55c5dd9bfeef4f4a1bc95043d525bc9bd3fb137266c70b667c22dbfd73ddeb9d3c3c8442f3c0880747c6ffd667d

Download Submit
C:\Users\Admin\AppData\Local\TempOPYUB.bat

Filesize
163B

MD5
5fc4d2a2a40634008c3b5f2dd10a48b2

SHA1
966f7effc0195b38e556d872fc859fc82c78fb77

SHA256
66a4b677520e62165f4df03cafa89ec4f07578dc6b9257bce118ac1d2a3dfbed

SHA512
b89d3de8c1a32308311d9319bc321084ef235b56a22a9a31cdcba501cf8ecab0e0f2298e979b076c60efdcc2d103e0ada1061feed051418a96112e8c5c1bacd0

Download Submit
C:\Users\Admin\AppData\Local\TempOWKKL.bat

Filesize
163B

MD5
4578bdf21588c4ec22d6239c4ef47cdb

SHA1
c4ff0891e82a5c06a10c62568202fc5f12681679

SHA256
a39bb7ea785e6349eda9f0ef0ae59917c4d7417b848d7a0bbb8ab59ebca09362

SHA512
33b9ed10d4c2d63750852289f2d6f0336ef372175bcacb123f45fd2cd9fe99a521e969fa820479660265dd65e598137517f8049e601e0451312bab51490a2be8

Download Submit
C:\Users\Admin\AppData\Local\TempOXTSH.bat

Filesize
163B

MD5
df3f74377aec59dc61c6a8bc9c1f7096

SHA1
14aaa687959c8452bfb805ddb131619e0f6d12be

SHA256
c5bf8fef43ab907f3a4ba686a1f5623d00512e7a369f6e9a424935d1018e18dd

SHA512
b93160a307bb0a99f3ae31d307823c81a6540155b9c0b74479caa0f6f3b340f58128552bb99a56148470d144ee4765e883d26cca212ecee00c6fb4bb792cedb8

Download Submit
C:\Users\Admin\AppData\Local\TempPUGEI.bat

Filesize
163B

MD5
0d2615ed4bd9003ee0929afc21dcca18

SHA1
919020c644672b87b8989aa884a2dab33b961eea

SHA256
b996a7f6d47650c21d9eb020fd005b807e3cc7521a974257d914d4e969daf04b

SHA512
55b63f341681d1c414af61e5ab9ee48485322f534eeafa7180eaf539a3bc401ed52efbbd1550112e5890ba07606c3cd7dc9a29f1c8427ba5ff452cc32c20666d

Download Submit
C:\Users\Admin\AppData\Local\TempPUGEI.bat

Filesize
163B

MD5
b5f8ec269fc0de7aa996551d56670248

SHA1
5f6260e975556b01ac76c759652236f3bdaeeee7

SHA256
c0071f2d226621e6583ddd77410564cc3f46d4b8000bdaa47825f866559de898

SHA512
d4b337b0b7477992be9f4f968a19c15fdc7aeec744f9a2829fdd2477798208a581da78e702316fe98238a8e7b2c5bbc3a0bb4b7dd8b4dd1d1430da2f4b390d9b

Download Submit
C:\Users\Admin\AppData\Local\TempQUPXL.bat

Filesize
163B

MD5
5d0d5ad40d6fd09a0d716640cbfa1ac8

SHA1
ccaf0e23a3cff154b4863714b904dde9f3a05e47

SHA256
7e9d503b5dcf215ce570cee881dbf382d056c6d601e8859ff668b1348cce0159

SHA512
8b6a6f15623f84655016c2877899c30d5b3e475d666c3f08a175f1efcdd08231927338c839d2d3f4d9fb7ab6c58c68df1c09b8e28277ca9bc8b1a92d8961d4f2

Download Submit
C:\Users\Admin\AppData\Local\TempRDLCG.bat

Filesize
163B

MD5
86bd231d1c9a7f2af1799129f48daf9d

SHA1
bd2cdc01da952209ed4db07d556bee5f9cb831a5

SHA256
0f19d151c62910375512336d3c67c96be4eec1e3a18a93164393c4c4e503d9b4

SHA512
663d0046629ff4abb0369ef1f7b17f3e8eebcbc3cc8d467b2b4530dcbd047edd78a8c1906fe6064eb9e609cade531ab90e43076e2a53c69dd00105018f08c93f

Download Submit
C:\Users\Admin\AppData\Local\TempUFEIV.bat

Filesize
163B

MD5
9011633853bef6a0f9b96c296cf872d6

SHA1
ddba6cc73ae875c79374b2e1fb1a2177de41f653

SHA256
1f3d96b6be86188220dcbe190aa898547e968865b2a912f471b665c90972344a

SHA512
805e2a01ef76162a9351d524e6aca20599b7077b1b49cf65ba05bae46140f27edce2063ac3fc83bec98839d80e0fb7b498f70bed7f2f816660e6d84c429945e1

Download Submit
C:\Users\Admin\AppData\Local\TempUPYPE.bat

Filesize
163B

MD5
6ad063a0efd3c87f4c438a1827652b06

SHA1
4d67aeb3190618090823f912e0058a818dca278f

SHA256
7d001c530fab699b19b39cd34cb64517edc57d6a17dba96304e801e0bad23caf

SHA512
27b958fabde1f39ceeb89b1eb801109232d8a55ee0a751f6def3a5a07e5cfdb3144d18c004aa2f3f1cda371a503185d24451cc655f411941fd88a7f3e8e2307f

Download Submit
C:\Users\Admin\AppData\Local\TempVGAOX.bat

Filesize
163B

MD5
c2a4762e032cbbe793d4bc3802349b03

SHA1
a267ba061ff095b053a2db506c206783b8d35160

SHA256
8d3d719e2acdbbd0d8aabf115abb5249b263b539a0f1370a24f7c32d39568391

SHA512
4f27c5af33eae2f129b5560034d134c9e5eacb389378eb0ff5daa7eaec7e35d7ad28d0fedac064334e2a528fe310c45386aeecf5b65954d68924ea9eb74e0be1

Download Submit
C:\Users\Admin\AppData\Local\TempVHFJX.bat

Filesize
163B

MD5
ea269f25ae5997e7ee7bd2b64a5a6712

SHA1
6d5dbcd8eda3422d6ad82a24e9a1b4702d6a4162

SHA256
5b630afcc89478dd3c57b171f3d7fde37aa35f6ab3e3f91e4e12c08d726e5f29

SHA512
11cf2ae16054f1660854f89553823c250ac10dc6625ac6ddb938ae004f2a875802bd522d2f65ea531d2f6f71b21f36acd267cf1ffe12f6b8f827c5cd04bd5357

Download Submit
C:\Users\Admin\AppData\Local\TempVHIFN.bat

Filesize
163B

MD5
bd032580b7effbda479aa5f35e128787

SHA1
50508bb841bfd66058e19d4d0d971214fe972095

SHA256
a9692075f56f7d52e431da2ac5574b7c74a01dde78bd823e0c4796483c39fad8

SHA512
3530dcd2586f93cf7061be08b75951e8350e9df9153c0619f9f7b06f7448ca59893777576a5c0fee503a22d83147a6e4a56614d549b9c685c1f4730c2032944c

Download Submit
C:\Users\Admin\AppData\Local\TempVHNSE.bat

Filesize
163B

MD5
01a423dc9819ee71e3d9625b2dd40190

SHA1
20d2a4436f8afa87aa2abc177c739fce78b45b50

SHA256
70c9d210307f850d4ce4186ee292a4cacc82948c3298b1b627b7022a6ff31e6d

SHA512
cabd65183e8f6c3d8c2e5580147ce83671f7f0ef4eddafa396045e84fa058fc3d0e005cd7b83360b687e908973964ea8cea50cf6b44dfd93c07784f90e5052fe

Download Submit
C:\Users\Admin\AppData\Local\TempVRRGP.bat

Filesize
163B

MD5
991bb44ce9a36859c4ee1fb05404900c

SHA1
0da34c4be7e039cd09d3418a4c28dc31f7fbb2a4

SHA256
5ee4a55b0050633cb040f164d56008c9c94f160529cd6fae00c39759b96566e1

SHA512
461369e90d5927a742979c6ad11c952d325eab83b76401ff03e503e5e9cf53fa7f67d98e6ba516427e4ff34cfdafda08f94b2d86841c070974164d4f6bfe18af

Download Submit
C:\Users\Admin\AppData\Local\TempWVSST.bat

Filesize
163B

MD5
86550c4045ded27f9bfcc444dbc3fe24

SHA1
01b7dcdc9ee8c7ff89d01066db04249a81eeff91

SHA256
36dadacba29ee174b5948d034f9c17ab59afaeb3e6b696f7633f2e4c717a3d78

SHA512
90794a8e5f439b0771d24a3e84800e5340d42e184fa232b0395e809a9ef6953a68e8347c49a8074ce31014100319eb7a6fe80d9557e169f75bd8b60795bd1dad

Download Submit
C:\Users\Admin\AppData\Local\TempXAMYJ.bat

Filesize
163B

MD5
fb7816acc848d9d1cb68ddf5661767ea

SHA1
c043e360f28a59a1d0fa645b8eaab02d37ab4513

SHA256
c6f2ca3d4cee2364b8fc03b59081b02e8e8d096a4f243c6c3e5ab09c84bf9cc2

SHA512
f35733eed3e50e889bc7c811874b4aec45101fc0894a9e5fbdf251de02a6b4c41ad84b12f741dfd182412afcdebf00adf5f22d441f374cfd072fe3d39d2e9edb

Download Submit
C:\Users\Admin\AppData\Local\TempXIGKF.bat

Filesize
163B

MD5
5a6dcd900579cc4deed21c70484d98d9

SHA1
baa71148bac7fd3b5462851aaf3575b5d20dcfa6

SHA256
01f215143f045880fecb613b9dbccb74a4badf268cace67ce50063f54bee3140

SHA512
3d3b332d76e9041e688c62b3b5c71ceb6176121c89ae2ac133732071d977e75abfb547c2db790951a0bf7cc0ff07dd5002de786355391fde813792aac4faa39f

Download Submit
C:\Users\Admin\AppData\Local\TempXJHLG.bat

Filesize
163B

MD5
89329da6cb84f567f49130dd845e5218

SHA1
d5d6ded7f3a30c951b829fceb0e4daa90abd5249

SHA256
8a2c14a91a49e2ec5f7023a678538ed4f3f7c9dc513f83081666b4b97a375cf8

SHA512
1e726c20c60564aedded61da995a6bf54810c6dbd8e8d764f2b3ab7d5d25f28133b476c7d096e181e77b0eaee434a6ffd260936bac5e3ee517b900dbcf366d06

Download Submit
C:\Users\Admin\AppData\Local\TempXMIQH.bat

Filesize
163B

MD5
6191f11ce0488defe2ee2b8a2596fc12

SHA1
ed1efa0598caa0ba19f7d7ed371e1d316ff6c81c

SHA256
36778e4a38054c149c70b46effbe0068c56adff10f1a141337c143ed1c992fa3

SHA512
5a776f4e64b7a50e5d88234d3b079fc2eb128fe4332c1aa3ce680c3557c6c639e1c7e11c9fe53d96f5c914ddc456a16eb044cd6ef6b89a45e78b3bc154981865

Download Submit
C:\Users\Admin\AppData\Local\TempXWSTT.bat

Filesize
163B

MD5
b5222e9cba223858ef966e37fecf32db

SHA1
c343007688852be9da3377ec114fa7e3d4a19e50

SHA256
eec7d128cb2b64b791f25b5b050d2047f854b61fde1c9980dc0769efd99acef5

SHA512
01989cb469554105fd330d53ae100a3bb71dd547651f39916904bc431b39a7c53a0a6e6a8ce1dba28874bfffcfd11519e96bd7c0f47eaea561fe7e9d0a4b38f8

Download Submit
C:\Users\Admin\AppData\Local\TempXWSTT.bat

Filesize
163B

MD5
601e13abe3a7c6c4ba9ec5974385f941

SHA1
11d3359c26ba1b2a30ac5fd86771641fd3480c35

SHA256
e6914e4e8ff8bbdbb6bcd169d24885e364f75ffcfbe5e0bebd345d55a50e0f38

SHA512
9b2f07abe4efa44cb181f5b6c6f80a2e52c0cc536d38d4ba77ce0b98fb6b4d78adf2c5247fdbff966aef67bdfb67805cb9862e5eb36cde513d4e666ab4eb9572

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMEWNKEYOPMVHNS\service.exe

Filesize
520KB

MD5
fe424439a5e316abd48670fdb8fe945b

SHA1
214a5ecfd2074c217a4ba6eb0f2e8617b351fe15

SHA256
7d505206fd1a06cb96f4a0ae566aebb248a78bd315e4a4fb4ed3606c3bc7a052

SHA512
4592a123676cd63a5df649b4b5dd07ff93a0976164e7c502d185d18b96ed76719da3c7b98ad656105ba41d64aa8a43de981e7341cc537c3cf76e40d6e11385ff

Download Submit
\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe

Filesize
520KB

MD5
338f8b1300135fe2479aeddfd807d00f

SHA1
0adaa8750dda9d62e7fb3f7b58c6c8bb190c207f

SHA256
2207c2e30422d4466e683a14f10ceec6587ab49e25ffad8666ff223e1c1cff2d

SHA512
48f46e03373b3da45f3caa2d3ecd33a530ee2bba3de810b9d6dbf76c8b5ac236418985dccf2ca408719295a44014d23b86a0458fc528fa5a7ea4510ed73ddd23

Download Submit
\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOT\service.exe

Filesize
520KB

MD5
09fb9c226c576adef2ab524fedef91a4

SHA1
13f5a5fca53a496bcc6e8447cc0af58bd508c80b

SHA256
78d741d245c89a857f051ff461df16b93a825e70031ba5fe7d7093fc5225a8dc

SHA512
ffdb2ee423f5a97bf6e361b54c5763b71dc398c10db6a6929d63636d0abaa8f6bcd0329591bba984e88fc93af25efbd1af61f6f143a5841cfda695bcfd58d8bc

Download Submit
\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe

Filesize
520KB

MD5
47e7b1d076342ea9ef9e39851c4dfcc3

SHA1
8ccb97b37fe97522f6eb57b3b08263833ceb2235

SHA256
70396b6969a598a7474c45d8fb0c3aa89bc6ed886b3ad9b5c622fe367c219592

SHA512
08c6e0c29c5fd341fe3461a1798ef5457ade3f0c8e326959b4fce5ec56cb30208f0912870d53662408c392373882df1886148df18916dfbd09ff9ade7c955a16

Download Submit
\Users\Admin\AppData\Local\Temp\FYIUTVQOVRGUCKB\service.exe

Filesize
520KB

MD5
3ed66f71141c263f5a3e5fa77c6d3b7b

SHA1
40c0bffe5252834146f7eb31998a7dcccf72ce9e

SHA256
d051df5ab756f8c96092c6efc0eea62d21eb87e06b5de7e234f714d9edceda3e

SHA512
5c3a739589c8e08d3d0e9ce8264878a248fdbaa1b90b802c56596a23b399d29785ff473c8e060776b09b4ec6782a3bdc2a7c9d43b922dd84c2a335466d1e4d89

Download Submit
\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHLCN\service.exe

Filesize
520KB

MD5
e9483aa816fe595832022fbfd5432570

SHA1
f8486b700783cbaadfcde1f1df9c994438e54904

SHA256
806cd548bdcf8c4bfcd1971ee0a366f6ace2f99ef8c4a4eeb8b2405421af31ff

SHA512
1541f4399ed3df80b05846773c97d17d64388f70e0422f973aa056fafce445cae9ef14c069a47e834377c2ebe2fa9e16597ead922fb0575b455248a0bd001b0b

Download Submit
\Users\Admin\AppData\Local\Temp\HDRXPGQJIKXAXFT\service.exe

Filesize
520KB

MD5
a3257fa233d301bb0b09cb254d2ff52d

SHA1
3ea7165c17fd9160ac17ec878737b20cc35dac5e

SHA256
fea485368d7bf4db1f812200f2348b374103c414ade78e3b8c09ec197d64c5f3

SHA512
97e74b0a027ac6661780f49260285472c0750db9a827a840537c8f5df0d9837df55670679e16d1a65812dc1a8656236b5de0309ec0fa9f1062799d18d78ba05f

Download Submit
\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKWAXF\service.exe

Filesize
520KB

MD5
cda07c7848a5c69ff97956bbe156106f

SHA1
52bf6c53253a1e98188120e7658cc0748f8d0bd0

SHA256
63e1749a1eaafc90d6c19766b7f04701a717032286ebc01750f8bb124f7146f1

SHA512
91b58277dd1fd0d7aeb02aa1e4dde2757294c091e39a2f5620c4e0ce265e8419b4584d57399c0f65d35940fc597661502c2699735aaeca0802e465da2cf1997a

Download Submit
\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYK\service.exe

Filesize
520KB

MD5
8f7364e988e6ce728b612c4bb51f3648

SHA1
e8df66525a86dbfcd25b46a88a066a6fd4a6ff5d

SHA256
1d918a9d0bd506c5115e91ab36180a15a7f27a55eb6b32d270cc84bbaf481b4a

SHA512
b022a03b2904b8fbf2b073fbaea8c706d3f01389fc7ef2e7c05d1a8cd85b6f6ee7af26a0ea14fcba74350662c476eee401d9a87207342a704989864938cdd361

Download Submit
\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe

Filesize
520KB

MD5
84cf102dedbcec7af44859741b8ee876

SHA1
d9322f45cfd2e97be77e4ffbb96ce812cc04c8af

SHA256
339aa06926902a96979f45a962d849d52072f0c234af6c27296d3ec399625f7e

SHA512
bc8b29291cd81fade797f2891ac9a70ceda4f0caf5b545ebf1ac30fcfbb4f67b15930488e93c3011d4d9003d123efd98995be8dcf6c38291b9f851e84712b66e

Download Submit
\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe

Filesize
520KB

MD5
c1655090bc4e36cc183a9b97fc39a17c

SHA1
54253384b0a35fe95da48e6c2cf9b8033f4ab5bb

SHA256
bc6f4361f8799fa5a2df74440da305e82ddf18aa307b7c4160e14aafb7bb05ef

SHA512
1e66a818a8e066fb4ba1667ba67985df2990a7829bb503e3140bca2d4ec220bcc72dc1974ddf08c69bccdee47b970d8f2deda11646902015d75c634084c46835

Download Submit
\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe

Filesize
520KB

MD5
1ebd219af55427fd4426e8767257a8cc

SHA1
7fdca13ca724587530fa57fb1fabf7295d7d8ce8

SHA256
be024c5a28c03b4df1092078551c6a0dedd03e317467993425842d72af3e97d8

SHA512
9d8dc5dfa7e8416fa1934014d9f1aa052c78c1b01520c3e6314d0ae6b108a01734aeb03143521578e21f3767872b5eeca8faae88002033e12999e38363738348

Download Submit
\Users\Admin\AppData\Local\Temp\TNFLSEERXPXLVLH\service.exe

Filesize
520KB

MD5
d0a6f3fca84a3a6c089e83faa750e94c

SHA1
0ee1f75df28a89c399cb9aa864b3e25446dc998f

SHA256
6fed5605565630cf0cd8b631551010d45eeaec2f6c37f4513477975f01b9aa45

SHA512
3ee3388ae93bbc16fcc61a5fbd9312fda53d902ce3d05305a24730dea635ea77eb73013f4f4b01f9174d2ebe76c69abb0b092d9864a21325a79ed1eef3703ebf

Download Submit
memory/2196-750-0x00000000770C0000-0x00000000771DF000-memory.dmp

Filesize
1.1MB

Download
memory/2196-751-0x0000000076FC0000-0x00000000770BA000-memory.dmp

Filesize
1000KB

Download
memory/2680-1268-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2680-1273-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2680-1276-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2680-1277-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2680-1278-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2680-1280-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2680-1281-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads