4cdd09eb4865cdf8b9366b97da5a46f5d1c5e66506f0f04fca1569c5ef5366e0

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
14/06/2024, 10:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b8061dcf4b55a0d745e6113cb63ad750_NeikiAnalytics.exe
Size

520KB
MD5

b8061dcf4b55a0d745e6113cb63ad750
SHA1

474d51150a862cf210f6b2e175b2ed41385957ae
SHA256

4cdd09eb4865cdf8b9366b97da5a46f5d1c5e66506f0f04fca1569c5ef5366e0
SHA512

278a994f5971fb5cb6799766ecae9d9beade38e31e75117b6698b07d34ab0129eb4f1ef7bfb85a3764d4a64c280456ad240365a94c57e550f3570d77d0faeef8
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXr:zW6ncoyqOp6IsTl/mXr

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YBSLRYJAKDXBEUQ\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Executes dropped EXE 24 IoCs

pid	Process
2912	service.exe
2532	service.exe
2872	service.exe
1316	service.exe
2168	service.exe
2924	service.exe
2320	service.exe
2376	service.exe
1432	service.exe
896	service.exe
2660	service.exe
3012	service.exe
2032	service.exe
2076	service.exe
380	service.exe
716	service.exe
1044	service.exe
1708	service.exe
2616	service.exe
2136	service.exe
2696	service.exe
2828	service.exe
1800	service.exe
1860	service.exe

Loads dropped DLL 47 IoCs

pid	Process
2956	b8061dcf4b55a0d745e6113cb63ad750_NeikiAnalytics.exe
2956	b8061dcf4b55a0d745e6113cb63ad750_NeikiAnalytics.exe
2912	service.exe
2912	service.exe
2532	service.exe
2532	service.exe
2872	service.exe
2872	service.exe
1316	service.exe
1316	service.exe
2168	service.exe
2168	service.exe
2924	service.exe
2924	service.exe
2320	service.exe
2320	service.exe
2376	service.exe
2376	service.exe
1432	service.exe
1432	service.exe
896	service.exe
896	service.exe
2660	service.exe
2660	service.exe
3012	service.exe
3012	service.exe
2032	service.exe
2032	service.exe
2076	service.exe
2076	service.exe
380	service.exe
380	service.exe
716	service.exe
716	service.exe
1044	service.exe
1044	service.exe
1708	service.exe
1708	service.exe
2616	service.exe
2616	service.exe
2136	service.exe
2136	service.exe
2696	service.exe
2696	service.exe
2828	service.exe
2828	service.exe
1800	service.exe

Adds Run key to start application 2 TTPs 23 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\NREIECSYQHGJEAB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LODWUDWMCHQHGQO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\OAIARJFAQJKUXYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNTLBMFDGWSTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\YLMIGIYMTCNSDPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBPUFGEMFJYA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\DBFAITVQORGUCKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMEVNJEYOPMUHNS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\CGMLTKUQLUGVAFU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WONVJJKFEKGWJQA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\DBFAITUQOQGUBKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMDVNJEXNOMUGMR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\OAIRYJFAQJKTWYJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CUNSLBLFDGWSTBO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\RWSGTECHYUVINUV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UATDPPQLJQMBPWG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\TSEMEVNJEUNOYOP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDYRXPFQJHKWAXF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\EPMLPCGCAQWOFFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYXBUSBUKYAGOF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\RNMGPXHDOHISVWI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YBSLRYJAKDXBEUQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\VUYMCPLJYOAOQLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLEKRCDQWNVKUKG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\PMAMYUASWROPBHO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VONVJIKFDKGVJQL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVWKWHGKXBLRYYJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YEXHTSUPNUPFTBJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\CNKJNAEAOUMDDFA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVXSQXSIWEMDY\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\CNSOCPAXDVUQREK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQPAXMLMIGNIYLT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\MRNBOWCUYTPQDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPOWLKLHFLHXKSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\RQCKCULICSMNWMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBWPVNEOHGIYUVD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\JXENWUFBMFGWPSU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQJOVHHBVCSOYPK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\SWJANJHXVMMOJCF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LNDVUCWMCHQHFQO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFDHCKVXSQSIWEM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOFXPLGBAQROWIP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\QUHLHFVTKKMHADE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORGAXGPFLCTKJUR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\RWIGKFNBYCVTCCV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JBRAISOJEDSTQAL\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2104	reg.exe
376	reg.exe
2836	reg.exe
1032	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	1860	service.exe
Token: SeCreateTokenPrivilege	1860	service.exe
Token: SeAssignPrimaryTokenPrivilege	1860	service.exe
Token: SeLockMemoryPrivilege	1860	service.exe
Token: SeIncreaseQuotaPrivilege	1860	service.exe
Token: SeMachineAccountPrivilege	1860	service.exe
Token: SeTcbPrivilege	1860	service.exe
Token: SeSecurityPrivilege	1860	service.exe
Token: SeTakeOwnershipPrivilege	1860	service.exe
Token: SeLoadDriverPrivilege	1860	service.exe
Token: SeSystemProfilePrivilege	1860	service.exe
Token: SeSystemtimePrivilege	1860	service.exe
Token: SeProfSingleProcessPrivilege	1860	service.exe
Token: SeIncBasePriorityPrivilege	1860	service.exe
Token: SeCreatePagefilePrivilege	1860	service.exe
Token: SeCreatePermanentPrivilege	1860	service.exe
Token: SeBackupPrivilege	1860	service.exe
Token: SeRestorePrivilege	1860	service.exe
Token: SeShutdownPrivilege	1860	service.exe
Token: SeDebugPrivilege	1860	service.exe
Token: SeAuditPrivilege	1860	service.exe
Token: SeSystemEnvironmentPrivilege	1860	service.exe
Token: SeChangeNotifyPrivilege	1860	service.exe
Token: SeRemoteShutdownPrivilege	1860	service.exe
Token: SeUndockPrivilege	1860	service.exe
Token: SeSyncAgentPrivilege	1860	service.exe
Token: SeEnableDelegationPrivilege	1860	service.exe
Token: SeManageVolumePrivilege	1860	service.exe
Token: SeImpersonatePrivilege	1860	service.exe
Token: SeCreateGlobalPrivilege	1860	service.exe
Token: 31	1860	service.exe
Token: 32	1860	service.exe
Token: 33	1860	service.exe
Token: 34	1860	service.exe
Token: 35	1860	service.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
2956	b8061dcf4b55a0d745e6113cb63ad750_NeikiAnalytics.exe
2912	service.exe
2532	service.exe
2872	service.exe
1316	service.exe
2168	service.exe
2924	service.exe
2320	service.exe
2376	service.exe
1432	service.exe
896	service.exe
2660	service.exe
3012	service.exe
2032	service.exe
2076	service.exe
380	service.exe
716	service.exe
1044	service.exe
1708	service.exe
2616	service.exe
2136	service.exe
2696	service.exe
2828	service.exe
1800	service.exe
1860	service.exe
1860	service.exe
1860	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 1776	2956	b8061dcf4b55a0d745e6113cb63ad750_NeikiAnalytics.exe	28
PID 2956 wrote to memory of 1776	2956	b8061dcf4b55a0d745e6113cb63ad750_NeikiAnalytics.exe	28
PID 2956 wrote to memory of 1776	2956	b8061dcf4b55a0d745e6113cb63ad750_NeikiAnalytics.exe	28
PID 2956 wrote to memory of 1776	2956	b8061dcf4b55a0d745e6113cb63ad750_NeikiAnalytics.exe	28
PID 1776 wrote to memory of 1768	1776	cmd.exe	30
PID 1776 wrote to memory of 1768	1776	cmd.exe	30
PID 1776 wrote to memory of 1768	1776	cmd.exe	30
PID 1776 wrote to memory of 1768	1776	cmd.exe	30
PID 2956 wrote to memory of 2912	2956	b8061dcf4b55a0d745e6113cb63ad750_NeikiAnalytics.exe	31
PID 2956 wrote to memory of 2912	2956	b8061dcf4b55a0d745e6113cb63ad750_NeikiAnalytics.exe	31
PID 2956 wrote to memory of 2912	2956	b8061dcf4b55a0d745e6113cb63ad750_NeikiAnalytics.exe	31
PID 2956 wrote to memory of 2912	2956	b8061dcf4b55a0d745e6113cb63ad750_NeikiAnalytics.exe	31
PID 2912 wrote to memory of 2560	2912	service.exe	32
PID 2912 wrote to memory of 2560	2912	service.exe	32
PID 2912 wrote to memory of 2560	2912	service.exe	32
PID 2912 wrote to memory of 2560	2912	service.exe	32
PID 2560 wrote to memory of 2572	2560	cmd.exe	34
PID 2560 wrote to memory of 2572	2560	cmd.exe	34
PID 2560 wrote to memory of 2572	2560	cmd.exe	34
PID 2560 wrote to memory of 2572	2560	cmd.exe	34
PID 2912 wrote to memory of 2532	2912	service.exe	35
PID 2912 wrote to memory of 2532	2912	service.exe	35
PID 2912 wrote to memory of 2532	2912	service.exe	35
PID 2912 wrote to memory of 2532	2912	service.exe	35
PID 2532 wrote to memory of 1832	2532	service.exe	36
PID 2532 wrote to memory of 1832	2532	service.exe	36
PID 2532 wrote to memory of 1832	2532	service.exe	36
PID 2532 wrote to memory of 1832	2532	service.exe	36
PID 1832 wrote to memory of 2832	1832	cmd.exe	38
PID 1832 wrote to memory of 2832	1832	cmd.exe	38
PID 1832 wrote to memory of 2832	1832	cmd.exe	38
PID 1832 wrote to memory of 2832	1832	cmd.exe	38
PID 2532 wrote to memory of 2872	2532	service.exe	39
PID 2532 wrote to memory of 2872	2532	service.exe	39
PID 2532 wrote to memory of 2872	2532	service.exe	39
PID 2532 wrote to memory of 2872	2532	service.exe	39
PID 2872 wrote to memory of 2328	2872	service.exe	40
PID 2872 wrote to memory of 2328	2872	service.exe	40
PID 2872 wrote to memory of 2328	2872	service.exe	40
PID 2872 wrote to memory of 2328	2872	service.exe	40
PID 2328 wrote to memory of 1064	2328	cmd.exe	42
PID 2328 wrote to memory of 1064	2328	cmd.exe	42
PID 2328 wrote to memory of 1064	2328	cmd.exe	42
PID 2328 wrote to memory of 1064	2328	cmd.exe	42
PID 2872 wrote to memory of 1316	2872	service.exe	43
PID 2872 wrote to memory of 1316	2872	service.exe	43
PID 2872 wrote to memory of 1316	2872	service.exe	43
PID 2872 wrote to memory of 1316	2872	service.exe	43
PID 1316 wrote to memory of 3044	1316	service.exe	44
PID 1316 wrote to memory of 3044	1316	service.exe	44
PID 1316 wrote to memory of 3044	1316	service.exe	44
PID 1316 wrote to memory of 3044	1316	service.exe	44
PID 3044 wrote to memory of 1772	3044	cmd.exe	46
PID 3044 wrote to memory of 1772	3044	cmd.exe	46
PID 3044 wrote to memory of 1772	3044	cmd.exe	46
PID 3044 wrote to memory of 1772	3044	cmd.exe	46
PID 1316 wrote to memory of 2168	1316	service.exe	47
PID 1316 wrote to memory of 2168	1316	service.exe	47
PID 1316 wrote to memory of 2168	1316	service.exe	47
PID 1316 wrote to memory of 2168	1316	service.exe	47
PID 2168 wrote to memory of 1732	2168	service.exe	48
PID 2168 wrote to memory of 1732	2168	service.exe	48
PID 2168 wrote to memory of 1732	2168	service.exe	48
PID 2168 wrote to memory of 1732	2168	service.exe	48

C:\Users\Admin\AppData\Local\Temp\b8061dcf4b55a0d745e6113cb63ad750_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b8061dcf4b55a0d745e6113cb63ad750_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempVSCNT.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CGMLTKUQLUGVAFU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WONVJJKFEKGWJQA\service.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1768
- C:\Users\Admin\AppData\Local\Temp\WONVJJKFEKGWJQA\service.exe
  "C:\Users\Admin\AppData\Local\Temp\WONVJJKFEKGWJQA\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempKTFLQ.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKCULICSMNWMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe" /f
      4⤵
      Adds Run key to start application
      PID:2572
- - C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe
    "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempVLXIH.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1832
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAITUQOQGUBKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe" /f
        5⤵
        Adds Run key to start application
        
        PID:2832
  - - C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe
      "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempHISNB.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2328
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VUYMCPLJYOAOQLE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLEKRCDQWNVKUKG\service.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:1064
    - - C:\Users\Admin\AppData\Local\Temp\SLEKRCDQWNVKUKG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SLEKRCDQWNVKUKG\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1316
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPXATT.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PMAMYUASWROPBHO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKGVJQL\service.exe" /f
        7⤵
        Adds Run key to start application
        
        PID:1772
      - C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKGVJQL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKGVJQL\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFGDME.bat" "
        7⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JXENWUFBMFGWPSU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOYPK\service.exe" /f
        8⤵
        Adds Run key to start application
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOYPK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOYPK\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKHQCI.bat" "
        8⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIRYJFAQJKTWYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CUNSLBLFDGWSTBO\service.exe" /f
        9⤵
        Adds Run key to start application
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\CUNSLBLFDGWSTBO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CUNSLBLFDGWSTBO\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGAOXK.bat" "
        9⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWSGTECHYUVINUV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe" /f
        10⤵
        Adds Run key to start application
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMUGNR.bat" "
        10⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TSEMEVNJEUNOYOP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDYRXPFQJHKWAXF\service.exe" /f
        11⤵
        Adds Run key to start application
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\HDYRXPFQJHKWAXF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HDYRXPFQJHKWAXF\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGQLYK.bat" "
        11⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SWJANJHXVMMOJCF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LNDVUCWMCHQHFQO\service.exe" /f
        12⤵
        Adds Run key to start application
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\LNDVUCWMCHQHFQO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LNDVUCWMCHQHFQO\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCIWES.bat" "
        12⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EPMLPCGCAQWOFFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe" /f
        13⤵
        Adds Run key to start application
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKYGUT.bat" "
        13⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NREIECSYQHGJEAB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LODWUDWMCHQHGQO\service.exe" /f
        14⤵
        Adds Run key to start application
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\LODWUDWMCHQHGQO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LODWUDWMCHQHGQO\service.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXDVUQ.bat" "
        14⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YLMIGIYMTCNSDPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe" /f
        15⤵
        Adds Run key to start application
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempAACDR.bat" "
        15⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AVWKWHGKXBLRYYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YEXHTSUPNUPFTBJ\service.exe" /f
        16⤵
        Adds Run key to start application
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\YEXHTSUPNUPFTBJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YEXHTSUPNUPFTBJ\service.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDYBNK.bat" "
        16⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFDHCKVXSQSIWEM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAQROWIP\service.exe" /f
        17⤵
        Adds Run key to start application
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAQROWIP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAQROWIP\service.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNJXWI.bat" "
        17⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QUHLHFVTKKMHADE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe" /f
        18⤵
        Adds Run key to start application
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "
        18⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNKJNAEAOUMDDFA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe" /f
        19⤵
        Adds Run key to start application
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLYGPG.bat" "
        19⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWIGKFNBYCVTCCV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTQAL\service.exe" /f
        20⤵
        Adds Run key to start application
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTQAL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTQAL\service.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLIQCJ.bat" "
        20⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIARJFAQJKUXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLBMFDGWSTBP\service.exe" /f
        21⤵
        Adds Run key to start application
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\DUNTLBMFDGWSTBP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DUNTLBMFDGWSTBP\service.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRRCVV.bat" "
        21⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNSOCPAXDVUQREK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQPAXMLMIGNIYLT\service.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\YQPAXMLMIGNIYLT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YQPAXMLMIGNIYLT\service.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWLXIH.bat" "
        22⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAITVQORGUCKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUHNS\service.exe" /f
        23⤵
        Adds Run key to start application
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUHNS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUHNS\service.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQBUUJ.bat" "
        23⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBOWCUYTPQDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFLHXKSB\service.exe" /f
        24⤵
        Adds Run key to start application
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFLHXKSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFLHXKSB\service.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJGOAH.bat" "
        24⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RNMGPXHDOHISVWI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe" /f
        25⤵
        Adds Run key to start application
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        26⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        27⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe:*:Enabled:Windows Messanger" /f
        26⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe:*:Enabled:Windows Messanger" /f
        27⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        26⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        27⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        26⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        27⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempAACDR.bat

Filesize
163B

MD5
a4e0810c98b777c5cf1a24c7c263c697

SHA1
d5cfda46b318196a5023f4f50a3a23afe9cfd856

SHA256
b60d3e45f1ce42452509c5496958ca661af93704311d0e674c5f8d9f95901756

SHA512
38e95cb787025e08d4af45ba3c3c4d9ed281525af5e6c60e57c5dd8ac1c36a06daed18ca1837c25a889d13215e99d94b1c5470d0e8ded9eaf23195e74d28619a

Download Submit
C:\Users\Admin\AppData\Local\TempCIWES.bat

Filesize
163B

MD5
ba429fd56ff7582c4de4880c49452a09

SHA1
f39ab13e597a4092461eb550a4a343404828677d

SHA256
15ce592a30f8fa800ef34e4ccd3f9a5826f85ab0becc58f0c2cd34aa79ad6ebf

SHA512
83f91494e16ce9176dc14eab284c96cbac783ecf712524b31e9ecba8983c47ccfa20013b99c6cf8ffa05d32fcf6ec16f02d59263330639b08f7fd50136fd1e0a

Download Submit
C:\Users\Admin\AppData\Local\TempDYBNK.bat

Filesize
163B

MD5
5c4c29a410bd00bbacd2611f885a013e

SHA1
aefca89f9eae0e39d6b8c72f03268ed6fc908092

SHA256
1f481099fa4b0c87b95a68a86c643ff38f4840353624b518904e42b634869c83

SHA512
e4b7b19b4cfd65140b315b5c8ff204c0919e4af50febc215e3a5d67c780ccfa157e78f891cc1f44c928bd472aa1d749ec2a6b46d8e0da13baa707b1220ed4195

Download Submit
C:\Users\Admin\AppData\Local\TempFGDME.bat

Filesize
163B

MD5
a4e079fc1c7dfab5dec4d6c6cabc404d

SHA1
54dfb72eca895f6fbcc750ce8919df4a1eff9c8c

SHA256
079860580f33ec79576d28872c0a65d1d18daa5e656c96640540f21c1e61ac52

SHA512
ed8ff202731d7ad276b37e85dafd64772879cff086511f99f2989526aae738f3d566e77b7c9f68265fd01dde38b02c851380a1f8c30707622c2dbef81cc752cc

Download Submit
C:\Users\Admin\AppData\Local\TempGAOXK.bat

Filesize
163B

MD5
c50c7621112fa1afb44904390e54c3c7

SHA1
7b090097af1e5ac92d212cbcf0b687ee773dee78

SHA256
5b26f953f04bf432172e566629398021a7a5e191ccb4d8d745c5611eea898737

SHA512
c73f09f0a6b1e33b9f216839fa1679f9bb800325667483337b127197835d109a161cf4260ad2fef587b39a6783bd4238a607ccdeac848ddb82b6d744d6caf81a

Download Submit
C:\Users\Admin\AppData\Local\TempGQLYK.bat

Filesize
163B

MD5
7207d626ad5f1a16894930cccddc373b

SHA1
54c4ec81869adf5178ad7b0e529b8f4fc008bcc9

SHA256
30267bfb6c87a3693d50bab6d266c23e53afd5ca88bb24ef60680c3f46a52281

SHA512
3a82a271e92f9e26031ed17f9d58e0913b70ffcac5cbff9b776eeef7f1e4cae5fa3c8b74dc85049f2de0e953eaa7282db02193f935f83d1884d7f6718727bdb4

Download Submit
C:\Users\Admin\AppData\Local\TempGUCQP.bat

Filesize
163B

MD5
9d8c823aa9d6fc3f009d667a0b5c2aeb

SHA1
9cc26bc83d1c543b737c4880b73e40a6ed254bce

SHA256
980325fa121f72202cbd9a4e320dd85478d002b45842c3b39d504bf7b72d9ca4

SHA512
66b0ec285297046e694cc6889ad4402bbe9d18677b40a25dcec92f363dc1f6ad46bd49033204d1a182f69d2cc8d12120e7bcc02c1c394da8a56a932082b54c42

Download Submit
C:\Users\Admin\AppData\Local\TempHISNB.bat

Filesize
163B

MD5
2caf0c12ba33232194b8a5d487492115

SHA1
502f9a37914312da7366ddb00fceb0eeaa2919f2

SHA256
df466f5f65cf75515b00342590d80139c4371577e36825a0bbfc911af5703378

SHA512
d87bb5f95b38389a776c5e82a4def9ee060ebab248309cd7fdb5b6b2a716abcf48f63fb2d899916de468220a95bb1239ba98ae2d739200899f2fc533a764cefd

Download Submit
C:\Users\Admin\AppData\Local\TempJGOAH.bat

Filesize
163B

MD5
c74edd6c4ce203f00a70a6b1de6310a9

SHA1
1fc7a4e39e6aa74af9a6b3c29c8798a305a4c11b

SHA256
dcfc7e09ab970a0e0852b5554848a8fb6303f2d996e4267d27c3f65f72ad5840

SHA512
4f1da00d63ee409221835c8262d9516d005267cd2ab85f2d8f894038287e537466ecb1b14b17ad5d7ea27ab90aaa759e8dd3c64c31727783ab76191c32d0d66a

Download Submit
C:\Users\Admin\AppData\Local\TempKHQCI.bat

Filesize
163B

MD5
8c5d9b01c07b728308d64e7cc1b8bf85

SHA1
88e327f0cb020d5871b6f1b3ccea832338674153

SHA256
f08ec19e50239cb99b2968aaa854affcaec2b0d2361db5ce996a9cf9acd111d2

SHA512
89721d0cf706c0a411dac2e912895c503dd2f5a7631a9364077de8fac24ec799b5bb0e51dcec4f5c640af963a4b9171ac4377c7860ecbef699f6d98925b0a2f6

Download Submit
C:\Users\Admin\AppData\Local\TempKTFLQ.bat

Filesize
163B

MD5
ce2e3255d1dd1632a52d3e52ae4a9afc

SHA1
53c909a7bb564c58fb660518521354e29a50d77d

SHA256
9a8fea966160dfc90d87c182e1d70d8c294dc668ac81d0c8996ead2a06cb26fb

SHA512
585d58fd10fe274cbd418ae92fe2f4b79b41453ac0836df6343b739f0e1f02020cac015404f8c0a43ee2e17b5e298e692be9838670f067e6e0c65204a1e84d58

Download Submit
C:\Users\Admin\AppData\Local\TempKYGUT.bat

Filesize
163B

MD5
0a7ee4880156ac1cced7bf84c4438e63

SHA1
b9b00c8e76d6f3e4d27bb2ca9fd94c5c65916f16

SHA256
7cb2e5532f99868606ddf711205ca3b80ec7427683ee4809eff0b92b732417dc

SHA512
3e40f160dea8017d09491c70f4bd0cd383a4b76e885535f6464727cb9252b55fc8d7db27d55fbb93183f96f105999621d73c578bf82d1fe233673dfc4abc7b0a

Download Submit
C:\Users\Admin\AppData\Local\TempLIQCJ.bat

Filesize
163B

MD5
09b0b692e0161e387e4d8389de91ced9

SHA1
72a446cebeb8b614e8224559f8b32c02b7660dff

SHA256
7b2a846ac73ee8b473d5335ff188f4da0795ad82066a78df3ac4f483f85a5a51

SHA512
3bb86af2da82afae6d0711e95059478e6fc96e7b21c02ebef7570a913f06da14bdf1acb893db48c2fd7334f7e7ef041d04d37cc16eb3f5cd88762b85adb12c14

Download Submit
C:\Users\Admin\AppData\Local\TempLYGPG.bat

Filesize
163B

MD5
e6d1b7b11d36abb427256f7c3f9cb74a

SHA1
52b9959c5beb82f2154ab147007a7578c2db3925

SHA256
3bfa79d2034b53889392b86ef25f15da7865aa9da24e0329cb6214e2eb410d99

SHA512
0957d8751565f724b4487fca6899599607c140d7d68a120d03303e4c021d49d86b17c83b3e1b03d439f8a8bda95a3a90dcd5703133bbb5b5e6eeab83ebcf0468

Download Submit
C:\Users\Admin\AppData\Local\TempMUGNR.bat

Filesize
163B

MD5
e65890858f7fb8dad52e80356b191005

SHA1
2c6e3801a0cc15203581fe5fef35fbe2883edc74

SHA256
54f999d041ba8ca3afddfbe7d58063ea4c3b83fd7463b3216b5e7b0aaa20336d

SHA512
0e8e3164328b88513002fd82fb81dfea8e91e3e08e1f80fbbd47e395409ac56c6ee2847bbdead49d0cceaa33231c415ee570a30ccf90b047e1b44212296f35fd

Download Submit
C:\Users\Admin\AppData\Local\TempNJXWI.bat

Filesize
163B

MD5
f3b8ddc4d4fad0bc32f84eac08e8b5bf

SHA1
e01268ff601b676b24a9523067c804a7acd5685e

SHA256
645541f0f595c8bd565536eac2333a00019fdb7cb74fe9ffa313dc4c64ed881b

SHA512
d0ca064e5ade826aa3a5e80f30dab95565ff2e7ed104edbdd2e036412559cc78c9ef5090705e95f079c0ad6bee1386f5a4beb75b2b5bed282dee5762a27ef865

Download Submit
C:\Users\Admin\AppData\Local\TempPXATT.bat

Filesize
163B

MD5
eba320f7217763b5686308ee79a80a2b

SHA1
6a8066c15ec0ede8498333cf5f9f3daa5a14697c

SHA256
f58c7a044b684ce88a471bce4a13784db4a61d17fb16ba69812db70251ee0f2b

SHA512
05130c458b22a72ee18be7daf47a2e7c55a5d4dd56b386374bd03064c1233777fae86644f8632d4ae9f6d9f6d4d40dd7ef7a134d5900d902c0f5f170c7136abb

Download Submit
C:\Users\Admin\AppData\Local\TempQBUUJ.bat

Filesize
163B

MD5
03774a5b331fddd430de8a4bda2de667

SHA1
4aed1d3ac48ac1c34a3a0cf0ca665c4e398eef20

SHA256
241a8ad3b44ff1a584d36d52002b8a5d722bad8ade416f484ea35a646c48b818

SHA512
46c32b5583f7b17b6bd431ab73e19da674b6747c7efb385cdf118727dce83ce80e10cc4cd5452a81e786c8f3e521ff470826452668162d916c2c00da15b4d1f8

Download Submit
C:\Users\Admin\AppData\Local\TempRRCVV.bat

Filesize
163B

MD5
6fd117f208423d249769655802c3be2a

SHA1
3ee3d49980f8c042989a99b98355f141a34f194a

SHA256
1c2ba2205211bd08851020aa7e4e858f766c23cd1f7a9edfc88aac533f454f7b

SHA512
9e2eddfb57523bd138b73dd4f3a59912f0727be0e5fb6141f7532c94478083aba7f102e5d4afbc6a098b7c6bf6ff1006a4d69a875287c985cae87c54e5b4235c

Download Submit
C:\Users\Admin\AppData\Local\TempVLXIH.bat

Filesize
163B

MD5
012997a6b29f4be215639a6dc38f1bae

SHA1
084fb01e80abdeb2c7febd564062488238a9229b

SHA256
a0dda3dce2f03606114b8d4d8dbde8159e9f73f6282d1984ef449823837e2f49

SHA512
7cf25d312f8aa7da637da2df94b4c61bda90366e2aac7b7f82282a2e4c35d6f61cc9dd3d92fe16ac1b00b5d0bc5a846355e6c18e334c8fdde832e463369433ec

Download Submit
C:\Users\Admin\AppData\Local\TempVSCNT.bat

Filesize
163B

MD5
52ae70cf4b4fd585373e6087c98c80b0

SHA1
c30a657760b1153a57151eb45658e8813af86759

SHA256
353d1fde75acbffdd88b25ccc71fc378b963604941691c31169fcde5f970e9e6

SHA512
b9fbbc38823e27173b56aaa92f72417d29145627d27fe8c6c15fa2dfaf2771b499f1c8b5daca4a2f9e60a9116e488e4deec5a3f7207051d92c80940aead5b3e9

Download Submit
C:\Users\Admin\AppData\Local\TempWLXIH.bat

Filesize
163B

MD5
beb7827ed78d003005c06a6e75d39ca8

SHA1
b53687b4ebf0261ab24f931cbe49fdcd4462254f

SHA256
eadc4a0bd95f17102c5a1e0f5395919eaba58e5c21a9dc773f89d3621b1f8ff4

SHA512
02e1fb2f87d0c388c7f55e6de1a3b78c505e53cec5722753e0ebf950c9de247252e723adace937912bf4ae8954fabe9e31f070e311d7a2b38c01fcc962cbab72

Download Submit
C:\Users\Admin\AppData\Local\TempXDVUQ.bat

Filesize
163B

MD5
4004805be9425a828f1421bab4a3a78b

SHA1
b8a6fc4e959fdff961ce6aab8090fd1809c19590

SHA256
967b88ff41ccebf1a53fa4b1085ae1805561464d535440c5598d4e9072721aa7

SHA512
37625ff599536cedc336402ed823bbaf31b7d12c05a87e674cfb4f0fbfa7b2a6386f66eecd0373c43d9ab9637c2127c66fc31de07235be3baac2aaf0b1f193b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WONVJJKFEKGWJQA\service.exe

Filesize
520KB

MD5
03c7114219074bc76e5b28058b591e89

SHA1
d8e4fb5bae5bfeea6ba5df5a402df073afc5ee26

SHA256
d198894b9abbd3c8b4a16fafeb0ed40a9ac7831e48c9c3c37d315ad84c52d529

SHA512
2d4b7464e9cccbe9e08e83bf0e7d02be7f93a985f6f6776c86855ce0ecaf67e8ae1acccf141de67b1cfd1fcd27989164258dd82f53851c2d93845cf2ac0ddb63

Download Submit
\Users\Admin\AppData\Local\Temp\CUNSLBLFDGWSTBO\service.exe

Filesize
520KB

MD5
0f7058a94968b03795c721a8d5feb1c5

SHA1
4cdd601906c9ebae23b0c26841d4256714e1c493

SHA256
1236d2b24106cf174fcba7e72d692069e185f5a6c7d89d43cee94c05823ef817

SHA512
f11bec2ed7448524852f0b9f7b2bbcac492db731e968d71686723dae6339ce365891f5833070af5a96fac10f6da689a06d17878a2346ecdc83f14dda1b0507e9

Download Submit
\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe

Filesize
520KB

MD5
7e355cd2779863ddd76f0a7cf823bbea

SHA1
f28c2d9d41c87aeb091db6d6037294b04b7ad3f0

SHA256
d5b6174902a100b2b2061063a20f94e458599325a1457c0552dfede06f16270a

SHA512
6e7d93e035e879fb60f56ebfba8c9d84b015c7aad380926fba39bfbc87cfc75f64d424de5721a683adcfc472d041e5e21eb944ffff6c1781caa191f40b544533

Download Submit
\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe

Filesize
520KB

MD5
b2c4f45ba2bacbf8aacb00b363067106

SHA1
88bf4b547ebc2d9d4c67b2f5afc8fc64048a4323

SHA256
c92aa3dcff81b85bc6fcda52107d5064e506bd85f852277b1a9aac3156dedb35

SHA512
ef98da0a57b71367168c5945648451af414422cb3a84a8768846ff40afd7184a2bd8a0897fb1121c19280f2ba10e4775a86f9dc00da6a3459dbce9cf16aaa8a5

Download Submit
\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe

Filesize
520KB

MD5
6d6691b8a287f1cffd552621344b53e3

SHA1
ed2b9268d5f7009a04a93d5566f5f34c14456de7

SHA256
7f07494753aa9c635091dbd2b5411ee5ec7310cee323b8d6a1ad26a1dc73be5e

SHA512
c04b9b9c5a917b5712b881494fd7a1c6a96d59e9492cbd5a6d97375c8f0cb94eb7c29a3c5416bf783f1bb57aa3b4e0293e68d4a169ecb408816ebe638d87d791

Download Submit
\Users\Admin\AppData\Local\Temp\HDYRXPFQJHKWAXF\service.exe

Filesize
520KB

MD5
fe3397fe6149ad3ae01ed7bb030c79fa

SHA1
defea8699f4860b2cf59c2ed81281241785fdd13

SHA256
e820b7356e3849e64292ed815413ba8e12860d33d1322726936292762a7ca05e

SHA512
3ce94e7a23874e743d30e6fecd366de422208513286d6ab61e10d2f4d5e7cc1f4e32abca1fcdaad7759e118734a4648ad799486d201ac712bcff85d0d2357c44

Download Submit
\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe

Filesize
520KB

MD5
092f287dfa5bbff6087b4b4e9b692049

SHA1
d147c9e90b803c6e1dbe6685d68ed47fab8f735d

SHA256
de015577f738d212a12d52915cafa5ef2fbc3137631c488a55e5332c5fa2d786

SHA512
ec49f4d76be01d59241f88e014124e69c5bb78294d27e0b255087f26386604097c57cdf2a7862dba765cb8e55bd1a10679b1956e09f21d02974cb6141e5d05ea

Download Submit
\Users\Admin\AppData\Local\Temp\LNDVUCWMCHQHFQO\service.exe

Filesize
520KB

MD5
c3fcb7bc3682bda4b0ff8da7eb1d33d7

SHA1
2b67cc724c1ad32423301ec4cd4f78d192a5cba9

SHA256
b82a52a63145944b74f696c579834008c2d2075e9fede3ac3e1000734a231904

SHA512
036768f514fb3a6b491e6509a033acca609a6edf97c18ea3a60d4b08c52a69e90740ec4350e1193a0fde52eb460e862b09b83d8981c86c3da429f1062460d066

Download Submit
\Users\Admin\AppData\Local\Temp\LODWUDWMCHQHGQO\service.exe

Filesize
520KB

MD5
ec9d61e4234357ae2fd480691f434cea

SHA1
6cc1dc901ab4caac46e9a6f851c66ea2d5999b19

SHA256
4f25705eef79c3d76631ca3fb44c1ed3d12a1778389261d9a9f16b9507041f5b

SHA512
a7ac3369557f046b304cf940fc1da0071f6a64977226eadfa638eda9b1ba5ea6a52f64b37f020e25c73765a904bc406096705700cedd0b0eee4d1741d1c947d2

Download Submit
\Users\Admin\AppData\Local\Temp\SLEKRCDQWNVKUKG\service.exe

Filesize
520KB

MD5
9390977ca298702ca9e4e8e2e6ad1cef

SHA1
6e153bdfcf9e76a6bb75c8c4695df12119e587ce

SHA256
f6fd5fec60bfed67dcc7e1d68040c473e47d932bc526cafe964cfca1ecfdae57

SHA512
6362099aba9993812578d2c23d1c11c0715c30dcdc8417a2003596791882266ca17cc35da83c803bae6867e3a029c1ac068a9d4cbc1e8ae038c72dd0f7bd08e4

Download Submit
\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe

Filesize
520KB

MD5
a2cf50b0526e6f49965cdf567563ca2e

SHA1
00e4cb637826fd0e4f883258fd2d128eeb87a3b3

SHA256
1f1a649e065fb38990a211f9c4a41861cfd73b9390a945a61f7012feda63012e

SHA512
e3bd55e39316ab1e9959e56ccf9060f824260a2e9d102f74bf27b3f0bc637f9190b7d6e2ff211b4f1dd1897fbcfe5d701498483ac276d4bb4d6846b411ddb2a4

Download Submit
\Users\Admin\AppData\Local\Temp\VONVJIKFDKGVJQL\service.exe

Filesize
520KB

MD5
0e3a228541073d32faf9e55031654096

SHA1
0e693002fc223a7f5f128419d279cb3776c5a238

SHA256
3e656d8366ddda4eb32d8560131b2b11495c1beef859e7cc9584fe9f11a7b71f

SHA512
3ee1943a40c749e580dfc1410d6ab9de484331fed83cc01f39532576abf92f98db835adfac9899d3258a67767ef8c0b388c5135408a4a8149267c40704c53505

Download Submit
\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOYPK\service.exe

Filesize
520KB

MD5
0c55a8c222c9b78bc55dc0eb21d90b7a

SHA1
3bc4f482fc9af21acf276d1f4656892cfcbe9bea

SHA256
6c3e6bed3266f74fff36edf0069b796992c423bb5e223f7c05506293e86f0199

SHA512
846fb8ac0f0e682ae1975d6afd776d8d325a0db9bb24fbf00d2a04b1a792d0b9cff8e124dd30715498a3e571ab3663b222167b869e48cadc9cb8f07732261939

Download Submit
memory/1860-618-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1860-623-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1860-626-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1860-627-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1860-628-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1860-630-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1860-631-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1860-632-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1860-634-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1860-635-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads