fd62e3b116620bdab24a5f6a7025651875fbea969b713c74d21e22e236aa6036

Analysis

max time kernel
149s
max time network
141s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 05:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd62e3b116620bdab24a5f6a7025651875fbea969b713c74d21e22e236aa6036.exe
Size

520KB
MD5

8c9fddc17a7de922e69b989855af4cd7
SHA1

d5f9ef3823700e5d105d383ad3c65e0efb7bb45b
SHA256

fd62e3b116620bdab24a5f6a7025651875fbea969b713c74d21e22e236aa6036
SHA512

0a3f284b21939e5632a878deffb38add71bd781fc337104d052ce12add682dace8c44b2341dcedd769b1f406e88341d15a6b97cbcaf1a2a2af1923f568f41892
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXZ:zW6ncoyqOp6IsTl/mXZ

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESORUTVHLQDAPXP\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Executes dropped EXE 19 IoCs

pid	Process
2604	service.exe
2668	service.exe
2688	service.exe
2480	service.exe
3036	service.exe
580	service.exe
2268	service.exe
1116	service.exe
2156	service.exe
2700	service.exe
2524	service.exe
2848	service.exe
752	service.exe
1300	service.exe
2024	service.exe
1012	service.exe
1388	service.exe
2936	service.exe
2276	service.exe

Loads dropped DLL 37 IoCs

pid	Process
1700	fd62e3b116620bdab24a5f6a7025651875fbea969b713c74d21e22e236aa6036.exe
1700	fd62e3b116620bdab24a5f6a7025651875fbea969b713c74d21e22e236aa6036.exe
2604	service.exe
2604	service.exe
2668	service.exe
2668	service.exe
2688	service.exe
2688	service.exe
2480	service.exe
2480	service.exe
3036	service.exe
3036	service.exe
580	service.exe
580	service.exe
2268	service.exe
2268	service.exe
1116	service.exe
1116	service.exe
2156	service.exe
2156	service.exe
2700	service.exe
2700	service.exe
2524	service.exe
2524	service.exe
2848	service.exe
2848	service.exe
752	service.exe
752	service.exe
1300	service.exe
1300	service.exe
2024	service.exe
2024	service.exe
1012	service.exe
1012	service.exe
1388	service.exe
1388	service.exe
2936	service.exe

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\RDLCUMIDTMNWMNK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBXQVOEOIGJVWER\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\IEDRHUQOTGTVAQJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQKCIPYABOULTIS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\KXENXVFBMGHXQTU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQJPWHIBVACSOPL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\AUVJWHFKXYBLQXY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDWGSSTOMTPESAJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\GVUIJFDFVIQKPMX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYTCWYMRWCDAJB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\YCNLJNBEAPUNDDF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWWAXSQXTIWEMD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\LQMANYVBTXSOPCI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WONVKJKFEKGWJRA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\BMTYJHLGOCEWUDD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KDSCKTPKFAEUVSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\SGHCADYTGNINKVS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IVRUXWYKOTABHES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\CEYUPDKFJXGSYOM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESORUSVGLQDAPXP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\GVVIKFDFVJQLPAM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYUCWYMRWDDBJC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\KTQKUFVAEUVSBNT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NJXVMWPOQCGLYKS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\LAURLVGWBGVWTCO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AOKYWNXQPRDHMLT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\EPNLPDHCARWPFFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYYCUSBVKYAGOG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\XUTXKAOKIYWNMPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUJDCJSINFWNBMC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\EDOLKOCFBPVOEEG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWBYTRAYUJXFN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\CNKJNAEAOUMDDFA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVXSQXSIWEMDY\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\NOAGNOWSSHPCXBP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESORUTVHLQDAPXP\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1972	reg.exe
1932	reg.exe
1968	reg.exe
1944	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2276	service.exe
Token: SeCreateTokenPrivilege	2276	service.exe
Token: SeAssignPrimaryTokenPrivilege	2276	service.exe
Token: SeLockMemoryPrivilege	2276	service.exe
Token: SeIncreaseQuotaPrivilege	2276	service.exe
Token: SeMachineAccountPrivilege	2276	service.exe
Token: SeTcbPrivilege	2276	service.exe
Token: SeSecurityPrivilege	2276	service.exe
Token: SeTakeOwnershipPrivilege	2276	service.exe
Token: SeLoadDriverPrivilege	2276	service.exe
Token: SeSystemProfilePrivilege	2276	service.exe
Token: SeSystemtimePrivilege	2276	service.exe
Token: SeProfSingleProcessPrivilege	2276	service.exe
Token: SeIncBasePriorityPrivilege	2276	service.exe
Token: SeCreatePagefilePrivilege	2276	service.exe
Token: SeCreatePermanentPrivilege	2276	service.exe
Token: SeBackupPrivilege	2276	service.exe
Token: SeRestorePrivilege	2276	service.exe
Token: SeShutdownPrivilege	2276	service.exe
Token: SeDebugPrivilege	2276	service.exe
Token: SeAuditPrivilege	2276	service.exe
Token: SeSystemEnvironmentPrivilege	2276	service.exe
Token: SeChangeNotifyPrivilege	2276	service.exe
Token: SeRemoteShutdownPrivilege	2276	service.exe
Token: SeUndockPrivilege	2276	service.exe
Token: SeSyncAgentPrivilege	2276	service.exe
Token: SeEnableDelegationPrivilege	2276	service.exe
Token: SeManageVolumePrivilege	2276	service.exe
Token: SeImpersonatePrivilege	2276	service.exe
Token: SeCreateGlobalPrivilege	2276	service.exe
Token: 31	2276	service.exe
Token: 32	2276	service.exe
Token: 33	2276	service.exe
Token: 34	2276	service.exe
Token: 35	2276	service.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
1700	fd62e3b116620bdab24a5f6a7025651875fbea969b713c74d21e22e236aa6036.exe
2604	service.exe
2668	service.exe
2688	service.exe
2480	service.exe
3036	service.exe
580	service.exe
2268	service.exe
1116	service.exe
2156	service.exe
2700	service.exe
2524	service.exe
2848	service.exe
752	service.exe
1300	service.exe
2024	service.exe
1012	service.exe
1388	service.exe
2936	service.exe
2276	service.exe
2276	service.exe
2276	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2252	1700	fd62e3b116620bdab24a5f6a7025651875fbea969b713c74d21e22e236aa6036.exe	28
PID 1700 wrote to memory of 2252	1700	fd62e3b116620bdab24a5f6a7025651875fbea969b713c74d21e22e236aa6036.exe	28
PID 1700 wrote to memory of 2252	1700	fd62e3b116620bdab24a5f6a7025651875fbea969b713c74d21e22e236aa6036.exe	28
PID 1700 wrote to memory of 2252	1700	fd62e3b116620bdab24a5f6a7025651875fbea969b713c74d21e22e236aa6036.exe	28
PID 2252 wrote to memory of 2588	2252	cmd.exe	30
PID 2252 wrote to memory of 2588	2252	cmd.exe	30
PID 2252 wrote to memory of 2588	2252	cmd.exe	30
PID 2252 wrote to memory of 2588	2252	cmd.exe	30
PID 1700 wrote to memory of 2604	1700	fd62e3b116620bdab24a5f6a7025651875fbea969b713c74d21e22e236aa6036.exe	31
PID 1700 wrote to memory of 2604	1700	fd62e3b116620bdab24a5f6a7025651875fbea969b713c74d21e22e236aa6036.exe	31
PID 1700 wrote to memory of 2604	1700	fd62e3b116620bdab24a5f6a7025651875fbea969b713c74d21e22e236aa6036.exe	31
PID 1700 wrote to memory of 2604	1700	fd62e3b116620bdab24a5f6a7025651875fbea969b713c74d21e22e236aa6036.exe	31
PID 2604 wrote to memory of 2672	2604	service.exe	32
PID 2604 wrote to memory of 2672	2604	service.exe	32
PID 2604 wrote to memory of 2672	2604	service.exe	32
PID 2604 wrote to memory of 2672	2604	service.exe	32
PID 2672 wrote to memory of 2220	2672	cmd.exe	34
PID 2672 wrote to memory of 2220	2672	cmd.exe	34
PID 2672 wrote to memory of 2220	2672	cmd.exe	34
PID 2672 wrote to memory of 2220	2672	cmd.exe	34
PID 2604 wrote to memory of 2668	2604	service.exe	35
PID 2604 wrote to memory of 2668	2604	service.exe	35
PID 2604 wrote to memory of 2668	2604	service.exe	35
PID 2604 wrote to memory of 2668	2604	service.exe	35
PID 2668 wrote to memory of 2100	2668	service.exe	36
PID 2668 wrote to memory of 2100	2668	service.exe	36
PID 2668 wrote to memory of 2100	2668	service.exe	36
PID 2668 wrote to memory of 2100	2668	service.exe	36
PID 2100 wrote to memory of 2764	2100	cmd.exe	38
PID 2100 wrote to memory of 2764	2100	cmd.exe	38
PID 2100 wrote to memory of 2764	2100	cmd.exe	38
PID 2100 wrote to memory of 2764	2100	cmd.exe	38
PID 2668 wrote to memory of 2688	2668	service.exe	39
PID 2668 wrote to memory of 2688	2668	service.exe	39
PID 2668 wrote to memory of 2688	2668	service.exe	39
PID 2668 wrote to memory of 2688	2668	service.exe	39
PID 2688 wrote to memory of 3000	2688	service.exe	40
PID 2688 wrote to memory of 3000	2688	service.exe	40
PID 2688 wrote to memory of 3000	2688	service.exe	40
PID 2688 wrote to memory of 3000	2688	service.exe	40
PID 3000 wrote to memory of 1952	3000	cmd.exe	42
PID 3000 wrote to memory of 1952	3000	cmd.exe	42
PID 3000 wrote to memory of 1952	3000	cmd.exe	42
PID 3000 wrote to memory of 1952	3000	cmd.exe	42
PID 2688 wrote to memory of 2480	2688	service.exe	43
PID 2688 wrote to memory of 2480	2688	service.exe	43
PID 2688 wrote to memory of 2480	2688	service.exe	43
PID 2688 wrote to memory of 2480	2688	service.exe	43
PID 2480 wrote to memory of 292	2480	service.exe	44
PID 2480 wrote to memory of 292	2480	service.exe	44
PID 2480 wrote to memory of 292	2480	service.exe	44
PID 2480 wrote to memory of 292	2480	service.exe	44
PID 292 wrote to memory of 1428	292	cmd.exe	46
PID 292 wrote to memory of 1428	292	cmd.exe	46
PID 292 wrote to memory of 1428	292	cmd.exe	46
PID 292 wrote to memory of 1428	292	cmd.exe	46
PID 2480 wrote to memory of 3036	2480	service.exe	47
PID 2480 wrote to memory of 3036	2480	service.exe	47
PID 2480 wrote to memory of 3036	2480	service.exe	47
PID 2480 wrote to memory of 3036	2480	service.exe	47
PID 3036 wrote to memory of 2676	3036	service.exe	48
PID 3036 wrote to memory of 2676	3036	service.exe	48
PID 3036 wrote to memory of 2676	3036	service.exe	48
PID 3036 wrote to memory of 2676	3036	service.exe	48

C:\Users\Admin\AppData\Local\Temp\fd62e3b116620bdab24a5f6a7025651875fbea969b713c74d21e22e236aa6036.exe
"C:\Users\Admin\AppData\Local\Temp\fd62e3b116620bdab24a5f6a7025651875fbea969b713c74d21e22e236aa6036.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempMNXTA.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDRHUQOTGTVAQJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQKCIPYABOULTIS\service.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2588
- C:\Users\Admin\AppData\Local\Temp\XQKCIPYABOULTIS\service.exe
  "C:\Users\Admin\AppData\Local\Temp\XQKCIPYABOULTIS\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempGHEMF.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KXENXVFBMGHXQTU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSOPL\service.exe" /f
      4⤵
      Adds Run key to start application
      PID:2220
- - C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSOPL\service.exe
    "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSOPL\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempXUASW.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GVVIKFDFVJQLPAM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWDDBJC\service.exe" /f
        5⤵
        Adds Run key to start application
        
        PID:2764
  - - C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWDDBJC\service.exe
      "C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWDDBJC\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPPYAT.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3000
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQMANYVBTXSOPCI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:1952
    - - C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2480
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXMIQH.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:292
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BMTYJHLGOCEWUDD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe" /f
        7⤵
        Adds Run key to start application
        
        PID:1428
      - C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQUPWL.bat" "
        7⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SGHCADYTGNINKVS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe" /f
        8⤵
        Adds Run key to start application
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJBDRN.bat" "
        8⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AUVJWHFKXYBLQXY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAJ\service.exe" /f
        9⤵
        Adds Run key to start application
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAJ\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempYJHLG.bat" "
        9⤵
        
        PID:604
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KTQKUFVAEUVSBNT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NJXVMWPOQCGLYKS\service.exe" /f
        10⤵
        Adds Run key to start application
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\NJXVMWPOQCGLYKS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NJXVMWPOQCGLYKS\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempULIMH.bat" "
        10⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LAURLVGWBGVWTCO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMLT\service.exe" /f
        11⤵
        Adds Run key to start application
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMLT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMLT\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUASWR.bat" "
        11⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GVUIJFDFVIQKPMX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe" /f
        12⤵
        Adds Run key to start application
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDGHQM.bat" "
        12⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XUTXKAOKIYWNMPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe" /f
        13⤵
        Adds Run key to start application
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempBIWDR.bat" "
        13⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EDOLKOCFBPVOEEG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWBYTRAYUJXFN\service.exe" /f
        14⤵
        Adds Run key to start application
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\ILXWBYTRAYUJXFN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXWBYTRAYUJXFN\service.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCJXFT.bat" "
        14⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EPNLPDHCARWPFFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOG\service.exe" /f
        15⤵
        Adds Run key to start application
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOG\service.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempAHVDQ.bat" "
        15⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCNLJNBEAPUNDDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEMD\service.exe" /f
        16⤵
        Adds Run key to start application
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEMD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEMD\service.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQLTHI.bat" "
        16⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CEYUPDKFJXGSYOM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESORUSVGLQDAPXP\service.exe" /f
        17⤵
        Adds Run key to start application
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\ESORUSVGLQDAPXP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ESORUSVGLQDAPXP\service.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "
        17⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNKJNAEAOUMDDFA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe" /f
        18⤵
        Adds Run key to start application
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempTFLQC.bat" "
        18⤵
        
        PID:580
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLCUMIDTMNWMNK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe" /f
        19⤵
        Adds Run key to start application
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempSTMFL.bat" "
        19⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOAGNOWSSHPCXBP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe" /f
        20⤵
        Adds Run key to start application
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        21⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        22⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe:*:Enabled:Windows Messanger" /f
        21⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe:*:Enabled:Windows Messanger" /f
        22⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        21⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        22⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        21⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        22⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempAHVDQ.bat

Filesize
163B

MD5
3e90970df67721a1ab6c1de072aed8f4

SHA1
5281c3fe45e13e8c803463bd960d78a1c3fb9a91

SHA256
3080fa10e98cfb25be34ea00c30106314c83ef301e2f7427a5678d6f0171f3ea

SHA512
bd817c6acffe7a8ba380530e9d09a035c9c42c78b6afd51079548dd76f6c4f834a948150e4043c8b1b1fa825168b4c638b3f52de3deab191ab6ad4ba6e2f931a

Download Submit
C:\Users\Admin\AppData\Local\TempBIWDR.bat

Filesize
163B

MD5
07bdcc8f46797f3abf73a8a329437fc1

SHA1
ca4c65dd543c0f6c8e5c96a5582949865e01d368

SHA256
d9a2385369660d031efcddbc26c701e0681299544687b01ad8989c1e427b273f

SHA512
96fbf3d9762704250b922fa3b942cba41a8404c117060d66b726317428841f16088d018c3d3b4386dc2ba5a56df59114ba3369daadd7bbec82ef5397d85a6a04

Download Submit
C:\Users\Admin\AppData\Local\TempCJXFT.bat

Filesize
163B

MD5
2f95f2a96658de6587b87e60c3a5cbe2

SHA1
adc5aba721622c629fd84f0c493bb2afdb9c58fd

SHA256
0bc51d72d47501bf212eee4c04d487fc7db5efadf1a2373ca5907c833b3633d8

SHA512
2fb9e6872702aa9ce979dbd5596796b6df4b24ece974ffe1a766b238cfe71a9ba2927806fe71ecbbe52e14797bdd3d5cc69b95d2f04e41b43ebc4907b7cee188

Download Submit
C:\Users\Admin\AppData\Local\TempDGHQM.bat

Filesize
163B

MD5
c1e9cc859b16b9aaf13c7abbc8695e56

SHA1
fb49c82be270cefd43f9154a833d9f1fd2b811dd

SHA256
fd1db65b4c055373a0a760d16e5e68b96b8d83802200465c0c07a43eb6050027

SHA512
dd2803c4bb852df4f419bfd558036ab6503de0b5883719540b71b7d134fd9eae0e1d3fd61add84ae9203c08af3f3483d18e23c122af0f408e5382b0b831d2114

Download Submit
C:\Users\Admin\AppData\Local\TempGHEMF.bat

Filesize
163B

MD5
6ad2fdb2cb2e9751b3f87623415b2c1e

SHA1
f60a9be5ca20760142ceca80d23379bc1c3e8c85

SHA256
c1049faa10744eca932c04804ba0f59b3947559d457cfedf98e6287e22d422fe

SHA512
a8326d6801d375b30e6e4080e3b3c1be4ef7bfa8833f7c1d0feef6f5495fa5038ed22e44096191431709909109ef7b8f6c93c87f9ae8bea2a6e9365bb164bb56

Download Submit
C:\Users\Admin\AppData\Local\TempGUCQP.bat

Filesize
163B

MD5
9d8c823aa9d6fc3f009d667a0b5c2aeb

SHA1
9cc26bc83d1c543b737c4880b73e40a6ed254bce

SHA256
980325fa121f72202cbd9a4e320dd85478d002b45842c3b39d504bf7b72d9ca4

SHA512
66b0ec285297046e694cc6889ad4402bbe9d18677b40a25dcec92f363dc1f6ad46bd49033204d1a182f69d2cc8d12120e7bcc02c1c394da8a56a932082b54c42

Download Submit
C:\Users\Admin\AppData\Local\TempJBDRN.bat

Filesize
163B

MD5
557fa2fa33afb66eda036be8498d62be

SHA1
1e6934f06628a91bb0caeb02bc9b0cba7ce4af9d

SHA256
cd08c2a2d004338565de275b26fd31f88ea7f07816add82a687b100d21ca1d46

SHA512
86200222cff4bd3d75e4ed305ef9fcfcb7447d66524ca2d8429fabe3815a15c3040cc20453eee80534e90de9ff78225b744cb74ca9a15005f5cb854778f7a56c

Download Submit
C:\Users\Admin\AppData\Local\TempMNXTA.bat

Filesize
163B

MD5
159aa4c58ede32a6dda4cece697de79e

SHA1
873647ae2df9262f00ff5a5c9da39e95a3ea6aa6

SHA256
fa05ea8dbad49aa75115748d1691aa255a35928e4f3eb23fb351cc4fc2799a35

SHA512
67a1062ff6c26552c05eefb41745fec7372bfa4d633205c74eb578fcee212b6b12ae425f3b89e5bf60b7569189a5deff74a680528ca47fbd1336942442d7d3d9

Download Submit
C:\Users\Admin\AppData\Local\TempPPYAT.bat

Filesize
163B

MD5
cc9c1ada7fdaed2a52818e157e3ca8fd

SHA1
e6ea5f02eff96b7692c6f518f009309955d7f301

SHA256
289234e410e83bacbaa477af94ce1c1432c34558b17c6a5287f5dd07e65f26a8

SHA512
0a697f07b9c0c4157564d2b3bf1b8454c1cd85d0fed9eba5c4f790aeb029664617eb4a0ae80c7894a779b13d1eff84e3b1e91bbb93689cf990fd286a3f5026d1

Download Submit
C:\Users\Admin\AppData\Local\TempQLTHI.bat

Filesize
163B

MD5
6e85fbc144897c7616d0669158d00370

SHA1
b30f3301126b79f535072fa8290fb5cfbc231d7d

SHA256
b98c2e9dbf9c3dc40042e14c547b672a32ce6a8c7426623945a770bb96f723bf

SHA512
e2c039c4f2c95a6910767685894b57928877ec125198169c43852af2f4977effe71fb94b11b739a1c476e2a5ea5964bde77a1954d7dbcffc2b42200e74061d29

Download Submit
C:\Users\Admin\AppData\Local\TempQUPWL.bat

Filesize
163B

MD5
608ee5680b0efcb54ce68f13e4dbdded

SHA1
b24ea2e1dfad3981363d6d947177f7e55dca9b68

SHA256
79d6ccd2d33cd27984aab983eb4662d762eda7dde6eedd63993237506a6f7b92

SHA512
85d1d40793b775e5356250fe38dfceadae45fec7b53151903d7009507cb0c39c3026f4071f1c9bcbf6a3bbc246af2e6998cf539aa9f091ba4b25cfc8459e8fac

Download Submit
C:\Users\Admin\AppData\Local\TempSTMFL.bat

Filesize
163B

MD5
e17cbc6fef4aa34c3552650655d444cf

SHA1
d95d6f8b2d50e03e12bdbfac1612a1129df8cd89

SHA256
221d5f22483cb31868eed3493edd23017367e304e50cf2aa86296e6b1ef5abbf

SHA512
c14a8542e60c813741e8dbd82d906d938832cd6afe204ef86cbadf6562b9f270ce2407b2da0041924d954b813bfa374a636f658f696d709adc20d54283aac1bd

Download Submit
C:\Users\Admin\AppData\Local\TempTFLQC.bat

Filesize
163B

MD5
2a203fa95c511f4fb3b42526e9c38269

SHA1
08fdb577504ba55a11d89dbda642ec864b792b51

SHA256
ce994fc8d684e32a48593a350bc056e2fbbf2c0e593deda1d1438c90ec5b6301

SHA512
c5653976a7f3a4fb082a74d55391fefed64defef20c1cd347a634b46aedfce988eb04a181dd9e99774fdce526bc43df3e3f8c5d2802ab5eb57b3a1d6a197b486

Download Submit
C:\Users\Admin\AppData\Local\TempUASWR.bat

Filesize
163B

MD5
61101519a3da1228d0e0498cf23f87f5

SHA1
23984750bbaf6fceb0c0fbeb529e99639b05e8be

SHA256
9c159a7dda38e907392f7f5f8eca5e53c87da914822ec84ede5bea5c8c8d37ac

SHA512
26ba91b2024c784543aa8b1d4ee53960426804d7e818bc01b7ee35966601d6d5cf9a520ab631fe0f86285f4ad5cfcf7796a81db944e4f89b6842e4da25103a71

Download Submit
C:\Users\Admin\AppData\Local\TempULIMH.bat

Filesize
163B

MD5
7ab5146c52055f85a6a89ba0929eedc9

SHA1
ae5794372820c6932d32bc226443508d161121aa

SHA256
740a38e4c0e4b82bde7158077331718c3c529739351cb488b9130342d02927a1

SHA512
028fa5bb8728f7409bb8e22d4fc9e256a530d037fb99498ab4ab9c9d132e9c98ccbb0bb5ce7a48cc0fd388b8a736390895369fd0bc01618e206069805883007a

Download Submit
C:\Users\Admin\AppData\Local\TempXMIQH.bat

Filesize
163B

MD5
2411329a3522e7df359ee508ed51f38d

SHA1
5f977e7df7906a596b90105419e4c24e4fd479f1

SHA256
873f09964ef06d0735a53400a86840e62ffdcde5ea5d1cf7a71295eb20c29efa

SHA512
14856cf19d599913f660b8697869ac0a9ee502bfee20559fd5abeef198b9ba8eaada8b7cec6e53cb61fccef36893beaa762d055058e743da788863b498bbb190

Download Submit
C:\Users\Admin\AppData\Local\TempXUASW.bat

Filesize
163B

MD5
bdfbabb59da0c0f082b0abf34064587c

SHA1
4104a8557989294df10373b2c3699fd637fdf8ec

SHA256
850057eaa2d3c9b3688724ec94aa0e25935859e7772f7eac85ba0e74b6d1c67b

SHA512
6f9bc0f40abdcb17deb72d58739e785f140fcf39bd443b510c685bc04fdb30986d17ec3584d81f66110ddd7125379442131d802677088a825ef63cf2beb05527

Download Submit
C:\Users\Admin\AppData\Local\TempYJHLG.bat

Filesize
163B

MD5
0523126af7c1d073076b08cc8d4ca412

SHA1
d2ffc62ea5d14aa706f5928645ec5eb3d6e7f075

SHA256
8566a088582aa346e0e898a0484244794a84ae239f56f07ca1601d7c91971649

SHA512
9f8e6c0564f8780c51f38e4b39fd0e96fec7b9b42e2863adfcf1041f8fb9304ba47ae796ab63eeab7466997cb1793ebcef4c059615f1b53b9ec8a2f7a48d5a3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe

Filesize
520KB

MD5
250df0bc015a656d141de9a156984fa6

SHA1
7cda142e6e949e3e6d806d7e1c0d52442cccfae5

SHA256
1c33d2433de8964a0ed86a1b1a787cbb6a390e5e50cb54a3d002628435c73fee

SHA512
02bdba1eb9908697bdfabfff1d5013b1d8f21ae76e32587e6887a2468b3c00d14f35cb7abd9039a7226727851a238caf111f5a91fe7574523b751296ba234771

Download Submit
C:\Users\Admin\AppData\Local\Temp\NJXVMWPOQCGLYKS\service.exe

Filesize
520KB

MD5
22f5849474623fff73827a7ed3fde078

SHA1
54f4e51de426cddfa433f6d37c3f914b19c57697

SHA256
935c13edd9a4ab564b6893ade258ac3193065d0469ec271ecf10f55c2f72e8c7

SHA512
66d990aa86f78c6a764441eb189adfa68e7d4fd4a36dca31e366dd377aae91186c2aa89a647cfdc1a6bc0d6feebcc68796d0be89b39a850d7107a1d8d8514fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe

Filesize
520KB

MD5
d8999dba440838157922769ebad533b2

SHA1
1db3edf6b5436b02700bcc2a7b8cf9e2956af615

SHA256
9979e842baa3197cc04f9bcb0424a253a62cfbfc80c56a3686cba8249ddf97c3

SHA512
e81c682c7b9a3368fa1d9f87be9450923683e870da49a62bcc638613d11b701d92302ee1c17028b5971534199f3ee076f7234fe80163d3a6a179dddded0525e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe

Filesize
520KB

MD5
ba65f10452555ec6b94b46454d7d942c

SHA1
ff7c05d605271903f73ee881d5730dc53cdc49ff

SHA256
98ec59445b1b34179a190273096006680124351ebe7caae4c5f7d513a3c47be3

SHA512
d550c9e00c56a5a83649951eae86fd0c29861a51a6edce682a97a9f590f56fe4c4b21de4ba1c6f6aa66b8144ee1650cd36846a76da8e29a07b4931446bbfbff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XQKCIPYABOULTIS\service.exe

Filesize
520KB

MD5
d7f33e11a11cbf8ccf6d5018e009a24e

SHA1
19c2a361bf04737ac10d33649e3a714d38b998af

SHA256
9003e10e66592545b19c0bbce08e53f9127d04fa6013b14d947051d490c70190

SHA512
547901387b2fea7521ceb8587fc786c11a4b2190a9841a201ce014c42dc2d10f762162a63db61229c2280276434aff4b0a6ebcc40d22bd8836e3b18d9a79f932

Download Submit
\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMLT\service.exe

Filesize
520KB

MD5
cba4b027d60920e05b53a10b2d3ec588

SHA1
f075cbaa9026cb378beff497ac8617271fb69d6e

SHA256
fdd9eb5d3e27bbfb368fc22c916f22f2817c01f80564e5b5d89691c1984ecbd1

SHA512
d499c048d1d778d16196cf836ee6e1c346f282ab974af68d0ed0d5ab0c08b4fc291d4687a466881fadfa418df9c8ff7be5ccfcbd35b5aa4a60d75784a2420d19

Download Submit
\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe

Filesize
520KB

MD5
230f158868d5dc6518b4e3bdf5606971

SHA1
6d77b3bea7f9d4520b30fd62aa46ffc78dd16485

SHA256
e372a0c9f374d5d9c81bb07f3d8ffb3a35575f0814dcf192bd74c730683c253e

SHA512
20d69746857351a2acf7b9767fff9b8ffaa76dd030b969aac34549219bf90dc73c588db1b181bab92f45af6cb4a4d52db1475feca9df327e2ac56c28c79598bc

Download Submit
\Users\Admin\AppData\Local\Temp\BKYUCWYMRWDDBJC\service.exe

Filesize
520KB

MD5
94092179fb1d1903e763cac5aaf14d31

SHA1
33ee09af03409a18fab2d362d5ff4a48772daff1

SHA256
7af120775c91a050cca541c8798e149f8c09dc605b4997d8e0441e559face767

SHA512
2d7bfb1f3b099a4366e4d1f38e7e8ba2e41b6a50f66d441e9127634d7961dcd98227fb27907f0a05e9db653ad190798263091cf567ce485d4ff29af6e80d9b76

Download Submit
\Users\Admin\AppData\Local\Temp\ILXWBYTRAYUJXFN\service.exe

Filesize
520KB

MD5
0122b56e2e0fcd39e6af6136ab52668f

SHA1
b446bf651cb4f9da93d06d4598928855daeb0630

SHA256
b74bfe22ee162fbc506e469e39e28fac00486497dff4ccf95e239b33fff76fd4

SHA512
8c68f252f571ef0216531bcea6d7c2d76b82a3dd44c042b52d2bb53aec2383acf5581af84508b6291347627450d6036d25d8ad60a3e5a3d5123238e11757f25f

Download Submit
\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe

Filesize
520KB

MD5
689bc66afdbc88d7b65420a5b6fbc01b

SHA1
8b1344466690b4c1e029273a7d029d87d5eb7e6f

SHA256
002cd0d8c0aa3d530fbd3cf9b3ad87048262d7f6184c9065f6de8affc32dc20a

SHA512
c081033b607cf3109cc149cad847076394f88988f1b0ddf2817bfcd698b9af76c04202d5d4b4d359d3a65fa771fb9c1986ebec66af170062870df0c4316ad05c

Download Submit
\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOG\service.exe

Filesize
520KB

MD5
0f39dea7ae5eb2c475e2e4da44d17503

SHA1
375822d1362e8414505b4c3848f82e7a7e7d1f61

SHA256
3969035847ddde85e1b7215cc3ba4a72d7487f1ccc860cd2744a7b82ff6fb894

SHA512
09446217fb845c8d0927324285d8539af9bfe10218231056b17517d7816f19bd56e817960de22556555a7739776189dae25ac4a39e39de4f10a408294f4e5b3b

Download Submit
\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSOPL\service.exe

Filesize
520KB

MD5
b8d8c67d66ac64519bf53081c8d40736

SHA1
faa83e8b3d95d3513218ee78a044e57183d6919e

SHA256
94a4d490bf126909e6bcd55d30e0630ca2b7777d4eb6ab6c281a8697c2f34ff7

SHA512
5db38f546ccdc1858350df57e4a89a2ad308bebafe4337112522bd2ea8931d3660394ecae1051932357c8efdf760c20a030b828d5012d868b6913c999f61ebe3

Download Submit
\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAJ\service.exe

Filesize
520KB

MD5
6e86c98d338539cc5e9df9166590c962

SHA1
1bacdd8db92c7e1e458b0715a76dfa2985e1cc38

SHA256
632881d9a66cc0cedc9c116634cc51d82bff52cc3b3c3147a933492a64aeca74

SHA512
e01211dc07a2bf263ffbb5e348c78c508bddee08ba735a954c99851ff1e9ba0ac115ae990d4189433cd0b0af2c3d821e52b759a0e2ddbd1b485ab335ab3f0e4d

Download Submit
memory/1944-503-0x00000000774A0000-0x000000007759A000-memory.dmp

Filesize
1000KB

Download
memory/1944-502-0x0000000077380000-0x000000007749F000-memory.dmp

Filesize
1.1MB

Download
memory/2276-509-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2276-505-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2276-508-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2276-498-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2276-510-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2276-512-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2276-513-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2276-514-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2276-516-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2276-517-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2276-518-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2276-520-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads