a27f124079e01e21cbfcb1e629b578e9911bf2f4c740e014943e8b3be0085ed9

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7669d1b70e1cf454973ee3900ab86ae0_NeikiAnalytics.exe
Size

232KB
MD5

7669d1b70e1cf454973ee3900ab86ae0
SHA1

8ae969470bb90d7b5985fbd12a69090d589e710c
SHA256

a27f124079e01e21cbfcb1e629b578e9911bf2f4c740e014943e8b3be0085ed9
SHA512

2a28af7537e37388e64db35f04398ec5dc9f52a4ef8eb93ce19d122fd36ba5bd8911f7bac32222539b7b9b7777fd716b94a504c6d032998d5489252699ffe98d
SSDEEP

3072:GavK2KH6iehCjG8G3GbGVGBGfGuGxGWYcrf6Kadk:GaC2u4AYcD6Kad

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 51 IoCs

pid	Process
1960	vrpos.exe
2632	bauuyo.exe
2360	geaniy.exe
592	daiixe.exe
2588	yoelaa.exe
1840	geabo.exe
764	mauuje.exe
3048	fqluem.exe
1064	zeaanog.exe
1328	yujeq.exe
908	mioruw.exe
1764	feodi.exe
1516	daiicen.exe
2608	daiicen.exe
2964	zmjeg.exe
2388	jauug.exe
2232	feaqii.exe
2848	daiice.exe
2744	ydnoj.exe
2724	loisee.exe
1156	lauuje.exe
3008	vaooqi.exe
588	cgqod.exe
1836	foqiy.exe
1620	soayeg.exe
1952	zeanos.exe
2780	taeeji.exe
1984	xbvair.exe
2864	qolef.exe
2292	miaguu.exe
1960	brjug.exe
2500	xusap.exe
548	buafos.exe
2984	xusip.exe
2712	nauuye.exe
2764	qoemaav.exe
804	cmweov.exe
2068	xeuus.exe
844	bauuyo.exe
1724	roemuus.exe
1480	loiikux.exe
1124	nzqif.exe
2164	diafuv.exe
832	ceuur.exe
2780	jiafuw.exe
2896	qoiizur.exe
2680	kiejuuh.exe
1824	miagoo.exe
2684	geavot.exe
2660	lieju.exe
2696	chxoim.exe

Loads dropped DLL 64 IoCs

pid	Process
2892	7669d1b70e1cf454973ee3900ab86ae0_NeikiAnalytics.exe
2892	7669d1b70e1cf454973ee3900ab86ae0_NeikiAnalytics.exe
1960	vrpos.exe
1960	vrpos.exe
2632	bauuyo.exe
2632	bauuyo.exe
2360	geaniy.exe
2360	geaniy.exe
592	daiixe.exe
592	daiixe.exe
2588	yoelaa.exe
2588	yoelaa.exe
1840	geabo.exe
1840	geabo.exe
764	mauuje.exe
764	mauuje.exe
3048	fqluem.exe
3048	fqluem.exe
1064	zeaanog.exe
1064	zeaanog.exe
1328	yujeq.exe
1328	yujeq.exe
908	mioruw.exe
908	mioruw.exe
1764	feodi.exe
1764	feodi.exe
2608	daiicen.exe
2608	daiicen.exe
2964	zmjeg.exe
2964	zmjeg.exe
2388	jauug.exe
2388	jauug.exe
2232	feaqii.exe
2232	feaqii.exe
2848	daiice.exe
2848	daiice.exe
2744	ydnoj.exe
2744	ydnoj.exe
2724	loisee.exe
2724	loisee.exe
1156	lauuje.exe
1156	lauuje.exe
3008	vaooqi.exe
3008	vaooqi.exe
588	cgqod.exe
588	cgqod.exe
1836	foqiy.exe
1836	foqiy.exe
1620	soayeg.exe
1620	soayeg.exe
1952	zeanos.exe
1952	zeanos.exe
2780	taeeji.exe
2780	taeeji.exe
1984	xbvair.exe
1984	xbvair.exe
2864	qolef.exe
2864	qolef.exe
2292	miaguu.exe
2292	miaguu.exe
1960	brjug.exe
1960	brjug.exe
2500	xusap.exe
2500	xusap.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
2892	7669d1b70e1cf454973ee3900ab86ae0_NeikiAnalytics.exe
1960	vrpos.exe
2632	bauuyo.exe
2360	geaniy.exe
592	daiixe.exe
2588	yoelaa.exe
1840	geabo.exe
764	mauuje.exe
3048	fqluem.exe
1064	zeaanog.exe
1328	yujeq.exe
908	mioruw.exe
1764	feodi.exe
1516	daiicen.exe
2608	daiicen.exe
2964	zmjeg.exe
2388	jauug.exe
2232	feaqii.exe
2848	daiice.exe
2744	ydnoj.exe
2724	loisee.exe
1156	lauuje.exe
3008	vaooqi.exe
588	cgqod.exe
1836	foqiy.exe
1620	soayeg.exe
1952	zeanos.exe
2780	taeeji.exe
1984	xbvair.exe
2864	qolef.exe
2292	miaguu.exe
1960	brjug.exe
2500	xusap.exe
548	buafos.exe
2984	xusip.exe
2712	nauuye.exe
2764	qoemaav.exe
804	cmweov.exe
2068	xeuus.exe
844	bauuyo.exe
1724	roemuus.exe
1480	loiikux.exe
1124	nzqif.exe
2164	diafuv.exe
832	ceuur.exe
2780	jiafuw.exe
2896	qoiizur.exe
2680	kiejuuh.exe
1824	miagoo.exe
2684	geavot.exe
2660	lieju.exe
2696	chxoim.exe

Suspicious use of SetWindowsHookEx 52 IoCs

pid	Process
2892	7669d1b70e1cf454973ee3900ab86ae0_NeikiAnalytics.exe
1960	vrpos.exe
2632	bauuyo.exe
2360	geaniy.exe
592	daiixe.exe
2588	yoelaa.exe
1840	geabo.exe
764	mauuje.exe
3048	fqluem.exe
1064	zeaanog.exe
1328	yujeq.exe
908	mioruw.exe
1764	feodi.exe
1516	daiicen.exe
2608	daiicen.exe
2964	zmjeg.exe
2388	jauug.exe
2232	feaqii.exe
2848	daiice.exe
2744	ydnoj.exe
2724	loisee.exe
1156	lauuje.exe
3008	vaooqi.exe
588	cgqod.exe
1836	foqiy.exe
1620	soayeg.exe
1952	zeanos.exe
2780	taeeji.exe
1984	xbvair.exe
2864	qolef.exe
2292	miaguu.exe
1960	brjug.exe
2500	xusap.exe
548	buafos.exe
2984	xusip.exe
2712	nauuye.exe
2764	qoemaav.exe
804	cmweov.exe
2068	xeuus.exe
844	bauuyo.exe
1724	roemuus.exe
1480	loiikux.exe
1124	nzqif.exe
2164	diafuv.exe
832	ceuur.exe
2780	jiafuw.exe
2896	qoiizur.exe
2680	kiejuuh.exe
1824	miagoo.exe
2684	geavot.exe
2660	lieju.exe
2696	chxoim.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 1960	2892	7669d1b70e1cf454973ee3900ab86ae0_NeikiAnalytics.exe	28
PID 2892 wrote to memory of 1960	2892	7669d1b70e1cf454973ee3900ab86ae0_NeikiAnalytics.exe	28
PID 2892 wrote to memory of 1960	2892	7669d1b70e1cf454973ee3900ab86ae0_NeikiAnalytics.exe	28
PID 2892 wrote to memory of 1960	2892	7669d1b70e1cf454973ee3900ab86ae0_NeikiAnalytics.exe	28
PID 1960 wrote to memory of 2632	1960	vrpos.exe	29
PID 1960 wrote to memory of 2632	1960	vrpos.exe	29
PID 1960 wrote to memory of 2632	1960	vrpos.exe	29
PID 1960 wrote to memory of 2632	1960	vrpos.exe	29
PID 2632 wrote to memory of 2360	2632	bauuyo.exe	30
PID 2632 wrote to memory of 2360	2632	bauuyo.exe	30
PID 2632 wrote to memory of 2360	2632	bauuyo.exe	30
PID 2632 wrote to memory of 2360	2632	bauuyo.exe	30
PID 2360 wrote to memory of 592	2360	geaniy.exe	31
PID 2360 wrote to memory of 592	2360	geaniy.exe	31
PID 2360 wrote to memory of 592	2360	geaniy.exe	31
PID 2360 wrote to memory of 592	2360	geaniy.exe	31
PID 592 wrote to memory of 2588	592	daiixe.exe	32
PID 592 wrote to memory of 2588	592	daiixe.exe	32
PID 592 wrote to memory of 2588	592	daiixe.exe	32
PID 592 wrote to memory of 2588	592	daiixe.exe	32
PID 2588 wrote to memory of 1840	2588	yoelaa.exe	33
PID 2588 wrote to memory of 1840	2588	yoelaa.exe	33
PID 2588 wrote to memory of 1840	2588	yoelaa.exe	33
PID 2588 wrote to memory of 1840	2588	yoelaa.exe	33
PID 1840 wrote to memory of 764	1840	geabo.exe	36
PID 1840 wrote to memory of 764	1840	geabo.exe	36
PID 1840 wrote to memory of 764	1840	geabo.exe	36
PID 1840 wrote to memory of 764	1840	geabo.exe	36
PID 764 wrote to memory of 3048	764	mauuje.exe	37
PID 764 wrote to memory of 3048	764	mauuje.exe	37
PID 764 wrote to memory of 3048	764	mauuje.exe	37
PID 764 wrote to memory of 3048	764	mauuje.exe	37
PID 3048 wrote to memory of 1064	3048	fqluem.exe	38
PID 3048 wrote to memory of 1064	3048	fqluem.exe	38
PID 3048 wrote to memory of 1064	3048	fqluem.exe	38
PID 3048 wrote to memory of 1064	3048	fqluem.exe	38
PID 1064 wrote to memory of 1328	1064	zeaanog.exe	39
PID 1064 wrote to memory of 1328	1064	zeaanog.exe	39
PID 1064 wrote to memory of 1328	1064	zeaanog.exe	39
PID 1064 wrote to memory of 1328	1064	zeaanog.exe	39
PID 1328 wrote to memory of 908	1328	yujeq.exe	40
PID 1328 wrote to memory of 908	1328	yujeq.exe	40
PID 1328 wrote to memory of 908	1328	yujeq.exe	40
PID 1328 wrote to memory of 908	1328	yujeq.exe	40
PID 908 wrote to memory of 1764	908	mioruw.exe	41
PID 908 wrote to memory of 1764	908	mioruw.exe	41
PID 908 wrote to memory of 1764	908	mioruw.exe	41
PID 908 wrote to memory of 1764	908	mioruw.exe	41
PID 1764 wrote to memory of 1516	1764	feodi.exe	42
PID 1764 wrote to memory of 1516	1764	feodi.exe	42
PID 1764 wrote to memory of 1516	1764	feodi.exe	42
PID 1764 wrote to memory of 1516	1764	feodi.exe	42
PID 1516 wrote to memory of 2608	1516	daiicen.exe	43
PID 1516 wrote to memory of 2608	1516	daiicen.exe	43
PID 1516 wrote to memory of 2608	1516	daiicen.exe	43
PID 1516 wrote to memory of 2608	1516	daiicen.exe	43
PID 2608 wrote to memory of 2964	2608	daiicen.exe	44
PID 2608 wrote to memory of 2964	2608	daiicen.exe	44
PID 2608 wrote to memory of 2964	2608	daiicen.exe	44
PID 2608 wrote to memory of 2964	2608	daiicen.exe	44
PID 2964 wrote to memory of 2388	2964	zmjeg.exe	45
PID 2964 wrote to memory of 2388	2964	zmjeg.exe	45
PID 2964 wrote to memory of 2388	2964	zmjeg.exe	45
PID 2964 wrote to memory of 2388	2964	zmjeg.exe	45

C:\Users\Admin\AppData\Local\Temp\7669d1b70e1cf454973ee3900ab86ae0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7669d1b70e1cf454973ee3900ab86ae0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\Admin\vrpos.exe
  "C:\Users\Admin\vrpos.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Users\Admin\bauuyo.exe
    "C:\Users\Admin\bauuyo.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Users\Admin\geaniy.exe
      "C:\Users\Admin\geaniy.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Users\Admin\daiixe.exe
        
        "C:\Users\Admin\daiixe.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:592
      - C:\Users\Admin\yoelaa.exe
        
        "C:\Users\Admin\yoelaa.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Users\Admin\geabo.exe
        
        "C:\Users\Admin\geabo.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Users\Admin\mauuje.exe
        
        "C:\Users\Admin\mauuje.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Users\Admin\fqluem.exe
        
        "C:\Users\Admin\fqluem.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Users\Admin\zeaanog.exe
        
        "C:\Users\Admin\zeaanog.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Users\Admin\yujeq.exe
        
        "C:\Users\Admin\yujeq.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Users\Admin\mioruw.exe
        
        "C:\Users\Admin\mioruw.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Users\Admin\feodi.exe
        
        "C:\Users\Admin\feodi.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Users\Admin\daiicen.exe
        
        "C:\Users\Admin\daiicen.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Users\Admin\daiicen.exe
        
        "C:\Users\Admin\daiicen.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Users\Admin\zmjeg.exe
        
        "C:\Users\Admin\zmjeg.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Users\Admin\jauug.exe
        
        "C:\Users\Admin\jauug.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2388
        
        C:\Users\Admin\feaqii.exe
        
        "C:\Users\Admin\feaqii.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2232
        
        C:\Users\Admin\daiice.exe
        
        "C:\Users\Admin\daiice.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2848
        
        C:\Users\Admin\ydnoj.exe
        
        "C:\Users\Admin\ydnoj.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2744
        
        C:\Users\Admin\loisee.exe
        
        "C:\Users\Admin\loisee.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2724
        
        C:\Users\Admin\lauuje.exe
        
        "C:\Users\Admin\lauuje.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1156
        
        C:\Users\Admin\vaooqi.exe
        
        "C:\Users\Admin\vaooqi.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3008
        
        C:\Users\Admin\cgqod.exe
        
        "C:\Users\Admin\cgqod.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:588
        
        C:\Users\Admin\foqiy.exe
        
        "C:\Users\Admin\foqiy.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1836
        
        C:\Users\Admin\soayeg.exe
        
        "C:\Users\Admin\soayeg.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1620
        
        C:\Users\Admin\zeanos.exe
        
        "C:\Users\Admin\zeanos.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1952
        
        C:\Users\Admin\taeeji.exe
        
        "C:\Users\Admin\taeeji.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2780
        
        C:\Users\Admin\xbvair.exe
        
        "C:\Users\Admin\xbvair.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1984
        
        C:\Users\Admin\qolef.exe
        
        "C:\Users\Admin\qolef.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2864
        
        C:\Users\Admin\miaguu.exe
        
        "C:\Users\Admin\miaguu.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2292
        
        C:\Users\Admin\brjug.exe
        
        "C:\Users\Admin\brjug.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1960
        
        C:\Users\Admin\xusap.exe
        
        "C:\Users\Admin\xusap.exe"
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2500
        
        C:\Users\Admin\buafos.exe
        
        "C:\Users\Admin\buafos.exe"
        34⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:548
        
        C:\Users\Admin\xusip.exe
        
        "C:\Users\Admin\xusip.exe"
        35⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2984
        
        C:\Users\Admin\nauuye.exe
        
        "C:\Users\Admin\nauuye.exe"
        36⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2712
        
        C:\Users\Admin\qoemaav.exe
        
        "C:\Users\Admin\qoemaav.exe"
        37⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2764
        
        C:\Users\Admin\cmweov.exe
        
        "C:\Users\Admin\cmweov.exe"
        38⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:804
        
        C:\Users\Admin\xeuus.exe
        
        "C:\Users\Admin\xeuus.exe"
        39⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2068
        
        C:\Users\Admin\bauuyo.exe
        
        "C:\Users\Admin\bauuyo.exe"
        40⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:844
        
        C:\Users\Admin\roemuus.exe
        
        "C:\Users\Admin\roemuus.exe"
        41⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1724
        
        C:\Users\Admin\loiikux.exe
        
        "C:\Users\Admin\loiikux.exe"
        42⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1480
        
        C:\Users\Admin\nzqif.exe
        
        "C:\Users\Admin\nzqif.exe"
        43⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1124
        
        C:\Users\Admin\diafuv.exe
        
        "C:\Users\Admin\diafuv.exe"
        44⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2164
        
        C:\Users\Admin\ceuur.exe
        
        "C:\Users\Admin\ceuur.exe"
        45⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:832
        
        C:\Users\Admin\jiafuw.exe
        
        "C:\Users\Admin\jiafuw.exe"
        46⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2780
        
        C:\Users\Admin\qoiizur.exe
        
        "C:\Users\Admin\qoiizur.exe"
        47⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2896
        
        C:\Users\Admin\kiejuuh.exe
        
        "C:\Users\Admin\kiejuuh.exe"
        48⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2680
        
        C:\Users\Admin\miagoo.exe
        
        "C:\Users\Admin\miagoo.exe"
        49⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1824
        
        C:\Users\Admin\geavot.exe
        
        "C:\Users\Admin\geavot.exe"
        50⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2684
        
        C:\Users\Admin\lieju.exe
        
        "C:\Users\Admin\lieju.exe"
        51⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2660
        
        C:\Users\Admin\chxoim.exe
        
        "C:\Users\Admin\chxoim.exe"
        52⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2696
        
        C:\Users\Admin\pienuu.exe
        
        "C:\Users\Admin\pienuu.exe"
        53⤵
        
        PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\vrpos.exe

Filesize
232KB

MD5
479b13a85e2f843c2bd149378de19e6c

SHA1
f6294ffa6e16ebfd6e1e7f03c48a1bccec733f46

SHA256
eebefe65f41907f4f8848185b47ccf3a7b580f261a755c9860e5da842e5b29e0

SHA512
edaadc8615ea9935cf9dd739ecb235b55b227346ed6411517d8c99a75de5a38fa87cae09d478a8f754d0a77ca8841f911b76dd429ae0bf048fbe2a30c2ae7742

Download Submit
\Users\Admin\bauuyo.exe

Filesize
232KB

MD5
717ad6356db5459957575e0759a63e3c

SHA1
818558fb10e14398d9aef7e6d32159a45201b897

SHA256
41715c61520a8eb50461e19e1c8741396635c1736a2e027356dc5dd87fb4d7d6

SHA512
0ae2a56d5685fec04a928302e498ec108d818a23435f8631b7b1385b6254b7f6d7c733fe66cce8133ab9ae89160937ddd36326a6684647e47eafaeab12419e1a

Download Submit
\Users\Admin\daiicen.exe

Filesize
232KB

MD5
4d9006450f8583a70628099683058ea7

SHA1
ae61b0941fce027171eb3f6de1e6c52a17537203

SHA256
de0b9e8b3c36a84227c37e926905a782510e70ba4802c8edae60bb391247775f

SHA512
9d2ff99b4f1ce682fdfc144563fd08e604c698794cb2c041f7f862d9a1c075a8e716ae6660c0a865f2845102e59847ee9f005a986ce55887c375def974e748c4

Download Submit
\Users\Admin\daiixe.exe

Filesize
232KB

MD5
ad775ebb0fdac28104f6c4980faa4b71

SHA1
6cd088f3484c63d1784521d816de3dd80b7cab13

SHA256
2d6219996f9313975ffcceb2cef38a6ac8981325bd9a83e0dd4fdce773f103ad

SHA512
6febb931e952df02773900bc9c117d13bfd59ce4834e981ad2dd39a9ba99024fbd0dc4f496b7c95228a4e5e80e987d5eec586c32b2190938b38a7182ed984ae8

Download Submit
\Users\Admin\feaqii.exe

Filesize
232KB

MD5
ed3104df69ca084092c38abfcdfdc69b

SHA1
415d13513a1c4062a6ffe493c9c26b1b6d5c329c

SHA256
08301a0597304e7f78c7e2aa4a9e4ed0b4718d16b2d05368c1575d11b6f09ab7

SHA512
7dbe0b38d0e74817ddd20f7270b7eed33afe690176b0b080f7c8c2feb1304d02a8ff70b5b62ffc364a5622cc87ae5ef8e824f46a34db2409068d29f6d42aa472

Download Submit
\Users\Admin\feodi.exe

Filesize
232KB

MD5
24a3aa984d76b7e6bea7fd960a9dadfb

SHA1
f872ce91fc79809d3b5827df053681410e60f73d

SHA256
e8afa1d01b1dc084cf8bd55964bb0195bc3823764f4ef97bdf1349483f911df6

SHA512
b7a99e5f11016b34583a8994cdbb859216cb862258266351e092992681e77538ca8f9c8eaa8b6c1741f638b595420c67a9d36e8bc79104984f15248f40a98c09

Download Submit
\Users\Admin\fqluem.exe

Filesize
232KB

MD5
d621ad43ec05448100e70897e7a479e6

SHA1
1f2c52128d7ac7c4c900be4b64009e6d00edbec7

SHA256
7b53328fac467bff11360e9ff3e1b34b80282aaf47a9fe61a0efa3b1b49b7f59

SHA512
d31828cba4156fe465c4fb2abe38910c594fab5ea195cc8ac1d7c0d9235fb0f53b6f78a9b1b49b8d29831a7b47ab894cee1766457eb00f6be6555f59dbca0863

Download Submit
\Users\Admin\geabo.exe

Filesize
232KB

MD5
84980c0dd7d2c81dbfeb13e8f7d7b528

SHA1
b217649bcd684150ad319669fde1292894070902

SHA256
ef5e2cd468a7bac44a228fc5462476aa5821e44326c7c83d3d0a0f6786952a46

SHA512
dc0ee49db21c643e15f1435f13cad377553e3ec872fc0c4f44dba4283f1a565e59f4413eea1ba96906463f30fbe64773863d753f704f42cf22cd8227b75fa6b1

Download Submit
\Users\Admin\geaniy.exe

Filesize
232KB

MD5
c15e9a97c13056a99e29f90b719f9fbd

SHA1
3ac7c257846e9915168f8f235d02b1a4015ec744

SHA256
1ac7acb1b41a317fad3f5c5191b293e8740b5546653481983d1eac60636c2fb9

SHA512
53d378d976c242e9e788186510222a681621effc03c2ec019027776594da7832dc88510d2da7e046369d986f57a195368d55a814932cc63b200ceade5968247a

Download Submit
\Users\Admin\jauug.exe

Filesize
232KB

MD5
d47b771f36ebda9c169d73f4255517f2

SHA1
d9a4ea25f76a19b44ff41158d99c1ac3131499d4

SHA256
a16fda350904ac30637ab8750f75a466e899b45d92bcec1fcc7e3db776f1f9ff

SHA512
f59bcd003fd4168c0608c4f14abe10810829946fcfc9fde4f2f79f0647893bbe8725219d74da2ed85593d63b4d4ea758ec5862b0cec61d47a9e64cf449270d06

Download Submit
\Users\Admin\mauuje.exe

Filesize
232KB

MD5
5c36edf8897437aee91da01bf0ea26e1

SHA1
2a63493119e09a2546f213ea31183cc6763b2503

SHA256
7f4036bc612198d05b8eae9bd4acc849a25714ce715450b956847bb44b906a80

SHA512
a8f6fd8b915dc8fccf32778960b40937d206f221810ffa28078148e009969e7187921bb09431607b05540aa11390344f81549b87138613799a80a6315491b61a

Download Submit
\Users\Admin\mioruw.exe

Filesize
232KB

MD5
8befef92d587ac16271a0ded036f9641

SHA1
809d804ab74c3dd54c96ae61e18db1b0208bdaba

SHA256
d5f4e872b691e9872c8e01adaddcc8e59408362cc79d50a9655cc9bfaeb4495b

SHA512
48796313568bf35b06a72e77b5af4842094d7e35f4e10cb98772269843e72c5a273476978f0fb049269a8c476f865c3338903a4a32f1b63ed173d7dd0debbecf

Download Submit
\Users\Admin\yoelaa.exe

Filesize
232KB

MD5
83b5bdced691251f9b969e64111fa535

SHA1
b6c7f4897313e4d8270e6f2cf0724e63fc6de0fe

SHA256
ff7329981364677ef6d01ff9f80e239c7af17bf9e6bb9c182b5f864ffc0315a8

SHA512
d1365687f0e3a3863b409b0c91e4f99cd2caf337c7c78087b47e2093b77f9812a6cb72753fef56ff607ba5edcf50cc18b26658ddc05c3abcead322fa2ea3802b

Download Submit
\Users\Admin\yujeq.exe

Filesize
232KB

MD5
7f40a5f3b7e963deb70b79158332fd34

SHA1
4d0de5f445369ab1981ca1b6d1b73db82c436339

SHA256
6281399248af0a9147c175dc52d62cdef90015d7dc999e8814651eb9c802ce44

SHA512
ff4ac51c9f0b68a4460ed362cb2a573fc4da98cd73edefdaeb0b7b7568b0421346014e38b983ca161482cc104be1167fcd876df7ac5ad177a56501b9617d2072

Download Submit
\Users\Admin\zeaanog.exe

Filesize
232KB

MD5
4e86ea2cdaa8a027fba60fe1693360f9

SHA1
9080ff0e2ebec86cba506bbec3d15d24765e5da7

SHA256
a46d6c0d424d65581bd9a44ef2cd39b8188987d80a96cca6db40efda518038ca

SHA512
7ab5fea6b75d781191fd2814291c26ef25d962ed74b53b0a8ac56c3e67e0775d30ea3f68e665675798deb02c41d51e7b8c0fd5fc710919dc7dbd4be13e738565

Download Submit
\Users\Admin\zmjeg.exe

Filesize
232KB

MD5
a4903145e72359286534737d15037d8b

SHA1
254e3de8c1907fd096ff7a4dee70be5d1581a82c

SHA256
2154f0396bd9e9cf10477dd4111c9fd899b6912786dd36aa29747edf5d6b7aa4

SHA512
c6ac452ae90a308669133539d640a26751c65426672b253cbff5faee1988d706f4d5809580129c4048bbcd26290fb22dde562db6f2dd23940de6fca65ef4bf98

Download Submit
memory/548-480-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/588-365-0x0000000003240000-0x000000000327A000-memory.dmp

Filesize
232KB

Download
memory/588-356-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/588-366-0x0000000003240000-0x000000000327A000-memory.dmp

Filesize
232KB

Download
memory/588-370-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/592-84-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/592-68-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/764-137-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/764-129-0x0000000003310000-0x000000000334A000-memory.dmp

Filesize
232KB

Download
memory/764-121-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/908-195-0x0000000003420000-0x000000000345A000-memory.dmp

Filesize
232KB

Download
memory/908-201-0x0000000003420000-0x000000000345A000-memory.dmp

Filesize
232KB

Download
memory/908-203-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/908-185-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1064-151-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1064-169-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1064-166-0x0000000003630000-0x000000000366A000-memory.dmp

Filesize
232KB

Download
memory/1064-167-0x0000000003630000-0x000000000366A000-memory.dmp

Filesize
232KB

Download
memory/1156-341-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1156-329-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1156-338-0x0000000003400000-0x000000000343A000-memory.dmp

Filesize
232KB

Download
memory/1328-184-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1516-227-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1516-220-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1620-395-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1620-391-0x00000000032F0000-0x000000000332A000-memory.dmp

Filesize
232KB

Download
memory/1620-380-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1764-213-0x00000000032E0000-0x000000000331A000-memory.dmp

Filesize
232KB

Download
memory/1764-202-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1764-219-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1836-367-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1836-379-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1840-118-0x00000000035C0000-0x00000000035FA000-memory.dmp

Filesize
232KB

Download
memory/1840-117-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1840-101-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1952-404-0x00000000033F0000-0x000000000342A000-memory.dmp

Filesize
232KB

Download
memory/1952-392-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1952-405-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1960-31-0x0000000003400000-0x000000000343A000-memory.dmp

Filesize
232KB

Download
memory/1960-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1960-456-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1960-34-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1960-471-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1960-464-0x0000000003410000-0x000000000344A000-memory.dmp

Filesize
232KB

Download
memory/1984-429-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2232-288-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2232-275-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2232-283-0x0000000003540000-0x000000000357A000-memory.dmp

Filesize
232KB

Download
memory/2292-454-0x0000000003330000-0x000000000336A000-memory.dmp

Filesize
232KB

Download
memory/2292-455-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2292-442-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2360-67-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2360-50-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2360-59-0x0000000003340000-0x000000000337A000-memory.dmp

Filesize
232KB

Download
memory/2360-65-0x0000000003340000-0x000000000337A000-memory.dmp

Filesize
232KB

Download
memory/2388-273-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2388-258-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2500-468-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2500-483-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2588-104-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2588-99-0x0000000003550000-0x000000000358A000-memory.dmp

Filesize
232KB

Download
memory/2588-86-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2588-100-0x0000000003550000-0x000000000358A000-memory.dmp

Filesize
232KB

Download
memory/2608-244-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2608-239-0x0000000003400000-0x000000000343A000-memory.dmp

Filesize
232KB

Download
memory/2608-240-0x0000000003400000-0x000000000343A000-memory.dmp

Filesize
232KB

Download
memory/2632-33-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2632-49-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2724-316-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2724-328-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2724-324-0x00000000031B0000-0x00000000031EA000-memory.dmp

Filesize
232KB

Download
memory/2744-314-0x00000000032E0000-0x000000000331A000-memory.dmp

Filesize
232KB

Download
memory/2744-301-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2744-315-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2744-310-0x00000000032E0000-0x000000000331A000-memory.dmp

Filesize
232KB

Download
memory/2780-406-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2780-414-0x0000000003440000-0x000000000347A000-memory.dmp

Filesize
232KB

Download
memory/2780-420-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2848-287-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2848-303-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2848-299-0x00000000032F0000-0x000000000332A000-memory.dmp

Filesize
232KB

Download
memory/2848-300-0x00000000032F0000-0x000000000332A000-memory.dmp

Filesize
232KB

Download
memory/2864-430-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2864-440-0x0000000002E40000-0x0000000002E7A000-memory.dmp

Filesize
232KB

Download
memory/2864-445-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2892-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2892-9-0x00000000026A0000-0x00000000026DA000-memory.dmp

Filesize
232KB

Download
memory/2892-17-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2892-15-0x00000000026A0000-0x00000000026DA000-memory.dmp

Filesize
232KB

Download
memory/2964-241-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2964-252-0x0000000003570000-0x00000000035AA000-memory.dmp

Filesize
232KB

Download
memory/2964-261-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3008-353-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3008-349-0x0000000003430000-0x000000000346A000-memory.dmp

Filesize
232KB

Download
memory/3048-154-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3048-150-0x0000000003440000-0x000000000347A000-memory.dmp

Filesize
232KB

Download