5a48ad3b8c2158d82b285db5daff56bf367cd72b9e09f91ebb9e1d5c717c416d

Analysis

max time kernel
152s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-05-2024 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c624074b0191e4f7ace8a4783bec710_NeikiAnalytics.exe
Size

224KB
MD5

8c624074b0191e4f7ace8a4783bec710
SHA1

ad038aa8294a37eca357c274edd441568fd9b60d
SHA256

5a48ad3b8c2158d82b285db5daff56bf367cd72b9e09f91ebb9e1d5c717c416d
SHA512

676bc6db5ed85351ec78ae27b97366f0f0997f86b64ef32e856c5c4a5ee9958d0ceea2dd91e7def5d83c73a0f535a4c6b65e0dc9669d30633cee087a993dd3f2
SSDEEP

3072:GDRKhgB6FhCjG8G3GbGVGBGfGuGxGWYcrf6Kadk:GDghgOAYcD6Kad

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 51 IoCs

pid	Process
2956	bauusog.exe
2380	cpxeow.exe
2372	neoqi.exe
280	qiepaa.exe
2432	soaneex.exe
1800	piejuuq.exe
2972	liedu.exe
1764	guocaaj.exe
2968	feaqii.exe
1628	moidu.exe
544	ceaawo.exe
2224	zivut.exe
3004	nbfij.exe
2616	huooy.exe
2576	bauudog.exe
1168	yoelaah.exe
1468	weoxii.exe
2204	ceaaso.exe
2320	caooti.exe
924	neiizuq.exe
852	kearii.exe
2732	ziwed.exe
276	zuoopi.exe
1528	yiazo.exe
892	yiaho.exe
2100	veowii.exe
544	rtqin.exe
1704	veajil.exe
1924	zieewus.exe
2508	geabin.exe
2948	dieewum.exe
1052	hiaanol.exe
1624	juton.exe
2148	sogiy.exe
1972	rxhiep.exe
1492	zcriay.exe
2552	caeebuv.exe
2060	xiubaaj.exe
928	zivet.exe
1088	juwob.exe
1528	jixef.exe
1292	ceoopu.exe
2172	soitee.exe
1164	stjial.exe
1620	rnpim.exe
3048	coavii.exe
2428	hoiiw.exe
2372	tuook.exe
804	ceoopu.exe
1052	geanil.exe
2696	xiayoo.exe

Loads dropped DLL 64 IoCs

pid	Process
2888	8c624074b0191e4f7ace8a4783bec710_NeikiAnalytics.exe
2888	8c624074b0191e4f7ace8a4783bec710_NeikiAnalytics.exe
2956	bauusog.exe
2956	bauusog.exe
2380	cpxeow.exe
2380	cpxeow.exe
2372	neoqi.exe
2372	neoqi.exe
280	qiepaa.exe
280	qiepaa.exe
2432	soaneex.exe
2432	soaneex.exe
1800	piejuuq.exe
1800	piejuuq.exe
2972	liedu.exe
2972	liedu.exe
1764	guocaaj.exe
1764	guocaaj.exe
2968	feaqii.exe
2968	feaqii.exe
1628	moidu.exe
1628	moidu.exe
544	ceaawo.exe
544	ceaawo.exe
2224	zivut.exe
2224	zivut.exe
3004	nbfij.exe
3004	nbfij.exe
2616	huooy.exe
2616	huooy.exe
2576	bauudog.exe
2576	bauudog.exe
1168	yoelaah.exe
1168	yoelaah.exe
1468	weoxii.exe
1468	weoxii.exe
2204	ceaaso.exe
2204	ceaaso.exe
2320	caooti.exe
2320	caooti.exe
924	neiizuq.exe
924	neiizuq.exe
852	kearii.exe
852	kearii.exe
2732	ziwed.exe
2732	ziwed.exe
276	zuoopi.exe
276	zuoopi.exe
1528	yiazo.exe
1528	yiazo.exe
892	yiaho.exe
892	yiaho.exe
2100	veowii.exe
2100	veowii.exe
544	rtqin.exe
544	rtqin.exe
1704	veajil.exe
1704	veajil.exe
1924	zieewus.exe
1924	zieewus.exe
2508	geabin.exe
2508	geabin.exe
2948	dieewum.exe
2948	dieewum.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
2888	8c624074b0191e4f7ace8a4783bec710_NeikiAnalytics.exe
2956	bauusog.exe
2380	cpxeow.exe
2372	neoqi.exe
280	qiepaa.exe
2432	soaneex.exe
1800	piejuuq.exe
2972	liedu.exe
1764	guocaaj.exe
2968	feaqii.exe
1628	moidu.exe
544	ceaawo.exe
2224	zivut.exe
3004	nbfij.exe
2616	huooy.exe
2576	bauudog.exe
1168	yoelaah.exe
1468	weoxii.exe
2204	ceaaso.exe
2320	caooti.exe
924	neiizuq.exe
852	kearii.exe
2732	ziwed.exe
276	zuoopi.exe
1528	yiazo.exe
892	yiaho.exe
2100	veowii.exe
544	rtqin.exe
1704	veajil.exe
1924	zieewus.exe
2508	geabin.exe
2948	dieewum.exe
1052	hiaanol.exe
1624	juton.exe
2148	sogiy.exe
1972	rxhiep.exe
1492	zcriay.exe
2552	caeebuv.exe
2060	xiubaaj.exe
928	zivet.exe
1088	juwob.exe
1528	jixef.exe
1292	ceoopu.exe
2172	soitee.exe
1164	stjial.exe
1620	rnpim.exe
3048	coavii.exe
2428	hoiiw.exe
2372	tuook.exe
804	ceoopu.exe
1052	geanil.exe
2696	xiayoo.exe

Suspicious use of SetWindowsHookEx 52 IoCs

pid	Process
2888	8c624074b0191e4f7ace8a4783bec710_NeikiAnalytics.exe
2956	bauusog.exe
2380	cpxeow.exe
2372	neoqi.exe
280	qiepaa.exe
2432	soaneex.exe
1800	piejuuq.exe
2972	liedu.exe
1764	guocaaj.exe
2968	feaqii.exe
1628	moidu.exe
544	ceaawo.exe
2224	zivut.exe
3004	nbfij.exe
2616	huooy.exe
2576	bauudog.exe
1168	yoelaah.exe
1468	weoxii.exe
2204	ceaaso.exe
2320	caooti.exe
924	neiizuq.exe
852	kearii.exe
2732	ziwed.exe
276	zuoopi.exe
1528	yiazo.exe
892	yiaho.exe
2100	veowii.exe
544	rtqin.exe
1704	veajil.exe
1924	zieewus.exe
2508	geabin.exe
2948	dieewum.exe
1052	hiaanol.exe
1624	juton.exe
2148	sogiy.exe
1972	rxhiep.exe
1492	zcriay.exe
2552	caeebuv.exe
2060	xiubaaj.exe
928	zivet.exe
1088	juwob.exe
1528	jixef.exe
1292	ceoopu.exe
2172	soitee.exe
1164	stjial.exe
1620	rnpim.exe
3048	coavii.exe
2428	hoiiw.exe
2372	tuook.exe
804	ceoopu.exe
1052	geanil.exe
2696	xiayoo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2956	2888	8c624074b0191e4f7ace8a4783bec710_NeikiAnalytics.exe	28
PID 2888 wrote to memory of 2956	2888	8c624074b0191e4f7ace8a4783bec710_NeikiAnalytics.exe	28
PID 2888 wrote to memory of 2956	2888	8c624074b0191e4f7ace8a4783bec710_NeikiAnalytics.exe	28
PID 2888 wrote to memory of 2956	2888	8c624074b0191e4f7ace8a4783bec710_NeikiAnalytics.exe	28
PID 2956 wrote to memory of 2380	2956	bauusog.exe	29
PID 2956 wrote to memory of 2380	2956	bauusog.exe	29
PID 2956 wrote to memory of 2380	2956	bauusog.exe	29
PID 2956 wrote to memory of 2380	2956	bauusog.exe	29
PID 2380 wrote to memory of 2372	2380	cpxeow.exe	30
PID 2380 wrote to memory of 2372	2380	cpxeow.exe	30
PID 2380 wrote to memory of 2372	2380	cpxeow.exe	30
PID 2380 wrote to memory of 2372	2380	cpxeow.exe	30
PID 2372 wrote to memory of 280	2372	neoqi.exe	31
PID 2372 wrote to memory of 280	2372	neoqi.exe	31
PID 2372 wrote to memory of 280	2372	neoqi.exe	31
PID 2372 wrote to memory of 280	2372	neoqi.exe	31
PID 280 wrote to memory of 2432	280	qiepaa.exe	32
PID 280 wrote to memory of 2432	280	qiepaa.exe	32
PID 280 wrote to memory of 2432	280	qiepaa.exe	32
PID 280 wrote to memory of 2432	280	qiepaa.exe	32
PID 2432 wrote to memory of 1800	2432	soaneex.exe	33
PID 2432 wrote to memory of 1800	2432	soaneex.exe	33
PID 2432 wrote to memory of 1800	2432	soaneex.exe	33
PID 2432 wrote to memory of 1800	2432	soaneex.exe	33
PID 1800 wrote to memory of 2972	1800	piejuuq.exe	36
PID 1800 wrote to memory of 2972	1800	piejuuq.exe	36
PID 1800 wrote to memory of 2972	1800	piejuuq.exe	36
PID 1800 wrote to memory of 2972	1800	piejuuq.exe	36
PID 2972 wrote to memory of 1764	2972	liedu.exe	37
PID 2972 wrote to memory of 1764	2972	liedu.exe	37
PID 2972 wrote to memory of 1764	2972	liedu.exe	37
PID 2972 wrote to memory of 1764	2972	liedu.exe	37
PID 1764 wrote to memory of 2968	1764	guocaaj.exe	38
PID 1764 wrote to memory of 2968	1764	guocaaj.exe	38
PID 1764 wrote to memory of 2968	1764	guocaaj.exe	38
PID 1764 wrote to memory of 2968	1764	guocaaj.exe	38
PID 2968 wrote to memory of 1628	2968	feaqii.exe	39
PID 2968 wrote to memory of 1628	2968	feaqii.exe	39
PID 2968 wrote to memory of 1628	2968	feaqii.exe	39
PID 2968 wrote to memory of 1628	2968	feaqii.exe	39
PID 1628 wrote to memory of 544	1628	moidu.exe	40
PID 1628 wrote to memory of 544	1628	moidu.exe	40
PID 1628 wrote to memory of 544	1628	moidu.exe	40
PID 1628 wrote to memory of 544	1628	moidu.exe	40
PID 544 wrote to memory of 2224	544	ceaawo.exe	41
PID 544 wrote to memory of 2224	544	ceaawo.exe	41
PID 544 wrote to memory of 2224	544	ceaawo.exe	41
PID 544 wrote to memory of 2224	544	ceaawo.exe	41
PID 2224 wrote to memory of 3004	2224	zivut.exe	42
PID 2224 wrote to memory of 3004	2224	zivut.exe	42
PID 2224 wrote to memory of 3004	2224	zivut.exe	42
PID 2224 wrote to memory of 3004	2224	zivut.exe	42
PID 3004 wrote to memory of 2616	3004	nbfij.exe	43
PID 3004 wrote to memory of 2616	3004	nbfij.exe	43
PID 3004 wrote to memory of 2616	3004	nbfij.exe	43
PID 3004 wrote to memory of 2616	3004	nbfij.exe	43
PID 2616 wrote to memory of 2576	2616	huooy.exe	44
PID 2616 wrote to memory of 2576	2616	huooy.exe	44
PID 2616 wrote to memory of 2576	2616	huooy.exe	44
PID 2616 wrote to memory of 2576	2616	huooy.exe	44
PID 2576 wrote to memory of 1168	2576	bauudog.exe	45
PID 2576 wrote to memory of 1168	2576	bauudog.exe	45
PID 2576 wrote to memory of 1168	2576	bauudog.exe	45
PID 2576 wrote to memory of 1168	2576	bauudog.exe	45

C:\Users\Admin\AppData\Local\Temp\8c624074b0191e4f7ace8a4783bec710_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8c624074b0191e4f7ace8a4783bec710_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\bauusog.exe
  "C:\Users\Admin\bauusog.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Users\Admin\cpxeow.exe
    "C:\Users\Admin\cpxeow.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Users\Admin\neoqi.exe
      "C:\Users\Admin\neoqi.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2372
    - - C:\Users\Admin\qiepaa.exe
        
        "C:\Users\Admin\qiepaa.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:280
      - C:\Users\Admin\soaneex.exe
        
        "C:\Users\Admin\soaneex.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Users\Admin\piejuuq.exe
        
        "C:\Users\Admin\piejuuq.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Users\Admin\liedu.exe
        
        "C:\Users\Admin\liedu.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Users\Admin\guocaaj.exe
        
        "C:\Users\Admin\guocaaj.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Users\Admin\feaqii.exe
        
        "C:\Users\Admin\feaqii.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Users\Admin\moidu.exe
        
        "C:\Users\Admin\moidu.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Users\Admin\ceaawo.exe
        
        "C:\Users\Admin\ceaawo.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Users\Admin\zivut.exe
        
        "C:\Users\Admin\zivut.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Users\Admin\nbfij.exe
        
        "C:\Users\Admin\nbfij.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Users\Admin\huooy.exe
        
        "C:\Users\Admin\huooy.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Users\Admin\bauudog.exe
        
        "C:\Users\Admin\bauudog.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Users\Admin\yoelaah.exe
        
        "C:\Users\Admin\yoelaah.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1168
        
        C:\Users\Admin\weoxii.exe
        
        "C:\Users\Admin\weoxii.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1468
        
        C:\Users\Admin\ceaaso.exe
        
        "C:\Users\Admin\ceaaso.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2204
        
        C:\Users\Admin\caooti.exe
        
        "C:\Users\Admin\caooti.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2320
        
        C:\Users\Admin\neiizuq.exe
        
        "C:\Users\Admin\neiizuq.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:924
        
        C:\Users\Admin\kearii.exe
        
        "C:\Users\Admin\kearii.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:852
        
        C:\Users\Admin\ziwed.exe
        
        "C:\Users\Admin\ziwed.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2732
        
        C:\Users\Admin\zuoopi.exe
        
        "C:\Users\Admin\zuoopi.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:276
        
        C:\Users\Admin\yiazo.exe
        
        "C:\Users\Admin\yiazo.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1528
        
        C:\Users\Admin\yiaho.exe
        
        "C:\Users\Admin\yiaho.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:892
        
        C:\Users\Admin\veowii.exe
        
        "C:\Users\Admin\veowii.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2100
        
        C:\Users\Admin\rtqin.exe
        
        "C:\Users\Admin\rtqin.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:544
        
        C:\Users\Admin\veajil.exe
        
        "C:\Users\Admin\veajil.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1704
        
        C:\Users\Admin\zieewus.exe
        
        "C:\Users\Admin\zieewus.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1924
        
        C:\Users\Admin\geabin.exe
        
        "C:\Users\Admin\geabin.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2508
        
        C:\Users\Admin\dieewum.exe
        
        "C:\Users\Admin\dieewum.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2948
        
        C:\Users\Admin\hiaanol.exe
        
        "C:\Users\Admin\hiaanol.exe"
        33⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1052
        
        C:\Users\Admin\juton.exe
        
        "C:\Users\Admin\juton.exe"
        34⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1624
        
        C:\Users\Admin\sogiy.exe
        
        "C:\Users\Admin\sogiy.exe"
        35⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2148
        
        C:\Users\Admin\rxhiep.exe
        
        "C:\Users\Admin\rxhiep.exe"
        36⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1972
        
        C:\Users\Admin\zcriay.exe
        
        "C:\Users\Admin\zcriay.exe"
        37⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1492
        
        C:\Users\Admin\caeebuv.exe
        
        "C:\Users\Admin\caeebuv.exe"
        38⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2552
        
        C:\Users\Admin\xiubaaj.exe
        
        "C:\Users\Admin\xiubaaj.exe"
        39⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2060
        
        C:\Users\Admin\zivet.exe
        
        "C:\Users\Admin\zivet.exe"
        40⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:928
        
        C:\Users\Admin\juwob.exe
        
        "C:\Users\Admin\juwob.exe"
        41⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1088
        
        C:\Users\Admin\jixef.exe
        
        "C:\Users\Admin\jixef.exe"
        42⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1528
        
        C:\Users\Admin\ceoopu.exe
        
        "C:\Users\Admin\ceoopu.exe"
        43⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1292
        
        C:\Users\Admin\soitee.exe
        
        "C:\Users\Admin\soitee.exe"
        44⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2172
        
        C:\Users\Admin\stjial.exe
        
        "C:\Users\Admin\stjial.exe"
        45⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1164
        
        C:\Users\Admin\rnpim.exe
        
        "C:\Users\Admin\rnpim.exe"
        46⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1620
        
        C:\Users\Admin\coavii.exe
        
        "C:\Users\Admin\coavii.exe"
        47⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3048
        
        C:\Users\Admin\hoiiw.exe
        
        "C:\Users\Admin\hoiiw.exe"
        48⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2428
        
        C:\Users\Admin\tuook.exe
        
        "C:\Users\Admin\tuook.exe"
        49⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2372
        
        C:\Users\Admin\ceoopu.exe
        
        "C:\Users\Admin\ceoopu.exe"
        50⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:804
        
        C:\Users\Admin\geanil.exe
        
        "C:\Users\Admin\geanil.exe"
        51⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1052
        
        C:\Users\Admin\xiayoo.exe
        
        "C:\Users\Admin\xiayoo.exe"
        52⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\nbfij.exe

Filesize
224KB

MD5
600a6fcc86c988b616917a67c86b0ad7

SHA1
e97e25a323bb8877bfcc85f76853cb8cd4f3c3cd

SHA256
d6adfecb5665b86800591b30f337f2f838286cbcd8c047f0c9eeedd4392b7475

SHA512
d616588b9522b3416eaa0d96b7be3dbbbc368955f05cc445fc7bba833c915542070251e833764c1ececb1e36fab70d0d49d863d37a9ecf0ff295975ab287cea1

Download Submit
\Users\Admin\bauudog.exe

Filesize
224KB

MD5
710f91ae6d683eb8378d00d0abb416e6

SHA1
283a8dd9ce767e49a35fd954474a3f107b051116

SHA256
c15e39d3716fdca0fed7d6258ccb80b546532fc1f213124c2abbdbf3ff460256

SHA512
ceab95a88e949ec96844ab4f62d9d30cd190734895786dc6b8ed3e0b73dc6a03842d0c0d279111fb0da18eacb9b65d2f6cf73fc0d56f0eab9810fbb085420513

Download Submit
\Users\Admin\bauusog.exe

Filesize
224KB

MD5
566b1bed0190feedbe17ad0bde248262

SHA1
74f7ff99f1b9a8cef958d37e297281d51d089feb

SHA256
5692a770f14c86f74b4d53ca6a1e315889f715eec3755107213b54b69001136c

SHA512
82dc4355737b1994149512886b999f0fa3e036c082ee20dff8779a041eeec42dfa1bc6b977ffb9f8a3540b147d74cbed02475d4eb9e4886f3afbd9222348195d

Download Submit
\Users\Admin\ceaawo.exe

Filesize
224KB

MD5
172dfe205efdc4ce798e3971de455500

SHA1
09deae88105b0f5110326e3d3d375202ab8cd847

SHA256
157c9dcbf3b4b895021700cd957b735e8394455b1536c2afe556ad668028e431

SHA512
c00c4ed8f6df937688da34ffcc35ead259b19efff4788ea99f2c9f97fb98c08b9c6b397147c31632833c0a118a738ade22b5f116aeb1d4d38647d1d3dfc26547

Download Submit
\Users\Admin\cpxeow.exe

Filesize
224KB

MD5
3c9b37aaead1cc26b49f655c7f8426b0

SHA1
e32b10bbe0eb09a570e649003c66fdd898dec3f0

SHA256
916bd6b59665677a85ff22f7cf88e80afc83f41012b4ba37be5a55184f443b5f

SHA512
29665f9a7792ba819afcf0e5bc23728f365f18bd4bd9d39d7ea597e74e5f7d16beab0f9cad433d5e1bae9db971ef8de500f1ff0d8642d3dcc2275936db8ec50d

Download Submit
\Users\Admin\feaqii.exe

Filesize
224KB

MD5
7935900eab1d86f824eae111a5634e07

SHA1
8b36d397dd14c95a24487c2023254e74bc7f5466

SHA256
7a91b1f86e23fba7b371c1e649d0bab85a9d70b70ff60ca7403c6dfbcaaef86d

SHA512
3f448c7d06fe04bb53bf8d2244c47effdb90aa7e3fa2ded016dc34f7a799a5a18b8d24a94cdfbadf8770840838e14e19768156ef2dd8b8f5bc894c02a63a4c04

Download Submit
\Users\Admin\guocaaj.exe

Filesize
224KB

MD5
e32178efd78b8b800c3fd172e24ceac4

SHA1
f850e0c2924550e2eb6a22cc6d85724bb553d22d

SHA256
1ceb89506966981b20a2e83310aad578f41b39b6483ccc6414dba052ae7d9d2c

SHA512
16c614c9969a02d40b599f7043709faf32e7199ecaabd45b8c8a6d7f7a4d2369721c3b2abb5a020ef6f407027ed846fb24ffb8f4f25129c1d302a92380e39381

Download Submit
\Users\Admin\huooy.exe

Filesize
224KB

MD5
e2d6f850d7d1d27f07b306a68d1dfe46

SHA1
aa2e9510e4bbdf7946b39dc00f120600cd05c94f

SHA256
c93b9775efc7e36b416c12daa642488f44b67468bb6128c0b2d349c96c8b9287

SHA512
0a721a93796ccb3f393743c9ce8f994a27df5e4ca9ed16fe3367cc64cd04670190eb319ee49986181ab9c6cdc80f778a95c4be91cd55caeb0e5737cf8bf0bccb

Download Submit
\Users\Admin\liedu.exe

Filesize
224KB

MD5
942d7a55de7df0aff22f9c25b99daa0f

SHA1
cd958a0351d9ebfb0786a0ae941cab09af277031

SHA256
dc88da3dfa8afddb5ac77b068581fc9a60cb2aa56e127d83f4493faa8f097e1e

SHA512
57e6edf8ccca4e06c26f505bf36ebed3e6300f90c30851665b762f8b0814dd609631e2b0427287a9d92ad44c594058255ea7e96769b4828c4ce3b8ff7e5222d0

Download Submit
\Users\Admin\moidu.exe

Filesize
224KB

MD5
aaf088cef5ddecc33d66ecc636d85b50

SHA1
da1599359c09d5cfdfe866762683f93cfa10c744

SHA256
ce26b391bede78d250583cf682f4a6f8162709f6cfeef2ebd057336cc36a7b19

SHA512
c1e7abd364dddef610203455157b07456003470a11e91fa163a87a835ada5d662f90d02c4255c6e1dc89ba499c5d7178a0ae4467847f2ed393be7fdfc92275a3

Download Submit
\Users\Admin\neoqi.exe

Filesize
224KB

MD5
b2fe5f1bdb02949391666a7e97d4d44e

SHA1
bce812eaecf2f2e384393061d99bd2f20ced2cff

SHA256
d420b491f976a0beaeaa251f5329b6c90aec7b0d97ab8b416751f70d4fc9389d

SHA512
331f07ffd82694afe94c2baa02be2568c6848432f9a13e94ef04d385f10e3932706a08cd0d9131e12e1de7131181f5aac2beac22d82d6d75ce4795face0fd35d

Download Submit
\Users\Admin\piejuuq.exe

Filesize
224KB

MD5
10fbf9e797907382a81332ebeedf4990

SHA1
b9b912c974842652ab304381fcbb9e7589c65d82

SHA256
ce086745c5951ac52e36769b5d525c3dce5ad7a56a02aca7778f9f1fd0c5600c

SHA512
b24c52b5a7eab76a16ba5be62781343020ebd95b6475b0dfb19f119c038d8eba91fab85d9417e5cc72b12b9e497ce3f807f5c77f28f213f209b8b6f58223d39e

Download Submit
\Users\Admin\qiepaa.exe

Filesize
224KB

MD5
378bf306d93217d8cd40106ea92603ac

SHA1
5b31f1871bf8f08317bbe54812a78484e3ca8f5f

SHA256
dec54ff88d75fbaf6de268c34a12d4b1a942b64118bd055cdf145af6e9bfccae

SHA512
f9052500ec46c0e4b479ac4f50dca0ae24b3b8517350c3eef91474d889bab496fa66e1a68c1eb51951e6a1b7d35e65d0a8111589935a28771e59a895bd76d3d1

Download Submit
\Users\Admin\soaneex.exe

Filesize
224KB

MD5
17ac790defa0724797206e9df6c687da

SHA1
04e1567064f8affbb88b86cfaf2a463080717434

SHA256
53198725aba495f88d7c953f10b44b338fe3e026591719809abcc9e2b71bb3e2

SHA512
cd75b81f31247750c6059015335424ff39a796ba54dd564241f8aaa88c69c395e49e61058fcdd7aecf8ff0edf723225501d8c008d97a3e0f6d8121e7b5e57011

Download Submit
\Users\Admin\yoelaah.exe

Filesize
224KB

MD5
87b6c1461bd9620c7ad1de8dbad76b51

SHA1
3df087e2d2958e41672d2aeecb56aa949fce6743

SHA256
e6bb5d11aa410cead79bb1b77a4ed6b8c60721204fe0df72df3f5cc0cbdf97cc

SHA512
4c9ddde0fa00c5fec019b10291ed2369a08a3a31786d2e0092f86be0740a78133f51ccc6f1ec0029bb183f2550580cc6ce05214aff72fb288fcdde25fa3da704

Download Submit
\Users\Admin\zivut.exe

Filesize
224KB

MD5
fc314456410452b6f52f54949bc7deec

SHA1
dd36aa73244d7a66897a112db13dcefcc1a3e93c

SHA256
2021175e37051e0af51530e939021412e2fcada6f1d74d9e7353f9f2eb9cbf89

SHA512
678bdf2dbd2b5b52fe1f630b6d1e2ff83a3d0772434eece23e606b605e04ec5cf3a785b63e71c924f628ec626214042e276d08249a9bb8c2f4d4fd5f96004ddb

Download Submit
memory/276-372-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/276-383-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/276-381-0x00000000032F0000-0x000000000332A000-memory.dmp

Filesize
232KB

Download
memory/280-68-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/280-83-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/544-433-0x0000000003230000-0x000000000326A000-memory.dmp

Filesize
232KB

Download
memory/544-190-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/544-207-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/544-422-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/544-435-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/544-205-0x00000000033F0000-0x000000000342A000-memory.dmp

Filesize
232KB

Download
memory/852-358-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/852-353-0x0000000003570000-0x00000000035AA000-memory.dmp

Filesize
232KB

Download
memory/852-354-0x0000000003570000-0x00000000035AA000-memory.dmp

Filesize
232KB

Download
memory/852-344-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/892-395-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/892-411-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/892-407-0x0000000003570000-0x00000000035AA000-memory.dmp

Filesize
232KB

Download
memory/924-341-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/924-328-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/924-340-0x0000000003210000-0x000000000324A000-memory.dmp

Filesize
232KB

Download
memory/1168-289-0x00000000031B0000-0x00000000031EA000-memory.dmp

Filesize
232KB

Download
memory/1168-290-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1168-277-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1468-303-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1468-298-0x0000000003590000-0x00000000035CA000-memory.dmp

Filesize
232KB

Download
memory/1528-398-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1528-382-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1528-394-0x0000000003680000-0x00000000036BA000-memory.dmp

Filesize
232KB

Download
memory/1628-191-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1628-188-0x0000000003440000-0x000000000347A000-memory.dmp

Filesize
232KB

Download
memory/1628-175-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1628-187-0x0000000003440000-0x000000000347A000-memory.dmp

Filesize
232KB

Download
memory/1704-434-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1704-446-0x0000000003430000-0x000000000346A000-memory.dmp

Filesize
232KB

Download
memory/1704-447-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1764-153-0x0000000003430000-0x000000000346A000-memory.dmp

Filesize
232KB

Download
memory/1764-154-0x0000000003430000-0x000000000346A000-memory.dmp

Filesize
232KB

Download
memory/1764-156-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1764-137-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1800-118-0x0000000003300000-0x000000000333A000-memory.dmp

Filesize
232KB

Download
memory/1800-101-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1800-117-0x0000000003300000-0x000000000333A000-memory.dmp

Filesize
232KB

Download
memory/1800-120-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1924-459-0x0000000003300000-0x000000000333A000-memory.dmp

Filesize
232KB

Download
memory/1924-448-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2100-421-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2100-420-0x0000000003330000-0x000000000336A000-memory.dmp

Filesize
232KB

Download
memory/2100-408-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2204-302-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2204-316-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2204-314-0x00000000033F0000-0x000000000342A000-memory.dmp

Filesize
232KB

Download
memory/2224-223-0x0000000003270000-0x00000000032AA000-memory.dmp

Filesize
232KB

Download
memory/2224-208-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2224-225-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2320-330-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2320-325-0x0000000003120000-0x000000000315A000-memory.dmp

Filesize
232KB

Download
memory/2320-315-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2372-61-0x0000000003300000-0x000000000333A000-memory.dmp

Filesize
232KB

Download
memory/2372-50-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2372-67-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2380-32-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2380-51-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2380-48-0x0000000003210000-0x000000000324A000-memory.dmp

Filesize
232KB

Download
memory/2380-47-0x0000000003210000-0x000000000324A000-memory.dmp

Filesize
232KB

Download
memory/2432-104-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2432-84-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2432-94-0x0000000003550000-0x000000000358A000-memory.dmp

Filesize
232KB

Download
memory/2432-100-0x0000000003550000-0x000000000358A000-memory.dmp

Filesize
232KB

Download
memory/2576-273-0x00000000033F0000-0x000000000342A000-memory.dmp

Filesize
232KB

Download
memory/2576-274-0x00000000033F0000-0x000000000342A000-memory.dmp

Filesize
232KB

Download
memory/2576-276-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2576-259-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2616-241-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2616-258-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2616-256-0x0000000003220000-0x000000000325A000-memory.dmp

Filesize
232KB

Download
memory/2732-355-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2732-364-0x0000000003400000-0x000000000343A000-memory.dmp

Filesize
232KB

Download
memory/2732-369-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2732-368-0x0000000003400000-0x000000000343A000-memory.dmp

Filesize
232KB

Download
memory/2888-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2888-13-0x00000000032F0000-0x000000000332A000-memory.dmp

Filesize
232KB

Download
memory/2888-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2956-15-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2956-29-0x0000000003440000-0x000000000347A000-memory.dmp

Filesize
232KB

Download
memory/2956-33-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2968-172-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2968-155-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2968-166-0x0000000003530000-0x000000000356A000-memory.dmp

Filesize
232KB

Download
memory/2972-136-0x00000000033E0000-0x000000000341A000-memory.dmp

Filesize
232KB

Download
memory/2972-119-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2972-129-0x00000000033E0000-0x000000000341A000-memory.dmp

Filesize
232KB

Download
memory/2972-138-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3004-239-0x0000000003450000-0x000000000348A000-memory.dmp

Filesize
232KB

Download
memory/3004-244-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3004-224-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download