d17e954ef3f1f81982ed0a9ce44b8ef37f16fa523fc04736e6e97067cc383087

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10239debc1afdcb45323f18205524e70_NeikiAnalytics.exe
Size

224KB
MD5

10239debc1afdcb45323f18205524e70
SHA1

7f2a9a728215ca8d654be78c0df1ccfbfec17dde
SHA256

d17e954ef3f1f81982ed0a9ce44b8ef37f16fa523fc04736e6e97067cc383087
SHA512

2fc1f05e5c47bdf427b4470f44faa05d96e203a597c49789376516fd4a6c24e41f5ed62b744cfa621ba1b236fcf2967c3be6ab09ffeced29f9b1e5d7d80ffc13
SSDEEP

3072:G4pKwyPhCjG8G3GbGVGBGfGuGxGWYcrf6Kadk:G4owqAYcD6Kad

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 51 IoCs

pid	Process
2896	wxgov.exe
2644	yuvos.exe
2664	hfnoz.exe
868	reuus.exe
1588	roiitus.exe
940	moelaa.exe
1696	leaqot.exe
1656	roiizus.exe
1060	reuus.exe
2984	piatuz.exe
1824	raiif.exe
828	kauur.exe
1488	roiitus.exe
2304	kiejuuv.exe
2540	liadov.exe
2756	qaiij.exe
2588	lioxuu.exe
1476	hfwoc.exe
1888	vieju.exe
2688	tbvoil.exe
2232	siayeg.exe
2200	kcyeuj.exe
1696	daiije.exe
1320	daiijub.exe
1352	cbvois.exe
980	soayeg.exe
2788	wbvoij.exe
528	feati.exe
1872	sbjeok.exe
3048	svnor.exe
2552	folex.exe
2196	hfwoz.exe
752	kiuug.exe
1984	seuunom.exe
572	gofik.exe
2004	beodi.exe
2000	miugaa.exe
2720	geaanok.exe
2256	zmjeg.exe
1444	zianuu.exe
1560	puijaav.exe
2116	nolef.exe
684	cbvois.exe
828	cbvois.exe
2280	geapih.exe
2352	xealin.exe
2748	jiafos.exe
2612	vuoojew.exe
2872	biaguu.exe
2364	wbyuis.exe
2560	peuvob.exe

Loads dropped DLL 64 IoCs

pid	Process
1368	10239debc1afdcb45323f18205524e70_NeikiAnalytics.exe
1368	10239debc1afdcb45323f18205524e70_NeikiAnalytics.exe
2896	wxgov.exe
2896	wxgov.exe
2644	yuvos.exe
2644	yuvos.exe
2664	hfnoz.exe
2664	hfnoz.exe
868	reuus.exe
868	reuus.exe
1588	roiitus.exe
1588	roiitus.exe
940	moelaa.exe
940	moelaa.exe
1696	leaqot.exe
1696	leaqot.exe
1656	roiizus.exe
1060	reuus.exe
1060	reuus.exe
2984	piatuz.exe
2984	piatuz.exe
1824	raiif.exe
1824	raiif.exe
828	kauur.exe
1488	roiitus.exe
1488	roiitus.exe
2304	kiejuuv.exe
2304	kiejuuv.exe
2540	liadov.exe
2540	liadov.exe
2756	qaiij.exe
2756	qaiij.exe
2588	lioxuu.exe
2588	lioxuu.exe
1476	hfwoc.exe
1476	hfwoc.exe
1888	vieju.exe
1888	vieju.exe
2688	tbvoil.exe
2688	tbvoil.exe
2232	siayeg.exe
2232	siayeg.exe
2200	kcyeuj.exe
2200	kcyeuj.exe
1696	daiije.exe
1696	daiije.exe
1320	daiijub.exe
1320	daiijub.exe
1352	cbvois.exe
1352	cbvois.exe
980	soayeg.exe
980	soayeg.exe
2788	wbvoij.exe
2788	wbvoij.exe
528	feati.exe
528	feati.exe
1872	sbjeok.exe
1872	sbjeok.exe
3048	svnor.exe
3048	svnor.exe
2552	folex.exe
2552	folex.exe
2196	hfwoz.exe
2196	hfwoz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
1368	10239debc1afdcb45323f18205524e70_NeikiAnalytics.exe
2896	wxgov.exe
2644	yuvos.exe
2664	hfnoz.exe
868	reuus.exe
1588	roiitus.exe
940	moelaa.exe
1696	leaqot.exe
1656	roiizus.exe
1060	reuus.exe
2984	piatuz.exe
1824	raiif.exe
828	kauur.exe
1488	roiitus.exe
2304	kiejuuv.exe
2540	liadov.exe
2756	qaiij.exe
2588	lioxuu.exe
1476	hfwoc.exe
1888	vieju.exe
2688	tbvoil.exe
2232	siayeg.exe
2200	kcyeuj.exe
1696	daiije.exe
1320	daiijub.exe
1352	cbvois.exe
980	soayeg.exe
2788	wbvoij.exe
528	feati.exe
1872	sbjeok.exe
3048	svnor.exe
2552	folex.exe
2196	hfwoz.exe
752	kiuug.exe
1984	seuunom.exe
572	gofik.exe
2004	beodi.exe
2000	miugaa.exe
2720	geaanok.exe
2256	zmjeg.exe
1444	zianuu.exe
1560	puijaav.exe
2116	nolef.exe
684	cbvois.exe
828	cbvois.exe
2280	geapih.exe
2352	xealin.exe
2748	jiafos.exe
2612	vuoojew.exe
2872	biaguu.exe
2364	wbyuis.exe

Suspicious use of SetWindowsHookEx 52 IoCs

pid	Process
1368	10239debc1afdcb45323f18205524e70_NeikiAnalytics.exe
2896	wxgov.exe
2644	yuvos.exe
2664	hfnoz.exe
868	reuus.exe
1588	roiitus.exe
940	moelaa.exe
1696	leaqot.exe
1656	roiizus.exe
1060	reuus.exe
2984	piatuz.exe
1824	raiif.exe
828	kauur.exe
1488	roiitus.exe
2304	kiejuuv.exe
2540	liadov.exe
2756	qaiij.exe
2588	lioxuu.exe
1476	hfwoc.exe
1888	vieju.exe
2688	tbvoil.exe
2232	siayeg.exe
2200	kcyeuj.exe
1696	daiije.exe
1320	daiijub.exe
1352	cbvois.exe
980	soayeg.exe
2788	wbvoij.exe
528	feati.exe
1872	sbjeok.exe
3048	svnor.exe
2552	folex.exe
2196	hfwoz.exe
752	kiuug.exe
1984	seuunom.exe
572	gofik.exe
2004	beodi.exe
2000	miugaa.exe
2720	geaanok.exe
2256	zmjeg.exe
1444	zianuu.exe
1560	puijaav.exe
2116	nolef.exe
684	cbvois.exe
828	cbvois.exe
2280	geapih.exe
2352	xealin.exe
2748	jiafos.exe
2612	vuoojew.exe
2872	biaguu.exe
2364	wbyuis.exe
2560	peuvob.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 2896	1368	10239debc1afdcb45323f18205524e70_NeikiAnalytics.exe	28
PID 1368 wrote to memory of 2896	1368	10239debc1afdcb45323f18205524e70_NeikiAnalytics.exe	28
PID 1368 wrote to memory of 2896	1368	10239debc1afdcb45323f18205524e70_NeikiAnalytics.exe	28
PID 1368 wrote to memory of 2896	1368	10239debc1afdcb45323f18205524e70_NeikiAnalytics.exe	28
PID 2896 wrote to memory of 2644	2896	wxgov.exe	29
PID 2896 wrote to memory of 2644	2896	wxgov.exe	29
PID 2896 wrote to memory of 2644	2896	wxgov.exe	29
PID 2896 wrote to memory of 2644	2896	wxgov.exe	29
PID 2644 wrote to memory of 2664	2644	yuvos.exe	30
PID 2644 wrote to memory of 2664	2644	yuvos.exe	30
PID 2644 wrote to memory of 2664	2644	yuvos.exe	30
PID 2644 wrote to memory of 2664	2644	yuvos.exe	30
PID 2664 wrote to memory of 868	2664	hfnoz.exe	31
PID 2664 wrote to memory of 868	2664	hfnoz.exe	31
PID 2664 wrote to memory of 868	2664	hfnoz.exe	31
PID 2664 wrote to memory of 868	2664	hfnoz.exe	31
PID 868 wrote to memory of 1588	868	reuus.exe	32
PID 868 wrote to memory of 1588	868	reuus.exe	32
PID 868 wrote to memory of 1588	868	reuus.exe	32
PID 868 wrote to memory of 1588	868	reuus.exe	32
PID 1588 wrote to memory of 940	1588	roiitus.exe	33
PID 1588 wrote to memory of 940	1588	roiitus.exe	33
PID 1588 wrote to memory of 940	1588	roiitus.exe	33
PID 1588 wrote to memory of 940	1588	roiitus.exe	33
PID 940 wrote to memory of 1696	940	moelaa.exe	34
PID 940 wrote to memory of 1696	940	moelaa.exe	34
PID 940 wrote to memory of 1696	940	moelaa.exe	34
PID 940 wrote to memory of 1696	940	moelaa.exe	34
PID 1696 wrote to memory of 1656	1696	leaqot.exe	35
PID 1696 wrote to memory of 1656	1696	leaqot.exe	35
PID 1696 wrote to memory of 1656	1696	leaqot.exe	35
PID 1696 wrote to memory of 1656	1696	leaqot.exe	35
PID 1656 wrote to memory of 1060	1656	roiizus.exe	38
PID 1656 wrote to memory of 1060	1656	roiizus.exe	38
PID 1656 wrote to memory of 1060	1656	roiizus.exe	38
PID 1656 wrote to memory of 1060	1656	roiizus.exe	38
PID 1060 wrote to memory of 2984	1060	reuus.exe	39
PID 1060 wrote to memory of 2984	1060	reuus.exe	39
PID 1060 wrote to memory of 2984	1060	reuus.exe	39
PID 1060 wrote to memory of 2984	1060	reuus.exe	39
PID 2984 wrote to memory of 1824	2984	piatuz.exe	40
PID 2984 wrote to memory of 1824	2984	piatuz.exe	40
PID 2984 wrote to memory of 1824	2984	piatuz.exe	40
PID 2984 wrote to memory of 1824	2984	piatuz.exe	40
PID 1824 wrote to memory of 828	1824	raiif.exe	41
PID 1824 wrote to memory of 828	1824	raiif.exe	41
PID 1824 wrote to memory of 828	1824	raiif.exe	41
PID 1824 wrote to memory of 828	1824	raiif.exe	41
PID 828 wrote to memory of 1488	828	kauur.exe	42
PID 828 wrote to memory of 1488	828	kauur.exe	42
PID 828 wrote to memory of 1488	828	kauur.exe	42
PID 828 wrote to memory of 1488	828	kauur.exe	42
PID 1488 wrote to memory of 2304	1488	roiitus.exe	43
PID 1488 wrote to memory of 2304	1488	roiitus.exe	43
PID 1488 wrote to memory of 2304	1488	roiitus.exe	43
PID 1488 wrote to memory of 2304	1488	roiitus.exe	43
PID 2304 wrote to memory of 2540	2304	kiejuuv.exe	44
PID 2304 wrote to memory of 2540	2304	kiejuuv.exe	44
PID 2304 wrote to memory of 2540	2304	kiejuuv.exe	44
PID 2304 wrote to memory of 2540	2304	kiejuuv.exe	44
PID 2540 wrote to memory of 2756	2540	liadov.exe	45
PID 2540 wrote to memory of 2756	2540	liadov.exe	45
PID 2540 wrote to memory of 2756	2540	liadov.exe	45
PID 2540 wrote to memory of 2756	2540	liadov.exe	45

C:\Users\Admin\AppData\Local\Temp\10239debc1afdcb45323f18205524e70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\10239debc1afdcb45323f18205524e70_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Users\Admin\wxgov.exe
  "C:\Users\Admin\wxgov.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Users\Admin\yuvos.exe
    "C:\Users\Admin\yuvos.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Users\Admin\hfnoz.exe
      "C:\Users\Admin\hfnoz.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Users\Admin\reuus.exe
        
        "C:\Users\Admin\reuus.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:868
      - C:\Users\Admin\roiitus.exe
        
        "C:\Users\Admin\roiitus.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Users\Admin\moelaa.exe
        
        "C:\Users\Admin\moelaa.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Users\Admin\leaqot.exe
        
        "C:\Users\Admin\leaqot.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Users\Admin\roiizus.exe
        
        "C:\Users\Admin\roiizus.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Users\Admin\reuus.exe
        
        "C:\Users\Admin\reuus.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Users\Admin\piatuz.exe
        
        "C:\Users\Admin\piatuz.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Users\Admin\raiif.exe
        
        "C:\Users\Admin\raiif.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Users\Admin\kauur.exe
        
        "C:\Users\Admin\kauur.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Users\Admin\roiitus.exe
        
        "C:\Users\Admin\roiitus.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Users\Admin\kiejuuv.exe
        
        "C:\Users\Admin\kiejuuv.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Users\Admin\liadov.exe
        
        "C:\Users\Admin\liadov.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Users\Admin\qaiij.exe
        
        "C:\Users\Admin\qaiij.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2756
        
        C:\Users\Admin\lioxuu.exe
        
        "C:\Users\Admin\lioxuu.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2588
        
        C:\Users\Admin\hfwoc.exe
        
        "C:\Users\Admin\hfwoc.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1476
        
        C:\Users\Admin\vieju.exe
        
        "C:\Users\Admin\vieju.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1888
        
        C:\Users\Admin\tbvoil.exe
        
        "C:\Users\Admin\tbvoil.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2688
        
        C:\Users\Admin\siayeg.exe
        
        "C:\Users\Admin\siayeg.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2232
        
        C:\Users\Admin\kcyeuj.exe
        
        "C:\Users\Admin\kcyeuj.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2200
        
        C:\Users\Admin\daiije.exe
        
        "C:\Users\Admin\daiije.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1696
        
        C:\Users\Admin\daiijub.exe
        
        "C:\Users\Admin\daiijub.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1320
        
        C:\Users\Admin\cbvois.exe
        
        "C:\Users\Admin\cbvois.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1352
        
        C:\Users\Admin\soayeg.exe
        
        "C:\Users\Admin\soayeg.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:980
        
        C:\Users\Admin\wbvoij.exe
        
        "C:\Users\Admin\wbvoij.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2788
        
        C:\Users\Admin\feati.exe
        
        "C:\Users\Admin\feati.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:528
        
        C:\Users\Admin\sbjeok.exe
        
        "C:\Users\Admin\sbjeok.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1872
        
        C:\Users\Admin\svnor.exe
        
        "C:\Users\Admin\svnor.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3048
        
        C:\Users\Admin\folex.exe
        
        "C:\Users\Admin\folex.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2552
        
        C:\Users\Admin\hfwoz.exe
        
        "C:\Users\Admin\hfwoz.exe"
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2196
        
        C:\Users\Admin\kiuug.exe
        
        "C:\Users\Admin\kiuug.exe"
        34⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:752
        
        C:\Users\Admin\seuunom.exe
        
        "C:\Users\Admin\seuunom.exe"
        35⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1984
        
        C:\Users\Admin\gofik.exe
        
        "C:\Users\Admin\gofik.exe"
        36⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:572
        
        C:\Users\Admin\beodi.exe
        
        "C:\Users\Admin\beodi.exe"
        37⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2004
        
        C:\Users\Admin\miugaa.exe
        
        "C:\Users\Admin\miugaa.exe"
        38⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2000
        
        C:\Users\Admin\geaanok.exe
        
        "C:\Users\Admin\geaanok.exe"
        39⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2720
        
        C:\Users\Admin\zmjeg.exe
        
        "C:\Users\Admin\zmjeg.exe"
        40⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2256
        
        C:\Users\Admin\zianuu.exe
        
        "C:\Users\Admin\zianuu.exe"
        41⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1444
        
        C:\Users\Admin\puijaav.exe
        
        "C:\Users\Admin\puijaav.exe"
        42⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1560
        
        C:\Users\Admin\nolef.exe
        
        "C:\Users\Admin\nolef.exe"
        43⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2116
        
        C:\Users\Admin\cbvois.exe
        
        "C:\Users\Admin\cbvois.exe"
        44⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:684
        
        C:\Users\Admin\cbvois.exe
        
        "C:\Users\Admin\cbvois.exe"
        45⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:828
        
        C:\Users\Admin\geapih.exe
        
        "C:\Users\Admin\geapih.exe"
        46⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2280
        
        C:\Users\Admin\xealin.exe
        
        "C:\Users\Admin\xealin.exe"
        47⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2352
        
        C:\Users\Admin\jiafos.exe
        
        "C:\Users\Admin\jiafos.exe"
        48⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2748
        
        C:\Users\Admin\vuoojew.exe
        
        "C:\Users\Admin\vuoojew.exe"
        49⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2612
        
        C:\Users\Admin\biaguu.exe
        
        "C:\Users\Admin\biaguu.exe"
        50⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2872
        
        C:\Users\Admin\wbyuis.exe
        
        "C:\Users\Admin\wbyuis.exe"
        51⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2364
        
        C:\Users\Admin\peuvob.exe
        
        "C:\Users\Admin\peuvob.exe"
        52⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\hfnoz.exe

Filesize
224KB

MD5
d90812ba5d0268901fd8cad85a8a7ee7

SHA1
de3217f5577597e08c57221d69e06ad38499e275

SHA256
7670c8e71d8551a0638df413e7f546d1cb4291b049d5c3b8cb0feef148ef9439

SHA512
4e0e770f5077e837da43ca038e071fe2707769f751239708bb1e9f83ce0b979dca046a1454e78f41f987178820ce49a013d60db28011667dc7e6934274b244ea

Download Submit
\Users\Admin\kauur.exe

Filesize
224KB

MD5
7b3323effa27e3ab9e65f14268e289b0

SHA1
379cf668c03b6f65abce3f3e07fcffa226a0f533

SHA256
0de9b97ece5fc4400f0afae2e4524ab17ed8007779abfa2d2f2d0740e32fa86f

SHA512
41a2ce0eb3d2dd0bd4aba7006fe27e82b83fed46718285b8a93b930ad4a123d4f2aa6afcdf2d82b814e6496e1a3de38257bec9234adf532c03e4c223e626764b

Download Submit
\Users\Admin\kiejuuv.exe

Filesize
224KB

MD5
2204bb99a89a5bff10d91fe45a45a56c

SHA1
733458ccb995216afe71bb62ba6a5b18d9fe5eae

SHA256
b6a9929d0d773d507f95eabc018710f0b0ed7084e114a18d87b3e91cf8633f3e

SHA512
6306e1227eb4887fb56c461ff839a91b41d7e45feb29b898fc3ac6a29ecf9e7dfcd9f2a6e0803e0c6771d02c8a178b67d9ecaf34e2aeb2482f9c4399f8fafc2b

Download Submit
\Users\Admin\leaqot.exe

Filesize
224KB

MD5
7e7829395a954be3d7ea8aab1320138f

SHA1
8dc3ac200d90956393dc23bc0a2f2298cfe9f407

SHA256
ad495adacdbbc7691c6049a7cbc0146eb1cf6be24279b5b050fcb457bb1a0d76

SHA512
0162fc7f7409e5efd5310a1b5d307a3194a9c132a5b4ad4be3692831bb98fe9fd8f043e4c741c66009c118bff56043dbca9575e12e37b38c37660c657cdce892

Download Submit
\Users\Admin\liadov.exe

Filesize
224KB

MD5
985dc012493a7c845d67fac2821ae971

SHA1
58cddbdc13c8078911abf8b5b286e8be224b5849

SHA256
7cbd01f7222da385d364ee040ef8015cb7eb62fbdf784aa40f2c519cc62e2e09

SHA512
19d90e7c0436a32af1cf155695359e2798459b92e2bf19eba279176b9d4409ee2af7cd1864c2d701819ba2d2f42932b132d7df9d8fe34a627d52dccd890ae5cc

Download Submit
\Users\Admin\lioxuu.exe

Filesize
224KB

MD5
ac15d16e7ab5fef3c4bfe4ec95fbc7a5

SHA1
3b5f2cc393ee1137561efea28cbc523366857570

SHA256
69bc63cc1cbc55f7945b7c20665d8a9353cdd3e80acb6f298127062361699b61

SHA512
2ea192aaee7ef4e5dbe30469fbffb18bc89c436f1af022e113c855c7639782d6d863b14a3f415c97adfb0b83bb470474a0c4f985e1b51ea635f61770d520b0c7

Download Submit
\Users\Admin\moelaa.exe

Filesize
224KB

MD5
5fbc468c15ba1d606c80895fb4486499

SHA1
5f3078f1a496c23108de5dfc7b32f76ebe865a29

SHA256
96bd00ca5e88d225e133c7e4118585840873543bc4514b1e17fd598a0853188a

SHA512
4e624145485b4735a864775d88c60b5295fc1f567c7834697d021d97c1e78f3bbc225036735dfb41e97e8c3a54388f11d13f01cb8899b1816757f0f60f3c6fa7

Download Submit
\Users\Admin\piatuz.exe

Filesize
224KB

MD5
f2263c999ed3b788ac4fa7552c320584

SHA1
add0e9ccdace5398bcf1ab7e545fdc6bfe556030

SHA256
ebaa5e95d92ccb7e838fa145173bfdb5c7dfccec5df5496a966465c18195901d

SHA512
46654da4f0bea510daa90f4daa21189746fa814e062fc34146f588ec4f9eb252a56fcd1a2cf908da610d492ba226ba9af42b3d86f33402f7b754a6e70d98df5e

Download Submit
\Users\Admin\qaiij.exe

Filesize
224KB

MD5
a8c9d66ac9b2dced5b74788ebd845ec1

SHA1
aaa3608a221ce24761f1f48d4751e1bdf5055c89

SHA256
7cf0f5e4339e274a604d41b1c90afd4eeb1519dd84e7115fce09f06c75813a67

SHA512
d9b1e4a422d8dcd0466c1823ad4281e518d39a7d18f0756f03185b87cba3a98bfef74f6295ff428ed01f8164bc339811baf0c5b7e38da7f71ec92f9db299845a

Download Submit
\Users\Admin\raiif.exe

Filesize
224KB

MD5
aadd846d9b104e9c7c7def56a66afc03

SHA1
6574c709dcae4cdb1b2741b77eb33c8af6dff674

SHA256
285682cbfe29f8fb7d9872357503371a73009659f9f3b71bf2ae3250214c4d4c

SHA512
add66b5093987bedf01814d54b6af46855722fa15e6da4dc63400153821c696404c1fe573dbb658ecf1c4de7a14610c148851a01f98f64f0799ed34436b3ae51

Download Submit
\Users\Admin\reuus.exe

Filesize
224KB

MD5
df3cbdbc65203dbb189e87107a39ba15

SHA1
5382e34aabd4de500f7ffc191a6eef939c61d095

SHA256
14c2107942f652d773f86dcac6e39be0bf10891054e175292c6b808734cbcde7

SHA512
e2b8a94ea059d75406a0ef64eaf36d3e57efb7273dfc45808d091e379c18149f9076ac8857f9afc7a1f813df96dfc46d845749ae3bc1c3990bdf7b55d8c3c91c

Download Submit
\Users\Admin\roiitus.exe

Filesize
224KB

MD5
cf4e79f85b8c0a24ea89eac80fc55c12

SHA1
6210554db5e42998a94c289db018205a9444a6fb

SHA256
4f17789962b9190e7858b06008828e047d23863ad6dd54e3b767067624df43d4

SHA512
32fe7e47c901e01e4453250ddb39cd61c329cba01b48c16cc37de03ac25bba74910cac95fd9405a60bc7db727c8b095f2a2ead135f9e209c766011e6c12f5020

Download Submit
\Users\Admin\roiizus.exe

Filesize
224KB

MD5
36f16cd8db7c4c4b42f3ee3a35a27fa5

SHA1
459b160b541c4782d7428b814c9f9c29e9116ac4

SHA256
76150a0dbada404a0158f93a2f0b2dfccf63185732ce7d824251530be19cd022

SHA512
66a8b3efa037a2e94d277b3faacf831bd7fed71621c7ec6a82ddd281110f06f1f519cf0b39b557c889d9f0a092d1a62feafcb8ff31e02c3eda1c5af7ebad99ce

Download Submit
\Users\Admin\wxgov.exe

Filesize
224KB

MD5
56b1a30b188785c797e8e2e81171922f

SHA1
002ab500eadd908fe5db9e8c6cc083bb744b339a

SHA256
7466e2cb65cddbc0f58397bdd824b2aaedcee3d4dc7bce10460b339690f1d876

SHA512
05db3b50dc1414c9872c11278504801e2c3f0caecafcb822aa51c32753b0cef959034f466a1d0d21095607e749325c885269eaff301baa590441faa06a1720ad

Download Submit
\Users\Admin\yuvos.exe

Filesize
224KB

MD5
40717285c6a56ba46447cfdadc5839de

SHA1
b07ab2b7161e859e7aabe3c2a907b636d82fc4f5

SHA256
759bec5ccd26dc64becff92a5c92c12855cecd620b1addbc4884266255a4bd37

SHA512
6901e066059e6bf2d590ea616709e225b29899ece93f604944a959d00c1a36864614ba470d392fa5d4a6c0f7ae09a70bf45b23632e2297b851aa4deb5b4e3c90

Download Submit
memory/528-423-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/528-411-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/828-186-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/828-193-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/868-81-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/940-113-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/940-108-0x00000000032F0000-0x000000000332A000-memory.dmp

Filesize
232KB

Download
memory/980-399-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/980-397-0x00000000032C0000-0x00000000032FA000-memory.dmp

Filesize
232KB

Download
memory/980-396-0x00000000032C0000-0x00000000032FA000-memory.dmp

Filesize
232KB

Download
memory/1060-147-0x00000000031C0000-0x00000000031FA000-memory.dmp

Filesize
232KB

Download
memory/1060-153-0x00000000031C0000-0x00000000031FA000-memory.dmp

Filesize
232KB

Download
memory/1060-140-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1060-156-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1320-358-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1320-367-0x0000000003590000-0x00000000035CA000-memory.dmp

Filesize
232KB

Download
memory/1320-371-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1352-387-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1352-383-0x0000000003490000-0x00000000034CA000-memory.dmp

Filesize
232KB

Download
memory/1352-372-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1352-384-0x0000000003490000-0x00000000034CA000-memory.dmp

Filesize
232KB

Download
memory/1368-13-0x0000000003400000-0x000000000343A000-memory.dmp

Filesize
232KB

Download
memory/1368-15-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1368-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1476-294-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1476-278-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1476-291-0x0000000003410000-0x000000000344A000-memory.dmp

Filesize
232KB

Download
memory/1476-287-0x0000000003410000-0x000000000344A000-memory.dmp

Filesize
232KB

Download
memory/1488-202-0x00000000031B0000-0x00000000031EA000-memory.dmp

Filesize
232KB

Download
memory/1488-208-0x00000000031B0000-0x00000000031EA000-memory.dmp

Filesize
232KB

Download
memory/1488-212-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1588-82-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1588-96-0x0000000003540000-0x000000000357A000-memory.dmp

Filesize
232KB

Download
memory/1588-98-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1656-130-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1656-138-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1696-353-0x0000000003550000-0x000000000358A000-memory.dmp

Filesize
232KB

Download
memory/1696-131-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1696-115-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1696-361-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1696-357-0x0000000003550000-0x000000000358A000-memory.dmp

Filesize
232KB

Download
memory/1696-344-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1824-190-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1824-180-0x00000000032E0000-0x000000000331A000-memory.dmp

Filesize
232KB

Download
memory/1824-170-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1872-438-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1872-424-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1888-308-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1888-303-0x00000000030E0000-0x000000000311A000-memory.dmp

Filesize
232KB

Download
memory/1888-304-0x00000000030E0000-0x000000000311A000-memory.dmp

Filesize
232KB

Download
memory/2196-461-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2196-473-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2200-343-0x0000000003330000-0x000000000336A000-memory.dmp

Filesize
232KB

Download
memory/2200-345-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2232-320-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2232-333-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2232-328-0x0000000003540000-0x000000000357A000-memory.dmp

Filesize
232KB

Download
memory/2304-209-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2304-225-0x00000000032F0000-0x000000000332A000-memory.dmp

Filesize
232KB

Download
memory/2304-228-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2304-226-0x00000000032F0000-0x000000000332A000-memory.dmp

Filesize
232KB

Download
memory/2540-227-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2540-248-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2540-243-0x0000000003330000-0x000000000336A000-memory.dmp

Filesize
232KB

Download
memory/2540-242-0x0000000003330000-0x000000000336A000-memory.dmp

Filesize
232KB

Download
memory/2552-462-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2552-457-0x0000000003530000-0x000000000356A000-memory.dmp

Filesize
232KB

Download
memory/2552-449-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2588-277-0x0000000003550000-0x000000000358A000-memory.dmp

Filesize
232KB

Download
memory/2588-263-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2588-280-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2588-276-0x0000000003550000-0x000000000358A000-memory.dmp

Filesize
232KB

Download
memory/2644-43-0x0000000003230000-0x000000000326A000-memory.dmp

Filesize
232KB

Download
memory/2644-49-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2664-50-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2664-66-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2664-60-0x00000000033F0000-0x000000000342A000-memory.dmp

Filesize
232KB

Download
memory/2688-318-0x00000000033F0000-0x000000000342A000-memory.dmp

Filesize
232KB

Download
memory/2688-305-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2688-319-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2688-317-0x00000000033F0000-0x000000000342A000-memory.dmp

Filesize
232KB

Download
memory/2756-262-0x0000000003310000-0x000000000334A000-memory.dmp

Filesize
232KB

Download
memory/2756-261-0x0000000003310000-0x000000000334A000-memory.dmp

Filesize
232KB

Download
memory/2756-245-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2756-264-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2788-398-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2788-412-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2788-410-0x00000000031C0000-0x00000000031FA000-memory.dmp

Filesize
232KB

Download
memory/2896-36-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2896-31-0x0000000003550000-0x000000000358A000-memory.dmp

Filesize
232KB

Download
memory/2896-26-0x0000000003550000-0x000000000358A000-memory.dmp

Filesize
232KB

Download
memory/2896-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2984-169-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3048-435-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3048-447-0x00000000032C0000-0x00000000032FA000-memory.dmp

Filesize
232KB

Download
memory/3048-448-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download