32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c

Analysis

max time kernel
147s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
Size

361KB
MD5

6a786d8f70217dfaec233f6345db06d0
SHA1

1836de90928de3d7a6eb0f58d7b9481a5b73d636
SHA256

32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c
SHA512

aa09f8d71e073e5e8e0daf28cca49790743d762dcd7b9d0285fc624fd1f72b89fd13c50a06dee5079afe4e71e359fec679d3623ae3c3b7b69f4a192c3b81ca2a
SSDEEP

6144:vflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:vflfAsiVGjSGecvX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1524	mjecwrojgbvtolga.exe
2540	CreateProcess.exe
2548	kidavpnhfa.exe
2572	CreateProcess.exe
2924	CreateProcess.exe
1912	i_kidavpnhfa.exe
1932	CreateProcess.exe
2568	snkfzxrpke.exe
2800	CreateProcess.exe
2444	CreateProcess.exe
2000	i_snkfzxrpke.exe
1648	CreateProcess.exe
2416	fcxrpjhcwu.exe
1196	CreateProcess.exe
484	CreateProcess.exe
576	i_fcxrpjhcwu.exe
2492	CreateProcess.exe
804	czuomheztr.exe
304	CreateProcess.exe
1244	CreateProcess.exe
2368	i_czuomheztr.exe
1148	CreateProcess.exe
1688	rmjeywrojd.exe
1488	CreateProcess.exe
2220	CreateProcess.exe
1160	i_rmjeywrojd.exe
1364	CreateProcess.exe
2880	gbztolgdys.exe
3036	CreateProcess.exe
2312	CreateProcess.exe
3040	i_gbztolgdys.exe
2140	CreateProcess.exe
2928	trlgdyvqki.exe
2084	CreateProcess.exe
1744	CreateProcess.exe
2268	i_trlgdyvqki.exe
2196	CreateProcess.exe
2488	oigaysnlfd.exe
2668	CreateProcess.exe
2808	CreateProcess.exe
2532	i_oigaysnlfd.exe
2592	CreateProcess.exe
2548	dxvpnicaus.exe
2772	CreateProcess.exe
1644	CreateProcess.exe
1624	i_dxvpnicaus.exe
2580	CreateProcess.exe
2244	snkfcxrpkh.exe
1936	CreateProcess.exe
2816	CreateProcess.exe
2568	i_snkfcxrpkh.exe
2188	CreateProcess.exe
1996	pkhcaupmhf.exe
2004	CreateProcess.exe
2436	CreateProcess.exe
2412	i_pkhcaupmhf.exe
2416	CreateProcess.exe
1648	fcxrpjhcwu.exe
676	CreateProcess.exe
1392	CreateProcess.exe
2432	i_fcxrpjhcwu.exe
896	CreateProcess.exe
304	uomhbztrmg.exe
804	CreateProcess.exe

Loads dropped DLL 62 IoCs

pid	Process
2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
1524	mjecwrojgbvtolga.exe
1524	mjecwrojgbvtolga.exe
2548	kidavpnhfa.exe
1524	mjecwrojgbvtolga.exe
1524	mjecwrojgbvtolga.exe
2568	snkfzxrpke.exe
1524	mjecwrojgbvtolga.exe
1524	mjecwrojgbvtolga.exe
2416	fcxrpjhcwu.exe
1524	mjecwrojgbvtolga.exe
1524	mjecwrojgbvtolga.exe
804	czuomheztr.exe
1524	mjecwrojgbvtolga.exe
1524	mjecwrojgbvtolga.exe
1688	rmjeywrojd.exe
1524	mjecwrojgbvtolga.exe
1524	mjecwrojgbvtolga.exe
2880	gbztolgdys.exe
1524	mjecwrojgbvtolga.exe
1524	mjecwrojgbvtolga.exe
2928	trlgdyvqki.exe
1524	mjecwrojgbvtolga.exe
1524	mjecwrojgbvtolga.exe
2488	oigaysnlfd.exe
1524	mjecwrojgbvtolga.exe
1524	mjecwrojgbvtolga.exe
2548	dxvpnicaus.exe
1524	mjecwrojgbvtolga.exe
1524	mjecwrojgbvtolga.exe
2244	snkfcxrpkh.exe
1524	mjecwrojgbvtolga.exe
1524	mjecwrojgbvtolga.exe
1996	pkhcaupmhf.exe
1524	mjecwrojgbvtolga.exe
1524	mjecwrojgbvtolga.exe
1648	fcxrpjhcwu.exe
1524	mjecwrojgbvtolga.exe
1524	mjecwrojgbvtolga.exe
304	uomhbztrmg.exe
1524	mjecwrojgbvtolga.exe
1524	mjecwrojgbvtolga.exe
2968	jebwqojgbv.exe
1524	mjecwrojgbvtolga.exe
1524	mjecwrojgbvtolga.exe
908	gbztolgeys.exe
1524	mjecwrojgbvtolga.exe
1524	mjecwrojgbvtolga.exe
2068	rlgdyvqkid.exe
1524	mjecwrojgbvtolga.exe
1524	mjecwrojgbvtolga.exe
1044	gavtnlfaxs.exe
1524	mjecwrojgbvtolga.exe
1524	mjecwrojgbvtolga.exe
2940	sqkfcxvpkh.exe
1524	mjecwrojgbvtolga.exe
1524	mjecwrojgbvtolga.exe
2500	pnhcausmhf.exe
1524	mjecwrojgbvtolga.exe
1524	mjecwrojgbvtolga.exe
2404	icaupmhfzu.exe
1524	mjecwrojgbvtolga.exe

Gathers network information 2 TTPs 20 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1616	ipconfig.exe
1684	ipconfig.exe
2780	ipconfig.exe
1300	ipconfig.exe
1992	ipconfig.exe
2056	ipconfig.exe
2236	ipconfig.exe
1640	ipconfig.exe
640	ipconfig.exe
2892	ipconfig.exe
2216	ipconfig.exe
1720	ipconfig.exe
1636	ipconfig.exe
2528	ipconfig.exe
696	ipconfig.exe
2492	ipconfig.exe
2288	ipconfig.exe
1988	ipconfig.exe
2268	ipconfig.exe
2960	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425690217"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F2DB9811-34D6-11EF-86BF-CE57F181EBEB} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60fd81d8e3c8da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000fd1d77f086c026a455c4ea70029a44aff4fe9b328471b8b02d14fb5002bb18b7000000000e800000000200002000000094a118c7b7f740206f3e10b3c8e682d218a75c688ee3d4a38fda07a0efea1ff490000000a4f529715555621218d9b0e07d547f9e8f4ead9d325e24b51747588fc320304dda3daee9018f5bbdd6eec3ea815311f8bdb7b3a5c4dba346f82cb3e1a7156ae3ca97ac95824d001aef1d858231c6698f8eed50d1fdfa6dd727b2d87f3b0fc2d80efc405b48c606b03316d3f624485df8082ad539fc9a58dfc22430148e5c07822fc5f329231d073e345ee02e664a6a634000000056b3014c02c7cf0618e1f8c5568441ef276daf62171ce254aa7c87bf214a691c28a2041d31816ed0ad9ba341e65e7aa2f3b804dc91d5bb4ad8b9a79830ebab86	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000805ed50d96b854a191c8c4bf2a60f3332bce71061a73bf25b530907da6ca4d8a000000000e800000000200002000000020ccb945d3fcc10bbfab0b382fe3e860c2120136b2b942f0c07251c040a62ba820000000fd6b3f0b8a7c13a89d68a5b49fd31f5782246319324e93ce05fb12facaaf150540000000889cf357f9c5332be4dc70b3fdb65ce36ac6feecd65ffd1aded65ab9415cb1c85adac1270738305de22a31773b091ff43403899602cb512520811021170f921a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
1524	mjecwrojgbvtolga.exe
1524	mjecwrojgbvtolga.exe
1524	mjecwrojgbvtolga.exe
1524	mjecwrojgbvtolga.exe
1524	mjecwrojgbvtolga.exe
1524	mjecwrojgbvtolga.exe
1524	mjecwrojgbvtolga.exe
2548	kidavpnhfa.exe
2548	kidavpnhfa.exe
2548	kidavpnhfa.exe
2548	kidavpnhfa.exe
2548	kidavpnhfa.exe
2548	kidavpnhfa.exe
2548	kidavpnhfa.exe
1912	i_kidavpnhfa.exe
1912	i_kidavpnhfa.exe
1912	i_kidavpnhfa.exe
1912	i_kidavpnhfa.exe
1912	i_kidavpnhfa.exe
1912	i_kidavpnhfa.exe
1912	i_kidavpnhfa.exe
2568	snkfzxrpke.exe
2568	snkfzxrpke.exe
2568	snkfzxrpke.exe
2568	snkfzxrpke.exe
2568	snkfzxrpke.exe
2568	snkfzxrpke.exe
2568	snkfzxrpke.exe
2000	i_snkfzxrpke.exe
2000	i_snkfzxrpke.exe
2000	i_snkfzxrpke.exe
2000	i_snkfzxrpke.exe
2000	i_snkfzxrpke.exe
2000	i_snkfzxrpke.exe
2000	i_snkfzxrpke.exe
2416	fcxrpjhcwu.exe

Suspicious behavior: LoadsDriver 20 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1912	i_kidavpnhfa.exe
Token: SeDebugPrivilege	2000	i_snkfzxrpke.exe
Token: SeDebugPrivilege	576	i_fcxrpjhcwu.exe
Token: SeDebugPrivilege	2368	i_czuomheztr.exe
Token: SeDebugPrivilege	1160	i_rmjeywrojd.exe
Token: SeDebugPrivilege	3040	i_gbztolgdys.exe
Token: SeDebugPrivilege	2268	i_trlgdyvqki.exe
Token: SeDebugPrivilege	2532	i_oigaysnlfd.exe
Token: SeDebugPrivilege	1624	i_dxvpnicaus.exe
Token: SeDebugPrivilege	2568	i_snkfcxrpkh.exe
Token: SeDebugPrivilege	2412	i_pkhcaupmhf.exe
Token: SeDebugPrivilege	2432	i_fcxrpjhcwu.exe
Token: SeDebugPrivilege	2864	i_uomhbztrmg.exe
Token: SeDebugPrivilege	1096	i_jebwqojgbv.exe
Token: SeDebugPrivilege	2884	i_gbztolgeys.exe
Token: SeDebugPrivilege	1664	i_rlgdyvqkid.exe
Token: SeDebugPrivilege	2088	i_gavtnlfaxs.exe
Token: SeDebugPrivilege	2092	i_sqkfcxvpkh.exe
Token: SeDebugPrivilege	612	i_pnhcausmhf.exe
Token: SeDebugPrivilege	1952	i_icaupmhfzu.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1316	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1316	iexplore.exe
1316	iexplore.exe
2676	IEXPLORE.EXE
2676	IEXPLORE.EXE
2676	IEXPLORE.EXE
2676	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 1524	2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe	28
PID 2104 wrote to memory of 1524	2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe	28
PID 2104 wrote to memory of 1524	2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe	28
PID 2104 wrote to memory of 1524	2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe	28
PID 2104 wrote to memory of 1316	2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe	29
PID 2104 wrote to memory of 1316	2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe	29
PID 2104 wrote to memory of 1316	2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe	29
PID 2104 wrote to memory of 1316	2104	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe	29
PID 1316 wrote to memory of 2676	1316	iexplore.exe	30
PID 1316 wrote to memory of 2676	1316	iexplore.exe	30
PID 1316 wrote to memory of 2676	1316	iexplore.exe	30
PID 1316 wrote to memory of 2676	1316	iexplore.exe	30
PID 1524 wrote to memory of 2540	1524	mjecwrojgbvtolga.exe	31
PID 1524 wrote to memory of 2540	1524	mjecwrojgbvtolga.exe	31
PID 1524 wrote to memory of 2540	1524	mjecwrojgbvtolga.exe	31
PID 1524 wrote to memory of 2540	1524	mjecwrojgbvtolga.exe	31
PID 2548 wrote to memory of 2572	2548	kidavpnhfa.exe	34
PID 2548 wrote to memory of 2572	2548	kidavpnhfa.exe	34
PID 2548 wrote to memory of 2572	2548	kidavpnhfa.exe	34
PID 2548 wrote to memory of 2572	2548	kidavpnhfa.exe	34
PID 1524 wrote to memory of 2924	1524	mjecwrojgbvtolga.exe	37
PID 1524 wrote to memory of 2924	1524	mjecwrojgbvtolga.exe	37
PID 1524 wrote to memory of 2924	1524	mjecwrojgbvtolga.exe	37
PID 1524 wrote to memory of 2924	1524	mjecwrojgbvtolga.exe	37
PID 1524 wrote to memory of 1932	1524	mjecwrojgbvtolga.exe	39
PID 1524 wrote to memory of 1932	1524	mjecwrojgbvtolga.exe	39
PID 1524 wrote to memory of 1932	1524	mjecwrojgbvtolga.exe	39
PID 1524 wrote to memory of 1932	1524	mjecwrojgbvtolga.exe	39
PID 2568 wrote to memory of 2800	2568	snkfzxrpke.exe	41
PID 2568 wrote to memory of 2800	2568	snkfzxrpke.exe	41
PID 2568 wrote to memory of 2800	2568	snkfzxrpke.exe	41
PID 2568 wrote to memory of 2800	2568	snkfzxrpke.exe	41
PID 1524 wrote to memory of 2444	1524	mjecwrojgbvtolga.exe	44
PID 1524 wrote to memory of 2444	1524	mjecwrojgbvtolga.exe	44
PID 1524 wrote to memory of 2444	1524	mjecwrojgbvtolga.exe	44
PID 1524 wrote to memory of 2444	1524	mjecwrojgbvtolga.exe	44
PID 1524 wrote to memory of 1648	1524	mjecwrojgbvtolga.exe	46
PID 1524 wrote to memory of 1648	1524	mjecwrojgbvtolga.exe	46
PID 1524 wrote to memory of 1648	1524	mjecwrojgbvtolga.exe	46
PID 1524 wrote to memory of 1648	1524	mjecwrojgbvtolga.exe	46
PID 2416 wrote to memory of 1196	2416	fcxrpjhcwu.exe	48
PID 2416 wrote to memory of 1196	2416	fcxrpjhcwu.exe	48
PID 2416 wrote to memory of 1196	2416	fcxrpjhcwu.exe	48
PID 2416 wrote to memory of 1196	2416	fcxrpjhcwu.exe	48
PID 1524 wrote to memory of 484	1524	mjecwrojgbvtolga.exe	51
PID 1524 wrote to memory of 484	1524	mjecwrojgbvtolga.exe	51
PID 1524 wrote to memory of 484	1524	mjecwrojgbvtolga.exe	51
PID 1524 wrote to memory of 484	1524	mjecwrojgbvtolga.exe	51
PID 1524 wrote to memory of 2492	1524	mjecwrojgbvtolga.exe	53
PID 1524 wrote to memory of 2492	1524	mjecwrojgbvtolga.exe	53
PID 1524 wrote to memory of 2492	1524	mjecwrojgbvtolga.exe	53
PID 1524 wrote to memory of 2492	1524	mjecwrojgbvtolga.exe	53
PID 804 wrote to memory of 304	804	czuomheztr.exe	55
PID 804 wrote to memory of 304	804	czuomheztr.exe	55
PID 804 wrote to memory of 304	804	czuomheztr.exe	55
PID 804 wrote to memory of 304	804	czuomheztr.exe	55
PID 1524 wrote to memory of 1244	1524	mjecwrojgbvtolga.exe	58
PID 1524 wrote to memory of 1244	1524	mjecwrojgbvtolga.exe	58
PID 1524 wrote to memory of 1244	1524	mjecwrojgbvtolga.exe	58
PID 1524 wrote to memory of 1244	1524	mjecwrojgbvtolga.exe	58
PID 1524 wrote to memory of 1148	1524	mjecwrojgbvtolga.exe	60
PID 1524 wrote to memory of 1148	1524	mjecwrojgbvtolga.exe	60
PID 1524 wrote to memory of 1148	1524	mjecwrojgbvtolga.exe	60
PID 1524 wrote to memory of 1148	1524	mjecwrojgbvtolga.exe	60

C:\Users\Admin\AppData\Local\Temp\32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Temp\mjecwrojgbvtolga.exe
  C:\Temp\mjecwrojgbvtolga.exe run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\kidavpnhfa.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2540
  - - C:\Temp\kidavpnhfa.exe
      C:\Temp\kidavpnhfa.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2548
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2572
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1616
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_kidavpnhfa.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2924
  - - C:\Temp\i_kidavpnhfa.exe
      C:\Temp\i_kidavpnhfa.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1912
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\snkfzxrpke.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1932
  - - C:\Temp\snkfzxrpke.exe
      C:\Temp\snkfzxrpke.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2800
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2892
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_snkfzxrpke.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2444
  - - C:\Temp\i_snkfzxrpke.exe
      C:\Temp\i_snkfzxrpke.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2000
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\fcxrpjhcwu.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1648
  - - C:\Temp\fcxrpjhcwu.exe
      C:\Temp\fcxrpjhcwu.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1196
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2216
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_fcxrpjhcwu.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:484
  - - C:\Temp\i_fcxrpjhcwu.exe
      C:\Temp\i_fcxrpjhcwu.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:576
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\czuomheztr.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2492
  - - C:\Temp\czuomheztr.exe
      C:\Temp\czuomheztr.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:804
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:304
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1720
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_czuomheztr.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1244
  - - C:\Temp\i_czuomheztr.exe
      C:\Temp\i_czuomheztr.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2368
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\rmjeywrojd.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1148
  - - C:\Temp\rmjeywrojd.exe
      C:\Temp\rmjeywrojd.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1688
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1488
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1684
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_rmjeywrojd.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2220
  - - C:\Temp\i_rmjeywrojd.exe
      C:\Temp\i_rmjeywrojd.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1160
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\gbztolgdys.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1364
  - - C:\Temp\gbztolgdys.exe
      C:\Temp\gbztolgdys.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2880
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3036
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1992
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_gbztolgdys.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2312
  - - C:\Temp\i_gbztolgdys.exe
      C:\Temp\i_gbztolgdys.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3040
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\trlgdyvqki.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2140
  - - C:\Temp\trlgdyvqki.exe
      C:\Temp\trlgdyvqki.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2928
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2084
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2056
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_trlgdyvqki.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1744
  - - C:\Temp\i_trlgdyvqki.exe
      C:\Temp\i_trlgdyvqki.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2268
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\oigaysnlfd.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2196
  - - C:\Temp\oigaysnlfd.exe
      C:\Temp\oigaysnlfd.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2488
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2668
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2236
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_oigaysnlfd.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2808
  - - C:\Temp\i_oigaysnlfd.exe
      C:\Temp\i_oigaysnlfd.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2532
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\dxvpnicaus.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2592
  - - C:\Temp\dxvpnicaus.exe
      C:\Temp\dxvpnicaus.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2548
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2772
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2780
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_dxvpnicaus.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1644
  - - C:\Temp\i_dxvpnicaus.exe
      C:\Temp\i_dxvpnicaus.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1624
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\snkfcxrpkh.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2580
  - - C:\Temp\snkfcxrpkh.exe
      C:\Temp\snkfcxrpkh.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2244
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1936
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1300
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_snkfcxrpkh.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2816
  - - C:\Temp\i_snkfcxrpkh.exe
      C:\Temp\i_snkfcxrpkh.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2568
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\pkhcaupmhf.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2188
  - - C:\Temp\pkhcaupmhf.exe
      C:\Temp\pkhcaupmhf.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1996
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2004
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1640
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_pkhcaupmhf.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2436
  - - C:\Temp\i_pkhcaupmhf.exe
      C:\Temp\i_pkhcaupmhf.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2412
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\fcxrpjhcwu.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2416
  - - C:\Temp\fcxrpjhcwu.exe
      C:\Temp\fcxrpjhcwu.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1648
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:676
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:640
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_fcxrpjhcwu.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1392
  - - C:\Temp\i_fcxrpjhcwu.exe
      C:\Temp\i_fcxrpjhcwu.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2432
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\uomhbztrmg.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:896
  - - C:\Temp\uomhbztrmg.exe
      C:\Temp\uomhbztrmg.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:304
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:804
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2492
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_uomhbztrmg.exe ups_ins
    3⤵
    PID:2496
  - - C:\Temp\i_uomhbztrmg.exe
      C:\Temp\i_uomhbztrmg.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2864
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\jebwqojgbv.exe ups_run
    3⤵
    PID:1620
  - - C:\Temp\jebwqojgbv.exe
      C:\Temp\jebwqojgbv.exe ups_run
      4⤵
      Loads dropped DLL
      PID:2968
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1112
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2288
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_jebwqojgbv.exe ups_ins
    3⤵
    PID:996
  - - C:\Temp\i_jebwqojgbv.exe
      C:\Temp\i_jebwqojgbv.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1096
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\gbztolgeys.exe ups_run
    3⤵
    PID:1020
  - - C:\Temp\gbztolgeys.exe
      C:\Temp\gbztolgeys.exe ups_run
      4⤵
      Loads dropped DLL
      PID:908
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2896
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1988
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_gbztolgeys.exe ups_ins
    3⤵
    PID:1332
  - - C:\Temp\i_gbztolgeys.exe
      C:\Temp\i_gbztolgeys.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2884
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\rlgdyvqkid.exe ups_run
    3⤵
    PID:2868
  - - C:\Temp\rlgdyvqkid.exe
      C:\Temp\rlgdyvqkid.exe ups_run
      4⤵
      Loads dropped DLL
      PID:2068
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2392
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1636
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_rlgdyvqkid.exe ups_ins
    3⤵
    PID:2140
  - - C:\Temp\i_rlgdyvqkid.exe
      C:\Temp\i_rlgdyvqkid.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1664
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\gavtnlfaxs.exe ups_run
    3⤵
    PID:1752
  - - C:\Temp\gavtnlfaxs.exe
      C:\Temp\gavtnlfaxs.exe ups_run
      4⤵
      Loads dropped DLL
      PID:1044
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2132
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2268
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_gavtnlfaxs.exe ups_ins
    3⤵
    PID:2664
  - - C:\Temp\i_gavtnlfaxs.exe
      C:\Temp\i_gavtnlfaxs.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2088
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\sqkfcxvpkh.exe ups_run
    3⤵
    PID:2632
  - - C:\Temp\sqkfcxvpkh.exe
      C:\Temp\sqkfcxvpkh.exe ups_run
      4⤵
      Loads dropped DLL
      PID:2940
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2052
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2960
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_sqkfcxvpkh.exe ups_ins
    3⤵
    PID:1220
  - - C:\Temp\i_sqkfcxvpkh.exe
      C:\Temp\i_sqkfcxvpkh.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2092
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\pnhcausmhf.exe ups_run
    3⤵
    PID:2640
  - - C:\Temp\pnhcausmhf.exe
      C:\Temp\pnhcausmhf.exe ups_run
      4⤵
      Loads dropped DLL
      PID:2500
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1520
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2528
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_pnhcausmhf.exe ups_ins
    3⤵
    PID:2204
  - - C:\Temp\i_pnhcausmhf.exe
      C:\Temp\i_pnhcausmhf.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:612
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\icaupmhfzu.exe ups_run
    3⤵
    PID:2588
  - - C:\Temp\icaupmhfzu.exe
      C:\Temp\icaupmhfzu.exe ups_run
      4⤵
      Loads dropped DLL
      PID:2404
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1956
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:696
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_icaupmhfzu.exe ups_ins
    3⤵
    PID:1932
  - - C:\Temp\i_icaupmhfzu.exe
      C:\Temp\i_icaupmhfzu.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1952
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1316 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\czuomheztr.exe

Filesize
361KB

MD5
71b2d856de05a6787040834d994a2957

SHA1
0d18471fa3bde3c17c4ebcbf8b1ffe0a124d7da0

SHA256
2281f9cbe174fba61c8432476207286fd7664d0fabcec367eee1a843e7baf6f8

SHA512
da0bd749d4b505ff1502158681cb23d561500481083bceb0219bf9dca791eea7ee447bf0bfd456649bb8e7c5df766a77b076df23fec4a84351c255a1a53e3596

Download Submit
C:\Temp\fcxrpjhcwu.exe

Filesize
361KB

MD5
920e4c61fab86ccfd0171ea4b5406d24

SHA1
0fbddc2e6d90af8ed7b1539921e708b4ebec8df8

SHA256
f06b45be4ee4a9348178519bbcc3df2a88d218f1480633169fd20b2d7ba23eab

SHA512
cd82473fa3c6910b5bd7e37e14c1f03f6fbdf540bffb9bdb00e8f20a20db59e4a20590f2e60617a8e1318f993c709172d4ae926650461b126d1482c806794ee8

Download Submit
C:\Temp\gbztolgdys.exe

Filesize
361KB

MD5
5bc6c202b4ace0a851e988b7223edd94

SHA1
5ffdc1b742a09fee09557ba78a049164a4ea7410

SHA256
253b93388c15ed9aa4bd25cdbff2e20315564b5223801f3ea757438290d9e5bd

SHA512
aa719b810ae7427fdce2c7d4eded84777101f2078de589297abe3863d7bb3b96e12c0b291798ac18793c5c4ac007818548e65dbafe48673c7c55b6fd5adf8f2e

Download Submit
C:\Temp\i_czuomheztr.exe

Filesize
361KB

MD5
b341985b3b4ac00aa08ef9ab8ad5b225

SHA1
2882c9e43abb4be7689bd9272b279c37649995d0

SHA256
451a604fe23d1d98227ea85302daa9e071dea119c955a49ba6c418866d401b96

SHA512
f3a3498578f78006eff47fa0bed5fc4a3da72238f19709ec4daf8228cb440451411b9f5d6824f5215c9874ebc0bda17f08ed22499bc9ed87391cb054cfee30f0

Download Submit
C:\Temp\i_fcxrpjhcwu.exe

Filesize
361KB

MD5
17e8ea3f30582076df183eec1b083651

SHA1
e544e5edaae8cc5150fe7fa2d625ae28b8969b51

SHA256
4542b3430278054c0b26a9899261fa1724db6c87c52840671ce4606b1249855b

SHA512
a089670f6c97c10fe1385e425665b0535cef25573f44935c430ed0949c1f0072b32e86a0c70becb372855b4d43d03c34bdfe9a4c8ad8fef06930ee273d210807

Download Submit
C:\Temp\i_gbztolgdys.exe

Filesize
361KB

MD5
6bd4d8e31bbdf522a8d6f9c094ed0736

SHA1
9d53ed7024852d54846838918327a105a0e2d917

SHA256
86be55ab9323ae40061e32804c1d5c41c656068bd28e9854e5f7396862ad8619

SHA512
90495a250c915d968c64f32fca7d8a0116fa70b4ac6f4c709b9d0ac1a966c8b6c75fa95e622e680f3dfd9809ba8cc513be1b16972a9fd60061910949b89ca380

Download Submit
C:\Temp\i_kidavpnhfa.exe

Filesize
361KB

MD5
cb52a3d5e53e09a07dc87d329087d835

SHA1
ef17dabf7104a6f0a6cc605d4d00d4ce456c4d16

SHA256
0bb8fd8286faff0d151fea278012fc126336cca09d181b266328d6e1ac2792d4

SHA512
cc7b59786813c8bf712193476ec82ac3c7de1aec493f58fbdbc3c5e9103e266643a31318f3299106cb90e88543ebc184c2b428b303ccd78f05491c3dda8a13ce

Download Submit
C:\Temp\i_rmjeywrojd.exe

Filesize
361KB

MD5
679f89dc113d63f40942ea59fc3cac73

SHA1
aef3270fdfdb5a2f763f47d44b41efafa9855b5f

SHA256
0fcfe8491a617fee13c21835891c3bb26c5896819316954ca8c2a4bd3716b74a

SHA512
66d1ce206231cef65619ce6cb00eb44e311b8d3b6a69e98c5bc8307f133335ea754a5ef5719ef6955a194c0750c52b12a85de64ccc7031972779fef2a57f01b6

Download Submit
C:\Temp\i_snkfzxrpke.exe

Filesize
361KB

MD5
02188537e43278b66d005e0b0d6a38d7

SHA1
cbaee756482c50e998b811da0a1c3c368f5bf685

SHA256
a66c827caab284eab377097bc6257e3d15979ad5c9f5176c5581d656d96d6f18

SHA512
d0737d4459661d2f8f5afe9a42a888f3407111511c97f8866ce6c8f33b494358e214d51cb36fb2ee21ba4244beb45e7112ffc2a3d75800aae3e83a7b830cfdb8

Download Submit
C:\Temp\i_trlgdyvqki.exe

Filesize
361KB

MD5
7b3342e4f01b0d57c8d05325235447f3

SHA1
7f07943326985e6ba89ebef0bf307156587ee2b1

SHA256
39abb26f81538427db0ae197553c3de45df71483bc30cebdb6ac475dbe86b317

SHA512
50f0a8c1d95be65dc83f89e9f33d97472488b7744db8c63d2eb9541ec8e109c158c12ec6d05c9c889e91a2d6c77b0518b9798e34df5855a81e3a2fb1e27d2f5d

Download Submit
C:\Temp\kidavpnhfa.exe

Filesize
361KB

MD5
6f28f3ad9391d1ba49055558cf39f2dc

SHA1
a6defca72e4b1b42ed21f9e343b39311bf542bef

SHA256
8f17c5e5935e1e36066b3cbb136b0e43d35a02c80c2ca01212186e01b916c486

SHA512
367a055ebc643a7b7c93721b4d3e303b063d7b1c63769951ae45b578f2f4baecadf2ded4b883263611f64f3676abac62def15f8a95249e200afa5a417144d6f6

Download Submit
C:\Temp\oigaysnlfd.exe

Filesize
361KB

MD5
d2a7ff37460cd6aee563cb812f832a19

SHA1
b88765ef14ea9dbbe8dec0c9080e0e3e104c7c2b

SHA256
cd6d37b9c723d3351f3bff483ff1755844c9d2572ce5bb89a142afffb54af97d

SHA512
5e23d255b3aae2867a912987ba74e78ef7e49c4a4e61cbd43e6409f9a55d105ea18b664ce79b90b23650aa20a4f1e624cb6f2193d191d26a4e2bfc866c9df2af

Download Submit
C:\Temp\rmjeywrojd.exe

Filesize
361KB

MD5
eec630634811c83025eadb913372b1ef

SHA1
ba30924fb94d0f60519443afa763a9b054f0f1a0

SHA256
78e12f2c4e9c03a2ea527c790132e1ec4808c95a5ddda98b66f12adc298428dc

SHA512
a5d406092d71ce2b08849716d77ce88dc8342f5565091e9f75db6562781646aa7f014d51db06e651cd1c5ec3313df387f03a027c2636a1222190546d984ef232

Download Submit
C:\Temp\snkfzxrpke.exe

Filesize
361KB

MD5
5444ea9b7eeb20bb6828fd5528a57b7c

SHA1
820e27a19bf52763c06290e5d5abf8a71a969a6a

SHA256
0d9b042529e9e76117f3bbfba195200d3c0273d323916aa3948babd909548be0

SHA512
4b97efa1b11da1520461c62506abf91b3cd677bf4c36a6a0c30c0fc6649308113e79cab009c09faaa4e6a242bb2c195946133185272604020556b31a9008d403

Download Submit
C:\Temp\trlgdyvqki.exe

Filesize
361KB

MD5
8bb5b0d1082cc207a31874ff4be3f1d4

SHA1
cd5dcda5b93551c8e1df6326454b1d32c22ec93d

SHA256
b45698e6a39d2d65b509d9cd04727c02cdad3da809872a81196c46baad79ea0d

SHA512
2e77426a13c6e20474bc2682d436ad6f6963d4517648dfcb26108ff35d582b8785eb5e6db0de513340a7aff7de6d8a67c8a06c8dd2f7b0895c1d3e01f35165f1

Download Submit
C:\temp\CreateProcess.exe

Filesize
3KB

MD5
c183b84389116af6043345e7c9267408

SHA1
a8f052016985595af75a9b7a4992d47362ddd2dd

SHA256
9303bb85dda6a916e65a311fe939c474ad39a21a662407ce65b8db3970c8e352

SHA512
1dae28738bff9bb987f597bb7abeb94f3afd22800f0eeebcd9c896138ee6cd87ee2fe5f62959ee0001a953d1a5a29f3f73f6ffcf2af7038d83fca2bd81a012a9

Download Submit
\Temp\mjecwrojgbvtolga.exe

Filesize
361KB

MD5
3582fc37370b6903567a1b90174dccf6

SHA1
2f8622ad1aea85589d13e3d50c9fe9dbf6b4aae1

SHA256
4c0cb9d8954f79179b018cda592e50899e3bb759ed82ac22d0eca51e6ab86c27

SHA512
43473aa1e02017193f2e5610ef0d44e18ccd1d82fd547ee2869a87a1ef9d61ec912609a81951e0d80a4a9c63e585d510ee47533055a74dfe817b44f367dd7c1e

Download Submit