b8409494d9b140f95d6a6936599acc03c377600b7fcab60a578d66128e37a7b5

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-03-2024 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8409494d9b140f95d6a6936599acc03c377600b7fcab60a578d66128e37a7b5.exe
Size

224KB
MD5

26007b26eaf3bbeeea225269cd41844c
SHA1

9b6d5b7a0edff0ce0825e35338c6c7f33ba8c951
SHA256

b8409494d9b140f95d6a6936599acc03c377600b7fcab60a578d66128e37a7b5
SHA512

b37b6ae71901c8d9a7062327a7c62102c28025a5f5d5994669b7f5e89db8a874abb72aea570bd21b1b2f4fccd34df53020f3410ad3942e541452dc75d3c29be1
SSDEEP

3072:GD5KJB39OuJwQS3xhCjG8G3GbGVGBGfGuGxGWYcrf6Kad0:GD4JB3fHAAYcD6Kad

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 50 IoCs

pid	Process
2556	puinaav.exe
2848	szhiem.exe
2956	qutah.exe
440	poemuur.exe
2764	qozef.exe
944	neoohit.exe
2648	coilu.exe
2292	qaiij.exe
1368	chxoim.exe
1344	beodi.exe
1828	dgxoim.exe
2108	peodi.exe
2376	xbsoiq.exe
2680	koejuuh.exe
2824	qdzuas.exe
2948	saeehi.exe
1412	zdkeuy.exe
2808	zaooh.exe
2820	heumaap.exe
2312	zbvoip.exe
832	geuul.exe
1784	miaguu.exe
3052	muatoo.exe
1820	qusik.exe
1220	saoohut.exe
2068	chqog.exe
2020	guave.exe
2108	mianuu.exe
3068	miaguu.exe
2708	seoohit.exe
2456	qiuvab.exe
1396	vplos.exe
580	mioruw.exe
2444	wuabe.exe
1172	doiixab.exe
1752	kiejuuh.exe
1628	wbvoif.exe
2248	feodi.exe
2160	toazeh.exe
1712	daiixe.exe
2256	jiuyaz.exe
2216	ydzuat.exe
1084	wgxom.exe
3028	poemuur.exe
1680	seoohit.exe
2376	loisee.exe
3068	liepuu.exe
2532	bauugex.exe
2136	wupol.exe
276	piuvab.exe

Loads dropped DLL 64 IoCs

pid	Process
2488	b8409494d9b140f95d6a6936599acc03c377600b7fcab60a578d66128e37a7b5.exe
2488	b8409494d9b140f95d6a6936599acc03c377600b7fcab60a578d66128e37a7b5.exe
2556	puinaav.exe
2556	puinaav.exe
2848	szhiem.exe
2848	szhiem.exe
2956	qutah.exe
2956	qutah.exe
440	poemuur.exe
440	poemuur.exe
2764	qozef.exe
2764	qozef.exe
944	neoohit.exe
944	neoohit.exe
2648	coilu.exe
2648	coilu.exe
2292	qaiij.exe
2292	qaiij.exe
1368	chxoim.exe
1368	chxoim.exe
1344	beodi.exe
1344	beodi.exe
1828	dgxoim.exe
1828	dgxoim.exe
2108	peodi.exe
2108	peodi.exe
2376	xbsoiq.exe
2376	xbsoiq.exe
2680	koejuuh.exe
2680	koejuuh.exe
2824	qdzuas.exe
2824	qdzuas.exe
2948	saeehi.exe
2948	saeehi.exe
1412	zdkeuy.exe
1412	zdkeuy.exe
2808	zaooh.exe
2808	zaooh.exe
2820	heumaap.exe
2820	heumaap.exe
2312	zbvoip.exe
2312	zbvoip.exe
832	geuul.exe
832	geuul.exe
1784	miaguu.exe
1784	miaguu.exe
3052	muatoo.exe
3052	muatoo.exe
1820	qusik.exe
1820	qusik.exe
1220	saoohut.exe
1220	saoohut.exe
2068	chqog.exe
2068	chqog.exe
2020	guave.exe
2020	guave.exe
2108	mianuu.exe
3068	miaguu.exe
3068	miaguu.exe
2708	seoohit.exe
2708	seoohit.exe
2456	qiuvab.exe
2456	qiuvab.exe
1396	vplos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
2488	b8409494d9b140f95d6a6936599acc03c377600b7fcab60a578d66128e37a7b5.exe
2556	puinaav.exe
2848	szhiem.exe
2956	qutah.exe
440	poemuur.exe
2764	qozef.exe
944	neoohit.exe
2648	coilu.exe
2292	qaiij.exe
1368	chxoim.exe
1344	beodi.exe
1828	dgxoim.exe
2108	peodi.exe
2376	xbsoiq.exe
2680	koejuuh.exe
2824	qdzuas.exe
2948	saeehi.exe
1412	zdkeuy.exe
2808	zaooh.exe
2820	heumaap.exe
2312	zbvoip.exe
832	geuul.exe
1784	miaguu.exe
3052	muatoo.exe
1820	qusik.exe
1220	saoohut.exe
2068	chqog.exe
2020	guave.exe
2108	mianuu.exe
3068	miaguu.exe
2708	seoohit.exe
2456	qiuvab.exe
1396	vplos.exe
580	mioruw.exe
2444	wuabe.exe
1172	doiixab.exe
1752	kiejuuh.exe
1628	wbvoif.exe
2248	feodi.exe
2160	toazeh.exe
1712	daiixe.exe
2256	jiuyaz.exe
2216	ydzuat.exe
1084	wgxom.exe
3028	poemuur.exe
1680	seoohit.exe
2376	loisee.exe
3068	liepuu.exe
2532	bauugex.exe
2136	wupol.exe
276	piuvab.exe

Suspicious use of SetWindowsHookEx 51 IoCs

pid	Process
2488	b8409494d9b140f95d6a6936599acc03c377600b7fcab60a578d66128e37a7b5.exe
2556	puinaav.exe
2848	szhiem.exe
2956	qutah.exe
440	poemuur.exe
2764	qozef.exe
944	neoohit.exe
2648	coilu.exe
2292	qaiij.exe
1368	chxoim.exe
1344	beodi.exe
1828	dgxoim.exe
2108	peodi.exe
2376	xbsoiq.exe
2680	koejuuh.exe
2824	qdzuas.exe
2948	saeehi.exe
1412	zdkeuy.exe
2808	zaooh.exe
2820	heumaap.exe
2312	zbvoip.exe
832	geuul.exe
1784	miaguu.exe
3052	muatoo.exe
1820	qusik.exe
1220	saoohut.exe
2068	chqog.exe
2020	guave.exe
2108	mianuu.exe
3068	miaguu.exe
2708	seoohit.exe
2456	qiuvab.exe
1396	vplos.exe
580	mioruw.exe
2444	wuabe.exe
1172	doiixab.exe
1752	kiejuuh.exe
1628	wbvoif.exe
2248	feodi.exe
2160	toazeh.exe
1712	daiixe.exe
2256	jiuyaz.exe
2216	ydzuat.exe
1084	wgxom.exe
3028	poemuur.exe
1680	seoohit.exe
2376	loisee.exe
3068	liepuu.exe
2532	bauugex.exe
2136	wupol.exe
276	piuvab.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2556	2488	b8409494d9b140f95d6a6936599acc03c377600b7fcab60a578d66128e37a7b5.exe	28
PID 2488 wrote to memory of 2556	2488	b8409494d9b140f95d6a6936599acc03c377600b7fcab60a578d66128e37a7b5.exe	28
PID 2488 wrote to memory of 2556	2488	b8409494d9b140f95d6a6936599acc03c377600b7fcab60a578d66128e37a7b5.exe	28
PID 2488 wrote to memory of 2556	2488	b8409494d9b140f95d6a6936599acc03c377600b7fcab60a578d66128e37a7b5.exe	28
PID 2556 wrote to memory of 2848	2556	puinaav.exe	29
PID 2556 wrote to memory of 2848	2556	puinaav.exe	29
PID 2556 wrote to memory of 2848	2556	puinaav.exe	29
PID 2556 wrote to memory of 2848	2556	puinaav.exe	29
PID 2848 wrote to memory of 2956	2848	szhiem.exe	30
PID 2848 wrote to memory of 2956	2848	szhiem.exe	30
PID 2848 wrote to memory of 2956	2848	szhiem.exe	30
PID 2848 wrote to memory of 2956	2848	szhiem.exe	30
PID 2956 wrote to memory of 440	2956	qutah.exe	31
PID 2956 wrote to memory of 440	2956	qutah.exe	31
PID 2956 wrote to memory of 440	2956	qutah.exe	31
PID 2956 wrote to memory of 440	2956	qutah.exe	31
PID 440 wrote to memory of 2764	440	poemuur.exe	32
PID 440 wrote to memory of 2764	440	poemuur.exe	32
PID 440 wrote to memory of 2764	440	poemuur.exe	32
PID 440 wrote to memory of 2764	440	poemuur.exe	32
PID 2764 wrote to memory of 944	2764	qozef.exe	33
PID 2764 wrote to memory of 944	2764	qozef.exe	33
PID 2764 wrote to memory of 944	2764	qozef.exe	33
PID 2764 wrote to memory of 944	2764	qozef.exe	33
PID 944 wrote to memory of 2648	944	neoohit.exe	34
PID 944 wrote to memory of 2648	944	neoohit.exe	34
PID 944 wrote to memory of 2648	944	neoohit.exe	34
PID 944 wrote to memory of 2648	944	neoohit.exe	34
PID 2648 wrote to memory of 2292	2648	coilu.exe	35
PID 2648 wrote to memory of 2292	2648	coilu.exe	35
PID 2648 wrote to memory of 2292	2648	coilu.exe	35
PID 2648 wrote to memory of 2292	2648	coilu.exe	35
PID 2292 wrote to memory of 1368	2292	qaiij.exe	36
PID 2292 wrote to memory of 1368	2292	qaiij.exe	36
PID 2292 wrote to memory of 1368	2292	qaiij.exe	36
PID 2292 wrote to memory of 1368	2292	qaiij.exe	36
PID 1368 wrote to memory of 1344	1368	chxoim.exe	37
PID 1368 wrote to memory of 1344	1368	chxoim.exe	37
PID 1368 wrote to memory of 1344	1368	chxoim.exe	37
PID 1368 wrote to memory of 1344	1368	chxoim.exe	37
PID 1344 wrote to memory of 1828	1344	beodi.exe	39
PID 1344 wrote to memory of 1828	1344	beodi.exe	39
PID 1344 wrote to memory of 1828	1344	beodi.exe	39
PID 1344 wrote to memory of 1828	1344	beodi.exe	39
PID 1828 wrote to memory of 2108	1828	dgxoim.exe	41
PID 1828 wrote to memory of 2108	1828	dgxoim.exe	41
PID 1828 wrote to memory of 2108	1828	dgxoim.exe	41
PID 1828 wrote to memory of 2108	1828	dgxoim.exe	41
PID 2108 wrote to memory of 2376	2108	peodi.exe	42
PID 2108 wrote to memory of 2376	2108	peodi.exe	42
PID 2108 wrote to memory of 2376	2108	peodi.exe	42
PID 2108 wrote to memory of 2376	2108	peodi.exe	42
PID 2376 wrote to memory of 2680	2376	xbsoiq.exe	43
PID 2376 wrote to memory of 2680	2376	xbsoiq.exe	43
PID 2376 wrote to memory of 2680	2376	xbsoiq.exe	43
PID 2376 wrote to memory of 2680	2376	xbsoiq.exe	43
PID 2680 wrote to memory of 2824	2680	koejuuh.exe	44
PID 2680 wrote to memory of 2824	2680	koejuuh.exe	44
PID 2680 wrote to memory of 2824	2680	koejuuh.exe	44
PID 2680 wrote to memory of 2824	2680	koejuuh.exe	44
PID 2824 wrote to memory of 2948	2824	qdzuas.exe	45
PID 2824 wrote to memory of 2948	2824	qdzuas.exe	45
PID 2824 wrote to memory of 2948	2824	qdzuas.exe	45
PID 2824 wrote to memory of 2948	2824	qdzuas.exe	45

C:\Users\Admin\AppData\Local\Temp\b8409494d9b140f95d6a6936599acc03c377600b7fcab60a578d66128e37a7b5.exe
"C:\Users\Admin\AppData\Local\Temp\b8409494d9b140f95d6a6936599acc03c377600b7fcab60a578d66128e37a7b5.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\puinaav.exe
  "C:\Users\Admin\puinaav.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Users\Admin\szhiem.exe
    "C:\Users\Admin\szhiem.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Users\Admin\qutah.exe
      "C:\Users\Admin\qutah.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\Users\Admin\poemuur.exe
        
        "C:\Users\Admin\poemuur.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:440
      - C:\Users\Admin\qozef.exe
        
        "C:\Users\Admin\qozef.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Users\Admin\neoohit.exe
        
        "C:\Users\Admin\neoohit.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Users\Admin\coilu.exe
        
        "C:\Users\Admin\coilu.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Users\Admin\qaiij.exe
        
        "C:\Users\Admin\qaiij.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Users\Admin\chxoim.exe
        
        "C:\Users\Admin\chxoim.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Users\Admin\beodi.exe
        
        "C:\Users\Admin\beodi.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Users\Admin\dgxoim.exe
        
        "C:\Users\Admin\dgxoim.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Users\Admin\peodi.exe
        
        "C:\Users\Admin\peodi.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Users\Admin\xbsoiq.exe
        
        "C:\Users\Admin\xbsoiq.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Users\Admin\koejuuh.exe
        
        "C:\Users\Admin\koejuuh.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Users\Admin\qdzuas.exe
        
        "C:\Users\Admin\qdzuas.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Users\Admin\saeehi.exe
        
        "C:\Users\Admin\saeehi.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2948
        
        C:\Users\Admin\zdkeuy.exe
        
        "C:\Users\Admin\zdkeuy.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1412
        
        C:\Users\Admin\zaooh.exe
        
        "C:\Users\Admin\zaooh.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2808
        
        C:\Users\Admin\heumaap.exe
        
        "C:\Users\Admin\heumaap.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2820
        
        C:\Users\Admin\zbvoip.exe
        
        "C:\Users\Admin\zbvoip.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2312
        
        C:\Users\Admin\geuul.exe
        
        "C:\Users\Admin\geuul.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:832
        
        C:\Users\Admin\miaguu.exe
        
        "C:\Users\Admin\miaguu.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1784
        
        C:\Users\Admin\muatoo.exe
        
        "C:\Users\Admin\muatoo.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3052
        
        C:\Users\Admin\qusik.exe
        
        "C:\Users\Admin\qusik.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1820
        
        C:\Users\Admin\saoohut.exe
        
        "C:\Users\Admin\saoohut.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1220
        
        C:\Users\Admin\chqog.exe
        
        "C:\Users\Admin\chqog.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2068
        
        C:\Users\Admin\guave.exe
        
        "C:\Users\Admin\guave.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2020
        
        C:\Users\Admin\mianuu.exe
        
        "C:\Users\Admin\mianuu.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2108
        
        C:\Users\Admin\miaguu.exe
        
        "C:\Users\Admin\miaguu.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3068
        
        C:\Users\Admin\seoohit.exe
        
        "C:\Users\Admin\seoohit.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2708
        
        C:\Users\Admin\qiuvab.exe
        
        "C:\Users\Admin\qiuvab.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2456
        
        C:\Users\Admin\vplos.exe
        
        "C:\Users\Admin\vplos.exe"
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1396
        
        C:\Users\Admin\mioruw.exe
        
        "C:\Users\Admin\mioruw.exe"
        34⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:580
        
        C:\Users\Admin\wuabe.exe
        
        "C:\Users\Admin\wuabe.exe"
        35⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2444
        
        C:\Users\Admin\doiixab.exe
        
        "C:\Users\Admin\doiixab.exe"
        36⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1172
        
        C:\Users\Admin\kiejuuh.exe
        
        "C:\Users\Admin\kiejuuh.exe"
        37⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1752
        
        C:\Users\Admin\wbvoif.exe
        
        "C:\Users\Admin\wbvoif.exe"
        38⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1628
        
        C:\Users\Admin\feodi.exe
        
        "C:\Users\Admin\feodi.exe"
        39⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2248
        
        C:\Users\Admin\toazeh.exe
        
        "C:\Users\Admin\toazeh.exe"
        40⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2160
        
        C:\Users\Admin\daiixe.exe
        
        "C:\Users\Admin\daiixe.exe"
        41⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1712
        
        C:\Users\Admin\jiuyaz.exe
        
        "C:\Users\Admin\jiuyaz.exe"
        42⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2256
        
        C:\Users\Admin\ydzuat.exe
        
        "C:\Users\Admin\ydzuat.exe"
        43⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2216
        
        C:\Users\Admin\wgxom.exe
        
        "C:\Users\Admin\wgxom.exe"
        44⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1084
        
        C:\Users\Admin\poemuur.exe
        
        "C:\Users\Admin\poemuur.exe"
        45⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3028
        
        C:\Users\Admin\seoohit.exe
        
        "C:\Users\Admin\seoohit.exe"
        46⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Users\Admin\loisee.exe
        
        "C:\Users\Admin\loisee.exe"
        47⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2376
        
        C:\Users\Admin\liepuu.exe
        
        "C:\Users\Admin\liepuu.exe"
        48⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3068
        
        C:\Users\Admin\bauugex.exe
        
        "C:\Users\Admin\bauugex.exe"
        49⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2532
        
        C:\Users\Admin\wupol.exe
        
        "C:\Users\Admin\wupol.exe"
        50⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2136
        
        C:\Users\Admin\piuvab.exe
        
        "C:\Users\Admin\piuvab.exe"
        51⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\beodi.exe

Filesize
224KB

MD5
0a92577b58fbe20774976b981d615e92

SHA1
bde0db342f98c2db96e317a3969e2920dda6c0eb

SHA256
4240348054567ef4e8e132ec068e95cd7dfbb93d5b1fc8936f5cbe01b1d2a3cf

SHA512
b4c02e81748245abb89d97f434d7fc235d7451ee24487460baba888a4e0c9203b39d537cd52b304b3b8a33fcf706b21f589d3a31e80aca1ccf0393fc088a7fb0

Download Submit
\Users\Admin\chxoim.exe

Filesize
224KB

MD5
31e54b090d686bf56211dc394580d527

SHA1
2653413d1264297de20c2f7a7a4ef39b689d4c4e

SHA256
b30b69c2dcbab2de1d7feb4ea3238387b9dd92755fbbc232281b3e2d65366d2e

SHA512
79f58e4ff6bb53242b862b8b81d826ed375ca2517fa3edddd28fad9d1e36fb550b38d50cd1f2a64ae78aba1fc8110b9dcbe22c25f48fb833795e80b9e384a3c0

Download Submit
\Users\Admin\coilu.exe

Filesize
224KB

MD5
8593d3bd2d79a1794621e010fc3c2ccb

SHA1
55650179445878fa2f18caf8340e62ee8f729a1b

SHA256
a02dbb28b122e7f517d02a46cc571dd0bff2076975058178f0f92e2eeb22275f

SHA512
43ce6911eda46be9d2ab5da99c79b6c9ed64efecb29065b7ad7b51b73584d4264064b7c64005a39a91b6245e71dcc60169be82934334e2f2e275cc28a52e0375

Download Submit
\Users\Admin\dgxoim.exe

Filesize
224KB

MD5
fce4d5b653863e75dd683b532b6e273d

SHA1
bc3bbf4484c9549d123937e2e400718596239337

SHA256
c46add992e2fd264a881dbe7a0a372bbed5d8a03cc4d7523e927b394ca7e6794

SHA512
d47a0e1c279ef169fc4d57517be88e45e3ca942a119b5bb9059b50a48b7b730edf1b491328b33a5a95f0e430183793539e0243296b5a20d7e834b091fe36f503

Download Submit
\Users\Admin\koejuuh.exe

Filesize
224KB

MD5
eb8a8b675a4f8d209baab0a3858f1817

SHA1
a223eba156739a1e4656d364c63ab1aa6dda957b

SHA256
6e8486b9e455ef47c86d2f84756b8a99e840c07fcec6ad29f253a19930f7eb06

SHA512
21409d93707f3df54a7c36d668707d938edb1eee0b6a1e6ff2fd28fee02828a1f10669b28f86f3418350495ac97dce4ce50c308afa7a4142c722665b3c8450cf

Download Submit
\Users\Admin\neoohit.exe

Filesize
224KB

MD5
2467b571874489d0671246215dbaca28

SHA1
9bb7cacba64cd8c21498e8c888b57d529db4e066

SHA256
b86828426bf4c6f0369dad704a980c7d7bfc422f6832cad79870ac4ebd91e52b

SHA512
563ce8fa368d590fba3eaeef6447c9a21249fb9c0f72c882357e894fad0f929e9ec2df537aa698c91682daf59d5dcf9b3261e4f64366444208a0de6ea7026d88

Download Submit
\Users\Admin\peodi.exe

Filesize
224KB

MD5
63d4f8626c9949a4f9f76bfa9624ce0d

SHA1
b0406b85e943247cccd820d5fe4bdb952ffd78c3

SHA256
070b5c9b95d54819511e0c0f5e80f8634d3a5f56878e2b71e188b6a34ab3cb43

SHA512
8da58897c1624d486fb16ba7dc85f621b0e265857e60fbbeeceb258f2bfdeef7b12c2b075c0e8f62b719a1a4255adca6745a0def583900a8392c9073b0bdf4b3

Download Submit
\Users\Admin\poemuur.exe

Filesize
224KB

MD5
b9f8cd74fb75bb4c7fc346d806a1391a

SHA1
51d107193d4f455aa8f78e935baacc5a2f48d70d

SHA256
472db2b59e71a67dfbe71e4f441af1898d4aa36a31911d4e15c294b772593ed2

SHA512
268c0cced68c082a9f2fe90a7e77aeaf27b0341d02e827a27463927c38982c69a86aa2a47a3884d24c9211d3568f646541534cf99597c1412444f97bd56f359d

Download Submit
\Users\Admin\puinaav.exe

Filesize
224KB

MD5
bf1e572f28463aaae42d049c717e4110

SHA1
9cb530fa76a97d19b3ce4e9c42c010a3053f582f

SHA256
c12bbc44b6ea190607641b1f924e1182510026f148427ab0949ef57216630af5

SHA512
cdd6455ba56d91ab8dc6c8826c2241e2b09e4ddc91fe8a282eb66da296b93155636ba685890e1c5ef358d2a2026013220f85b83f0b85429a49bab6a008a30835

Download Submit
\Users\Admin\qaiij.exe

Filesize
224KB

MD5
02a1785e8382c4ab5c3ece81147db4b6

SHA1
4b7fc706846c2f75c7a3bd95a600587ed3bc9e43

SHA256
50bc19b652efed89525819dca8d0814199afbc1a97d4c5b462d8e6f044a24303

SHA512
771f74375513e3fb3ebe9dace3410ce48dca55fe7e2c7c7d823ca472da34edb62ab3b2f0185d595432d61d80f5d517e7b6655ab219d48f2e28674c0422b03ca9

Download Submit
\Users\Admin\qdzuas.exe

Filesize
224KB

MD5
11e9aa8dd280707aef65b82e956985c7

SHA1
8256a595ab71a72263c4d0af6b9aeb4428b7fe79

SHA256
e8737183152a5b656c56619cc2490a18192b6ed4fbaf6c33a121e1157d17ba37

SHA512
44d6d1896d1cfad9dc413b69bdaeff16e933ad4bda6ef21f028e3bc016bf27f65813b5a1ed1cbd1cd215e56f2e2b5196bf8f7afdc39b47f3c3438ad7e34f1345

Download Submit
\Users\Admin\qozef.exe

Filesize
224KB

MD5
d886b79a4c540eda06ab77b46bfbe2e4

SHA1
0b2bafe4f4e4b7bf61b019d1e5dfeb7eda970e8c

SHA256
efa5cf14314d0c7e0f486713f63e8de22d5694f6336b31e16a39d151b0c37169

SHA512
edf07c888b65c6c1bf4462942f042d214c0140b83e5950fdd3789a159e8e595f8ccdc839790af60c635625bf5d104d4785a8be1a698065ba8cd919cacd90a22b

Download Submit
\Users\Admin\qutah.exe

Filesize
224KB

MD5
10d5673eb9079e7ec7cfc65cc48032ce

SHA1
b4466a3a92e67efd249c88b35d40827eb4c9f43f

SHA256
738d904b634eaad13145fd706a393babc5674e3c5b4c1520908eb71fa30532b3

SHA512
75835b116b38d290d688d9547f49204a2fa1ec965328ceda74a23052afe2c34c5168718899adc7bcd9bac232551d9f7dcfabed8a1cd52fca119ef77ecb65e5cd

Download Submit
\Users\Admin\saeehi.exe

Filesize
224KB

MD5
6c285123e9d5717475c71db3400fd884

SHA1
9174dffb46e600a4955a529ab28a015f9080967c

SHA256
b1182449ec7fc936a5f7a3682882ddd2eada3290406bdef2f4b39174cf2a4637

SHA512
3bf7adcb73657d9871dcb657c0e6e110dbb080cb05ec0f01f5a6db2f607c624efa1c0806ccda47e6e1f62c619461641bd12fc80aae21d277f47f1e7e617d6fa4

Download Submit
\Users\Admin\szhiem.exe

Filesize
224KB

MD5
fcb5df390464f326d4b984b91f6aa822

SHA1
edf5f87870e03dc724c3f4dd84f3330a773b0b26

SHA256
6362fd7e9b6808f3715786be79f5f967339436eec599b9db904dbaf0fd677e2a

SHA512
f8fbc12650b33452e02b064013290d8271acb26faaeaab6c91332b64165ed34ec858011eab3f6c18eeec88ebb29b315a86f7cd36afa6b8158c4a6e9448d45670

Download Submit
\Users\Admin\xbsoiq.exe

Filesize
224KB

MD5
d8063ce9f5ab630cddabdd71e15f46f4

SHA1
9fa885a16e10069e5def90902b57df1ace3110dc

SHA256
e4c6e229d5f437717f643f754dfaff2b281bc3913e3e5d59b6a006156bc3a814

SHA512
b914ae13eb0db8bd33df3c38a02d991990a138964e11f4e5d32275a1c54d1e8190411bfe340ef0b806c66e468ae6dbf3788b5377abbd84263c54fce8bc3b53e9

Download Submit
memory/440-67-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/440-83-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/440-77-0x0000000003530000-0x000000000356A000-memory.dmp

Filesize
232KB

Download
memory/832-347-0x0000000003440000-0x000000000347A000-memory.dmp

Filesize
232KB

Download
memory/944-117-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/944-110-0x0000000003560000-0x000000000359A000-memory.dmp

Filesize
232KB

Download
memory/944-100-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1344-182-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1344-166-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1368-159-0x0000000003380000-0x00000000033BA000-memory.dmp

Filesize
232KB

Download
memory/1368-165-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1412-295-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1412-293-0x0000000003330000-0x000000000336A000-memory.dmp

Filesize
232KB

Download
memory/1412-282-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1828-181-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1828-196-0x00000000031C0000-0x00000000031FA000-memory.dmp

Filesize
232KB

Download
memory/1828-200-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2108-216-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2108-208-0x0000000003260000-0x000000000329A000-memory.dmp

Filesize
232KB

Download
memory/2108-198-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2292-132-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2292-149-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2292-142-0x00000000030F0000-0x000000000312A000-memory.dmp

Filesize
232KB

Download
memory/2312-335-0x0000000003530000-0x000000000356A000-memory.dmp

Filesize
232KB

Download
memory/2312-331-0x0000000003530000-0x000000000356A000-memory.dmp

Filesize
232KB

Download
memory/2312-337-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2312-322-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2376-215-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2376-231-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2488-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2488-9-0x0000000003300000-0x000000000333A000-memory.dmp

Filesize
232KB

Download
memory/2488-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2556-33-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2556-30-0x0000000003450000-0x000000000348A000-memory.dmp

Filesize
232KB

Download
memory/2556-15-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2648-133-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2680-247-0x00000000031F0000-0x000000000322A000-memory.dmp

Filesize
232KB

Download
memory/2680-250-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2680-232-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2680-242-0x00000000031F0000-0x000000000322A000-memory.dmp

Filesize
232KB

Download
memory/2764-98-0x00000000031D0000-0x000000000320A000-memory.dmp

Filesize
232KB

Download
memory/2764-103-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2764-84-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2808-294-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2808-308-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2808-307-0x0000000003340000-0x000000000337A000-memory.dmp

Filesize
232KB

Download
memory/2808-303-0x0000000003340000-0x000000000337A000-memory.dmp

Filesize
232KB

Download
memory/2820-320-0x0000000002DD0000-0x0000000002E0A000-memory.dmp

Filesize
232KB

Download
memory/2820-309-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2820-321-0x0000000002DD0000-0x0000000002E0A000-memory.dmp

Filesize
232KB

Download
memory/2820-323-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2824-249-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2824-268-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2824-265-0x00000000033F0000-0x000000000342A000-memory.dmp

Filesize
232KB

Download
memory/2824-259-0x00000000033F0000-0x000000000342A000-memory.dmp

Filesize
232KB

Download
memory/2848-43-0x0000000003420000-0x000000000345A000-memory.dmp

Filesize
232KB

Download
memory/2848-32-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2848-48-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2948-267-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2948-281-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2948-280-0x0000000003340000-0x000000000337A000-memory.dmp

Filesize
232KB

Download
memory/2956-50-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2956-65-0x0000000003340000-0x000000000337A000-memory.dmp

Filesize
232KB

Download
memory/2956-66-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download