ebc85aff78379ad5dfbd38dd92bff4cd393316eb32814d491b964ed97947b360

Analysis

max time kernel
151s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29-03-2024 04:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebc85aff78379ad5dfbd38dd92bff4cd393316eb32814d491b964ed97947b360.exe
Size

224KB
MD5

5bc3c1170791085dcda6bbcaa1661843
SHA1

6183977c4bbed0c0e7c0edb619bdac5b757092e0
SHA256

ebc85aff78379ad5dfbd38dd92bff4cd393316eb32814d491b964ed97947b360
SHA512

106f69ff70750ed12ce8481afa6333154cbb13508b9dacdb47bdf9448006528c42cfb390f966cd0352428592406a245bad3bc6958abcb9054ad8aca8e3fce812
SSDEEP

3072:GhtKlty0L+ThCjG8G3GbGVGBGfGuGxGWYcrf6Kadk:Ghklty0sAYcD6Kad

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 51 IoCs

pid	Process
2884	yuger.exe
2968	xurip.exe
2408	riexad.exe
464	qdyuir.exe
284	caooti.exe
1968	nauuqe.exe
1100	puinaav.exe
2428	nukiz.exe
1704	geuzo.exe
3068	gbfuov.exe
904	wjxoaf.exe
1852	veaasoq.exe
2876	suaniix.exe
2952	fuoce.exe
2584	jiafuw.exe
2664	caeeji.exe
2928	caiilu.exe
2420	cauuri.exe
2304	jiafuw.exe
1916	moanee.exe
1632	cauuzi.exe
2376	fuoce.exe
2720	nukic.exe
1068	ykwoat.exe
1004	gdzuov.exe
600	siuut.exe
2920	taoopig.exe
1696	wurom.exe
1852	koeraa.exe
3016	roimaax.exe
2544	jiufaz.exe
2552	whxof.exe
2968	jokig.exe
568	fiejuuh.exe
736	qiepaa.exe
1976	tdzuov.exe
284	ceaqii.exe
1724	miayuu.exe
2292	raiiw.exe
2348	nauuqe.exe
2536	caooji.exe
1044	pauuze.exe
2104	daoozu.exe
2844	duaasiy.exe
2084	liedu.exe
2908	yuaapif.exe
2204	feuuwo.exe
2716	guaboq.exe
2884	vuokaaj.exe
2552	fearii.exe
1284	roapu.exe

Loads dropped DLL 64 IoCs

pid	Process
1456	ebc85aff78379ad5dfbd38dd92bff4cd393316eb32814d491b964ed97947b360.exe
1456	ebc85aff78379ad5dfbd38dd92bff4cd393316eb32814d491b964ed97947b360.exe
2884	yuger.exe
2884	yuger.exe
2968	xurip.exe
2968	xurip.exe
2408	riexad.exe
2408	riexad.exe
464	qdyuir.exe
464	qdyuir.exe
284	caooti.exe
284	caooti.exe
1968	nauuqe.exe
1968	nauuqe.exe
1100	puinaav.exe
1100	puinaav.exe
2428	nukiz.exe
2428	nukiz.exe
1704	geuzo.exe
1704	geuzo.exe
3068	gbfuov.exe
3068	gbfuov.exe
904	wjxoaf.exe
904	wjxoaf.exe
1852	veaasoq.exe
1852	veaasoq.exe
2876	suaniix.exe
2876	suaniix.exe
2952	fuoce.exe
2952	fuoce.exe
2584	jiafuw.exe
2584	jiafuw.exe
2664	caeeji.exe
2664	caeeji.exe
2928	caiilu.exe
2928	caiilu.exe
2420	cauuri.exe
2304	jiafuw.exe
2304	jiafuw.exe
1916	moanee.exe
1916	moanee.exe
1632	cauuzi.exe
2376	fuoce.exe
2376	fuoce.exe
2720	nukic.exe
2720	nukic.exe
1068	ykwoat.exe
1068	ykwoat.exe
1004	gdzuov.exe
1004	gdzuov.exe
600	siuut.exe
600	siuut.exe
2920	taoopig.exe
2920	taoopig.exe
1696	wurom.exe
1696	wurom.exe
1852	koeraa.exe
1852	koeraa.exe
3016	roimaax.exe
3016	roimaax.exe
2544	jiufaz.exe
2544	jiufaz.exe
2552	whxof.exe
2552	whxof.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
1456	ebc85aff78379ad5dfbd38dd92bff4cd393316eb32814d491b964ed97947b360.exe
2884	yuger.exe
2968	xurip.exe
2408	riexad.exe
464	qdyuir.exe
284	caooti.exe
1968	nauuqe.exe
1100	puinaav.exe
2428	nukiz.exe
1704	geuzo.exe
3068	gbfuov.exe
904	wjxoaf.exe
1852	veaasoq.exe
2876	suaniix.exe
2952	fuoce.exe
2584	jiafuw.exe
2664	caeeji.exe
2928	caiilu.exe
2420	cauuri.exe
2304	jiafuw.exe
1916	moanee.exe
1632	cauuzi.exe
2376	fuoce.exe
2720	nukic.exe
1068	ykwoat.exe
1004	gdzuov.exe
600	siuut.exe
2920	taoopig.exe
1696	wurom.exe
1852	koeraa.exe
3016	roimaax.exe
2544	jiufaz.exe
2552	whxof.exe
2968	jokig.exe
568	fiejuuh.exe
736	qiepaa.exe
1976	tdzuov.exe
284	ceaqii.exe
1724	miayuu.exe
2292	raiiw.exe
2348	nauuqe.exe
2536	caooji.exe
1044	pauuze.exe
2104	daoozu.exe
2844	duaasiy.exe
2084	liedu.exe
2908	yuaapif.exe
2204	feuuwo.exe
2716	guaboq.exe
2884	vuokaaj.exe
2552	fearii.exe

Suspicious use of SetWindowsHookEx 52 IoCs

pid	Process
1456	ebc85aff78379ad5dfbd38dd92bff4cd393316eb32814d491b964ed97947b360.exe
2884	yuger.exe
2968	xurip.exe
2408	riexad.exe
464	qdyuir.exe
284	caooti.exe
1968	nauuqe.exe
1100	puinaav.exe
2428	nukiz.exe
1704	geuzo.exe
3068	gbfuov.exe
904	wjxoaf.exe
1852	veaasoq.exe
2876	suaniix.exe
2952	fuoce.exe
2584	jiafuw.exe
2664	caeeji.exe
2928	caiilu.exe
2420	cauuri.exe
2304	jiafuw.exe
1916	moanee.exe
1632	cauuzi.exe
2376	fuoce.exe
2720	nukic.exe
1068	ykwoat.exe
1004	gdzuov.exe
600	siuut.exe
2920	taoopig.exe
1696	wurom.exe
1852	koeraa.exe
3016	roimaax.exe
2544	jiufaz.exe
2552	whxof.exe
2968	jokig.exe
568	fiejuuh.exe
736	qiepaa.exe
1976	tdzuov.exe
284	ceaqii.exe
1724	miayuu.exe
2292	raiiw.exe
2348	nauuqe.exe
2536	caooji.exe
1044	pauuze.exe
2104	daoozu.exe
2844	duaasiy.exe
2084	liedu.exe
2908	yuaapif.exe
2204	feuuwo.exe
2716	guaboq.exe
2884	vuokaaj.exe
2552	fearii.exe
1284	roapu.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 2884	1456	ebc85aff78379ad5dfbd38dd92bff4cd393316eb32814d491b964ed97947b360.exe	28
PID 1456 wrote to memory of 2884	1456	ebc85aff78379ad5dfbd38dd92bff4cd393316eb32814d491b964ed97947b360.exe	28
PID 1456 wrote to memory of 2884	1456	ebc85aff78379ad5dfbd38dd92bff4cd393316eb32814d491b964ed97947b360.exe	28
PID 1456 wrote to memory of 2884	1456	ebc85aff78379ad5dfbd38dd92bff4cd393316eb32814d491b964ed97947b360.exe	28
PID 2884 wrote to memory of 2968	2884	yuger.exe	29
PID 2884 wrote to memory of 2968	2884	yuger.exe	29
PID 2884 wrote to memory of 2968	2884	yuger.exe	29
PID 2884 wrote to memory of 2968	2884	yuger.exe	29
PID 2968 wrote to memory of 2408	2968	xurip.exe	30
PID 2968 wrote to memory of 2408	2968	xurip.exe	30
PID 2968 wrote to memory of 2408	2968	xurip.exe	30
PID 2968 wrote to memory of 2408	2968	xurip.exe	30
PID 2408 wrote to memory of 464	2408	riexad.exe	31
PID 2408 wrote to memory of 464	2408	riexad.exe	31
PID 2408 wrote to memory of 464	2408	riexad.exe	31
PID 2408 wrote to memory of 464	2408	riexad.exe	31
PID 464 wrote to memory of 284	464	qdyuir.exe	32
PID 464 wrote to memory of 284	464	qdyuir.exe	32
PID 464 wrote to memory of 284	464	qdyuir.exe	32
PID 464 wrote to memory of 284	464	qdyuir.exe	32
PID 284 wrote to memory of 1968	284	caooti.exe	33
PID 284 wrote to memory of 1968	284	caooti.exe	33
PID 284 wrote to memory of 1968	284	caooti.exe	33
PID 284 wrote to memory of 1968	284	caooti.exe	33
PID 1968 wrote to memory of 1100	1968	nauuqe.exe	34
PID 1968 wrote to memory of 1100	1968	nauuqe.exe	34
PID 1968 wrote to memory of 1100	1968	nauuqe.exe	34
PID 1968 wrote to memory of 1100	1968	nauuqe.exe	34
PID 1100 wrote to memory of 2428	1100	puinaav.exe	35
PID 1100 wrote to memory of 2428	1100	puinaav.exe	35
PID 1100 wrote to memory of 2428	1100	puinaav.exe	35
PID 1100 wrote to memory of 2428	1100	puinaav.exe	35
PID 2428 wrote to memory of 1704	2428	nukiz.exe	36
PID 2428 wrote to memory of 1704	2428	nukiz.exe	36
PID 2428 wrote to memory of 1704	2428	nukiz.exe	36
PID 2428 wrote to memory of 1704	2428	nukiz.exe	36
PID 1704 wrote to memory of 3068	1704	geuzo.exe	38
PID 1704 wrote to memory of 3068	1704	geuzo.exe	38
PID 1704 wrote to memory of 3068	1704	geuzo.exe	38
PID 1704 wrote to memory of 3068	1704	geuzo.exe	38
PID 3068 wrote to memory of 904	3068	gbfuov.exe	40
PID 3068 wrote to memory of 904	3068	gbfuov.exe	40
PID 3068 wrote to memory of 904	3068	gbfuov.exe	40
PID 3068 wrote to memory of 904	3068	gbfuov.exe	40
PID 904 wrote to memory of 1852	904	wjxoaf.exe	41
PID 904 wrote to memory of 1852	904	wjxoaf.exe	41
PID 904 wrote to memory of 1852	904	wjxoaf.exe	41
PID 904 wrote to memory of 1852	904	wjxoaf.exe	41
PID 1852 wrote to memory of 2876	1852	veaasoq.exe	42
PID 1852 wrote to memory of 2876	1852	veaasoq.exe	42
PID 1852 wrote to memory of 2876	1852	veaasoq.exe	42
PID 1852 wrote to memory of 2876	1852	veaasoq.exe	42
PID 2876 wrote to memory of 2952	2876	suaniix.exe	43
PID 2876 wrote to memory of 2952	2876	suaniix.exe	43
PID 2876 wrote to memory of 2952	2876	suaniix.exe	43
PID 2876 wrote to memory of 2952	2876	suaniix.exe	43
PID 2952 wrote to memory of 2584	2952	fuoce.exe	44
PID 2952 wrote to memory of 2584	2952	fuoce.exe	44
PID 2952 wrote to memory of 2584	2952	fuoce.exe	44
PID 2952 wrote to memory of 2584	2952	fuoce.exe	44
PID 2584 wrote to memory of 2664	2584	jiafuw.exe	45
PID 2584 wrote to memory of 2664	2584	jiafuw.exe	45
PID 2584 wrote to memory of 2664	2584	jiafuw.exe	45
PID 2584 wrote to memory of 2664	2584	jiafuw.exe	45

C:\Users\Admin\AppData\Local\Temp\ebc85aff78379ad5dfbd38dd92bff4cd393316eb32814d491b964ed97947b360.exe
"C:\Users\Admin\AppData\Local\Temp\ebc85aff78379ad5dfbd38dd92bff4cd393316eb32814d491b964ed97947b360.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\yuger.exe
  "C:\Users\Admin\yuger.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Users\Admin\xurip.exe
    "C:\Users\Admin\xurip.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Users\Admin\riexad.exe
      "C:\Users\Admin\riexad.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Users\Admin\qdyuir.exe
        
        "C:\Users\Admin\qdyuir.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:464
      - C:\Users\Admin\caooti.exe
        
        "C:\Users\Admin\caooti.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:284
        
        C:\Users\Admin\nauuqe.exe
        
        "C:\Users\Admin\nauuqe.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Users\Admin\puinaav.exe
        
        "C:\Users\Admin\puinaav.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Users\Admin\nukiz.exe
        
        "C:\Users\Admin\nukiz.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Users\Admin\geuzo.exe
        
        "C:\Users\Admin\geuzo.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Users\Admin\gbfuov.exe
        
        "C:\Users\Admin\gbfuov.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Users\Admin\wjxoaf.exe
        
        "C:\Users\Admin\wjxoaf.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:904
        
        C:\Users\Admin\veaasoq.exe
        
        "C:\Users\Admin\veaasoq.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Users\Admin\suaniix.exe
        
        "C:\Users\Admin\suaniix.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Users\Admin\fuoce.exe
        
        "C:\Users\Admin\fuoce.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Users\Admin\jiafuw.exe
        
        "C:\Users\Admin\jiafuw.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Users\Admin\caeeji.exe
        
        "C:\Users\Admin\caeeji.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2664
        
        C:\Users\Admin\caiilu.exe
        
        "C:\Users\Admin\caiilu.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2928
        
        C:\Users\Admin\cauuri.exe
        
        "C:\Users\Admin\cauuri.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2420
        
        C:\Users\Admin\jiafuw.exe
        
        "C:\Users\Admin\jiafuw.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2304
        
        C:\Users\Admin\moanee.exe
        
        "C:\Users\Admin\moanee.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        C:\Users\Admin\cauuzi.exe
        
        "C:\Users\Admin\cauuzi.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Users\Admin\fuoce.exe
        
        "C:\Users\Admin\fuoce.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2376
        
        C:\Users\Admin\nukic.exe
        
        "C:\Users\Admin\nukic.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2720
        
        C:\Users\Admin\ykwoat.exe
        
        "C:\Users\Admin\ykwoat.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1068
        
        C:\Users\Admin\gdzuov.exe
        
        "C:\Users\Admin\gdzuov.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1004
        
        C:\Users\Admin\siuut.exe
        
        "C:\Users\Admin\siuut.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:600
        
        C:\Users\Admin\taoopig.exe
        
        "C:\Users\Admin\taoopig.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2920
        
        C:\Users\Admin\wurom.exe
        
        "C:\Users\Admin\wurom.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1696
        
        C:\Users\Admin\koeraa.exe
        
        "C:\Users\Admin\koeraa.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1852
        
        C:\Users\Admin\roimaax.exe
        
        "C:\Users\Admin\roimaax.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3016
        
        C:\Users\Admin\jiufaz.exe
        
        "C:\Users\Admin\jiufaz.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2544
        
        C:\Users\Admin\whxof.exe
        
        "C:\Users\Admin\whxof.exe"
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2552
        
        C:\Users\Admin\jokig.exe
        
        "C:\Users\Admin\jokig.exe"
        34⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2968
        
        C:\Users\Admin\fiejuuh.exe
        
        "C:\Users\Admin\fiejuuh.exe"
        35⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:568
        
        C:\Users\Admin\qiepaa.exe
        
        "C:\Users\Admin\qiepaa.exe"
        36⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:736
        
        C:\Users\Admin\tdzuov.exe
        
        "C:\Users\Admin\tdzuov.exe"
        37⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1976
        
        C:\Users\Admin\ceaqii.exe
        
        "C:\Users\Admin\ceaqii.exe"
        38⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:284
        
        C:\Users\Admin\miayuu.exe
        
        "C:\Users\Admin\miayuu.exe"
        39⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1724
        
        C:\Users\Admin\raiiw.exe
        
        "C:\Users\Admin\raiiw.exe"
        40⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2292
        
        C:\Users\Admin\nauuqe.exe
        
        "C:\Users\Admin\nauuqe.exe"
        41⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2348
        
        C:\Users\Admin\caooji.exe
        
        "C:\Users\Admin\caooji.exe"
        42⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2536
        
        C:\Users\Admin\pauuze.exe
        
        "C:\Users\Admin\pauuze.exe"
        43⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1044
        
        C:\Users\Admin\daoozu.exe
        
        "C:\Users\Admin\daoozu.exe"
        44⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2104
        
        C:\Users\Admin\duaasiy.exe
        
        "C:\Users\Admin\duaasiy.exe"
        45⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2844
        
        C:\Users\Admin\liedu.exe
        
        "C:\Users\Admin\liedu.exe"
        46⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2084
        
        C:\Users\Admin\yuaapif.exe
        
        "C:\Users\Admin\yuaapif.exe"
        47⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2908
        
        C:\Users\Admin\feuuwo.exe
        
        "C:\Users\Admin\feuuwo.exe"
        48⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2204
        
        C:\Users\Admin\guaboq.exe
        
        "C:\Users\Admin\guaboq.exe"
        49⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2716
        
        C:\Users\Admin\vuokaaj.exe
        
        "C:\Users\Admin\vuokaaj.exe"
        50⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2884
        
        C:\Users\Admin\fearii.exe
        
        "C:\Users\Admin\fearii.exe"
        51⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2552
        
        C:\Users\Admin\roapu.exe
        
        "C:\Users\Admin\roapu.exe"
        52⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\caeeji.exe

Filesize
224KB

MD5
fee701002933fb0ee7e70113b001ea84

SHA1
ca69ba2f58a54f547872021772d07758a183dcb9

SHA256
0d0d689ad5b2db1c8b261e08123b2775dd88721a2e99c3fe13b65bd6296f10dc

SHA512
76d1c3108dad66830d96b7190b182542aeb7b43092963583a3f9b45301efd7367f57abb84c9b20001ca7da86b4628f762b22039b08d368980cb5a3614bec4f08

Download Submit
\Users\Admin\caooti.exe

Filesize
224KB

MD5
009719c8de4689a1a0be6cc6b8905807

SHA1
230f37a47dd952525a37d43a879a29b9ee702eee

SHA256
e49e89ec435d67ce6c03ff897330c802b875ca18fe40137bfe2619903e56c419

SHA512
ee1b048fae41ac0f528d4100b5ce5eb5c4c84f026bd38aa6872e5ac4296b87a3ef47d0d245176a41ffddc1c9df05bd716605bcb70bd28cd476cd4f58de2e9ba3

Download Submit
\Users\Admin\fuoce.exe

Filesize
224KB

MD5
3574272c5726e748c307685dbb79b1b3

SHA1
350f6dad481761e81de4db5e9e8067beae057433

SHA256
f4feabc1850830f99155bf54127034a23e3091a3ea48f4e37c77e88fc7fb5b33

SHA512
268b75f3d5b6d7a67579a0c1025fbf60f321704be317f19e70eb98288dd4734641bf76a67875a86d1bf21da10a8b3c2a6b9cfb708bfc7e6c625a1745df431432

Download Submit
\Users\Admin\gbfuov.exe

Filesize
224KB

MD5
1c25f0a9ce0f1b5651a42667ca83204e

SHA1
3a8b8bb3554a98d1322b31282332a1a69c954468

SHA256
45bc42b100d8770da5f9cf7f4f427c99a7a5162ff77fe769bb87e04cdd799b06

SHA512
f47d85969869db89991b38cf56413aa91fd55f006f18409e613a5d0304da84b1f1973d41f8adf405875c8d155ff5182ecc7c2e08f8b5345c8991851032eb2dbc

Download Submit
\Users\Admin\geuzo.exe

Filesize
224KB

MD5
6de02fba191d3090db19bca8de4113f1

SHA1
ef15a6de0857ee7c7e91d83e6f362905799373c4

SHA256
284e99648cf52e8fb48e964e0d5831b45641932ff7111b050cde7b48e4c58dcd

SHA512
6c68460b5003fe35c07a5e5d57e015b2b9599883ef48bcecac442cbc0d999b063f1b3e4fc7949b17dda22a9bc697950715ac61a02068934c11246633a5c92631

Download Submit
\Users\Admin\jiafuw.exe

Filesize
224KB

MD5
283f210c6f27ec249430bda2af62f2ea

SHA1
f35e5ef8cdda66b173b2c627c9d3f0222518d8d9

SHA256
c731e7907beccd2b5d9596c8121fe0f161f9537268f80a8b79afd2847bbe6740

SHA512
32afe1f169d969fa8a5117ef8cad03516f0e2f356219d03d23fba9485bb768cc7c8fc2a88aab404564728ad9bf56939317bf8844a9e11f5be2393fcf321006b9

Download Submit
\Users\Admin\nauuqe.exe

Filesize
224KB

MD5
b42c182b27816324816a51098fc61987

SHA1
cf3373f6d327a7f9927587b76b5860ea5a674391

SHA256
17398f821fcc3f7a603ee295b4cacc42bbbd97b5de78f2364a39b247c02c8e42

SHA512
ab9ead20e5ffb14b2b97db2a2ad83bfe4bac45fede2e2db11ec9dc6116eab03e6a0d71792bcb28298b1dff124db819b06f08b06acbc3defaf925947a4f8dff1e

Download Submit
\Users\Admin\nukiz.exe

Filesize
224KB

MD5
5a45b64178d3b931d9dcbfb3c379d64c

SHA1
0f1e1997d6d26358240bb3630b50eda5b29aaa16

SHA256
e2fcdbbb6590806ca703d0316a9155d685a1ffed12d13b7f26a6a05e17213f69

SHA512
ea1f4b3562268a74234e6d6d3b25e61c3df745e4d29958f0b5e950b21de4a6fa439bfda9dfc0bddc727dedcb712726bf67a06ec7fec46d876f95d37ffa009aae

Download Submit
\Users\Admin\puinaav.exe

Filesize
224KB

MD5
9e2ee32d03a8c6b7424d6a7ceca2cd3b

SHA1
91ad9c971ac6e9506488e3f4fef3f0ccf40bec2e

SHA256
c99decf0d22582a4f5c9b39a831d2be5abe636faf00cb5fb47b730077bf176bd

SHA512
4c19f6caa225ecb58c90fbdad16538338e51ca2b65756901c953b69c057223d6eaff5a71bda8e8876d349179cdc08c57274cff77e054f22a206d5d7cff290bba

Download Submit
\Users\Admin\qdyuir.exe

Filesize
224KB

MD5
7aef6a3477302ab764419ea22bf83153

SHA1
4f68ab1d90165816a3614ff176695a388c7cd3c7

SHA256
c911d093ca40f1f3158caa208136e97b024f52b5df533077d9b2c5128ee596a8

SHA512
2bc3f98f56df59fa0cd6bdee17eaeb85bf646387a21b11b30753884b10decab974874a16bea86b702f6c2950d0d496c8f7c5d94e9ec51975d573ef3427e3b1a7

Download Submit
\Users\Admin\riexad.exe

Filesize
224KB

MD5
2cfa312b8770980217dda8c4d0c7e82f

SHA1
88c252cfedc60f8b6f7a3ab08bc5ddc91f7db929

SHA256
5a6853040b619e948dbfc26088ff9c6d5769284aa80357a4fe0038ad6a393ec3

SHA512
37af2625f250a9d52affc412f2a907461709f7eba2673b027f13728c61269e0f35aad1398419772d82718a593afdab73fe1aef1bbc753bd2759bc48a80b89ee8

Download Submit
\Users\Admin\suaniix.exe

Filesize
224KB

MD5
01e887aa40fc15237ebe94defed7d120

SHA1
47808bb314fd09653cfe688ed331542503e2a92a

SHA256
b5a132fa1cfb4b8bd7a2c6c72951ec4108a67f5ee74a6f9a77355f3ec2f67eef

SHA512
9330ca713f8b55fb737f956773ff93c715d0a5f8cc78380fd20c7d952867aee1f0d221972dc35de3b5ebb77f6fde28e9f05ffc10b5806f33d4c251b76d249779

Download Submit
\Users\Admin\veaasoq.exe

Filesize
224KB

MD5
8a75e84eccd56555f8c19cf2b1a39a9c

SHA1
96139559548d3480b0cdbbd5effa6b47471f2beb

SHA256
55bab18caf30cc73ad70f1d0137e7498d2b16df427800688b468dd1a1a56e0d7

SHA512
bbdeb1802ae717d7ee4474876c0a07c1027fcf0a27007a885063779b064981f7e0e7ab6633e3b27e43641cc775261f08185cc0f26392d440fcf966c656ab8bcc

Download Submit
\Users\Admin\wjxoaf.exe

Filesize
224KB

MD5
d780ba854687dd9f2e8a71e6dfa8377a

SHA1
a7efc90939528c68c8289a1ff5bf4c2a5b14d59b

SHA256
7b65fbcaa90a474af1bff2896110ffd99b038e265238b6d5edb255ef69937a54

SHA512
33c8e8a728d5037e13d0907d4c0ce26ed3ef0398e6c98f33c5d53fa4231a3cfba697130ac3ce00f4e734a759c4a5f7eee7a97373d27d38d76f587977f7666846

Download Submit
\Users\Admin\xurip.exe

Filesize
224KB

MD5
81f28e47ef87862abca2958e15b07150

SHA1
013b768ede9f06853465ae38ba9928793bf0c320

SHA256
c66dd968a48e5fe6e3d96c550474c18d75677b930897b4fc9df4cf8c50a4125c

SHA512
78dd25933edaabce41f9786a333e34af195b7a14ee3d0f044bf8a86bc7f5ead2c106f600b2a2509c55175983b9bf8a69feaa0dbfe1c8b51d257ca1409caa7326

Download Submit
\Users\Admin\yuger.exe

Filesize
224KB

MD5
cf54292208d11fac9b5c2207aa5b20e4

SHA1
0fb49aaf2fc4e1fdcdc204467ebf955875a0b6c2

SHA256
29e35c0a04b433fd5d2c5790359de5d1288870388764382dcb851806f79f8997

SHA512
0203c93eee0d31d7d246df536df500aab6c7cc6a4aa69ed407047150f14bb915cf1c5a93f820631c4f49f9591d5441591a1c098c3461a59a3ad3fd5a85dd48ee

Download Submit
memory/284-85-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/284-103-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/284-100-0x00000000031F0000-0x000000000322A000-memory.dmp

Filesize
232KB

Download
memory/284-95-0x00000000031F0000-0x000000000322A000-memory.dmp

Filesize
232KB

Download
memory/464-83-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/464-78-0x0000000003400000-0x000000000343A000-memory.dmp

Filesize
232KB

Download
memory/464-67-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/904-183-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/904-201-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1100-136-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1100-118-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1100-134-0x0000000003440000-0x000000000347A000-memory.dmp

Filesize
232KB

Download
memory/1456-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1456-9-0x0000000003460000-0x000000000349A000-memory.dmp

Filesize
232KB

Download
memory/1456-17-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1456-16-0x0000000003460000-0x000000000349A000-memory.dmp

Filesize
232KB

Download
memory/1632-327-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1704-169-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1852-216-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1852-199-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1916-321-0x0000000003490000-0x00000000034CA000-memory.dmp

Filesize
232KB

Download
memory/1916-311-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1916-326-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1968-119-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1968-102-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2304-310-0x0000000003540000-0x000000000357A000-memory.dmp

Filesize
232KB

Download
memory/2304-314-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2304-299-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2304-312-0x0000000003540000-0x000000000357A000-memory.dmp

Filesize
232KB

Download
memory/2376-339-0x0000000003430000-0x000000000346A000-memory.dmp

Filesize
232KB

Download
memory/2376-340-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2408-65-0x0000000003310000-0x000000000334A000-memory.dmp

Filesize
232KB

Download
memory/2408-69-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2408-50-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2420-298-0x0000000003530000-0x000000000356A000-memory.dmp

Filesize
232KB

Download
memory/2420-297-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2420-293-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2428-146-0x0000000003240000-0x000000000327A000-memory.dmp

Filesize
232KB

Download
memory/2428-152-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2428-135-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2584-267-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2584-264-0x0000000003400000-0x000000000343A000-memory.dmp

Filesize
232KB

Download
memory/2584-259-0x0000000003400000-0x000000000343A000-memory.dmp

Filesize
232KB

Download
memory/2664-266-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2664-276-0x00000000033F0000-0x000000000342A000-memory.dmp

Filesize
232KB

Download
memory/2664-280-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2720-341-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2876-232-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2876-215-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2876-231-0x00000000033F0000-0x000000000342A000-memory.dmp

Filesize
232KB

Download
memory/2884-34-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2884-15-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2884-32-0x0000000003230000-0x000000000326A000-memory.dmp

Filesize
232KB

Download
memory/2928-296-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2928-292-0x00000000032F0000-0x000000000332A000-memory.dmp

Filesize
232KB

Download
memory/2928-281-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2952-248-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2952-243-0x0000000003240000-0x000000000327A000-memory.dmp

Filesize
232KB

Download
memory/2952-233-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2968-49-0x0000000003520000-0x000000000355A000-memory.dmp

Filesize
232KB

Download
memory/2968-52-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2968-33-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3068-184-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3068-167-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download