9f3037b5b954c640eb14f28700690feb18939b9f5b1a962617812dec4a57d862

Analysis

max time kernel
77s
max time network
119s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6ed9db1d14cedd3b4d6b4f9b20f73aa.exe
Size

224KB
MD5

c6ed9db1d14cedd3b4d6b4f9b20f73aa
SHA1

857a9ca2cf1dc5b9db8803c856c3289a0f197656
SHA256

9f3037b5b954c640eb14f28700690feb18939b9f5b1a962617812dec4a57d862
SHA512

62af4c6c07986d4065e78b889066892b26e1b7051cbd091db813a70604569dd22fc945f1f38410281e0818284c0ff72a9881954ce18583e21a8dffd30246bcf3
SSDEEP

3072:GUqKrBjohCjG8G3GbGVGBGfGuGxGWYcrf6Kad0:GUzrNoAYcD6Kad

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 31 IoCs

pid	Process
2940	cgqod.exe
2488	daeevo.exe
2360	feodi.exe
2632	puisaav.exe
1568	peoci.exe
2388	seuuhog.exe
628	saoinu.exe
2416	fauuqo.exe
576	gauuqo.exe
1796	miaguu.exe
1004	lauut.exe
900	daiice.exe
2792	kiejuah.exe
852	nbfij.exe
2004	feodi.exe
2536	beodi.exe
2832	vplos.exe
2560	nauuye.exe
1604	diaguu.exe
300	feuco.exe
1760	poliy.exe
3024	seoohit.exe
1804	kiejuuh.exe
360	daeevo.exe
2416	maoruv.exe
1104	naeezup.exe
832	bauukeg.exe
1672	wuebaan.exe
1352	seoohit.exe
1728	tokeg.exe
2252	koejuuh.exe

Loads dropped DLL 59 IoCs

pid	Process
2896	c6ed9db1d14cedd3b4d6b4f9b20f73aa.exe
2896	c6ed9db1d14cedd3b4d6b4f9b20f73aa.exe
2940	cgqod.exe
2940	cgqod.exe
2488	daeevo.exe
2488	daeevo.exe
2360	feodi.exe
2360	feodi.exe
2632	puisaav.exe
2632	puisaav.exe
1568	peoci.exe
1568	peoci.exe
2388	seuuhog.exe
2388	seuuhog.exe
628	saoinu.exe
628	saoinu.exe
2416	fauuqo.exe
2416	fauuqo.exe
576	gauuqo.exe
576	gauuqo.exe
1796	miaguu.exe
1796	miaguu.exe
1004	lauut.exe
1004	lauut.exe
900	daiice.exe
900	daiice.exe
2792	kiejuah.exe
2792	kiejuah.exe
852	nbfij.exe
2004	feodi.exe
2004	feodi.exe
2536	beodi.exe
2536	beodi.exe
2832	vplos.exe
2832	vplos.exe
2560	nauuye.exe
2560	nauuye.exe
1604	diaguu.exe
1604	diaguu.exe
300	feuco.exe
300	feuco.exe
1760	poliy.exe
1760	poliy.exe
3024	seoohit.exe
3024	seoohit.exe
1804	kiejuuh.exe
360	daeevo.exe
360	daeevo.exe
2416	maoruv.exe
2416	maoruv.exe
1104	naeezup.exe
1104	naeezup.exe
832	bauukeg.exe
832	bauukeg.exe
1672	wuebaan.exe
1352	seoohit.exe
1352	seoohit.exe
1728	tokeg.exe
1728	tokeg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2896	c6ed9db1d14cedd3b4d6b4f9b20f73aa.exe
2940	cgqod.exe
2488	daeevo.exe
2360	feodi.exe
2632	puisaav.exe
1568	peoci.exe
2388	seuuhog.exe
628	saoinu.exe
2416	fauuqo.exe
576	gauuqo.exe
1796	miaguu.exe
1004	lauut.exe
900	daiice.exe
2792	kiejuah.exe
852	nbfij.exe
2004	feodi.exe
2536	beodi.exe
2832	vplos.exe
2560	nauuye.exe
1604	diaguu.exe
300	feuco.exe
1760	poliy.exe
3024	seoohit.exe
1804	kiejuuh.exe
360	daeevo.exe
2416	maoruv.exe
1104	naeezup.exe
832	bauukeg.exe
1672	wuebaan.exe
1352	seoohit.exe
1728	tokeg.exe
2252	koejuuh.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
2896	c6ed9db1d14cedd3b4d6b4f9b20f73aa.exe
2940	cgqod.exe
2488	daeevo.exe
2360	feodi.exe
2632	puisaav.exe
1568	peoci.exe
2388	seuuhog.exe
628	saoinu.exe
2416	fauuqo.exe
576	gauuqo.exe
1796	miaguu.exe
1004	lauut.exe
900	daiice.exe
2792	kiejuah.exe
852	nbfij.exe
2004	feodi.exe
2536	beodi.exe
2832	vplos.exe
2560	nauuye.exe
1604	diaguu.exe
300	feuco.exe
1760	poliy.exe
3024	seoohit.exe
1804	kiejuuh.exe
360	daeevo.exe
2416	maoruv.exe
1104	naeezup.exe
832	bauukeg.exe
1672	wuebaan.exe
1352	seoohit.exe
1728	tokeg.exe
2252	koejuuh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2940	2896	c6ed9db1d14cedd3b4d6b4f9b20f73aa.exe	28
PID 2896 wrote to memory of 2940	2896	c6ed9db1d14cedd3b4d6b4f9b20f73aa.exe	28
PID 2896 wrote to memory of 2940	2896	c6ed9db1d14cedd3b4d6b4f9b20f73aa.exe	28
PID 2896 wrote to memory of 2940	2896	c6ed9db1d14cedd3b4d6b4f9b20f73aa.exe	28
PID 2940 wrote to memory of 2488	2940	cgqod.exe	29
PID 2940 wrote to memory of 2488	2940	cgqod.exe	29
PID 2940 wrote to memory of 2488	2940	cgqod.exe	29
PID 2940 wrote to memory of 2488	2940	cgqod.exe	29
PID 2488 wrote to memory of 2360	2488	daeevo.exe	30
PID 2488 wrote to memory of 2360	2488	daeevo.exe	30
PID 2488 wrote to memory of 2360	2488	daeevo.exe	30
PID 2488 wrote to memory of 2360	2488	daeevo.exe	30
PID 2360 wrote to memory of 2632	2360	feodi.exe	31
PID 2360 wrote to memory of 2632	2360	feodi.exe	31
PID 2360 wrote to memory of 2632	2360	feodi.exe	31
PID 2360 wrote to memory of 2632	2360	feodi.exe	31
PID 2632 wrote to memory of 1568	2632	puisaav.exe	32
PID 2632 wrote to memory of 1568	2632	puisaav.exe	32
PID 2632 wrote to memory of 1568	2632	puisaav.exe	32
PID 2632 wrote to memory of 1568	2632	puisaav.exe	32
PID 1568 wrote to memory of 2388	1568	peoci.exe	33
PID 1568 wrote to memory of 2388	1568	peoci.exe	33
PID 1568 wrote to memory of 2388	1568	peoci.exe	33
PID 1568 wrote to memory of 2388	1568	peoci.exe	33
PID 2388 wrote to memory of 628	2388	seuuhog.exe	34
PID 2388 wrote to memory of 628	2388	seuuhog.exe	34
PID 2388 wrote to memory of 628	2388	seuuhog.exe	34
PID 2388 wrote to memory of 628	2388	seuuhog.exe	34
PID 628 wrote to memory of 2416	628	saoinu.exe	35
PID 628 wrote to memory of 2416	628	saoinu.exe	35
PID 628 wrote to memory of 2416	628	saoinu.exe	35
PID 628 wrote to memory of 2416	628	saoinu.exe	35
PID 2416 wrote to memory of 576	2416	fauuqo.exe	36
PID 2416 wrote to memory of 576	2416	fauuqo.exe	36
PID 2416 wrote to memory of 576	2416	fauuqo.exe	36
PID 2416 wrote to memory of 576	2416	fauuqo.exe	36
PID 576 wrote to memory of 1796	576	gauuqo.exe	37
PID 576 wrote to memory of 1796	576	gauuqo.exe	37
PID 576 wrote to memory of 1796	576	gauuqo.exe	37
PID 576 wrote to memory of 1796	576	gauuqo.exe	37
PID 1796 wrote to memory of 1004	1796	miaguu.exe	38
PID 1796 wrote to memory of 1004	1796	miaguu.exe	38
PID 1796 wrote to memory of 1004	1796	miaguu.exe	38
PID 1796 wrote to memory of 1004	1796	miaguu.exe	38
PID 1004 wrote to memory of 900	1004	lauut.exe	39
PID 1004 wrote to memory of 900	1004	lauut.exe	39
PID 1004 wrote to memory of 900	1004	lauut.exe	39
PID 1004 wrote to memory of 900	1004	lauut.exe	39
PID 900 wrote to memory of 2792	900	daiice.exe	40
PID 900 wrote to memory of 2792	900	daiice.exe	40
PID 900 wrote to memory of 2792	900	daiice.exe	40
PID 900 wrote to memory of 2792	900	daiice.exe	40
PID 2792 wrote to memory of 852	2792	kiejuah.exe	41
PID 2792 wrote to memory of 852	2792	kiejuah.exe	41
PID 2792 wrote to memory of 852	2792	kiejuah.exe	41
PID 2792 wrote to memory of 852	2792	kiejuah.exe	41
PID 852 wrote to memory of 2004	852	nbfij.exe	42
PID 852 wrote to memory of 2004	852	nbfij.exe	42
PID 852 wrote to memory of 2004	852	nbfij.exe	42
PID 852 wrote to memory of 2004	852	nbfij.exe	42
PID 2004 wrote to memory of 2536	2004	feodi.exe	43
PID 2004 wrote to memory of 2536	2004	feodi.exe	43
PID 2004 wrote to memory of 2536	2004	feodi.exe	43
PID 2004 wrote to memory of 2536	2004	feodi.exe	43

C:\Users\Admin\AppData\Local\Temp\c6ed9db1d14cedd3b4d6b4f9b20f73aa.exe
"C:\Users\Admin\AppData\Local\Temp\c6ed9db1d14cedd3b4d6b4f9b20f73aa.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Users\Admin\cgqod.exe
  "C:\Users\Admin\cgqod.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Users\Admin\daeevo.exe
    "C:\Users\Admin\daeevo.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Users\Admin\feodi.exe
      "C:\Users\Admin\feodi.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Users\Admin\puisaav.exe
        
        "C:\Users\Admin\puisaav.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2632
      - C:\Users\Admin\peoci.exe
        
        "C:\Users\Admin\peoci.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Users\Admin\seuuhog.exe
        
        "C:\Users\Admin\seuuhog.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Users\Admin\saoinu.exe
        
        "C:\Users\Admin\saoinu.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Users\Admin\fauuqo.exe
        
        "C:\Users\Admin\fauuqo.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Users\Admin\gauuqo.exe
        
        "C:\Users\Admin\gauuqo.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:576
        
        C:\Users\Admin\miaguu.exe
        
        "C:\Users\Admin\miaguu.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Users\Admin\lauut.exe
        
        "C:\Users\Admin\lauut.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Users\Admin\daiice.exe
        
        "C:\Users\Admin\daiice.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Users\Admin\kiejuah.exe
        
        "C:\Users\Admin\kiejuah.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Users\Admin\nbfij.exe
        
        "C:\Users\Admin\nbfij.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Users\Admin\feodi.exe
        
        "C:\Users\Admin\feodi.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Users\Admin\beodi.exe
        
        "C:\Users\Admin\beodi.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2536
        
        C:\Users\Admin\vplos.exe
        
        "C:\Users\Admin\vplos.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2832
        
        C:\Users\Admin\nauuye.exe
        
        "C:\Users\Admin\nauuye.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2560
        
        C:\Users\Admin\diaguu.exe
        
        "C:\Users\Admin\diaguu.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1604
        
        C:\Users\Admin\feuco.exe
        
        "C:\Users\Admin\feuco.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:300
        
        C:\Users\Admin\poliy.exe
        
        "C:\Users\Admin\poliy.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1760
        
        C:\Users\Admin\seoohit.exe
        
        "C:\Users\Admin\seoohit.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3024
        
        C:\Users\Admin\kiejuuh.exe
        
        "C:\Users\Admin\kiejuuh.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1804
        
        C:\Users\Admin\daeevo.exe
        
        "C:\Users\Admin\daeevo.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:360
        
        C:\Users\Admin\maoruv.exe
        
        "C:\Users\Admin\maoruv.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2416
        
        C:\Users\Admin\naeezup.exe
        
        "C:\Users\Admin\naeezup.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1104
        
        C:\Users\Admin\bauukeg.exe
        
        "C:\Users\Admin\bauukeg.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:832
        
        C:\Users\Admin\wuebaan.exe
        
        "C:\Users\Admin\wuebaan.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1672
        
        C:\Users\Admin\seoohit.exe
        
        "C:\Users\Admin\seoohit.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1352
        
        C:\Users\Admin\tokeg.exe
        
        "C:\Users\Admin\tokeg.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1728
        
        C:\Users\Admin\koejuuh.exe
        
        "C:\Users\Admin\koejuuh.exe"
        32⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2252
        
        C:\Users\Admin\vauuq.exe
        
        "C:\Users\Admin\vauuq.exe"
        33⤵
        
        PID:852
        
        C:\Users\Admin\poemuur.exe
        
        "C:\Users\Admin\poemuur.exe"
        34⤵
        
        PID:2944
        
        C:\Users\Admin\xealip.exe
        
        "C:\Users\Admin\xealip.exe"
        35⤵
        
        PID:2352
        
        C:\Users\Admin\wueboon.exe
        
        "C:\Users\Admin\wueboon.exe"
        36⤵
        
        PID:2348
        
        C:\Users\Admin\xeamip.exe
        
        "C:\Users\Admin\xeamip.exe"
        37⤵
        
        PID:2604
        
        C:\Users\Admin\kiubaan.exe
        
        "C:\Users\Admin\kiubaan.exe"
        38⤵
        
        PID:2148
        
        C:\Users\Admin\liejuuq.exe
        
        "C:\Users\Admin\liejuuq.exe"
        39⤵
        
        PID:2144
        
        C:\Users\Admin\diafuu.exe
        
        "C:\Users\Admin\diafuu.exe"
        40⤵
        
        PID:1364
        
        C:\Users\Admin\pealoor.exe
        
        "C:\Users\Admin\pealoor.exe"
        41⤵
        
        PID:1584
        
        C:\Users\Admin\seoohit.exe
        
        "C:\Users\Admin\seoohit.exe"
        42⤵
        
        PID:1356
        
        C:\Users\Admin\jeiihuw.exe
        
        "C:\Users\Admin\jeiihuw.exe"
        43⤵
        
        PID:1404
        
        C:\Users\Admin\bauufe.exe
        
        "C:\Users\Admin\bauufe.exe"
        44⤵
        
        PID:1148
        
        C:\Users\Admin\feuuq.exe
        
        "C:\Users\Admin\feuuq.exe"
        45⤵
        
        PID:1864
        
        C:\Users\Admin\jiafuv.exe
        
        "C:\Users\Admin\jiafuv.exe"
        46⤵
        
        PID:2508
        
        C:\Users\Admin\coilu.exe
        
        "C:\Users\Admin\coilu.exe"
        47⤵
        
        PID:2976
        
        C:\Users\Admin\jiuyaz.exe
        
        "C:\Users\Admin\jiuyaz.exe"
        48⤵
        
        PID:1688
        
        C:\Users\Admin\rtqin.exe
        
        "C:\Users\Admin\rtqin.exe"
        49⤵
        
        PID:1432
        
        C:\Users\Admin\diaguu.exe
        
        "C:\Users\Admin\diaguu.exe"
        50⤵
        
        PID:1612
        
        C:\Users\Admin\tokeg.exe
        
        "C:\Users\Admin\tokeg.exe"
        51⤵
        
        PID:1996
        
        C:\Users\Admin\mauuj.exe
        
        "C:\Users\Admin\mauuj.exe"
        52⤵
        
        PID:872
        
        C:\Users\Admin\diafuu.exe
        
        "C:\Users\Admin\diafuu.exe"
        53⤵
        
        PID:2556
        
        C:\Users\Admin\yhxom.exe
        
        "C:\Users\Admin\yhxom.exe"
        54⤵
        
        PID:1420
        
        C:\Users\Admin\wuabe.exe
        
        "C:\Users\Admin\wuabe.exe"
        55⤵
        
        PID:2872
        
        C:\Users\Admin\wuqil.exe
        
        "C:\Users\Admin\wuqil.exe"
        56⤵
        
        PID:1576
        
        C:\Users\Admin\guawen.exe
        
        "C:\Users\Admin\guawen.exe"
        57⤵
        
        PID:1568
        
        C:\Users\Admin\wuqol.exe
        
        "C:\Users\Admin\wuqol.exe"
        58⤵
        
        PID:1456
        
        C:\Users\Admin\giabop.exe
        
        "C:\Users\Admin\giabop.exe"
        59⤵
        
        PID:332
        
        C:\Users\Admin\roaqu.exe
        
        "C:\Users\Admin\roaqu.exe"
        60⤵
        
        PID:2712
        
        C:\Users\Admin\ycdoat.exe
        
        "C:\Users\Admin\ycdoat.exe"
        61⤵
        
        PID:268
        
        C:\Users\Admin\gaobip.exe
        
        "C:\Users\Admin\gaobip.exe"
        62⤵
        
        PID:1812
        
        C:\Users\Admin\daiice.exe
        
        "C:\Users\Admin\daiice.exe"
        63⤵
        
        PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\daiice.exe

Filesize
224KB

MD5
11cc6f67b8d3ddade03b96dcf5ab9ccf

SHA1
f55a75c803d4308b5e585fdfff9ce1d92286cede

SHA256
6a375bff71d58447bb35ea13e14de3d840a9a3f93b10de8fe45c52dd61f23875

SHA512
01e92beb4dd3fa43f64a57cd22017ed72f19ca24dd4e34677f05070792422708efe7c22a1124179afe64bfc0f8a3738c62d9e98dc2c50c8121d43dca92e6327e

Download Submit
\Users\Admin\beodi.exe

Filesize
224KB

MD5
f91fd2a5009ab8a4672422a2feefaefe

SHA1
04bddb96c25ad51a327cad872062b18ab0be8c7e

SHA256
1dc81628fa63cc6283f6beeb19b629bb9b1f73214991e67dd6222a4fb9c0f6c2

SHA512
511a1a98632edd406a0de7f1fcdf45d75fca2a71f619b2addcbd2a188508f715afc5e38c9d0275b1fe40243daef36e581698c2f2982f4f68d0d03033e66fcef1

Download Submit
\Users\Admin\cgqod.exe

Filesize
224KB

MD5
3d3fc43328d928f104d0df183573e8e9

SHA1
952660df1aafb1596ce1f42149b5f53e5d8b7186

SHA256
de9b32acfe749c524b905b8199524b3e006e5ba2a93ccc91dab13d44636f79fd

SHA512
a2e872aed0cf43f9d1d18bbc274c133c3713f4f1e1e222553f2fe91352350ec23e492719e5236b32f26037837cbe093ae0cb5a924567297d75567bfb89ad8371

Download Submit
\Users\Admin\daeevo.exe

Filesize
224KB

MD5
ed7a7f020d0818f460c4fcd3942765e4

SHA1
70e789bcd5fd43979e2965cd7e4770662a5a2f80

SHA256
2f639f912c06e9af183dcfcdda2f8ccf7e9e796e237a2f0863b40cbf6a951309

SHA512
d2ef2414ce514a59e37bd7e6debedb5ef1b267618bab224c41dbe0d3bbfa824b2186d9172392e978de8a5045605c20f258c5477fa3c68a1d88b26f1e33761916

Download Submit
\Users\Admin\fauuqo.exe

Filesize
224KB

MD5
0794cd5c5c6384728cb240793cf8b931

SHA1
2965d31eb4ba3dbcd64be4619872ca4ddc09f600

SHA256
202b2e1eac6862d0bd43c5a6cb495edc05c42e4e2e1fad941463e4765a7c09ee

SHA512
4c4ac0b9814b7d825e45dcdea660b3c4a9b09219f0cda6221493a1cd49b6023703001ee77a9707651248999304757b890025ef6d640c67815b2c8c8d2b23e251

Download Submit
\Users\Admin\feodi.exe

Filesize
224KB

MD5
491b2ad132c5b4654814b86aa0e5967a

SHA1
b283b516089d8a820f988ece5c379506ac758c64

SHA256
45bc3da8eb49cc72c77aa3a53e0d5e669e3b3ab012fb5e30597b683c58182ef3

SHA512
ab3941ee432a25fee54fe9c3b2c268a98521e15a3146297a9fdb651d306fe0fd58cbdeb5b32209cdf0a004fec3893e0753f869069699da265cf211e284feeb2e

Download Submit
\Users\Admin\gauuqo.exe

Filesize
224KB

MD5
025727d00df9e4283e48199376316678

SHA1
9e9b1bbe0bc06c11a8300b53f3a5c993f0469359

SHA256
cc27ac7260302c3396a9e8d7d5874dfc91f4463e522419bb502eaaaa34bc3595

SHA512
e95a2f9eba7f09f2eac79173759bb875fc5974f7b70544c4f1d5fc5c82b74274a13a2c705abf117c16c9f7e00e83923c92b739a2204763c32d6a52f33539b114

Download Submit
\Users\Admin\kiejuah.exe

Filesize
224KB

MD5
90b3923ed7e690fd6ed6162e34f7a495

SHA1
6c77d22129d4019f0a497048fad1264dfe230c0b

SHA256
10d33a2955eb032c469a69a7d0fea40ac1ca427cfec4c8851cca595a60493c10

SHA512
beeecf3cb510308955d88f311692294355db7533b3604315c6c5b2c41568ffbae51762369bdda5b7b4966a5e900644a28a217e49fda9f41756a3ff15e7afaf05

Download Submit
\Users\Admin\lauut.exe

Filesize
224KB

MD5
2d9863e5a47913a6336906e76ec4f251

SHA1
3dee5e98b7b67bf60154de78a1ec995c810407ca

SHA256
f229394d8625c6dfc31d02e34e06fd12e0b3da5a30c99c8db4aa7e9ddc632213

SHA512
6f89008d97e131a68e8b08575e9107dd8cf3276ea33ea4ab7d3cd3db6c587acc7e70d7bb566b05ecec999787d9d337d068e71e7a7924df9060317bf762e428d8

Download Submit
\Users\Admin\miaguu.exe

Filesize
224KB

MD5
ca4c629982763e222f62352bfb731abc

SHA1
2cd78d1c2cd30cd3617dd669b24cb3c827f3dd11

SHA256
3dd555e5bff3c1da4c6c242431c879589ee7181597644aa1e77449aab57764cb

SHA512
bde81a6c72e7e1fa02cc7e1d47f20a04c9a923fea44673a157cd584ebc8442ea0f0478416dc76b5a936a1bbe4a139ab2a0460156efdfc92a17e4db6ffe86d1c7

Download Submit
\Users\Admin\nbfij.exe

Filesize
224KB

MD5
374656dbd00f37ffd44dc29669c41b95

SHA1
c533b828ea1f4679f4fe3ab3c2eaba30469e12df

SHA256
7a05474090ff6973675589dcdf4b4bb3c71d4efd5f49269fe8a6b767095c8b8e

SHA512
eae22558256980dbe9a55fd7c787ef2839d69b3141e2345b4f01cc6295a9b0a7788b54b480158932f3f9b44582d70119b73c6fe8e4b3f7f1e37a18c988e9d559

Download Submit
\Users\Admin\peoci.exe

Filesize
224KB

MD5
cfa48c31c51ea3a93aeb064312c881c9

SHA1
20ccce6caddf903c3ccf5d6c2df4b04dcfce6676

SHA256
3860f2aabe20e333594d25bb54c0342c015bf2008d1d04db811409d16341f7b2

SHA512
a753f6372891d0f98a6b77ef0a89cfd94e1819a1f6956a03218d4937f331e504f2bd6a4a8c79a0dbddd2b5b401fa312e83f8f3af4d9b46f3fa959fe5330abef1

Download Submit
\Users\Admin\puisaav.exe

Filesize
224KB

MD5
efbfa7411018821d2c7b7900ca9f9178

SHA1
dbfffb206591c0e8d5953e447853718a273e09ce

SHA256
499598768595cc943ede044b9a7c4b158266e20bb490918ec57c43b702a69bff

SHA512
1aae907e0d7b143a4a327b6abeff79c433f38b92cbf655c9bd41629823c49cdcc94a0914fab6f6fb09d8cd69a45c9ff55b3533925e6e8bf3f2c576ea29a4f074

Download Submit
\Users\Admin\saoinu.exe

Filesize
224KB

MD5
23f479d0ee0386e119581fa62edff957

SHA1
693b350e16d428acc76ac6f32a2a82044208f39b

SHA256
b7b6036d7801f626ccc205375cc05967c5ed1f1900a5a08919f48e0be447b6f3

SHA512
ae290628c81c7a1c6c931c03cb2c627324a5a72cd636fc3390ea2b751b2ee2a7dedd8175434d9ed5ee2b8149542ec2eb3b74fd7209c03baea16303d8c7842f21

Download Submit
\Users\Admin\seuuhog.exe

Filesize
224KB

MD5
350aea213f5bfe263dcf11154bd9f378

SHA1
ec9cb305d80a7e4424ff6d1e54ffea8663a89801

SHA256
3a243beb5feb7783cbd3bc002a112e0192a1cfe9f24102880d299fbd5cdf591b

SHA512
a88c4a68e01f9e8f8b16f244ec69091d2a1ab3d3789ddac91ba09563a190e08235cfde2cba906f86da940d6a9ece257dd6a77d2828ae04c29e3a631b57e1fd8e

Download Submit
\Users\Admin\vplos.exe

Filesize
224KB

MD5
388d3997f41c7eb9e8d5598a7ee769c8

SHA1
c341e90a3eba22106df8068ba1fdd8306cf69dbd

SHA256
36b2da6770e65b23baf252aae49c66965ecb7ff8ca5ba2a092909bd0ba4506c4

SHA512
5668d8f6d975ac2dc2da3301eead668a79d6d2964286d38b72ee185e0c63b93cd34e3bb2077e049dc22347138035e92b7797f49f2d2c3f5be2d6c309a942061c

Download Submit
memory/300-313-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/300-323-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/300-322-0x0000000003780000-0x00000000037BA000-memory.dmp

Filesize
232KB

Download
memory/576-162-0x00000000038B0000-0x00000000038EA000-memory.dmp

Filesize
232KB

Download
memory/576-169-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/576-152-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/628-132-0x0000000003B10000-0x0000000003B4A000-memory.dmp

Filesize
232KB

Download
memory/628-117-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/628-137-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/852-236-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/852-242-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/900-202-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/900-217-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/900-218-0x0000000002DA0000-0x0000000002DDA000-memory.dmp

Filesize
232KB

Download
memory/1004-185-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1004-201-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1568-85-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1568-101-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1604-298-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1604-309-0x00000000038B0000-0x00000000038EA000-memory.dmp

Filesize
232KB

Download
memory/1604-311-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1760-324-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1760-336-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1760-335-0x00000000038B0000-0x00000000038EA000-memory.dmp

Filesize
232KB

Download
memory/1796-187-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1796-168-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1796-183-0x00000000038C0000-0x00000000038FA000-memory.dmp

Filesize
232KB

Download
memory/1804-349-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2004-257-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2004-251-0x00000000038B0000-0x00000000038EA000-memory.dmp

Filesize
232KB

Download
memory/2360-72-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2360-63-0x0000000003A10000-0x0000000003A4A000-memory.dmp

Filesize
232KB

Download
memory/2360-54-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2388-119-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2388-102-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2416-151-0x00000000038F0000-0x000000000392A000-memory.dmp

Filesize
232KB

Download
memory/2416-150-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2416-134-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2488-53-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2488-38-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2488-49-0x0000000003A20000-0x0000000003A5A000-memory.dmp

Filesize
232KB

Download
memory/2488-51-0x0000000003A20000-0x0000000003A5A000-memory.dmp

Filesize
232KB

Download
memory/2536-276-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2536-271-0x0000000003630000-0x000000000366A000-memory.dmp

Filesize
232KB

Download
memory/2536-272-0x0000000003630000-0x000000000366A000-memory.dmp

Filesize
232KB

Download
memory/2560-297-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2560-288-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2632-69-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2632-86-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2792-235-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2792-220-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2792-229-0x00000000038F0000-0x000000000392A000-memory.dmp

Filesize
232KB

Download
memory/2832-286-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2832-274-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2896-16-0x0000000003620000-0x000000000365A000-memory.dmp

Filesize
232KB

Download
memory/2896-17-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2896-13-0x0000000003620000-0x000000000365A000-memory.dmp

Filesize
232KB

Download
memory/2896-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2940-37-0x00000000037A0000-0x00000000037DA000-memory.dmp

Filesize
232KB

Download
memory/2940-35-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2940-32-0x00000000037A0000-0x00000000037DA000-memory.dmp

Filesize
232KB

Download
memory/2940-19-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3024-337-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3024-348-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download