d6fb4e84b42c2bf97b6cfa49b2ee34f61b462e04d97181b66de44149665b6feb

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6fb4e84b42c2bf97b6cfa49b2ee34f61b462e04d97181b66de44149665b6feb.exe
Size

224KB
MD5

29239936028f8eb516700014845eded3
SHA1

34734a314ca6cf889919726e1179502578925b87
SHA256

d6fb4e84b42c2bf97b6cfa49b2ee34f61b462e04d97181b66de44149665b6feb
SHA512

3a7b822470d77520cfc1874fa464ebba429b908fc9a9b78568afd7ee1088ac8071ab6494d60c120325b348d614eb9a6e1f48bae0623cb43dee3d07b2cc39815b
SSDEEP

3072:GG+KCdTZH9DhCjG8G3GbGVGBGfGuGxGWYcrf6Kad0:GGvCdTp1AYcD6Kad

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 60 IoCs

pid	Process
2040	loiiv.exe
2880	gofik.exe
2572	luiqaa.exe
2028	xlfiy.exe
1796	koeraa.exe
2792	seuco.exe
1812	qoigeew.exe
1128	joezac.exe
604	toivee.exe
2236	wxhov.exe
2260	zienuu.exe
1804	soapeex.exe
320	soapeex.exe
3044	feuwo.exe
1724	koeraa.exe
2100	moelaa.exe
2616	vaooki.exe
2632	ydnoj.exe
3020	waooxi.exe
3016	zieju.exe
1700	sieyug.exe
1356	lieju.exe
1736	soapeey.exe
2056	weuyo.exe
708	zmjeg.exe
1152	wiegaal.exe
1600	xaoovi.exe
1972	jlyeoh.exe
1004	miaku.exe
2288	feuco.exe
2252	tdwoik.exe
1296	qoapu.exe
1684	jlyeoh.exe
2484	qaiic.exe
2740	feuwo.exe
2524	miejup.exe
3020	beuuwo.exe
2336	roicaaw.exe
2520	zlyeq.exe
2636	vrpuek.exe
2896	suopaay.exe
1940	yutor.exe
1112	csgew.exe
2236	taiix.exe
756	frgov.exe
2144	qauuf.exe
2412	xurin.exe
3044	jcvex.exe
1948	joatee.exe
2604	xurin.exe
2100	vrgot.exe
2724	baiilu.exe
2880	hgwoc.exe
2060	kdhiex.exe
1344	kieho.exe
1460	wauuti.exe
2340	lauuje.exe
2052	miaguu.exe
2344	wuookeg.exe
1388	qaiizur.exe

Loads dropped DLL 64 IoCs

pid	Process
1708	d6fb4e84b42c2bf97b6cfa49b2ee34f61b462e04d97181b66de44149665b6feb.exe
1708	d6fb4e84b42c2bf97b6cfa49b2ee34f61b462e04d97181b66de44149665b6feb.exe
2040	loiiv.exe
2040	loiiv.exe
2880	gofik.exe
2880	gofik.exe
2572	luiqaa.exe
2572	luiqaa.exe
2028	xlfiy.exe
2028	xlfiy.exe
1796	koeraa.exe
1796	koeraa.exe
2792	seuco.exe
2792	seuco.exe
1812	qoigeew.exe
1812	qoigeew.exe
1128	joezac.exe
1128	joezac.exe
604	toivee.exe
604	toivee.exe
2236	wxhov.exe
2236	wxhov.exe
2260	zienuu.exe
2260	zienuu.exe
320	soapeex.exe
320	soapeex.exe
3044	feuwo.exe
1724	koeraa.exe
1724	koeraa.exe
2100	moelaa.exe
2100	moelaa.exe
2616	vaooki.exe
2616	vaooki.exe
2632	ydnoj.exe
2632	ydnoj.exe
3020	waooxi.exe
3020	waooxi.exe
3016	zieju.exe
3016	zieju.exe
1700	sieyug.exe
1700	sieyug.exe
1356	lieju.exe
1356	lieju.exe
1736	soapeey.exe
1736	soapeey.exe
2056	weuyo.exe
2056	weuyo.exe
708	zmjeg.exe
708	zmjeg.exe
1152	wiegaal.exe
1152	wiegaal.exe
1600	xaoovi.exe
1600	xaoovi.exe
1972	jlyeoh.exe
1972	jlyeoh.exe
1004	miaku.exe
1004	miaku.exe
2288	feuco.exe
2288	feuco.exe
2252	tdwoik.exe
2252	tdwoik.exe
1296	qoapu.exe
1684	jlyeoh.exe
1684	jlyeoh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 61 IoCs

pid	Process
1708	d6fb4e84b42c2bf97b6cfa49b2ee34f61b462e04d97181b66de44149665b6feb.exe
2040	loiiv.exe
2880	gofik.exe
2572	luiqaa.exe
2028	xlfiy.exe
1796	koeraa.exe
2792	seuco.exe
1812	qoigeew.exe
1128	joezac.exe
604	toivee.exe
2236	wxhov.exe
2260	zienuu.exe
1804	soapeex.exe
320	soapeex.exe
3044	feuwo.exe
1724	koeraa.exe
2100	moelaa.exe
2616	vaooki.exe
2632	ydnoj.exe
3020	waooxi.exe
3016	zieju.exe
1700	sieyug.exe
1356	lieju.exe
1736	soapeey.exe
2056	weuyo.exe
708	zmjeg.exe
1152	wiegaal.exe
1600	xaoovi.exe
1972	jlyeoh.exe
1004	miaku.exe
2288	feuco.exe
2252	tdwoik.exe
1296	qoapu.exe
1684	jlyeoh.exe
2484	qaiic.exe
2740	feuwo.exe
2524	miejup.exe
3020	beuuwo.exe
2336	roicaaw.exe
2520	zlyeq.exe
2636	vrpuek.exe
2896	suopaay.exe
1940	yutor.exe
1112	csgew.exe
2236	taiix.exe
756	frgov.exe
2144	qauuf.exe
2412	xurin.exe
3044	jcvex.exe
1948	joatee.exe
2604	xurin.exe
2100	vrgot.exe
2724	baiilu.exe
2880	hgwoc.exe
2060	kdhiex.exe
1344	kieho.exe
1460	wauuti.exe
2340	lauuje.exe
2052	miaguu.exe
2344	wuookeg.exe
1388	qaiizur.exe

Suspicious use of SetWindowsHookEx 61 IoCs

pid	Process
1708	d6fb4e84b42c2bf97b6cfa49b2ee34f61b462e04d97181b66de44149665b6feb.exe
2040	loiiv.exe
2880	gofik.exe
2572	luiqaa.exe
2028	xlfiy.exe
1796	koeraa.exe
2792	seuco.exe
1812	qoigeew.exe
1128	joezac.exe
604	toivee.exe
2236	wxhov.exe
2260	zienuu.exe
1804	soapeex.exe
320	soapeex.exe
3044	feuwo.exe
1724	koeraa.exe
2100	moelaa.exe
2616	vaooki.exe
2632	ydnoj.exe
3020	waooxi.exe
3016	zieju.exe
1700	sieyug.exe
1356	lieju.exe
1736	soapeey.exe
2056	weuyo.exe
708	zmjeg.exe
1152	wiegaal.exe
1600	xaoovi.exe
1972	jlyeoh.exe
1004	miaku.exe
2288	feuco.exe
2252	tdwoik.exe
1296	qoapu.exe
1684	jlyeoh.exe
2484	qaiic.exe
2740	feuwo.exe
2524	miejup.exe
3020	beuuwo.exe
2336	roicaaw.exe
2520	zlyeq.exe
2636	vrpuek.exe
2896	suopaay.exe
1940	yutor.exe
1112	csgew.exe
2236	taiix.exe
756	frgov.exe
2144	qauuf.exe
2412	xurin.exe
3044	jcvex.exe
1948	joatee.exe
2604	xurin.exe
2100	vrgot.exe
2724	baiilu.exe
2880	hgwoc.exe
2060	kdhiex.exe
1344	kieho.exe
1460	wauuti.exe
2340	lauuje.exe
2052	miaguu.exe
2344	wuookeg.exe
1388	qaiizur.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2040	1708	d6fb4e84b42c2bf97b6cfa49b2ee34f61b462e04d97181b66de44149665b6feb.exe	28
PID 1708 wrote to memory of 2040	1708	d6fb4e84b42c2bf97b6cfa49b2ee34f61b462e04d97181b66de44149665b6feb.exe	28
PID 1708 wrote to memory of 2040	1708	d6fb4e84b42c2bf97b6cfa49b2ee34f61b462e04d97181b66de44149665b6feb.exe	28
PID 1708 wrote to memory of 2040	1708	d6fb4e84b42c2bf97b6cfa49b2ee34f61b462e04d97181b66de44149665b6feb.exe	28
PID 2040 wrote to memory of 2880	2040	loiiv.exe	29
PID 2040 wrote to memory of 2880	2040	loiiv.exe	29
PID 2040 wrote to memory of 2880	2040	loiiv.exe	29
PID 2040 wrote to memory of 2880	2040	loiiv.exe	29
PID 2880 wrote to memory of 2572	2880	gofik.exe	30
PID 2880 wrote to memory of 2572	2880	gofik.exe	30
PID 2880 wrote to memory of 2572	2880	gofik.exe	30
PID 2880 wrote to memory of 2572	2880	gofik.exe	30
PID 2572 wrote to memory of 2028	2572	luiqaa.exe	31
PID 2572 wrote to memory of 2028	2572	luiqaa.exe	31
PID 2572 wrote to memory of 2028	2572	luiqaa.exe	31
PID 2572 wrote to memory of 2028	2572	luiqaa.exe	31
PID 2028 wrote to memory of 1796	2028	xlfiy.exe	32
PID 2028 wrote to memory of 1796	2028	xlfiy.exe	32
PID 2028 wrote to memory of 1796	2028	xlfiy.exe	32
PID 2028 wrote to memory of 1796	2028	xlfiy.exe	32
PID 1796 wrote to memory of 2792	1796	koeraa.exe	33
PID 1796 wrote to memory of 2792	1796	koeraa.exe	33
PID 1796 wrote to memory of 2792	1796	koeraa.exe	33
PID 1796 wrote to memory of 2792	1796	koeraa.exe	33
PID 2792 wrote to memory of 1812	2792	seuco.exe	34
PID 2792 wrote to memory of 1812	2792	seuco.exe	34
PID 2792 wrote to memory of 1812	2792	seuco.exe	34
PID 2792 wrote to memory of 1812	2792	seuco.exe	34
PID 1812 wrote to memory of 1128	1812	qoigeew.exe	35
PID 1812 wrote to memory of 1128	1812	qoigeew.exe	35
PID 1812 wrote to memory of 1128	1812	qoigeew.exe	35
PID 1812 wrote to memory of 1128	1812	qoigeew.exe	35
PID 1128 wrote to memory of 604	1128	joezac.exe	36
PID 1128 wrote to memory of 604	1128	joezac.exe	36
PID 1128 wrote to memory of 604	1128	joezac.exe	36
PID 1128 wrote to memory of 604	1128	joezac.exe	36
PID 604 wrote to memory of 2236	604	toivee.exe	37
PID 604 wrote to memory of 2236	604	toivee.exe	37
PID 604 wrote to memory of 2236	604	toivee.exe	37
PID 604 wrote to memory of 2236	604	toivee.exe	37
PID 2236 wrote to memory of 2260	2236	wxhov.exe	38
PID 2236 wrote to memory of 2260	2236	wxhov.exe	38
PID 2236 wrote to memory of 2260	2236	wxhov.exe	38
PID 2236 wrote to memory of 2260	2236	wxhov.exe	38
PID 2260 wrote to memory of 1804	2260	zienuu.exe	39
PID 2260 wrote to memory of 1804	2260	zienuu.exe	39
PID 2260 wrote to memory of 1804	2260	zienuu.exe	39
PID 2260 wrote to memory of 1804	2260	zienuu.exe	39
PID 1804 wrote to memory of 320	1804	soapeex.exe	40
PID 1804 wrote to memory of 320	1804	soapeex.exe	40
PID 1804 wrote to memory of 320	1804	soapeex.exe	40
PID 1804 wrote to memory of 320	1804	soapeex.exe	40
PID 320 wrote to memory of 3044	320	soapeex.exe	41
PID 320 wrote to memory of 3044	320	soapeex.exe	41
PID 320 wrote to memory of 3044	320	soapeex.exe	41
PID 320 wrote to memory of 3044	320	soapeex.exe	41
PID 3044 wrote to memory of 1724	3044	feuwo.exe	42
PID 3044 wrote to memory of 1724	3044	feuwo.exe	42
PID 3044 wrote to memory of 1724	3044	feuwo.exe	42
PID 3044 wrote to memory of 1724	3044	feuwo.exe	42
PID 1724 wrote to memory of 2100	1724	koeraa.exe	43
PID 1724 wrote to memory of 2100	1724	koeraa.exe	43
PID 1724 wrote to memory of 2100	1724	koeraa.exe	43
PID 1724 wrote to memory of 2100	1724	koeraa.exe	43

C:\Users\Admin\AppData\Local\Temp\d6fb4e84b42c2bf97b6cfa49b2ee34f61b462e04d97181b66de44149665b6feb.exe
"C:\Users\Admin\AppData\Local\Temp\d6fb4e84b42c2bf97b6cfa49b2ee34f61b462e04d97181b66de44149665b6feb.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\loiiv.exe
  "C:\Users\Admin\loiiv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Users\Admin\gofik.exe
    "C:\Users\Admin\gofik.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Users\Admin\luiqaa.exe
      "C:\Users\Admin\luiqaa.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Users\Admin\xlfiy.exe
        
        "C:\Users\Admin\xlfiy.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2028
      - C:\Users\Admin\koeraa.exe
        
        "C:\Users\Admin\koeraa.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Users\Admin\seuco.exe
        
        "C:\Users\Admin\seuco.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Users\Admin\qoigeew.exe
        
        "C:\Users\Admin\qoigeew.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Users\Admin\joezac.exe
        
        "C:\Users\Admin\joezac.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Users\Admin\toivee.exe
        
        "C:\Users\Admin\toivee.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:604
        
        C:\Users\Admin\wxhov.exe
        
        "C:\Users\Admin\wxhov.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Users\Admin\zienuu.exe
        
        "C:\Users\Admin\zienuu.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Users\Admin\soapeex.exe
        
        "C:\Users\Admin\soapeex.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Users\Admin\soapeex.exe
        
        "C:\Users\Admin\soapeex.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Users\Admin\feuwo.exe
        
        "C:\Users\Admin\feuwo.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Users\Admin\koeraa.exe
        
        "C:\Users\Admin\koeraa.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Users\Admin\moelaa.exe
        
        "C:\Users\Admin\moelaa.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2100
        
        C:\Users\Admin\vaooki.exe
        
        "C:\Users\Admin\vaooki.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2616
        
        C:\Users\Admin\ydnoj.exe
        
        "C:\Users\Admin\ydnoj.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2632
        
        C:\Users\Admin\waooxi.exe
        
        "C:\Users\Admin\waooxi.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3020
        
        C:\Users\Admin\zieju.exe
        
        "C:\Users\Admin\zieju.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3016
        
        C:\Users\Admin\sieyug.exe
        
        "C:\Users\Admin\sieyug.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        C:\Users\Admin\lieju.exe
        
        "C:\Users\Admin\lieju.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1356
        
        C:\Users\Admin\soapeey.exe
        
        "C:\Users\Admin\soapeey.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1736
        
        C:\Users\Admin\weuyo.exe
        
        "C:\Users\Admin\weuyo.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2056
        
        C:\Users\Admin\zmjeg.exe
        
        "C:\Users\Admin\zmjeg.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:708
        
        C:\Users\Admin\wiegaal.exe
        
        "C:\Users\Admin\wiegaal.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1152
        
        C:\Users\Admin\xaoovi.exe
        
        "C:\Users\Admin\xaoovi.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Users\Admin\jlyeoh.exe
        
        "C:\Users\Admin\jlyeoh.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1972
        
        C:\Users\Admin\miaku.exe
        
        "C:\Users\Admin\miaku.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1004
        
        C:\Users\Admin\feuco.exe
        
        "C:\Users\Admin\feuco.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2288
        
        C:\Users\Admin\tdwoik.exe
        
        "C:\Users\Admin\tdwoik.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2252
        
        C:\Users\Admin\qoapu.exe
        
        "C:\Users\Admin\qoapu.exe"
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1296
        
        C:\Users\Admin\jlyeoh.exe
        
        "C:\Users\Admin\jlyeoh.exe"
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1684
        
        C:\Users\Admin\qaiic.exe
        
        "C:\Users\Admin\qaiic.exe"
        35⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2484
        
        C:\Users\Admin\feuwo.exe
        
        "C:\Users\Admin\feuwo.exe"
        36⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2740
        
        C:\Users\Admin\miejup.exe
        
        "C:\Users\Admin\miejup.exe"
        37⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2524
        
        C:\Users\Admin\beuuwo.exe
        
        "C:\Users\Admin\beuuwo.exe"
        38⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3020
        
        C:\Users\Admin\roicaaw.exe
        
        "C:\Users\Admin\roicaaw.exe"
        39⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2336
        
        C:\Users\Admin\zlyeq.exe
        
        "C:\Users\Admin\zlyeq.exe"
        40⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2520
        
        C:\Users\Admin\vrpuek.exe
        
        "C:\Users\Admin\vrpuek.exe"
        41⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2636
        
        C:\Users\Admin\suopaay.exe
        
        "C:\Users\Admin\suopaay.exe"
        42⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2896
        
        C:\Users\Admin\yutor.exe
        
        "C:\Users\Admin\yutor.exe"
        43⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1940
        
        C:\Users\Admin\csgew.exe
        
        "C:\Users\Admin\csgew.exe"
        44⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1112
        
        C:\Users\Admin\taiix.exe
        
        "C:\Users\Admin\taiix.exe"
        45⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2236
        
        C:\Users\Admin\frgov.exe
        
        "C:\Users\Admin\frgov.exe"
        46⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:756
        
        C:\Users\Admin\qauuf.exe
        
        "C:\Users\Admin\qauuf.exe"
        47⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2144
        
        C:\Users\Admin\xurin.exe
        
        "C:\Users\Admin\xurin.exe"
        48⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2412
        
        C:\Users\Admin\jcvex.exe
        
        "C:\Users\Admin\jcvex.exe"
        49⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3044
        
        C:\Users\Admin\joatee.exe
        
        "C:\Users\Admin\joatee.exe"
        50⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1948
        
        C:\Users\Admin\xurin.exe
        
        "C:\Users\Admin\xurin.exe"
        51⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2604
        
        C:\Users\Admin\vrgot.exe
        
        "C:\Users\Admin\vrgot.exe"
        52⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2100
        
        C:\Users\Admin\baiilu.exe
        
        "C:\Users\Admin\baiilu.exe"
        53⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2724
        
        C:\Users\Admin\hgwoc.exe
        
        "C:\Users\Admin\hgwoc.exe"
        54⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2880
        
        C:\Users\Admin\kdhiex.exe
        
        "C:\Users\Admin\kdhiex.exe"
        55⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2060
        
        C:\Users\Admin\kieho.exe
        
        "C:\Users\Admin\kieho.exe"
        56⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1344
        
        C:\Users\Admin\wauuti.exe
        
        "C:\Users\Admin\wauuti.exe"
        57⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1460
        
        C:\Users\Admin\lauuje.exe
        
        "C:\Users\Admin\lauuje.exe"
        58⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2340
        
        C:\Users\Admin\miaguu.exe
        
        "C:\Users\Admin\miaguu.exe"
        59⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2052
        
        C:\Users\Admin\wuookeg.exe
        
        "C:\Users\Admin\wuookeg.exe"
        60⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2344
        
        C:\Users\Admin\qaiizur.exe
        
        "C:\Users\Admin\qaiizur.exe"
        61⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\moelaa.exe

Filesize
224KB

MD5
28dc8ad8f0f512be2a6795d8c8de57af

SHA1
796b44b166c1f9c1aa776f280f54e21c3de989d2

SHA256
d137a58a7f723319f18cb1b843f4b30d88ca8311ca877155ac762ac7a400f15d

SHA512
754a673691f48e001fe5ef72dc8ff422c0518119695f15838ab4cf57f336585f86379905223ab40106b04c849600a986a827bd666f105e11745fe936755a41e9

Download Submit
C:\Users\Admin\seuco.exe

Filesize
224KB

MD5
bb22088c11631392f4385ec586897936

SHA1
fa128661a064a930811cc7305e92fae15b042ee9

SHA256
c4d2b18a7c121205bb599deeb937ee708f882c194ca3c05e561c3033017bce84

SHA512
33ad96d1ad52c5456b479faf1db8b27eece04c65e3c14f99602196960e4af02667b42574525493184b029db1cb6810555339984e473ec3da2d8921e193c6a0a4

Download Submit
C:\Users\Admin\soapeex.exe

Filesize
224KB

MD5
99c0d88eb23ffe57b49d7e722f33959e

SHA1
ddf7335265e1f57b67099200cfae9a847c4095d0

SHA256
4ca3dcee578a039eec313dd44614d2ef7f25d709bed43d6a7084df153082b176

SHA512
127e6f2a337335818cd9f76364844aa43ab904dd694461b92528d63f35da3ec561ecd47b3c44268545360b7186530c41ee453505c737afeab87b5b234dab2dad

Download Submit
\Users\Admin\feuwo.exe

Filesize
224KB

MD5
17243c05aab99beddc6a512fd7032bcf

SHA1
f39d7b16bb9fdd80bb8c02b493051801efdb961a

SHA256
f3ef559a1827410d3c58f8e0e1722d64d68a8d2facff0ad93a5ab451e15ac6f6

SHA512
dce74140c535e364f9e0f7b56cf039c99695c2835b21e2ca8ad97119d45e300fea985e13b1b0ea5f3df6460bd3ad8cad8662f5f70690a3ecbf3db44ecd0c28ee

Download Submit
\Users\Admin\gofik.exe

Filesize
224KB

MD5
34260caa633047f66dfd81501751d87a

SHA1
7edf542980643cc02d1bc8f2105e8b7c1a836f0f

SHA256
3e833257cdd36792176115fe4da5e9e791b38a84edc0bb8a79bc51256a4d9e6a

SHA512
a26205548a1d8342bf95779ccaec71ecf0347f23155746acb3b6b2cd9e5c7daf364fd6d98bbac1083166fb1d146cc585f878f0b03727667a9fcfc99817658f6a

Download Submit
\Users\Admin\joezac.exe

Filesize
224KB

MD5
113ed6635cc1ecd4addb966a89026989

SHA1
0d2cd96247ed9c7967059c5818736ffa6565d7ef

SHA256
07b9c12c628a6de0b048de6afad0ab791e9f731c1c27add59cd75d7f763f7d76

SHA512
1b85d470693e6eb3905eafacb0d2dc26d99d92330144e67868fdd7e735238c3567e673b83bc4442e83d215dbf1f66f63771b75dbb836bbf496c5d7abef53e1be

Download Submit
\Users\Admin\koeraa.exe

Filesize
224KB

MD5
91d9d922e1dfe421e356878cd9a0d663

SHA1
5c4f023120d4b2839e888fb81f888b3b1079dc9c

SHA256
90be6630448f7e045eef26cc367b0f7586f8770b52413b803982827283034cf8

SHA512
9f4d7763360b54891f0ba2484f3bec28eae462b4c63deed342cee2c657b6a8423a8419205b0e34626e4840c5c055357c1e5848763d7664848d9926afe34ff8b7

Download Submit
\Users\Admin\loiiv.exe

Filesize
224KB

MD5
9dc5e57fff2bfb9268993a8ac8c45385

SHA1
ff3c95a0412599c8367d83588c0a9d4031b3dc7d

SHA256
b7c352d26fc81e4047ccc07d1f3f563fd6b76dff606a9754f5b98b471743fcb9

SHA512
b63d3242725e316b16681705f2f55e1dbff49036628914d46f340e60ee2988930738d4ad8a38c7e182ece7e4dc83bca21d02faaf86a7f98a1ce41dabf63a008e

Download Submit
\Users\Admin\luiqaa.exe

Filesize
224KB

MD5
343f823a3f45bbca3bf667ba45a0c03d

SHA1
93306189a28f6ca48947150f6cd3cc39f0f38da2

SHA256
706d6b054ffef229309401fe06f723aa8289d7c1742ece11ba8d4ec543d6af7d

SHA512
36830ffd9d68d1f7869c20cf62c95663a0f5854df71c63b5cad580231d2d265d67ca290f37f149aa02645a29a5e3df815c619dd2ec5c919f77d70426c031ad21

Download Submit
\Users\Admin\qoigeew.exe

Filesize
224KB

MD5
7e9d4ccc1440e3099dfc74d15bb760c5

SHA1
50ade14a3fa3374c3c9b00c72ad8ebe768c9e8d6

SHA256
857129cab631dff5b58a72ac994d78095ae8d382323c8e7b6ee3530205ecc1fa

SHA512
89eeb4de71526c5f030b55d002b630ae249625587ac3ce4bb28cd9dc3ebd18fd88caa9caf9534625de3357889c68f4933fd3e3ae1f418350214d08a2979cd01a

Download Submit
\Users\Admin\toivee.exe

Filesize
224KB

MD5
ef4aa66850a467b472259e9655ace4d6

SHA1
f09c69f2492e6e95d76b24d6647fc0de8449e7d0

SHA256
32659f39375ed83d821fb5fc5c429ad6932e50f92e4d7521f686ee1c5c4dd1c6

SHA512
a5921aeb92db7cae4cde31b8ceb7a8d1aa4efe323d3a8a25b21f4b91065f8d9f2b6eb253534a3ed11d866d83da4252dffaa2b50a6c01d2bd75e6dd2173b3cb8a

Download Submit
\Users\Admin\vaooki.exe

Filesize
224KB

MD5
5ecb78d96736983e36c55f7c3142623e

SHA1
80c0ed5e1c448db74dd2d4762fe4bf97523f1ccc

SHA256
3d25279ab9ee040573e0ab3f9f64747314d29739c891e320ac68b7d143e21474

SHA512
7c29082e0ef46bed029945fac91959cf6c98e60cd72815a616912c01f0a0e6901e33a5a3294a029c0aaa29737a24fdf7b27c30c5fb853c1b7ff855a10f48599e

Download Submit
\Users\Admin\wxhov.exe

Filesize
224KB

MD5
d11dcf4504b93864bd28c26ed5512dc9

SHA1
f0b88c886ff5aa8bf23f245b8ced0f700955817c

SHA256
9288260ed979ddf67c8fdce20a5c2f085f31961a6625d0626f473ced299b8f3f

SHA512
7c32ae173372e6a2956b087775e8d1813d2e6349f4fc5e01b138c9f5912d7dccdbad53ac4dbefc63dfd2e221b9f4b1087107a27af8a43104501def79bedad178

Download Submit
\Users\Admin\xlfiy.exe

Filesize
224KB

MD5
87eef5c366c12ebbfce3b4d7d3b83735

SHA1
be9d0bc4138b13c0f107cac2223a9aeb8416e9ad

SHA256
01c1d23dc624caed6eb4753bfd2591a14b75574c0ad2c401c601d37b0d1efac6

SHA512
915a8a4c1d25bf1376bee80a387559600bcd0387737e59b1fbc3d55b0eaa920d1788971fe0088b57007f7ef6c1dd799ea3d8af4d9c5a57bc8ecfee00d08ac0e9

Download Submit
\Users\Admin\ydnoj.exe

Filesize
224KB

MD5
91de53ea570f9b23bce8ab97ec8ca8bd

SHA1
2e27752874cb5ce0cb4589370eefe49c603b2313

SHA256
919d1c993d60d2e8e6fdd9b7ff9eeedc60898a9e61b3aab3074e5f404e9a4c84

SHA512
64faba61f28f985e837539e595f3ac91f72408f797ab88c02148ad902cceb6f74eb8afdff4d89cf9a7f8bcabc50909dfc28172cce4c83e571175950ea1420c38

Download Submit
\Users\Admin\zienuu.exe

Filesize
224KB

MD5
78ced412d2cacc93e31fdf1ce2093a1a

SHA1
8a77beb006dc7b617d71f6c917ec4895fd1cbf25

SHA256
7bd8995d5b5626c259ca18d28a21cfe06fad6165450cbf1da2d760ee17cf7f87

SHA512
babdf3af8fed226788a90aea20e10be48204e8b5048978db98355e248d720c60e7ec3cbaa0770a71bd62e41613e409bb9ff07063aba2591f6cf60c20fb563c4b

Download Submit
memory/320-224-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/604-168-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/604-167-0x0000000003A50000-0x0000000003A8A000-memory.dmp

Filesize
232KB

Download
memory/604-150-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/604-166-0x0000000003A50000-0x0000000003A8A000-memory.dmp

Filesize
232KB

Download
memory/1128-151-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1128-135-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1356-329-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1356-341-0x00000000037C0000-0x00000000037FA000-memory.dmp

Filesize
232KB

Download
memory/1356-337-0x00000000037C0000-0x00000000037FA000-memory.dmp

Filesize
232KB

Download
memory/1700-328-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1700-318-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1708-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1708-14-0x0000000003910000-0x000000000394A000-memory.dmp

Filesize
232KB

Download
memory/1708-17-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1708-9-0x0000000003910000-0x000000000394A000-memory.dmp

Filesize
232KB

Download
memory/1724-247-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1724-244-0x0000000003A20000-0x0000000003A5A000-memory.dmp

Filesize
232KB

Download
memory/1796-103-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1796-99-0x0000000003760000-0x000000000379A000-memory.dmp

Filesize
232KB

Download
memory/1796-85-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1804-209-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1804-203-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1812-120-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1812-134-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2028-68-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2028-84-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2040-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2040-31-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2100-246-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2100-264-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2100-261-0x00000000038C0000-0x00000000038FA000-memory.dmp

Filesize
232KB

Download
memory/2236-170-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2236-188-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2236-185-0x00000000037F0000-0x000000000382A000-memory.dmp

Filesize
232KB

Download
memory/2236-184-0x00000000037F0000-0x000000000382A000-memory.dmp

Filesize
232KB

Download
memory/2260-204-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2260-201-0x0000000003260000-0x000000000329A000-memory.dmp

Filesize
232KB

Download
memory/2260-187-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2572-70-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2572-67-0x00000000038C0000-0x00000000038FA000-memory.dmp

Filesize
232KB

Download
memory/2572-60-0x00000000038C0000-0x00000000038FA000-memory.dmp

Filesize
232KB

Download
memory/2572-49-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2616-277-0x0000000003660000-0x000000000369A000-memory.dmp

Filesize
232KB

Download
memory/2616-278-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2616-263-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2632-291-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2632-289-0x00000000037A0000-0x00000000037DA000-memory.dmp

Filesize
232KB

Download
memory/2632-279-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2792-101-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2792-118-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2792-112-0x00000000038F0000-0x000000000392A000-memory.dmp

Filesize
232KB

Download
memory/2880-50-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2880-51-0x0000000002DF0000-0x0000000002E2A000-memory.dmp

Filesize
232KB

Download
memory/2880-33-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2880-47-0x0000000002DF0000-0x0000000002E2A000-memory.dmp

Filesize
232KB

Download
memory/3016-304-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3016-312-0x0000000003830000-0x000000000386A000-memory.dmp

Filesize
232KB

Download
memory/3016-316-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3020-303-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3020-292-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3044-223-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3044-230-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3044-231-0x00000000038F0000-0x000000000392A000-memory.dmp

Filesize
232KB

Download