02ce719dad60e9bbcdf5ecaf0366731930452fa57ccadbef94b7b766990eb0df

Analysis

max time kernel
120s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07/08/2024, 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

891b4a04a78e9395b1286fb0a6bbafa0N.exe
Size

224KB
MD5

891b4a04a78e9395b1286fb0a6bbafa0
SHA1

ace84de526b8f1cc9e44eeae5d9de922969a3596
SHA256

02ce719dad60e9bbcdf5ecaf0366731930452fa57ccadbef94b7b766990eb0df
SHA512

4967d4d3b80573f72795ad706673c64f098d0f9b41ba731b3ed169f0ec90a9fd983178a0d0c169766678bd9c2b8e5a3d518a67a3e300d648c914eefaa2b2be9b
SSDEEP

3072:Gg2KWA8bNsPgS+PhCjG8G3GbGVGBGfGuGxGWYcrf6Kad0:Gg3WR64SoAYcD6Kad

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 37 IoCs

pid	Process
848	zpfer.exe
2852	weoxii.exe
2656	lwviem.exe
1868	yutor.exe
2220	wuabe.exe
1252	waooki.exe
1788	kiedu.exe
2200	xlfey.exe
2464	ftjom.exe
1804	xiuus.exe
1244	xaooq.exe
1312	yutof.exe
1600	hqjir.exe
2820	veowii.exe
3004	woakun.exe
2740	yiabo.exe
2336	roikeax.exe
976	xiaatur.exe
1072	swjid.exe
1592	mauuje.exe
1016	guatoo.exe
2468	foimee.exe
2204	roikaax.exe
752	jixed.exe
268	vuogaaz.exe
2276	veaco.exe
1604	noamee.exe
1688	zdjiey.exe
2508	ziabu.exe
2800	zuoopi.exe
1996	xbvuir.exe
1808	hxvief.exe
2948	yiuloo.exe
2328	mauufe.exe
1744	zuanos.exe
1092	baeuxo.exe
2272	vfpot.exe

Loads dropped DLL 64 IoCs

pid	Process
2552	891b4a04a78e9395b1286fb0a6bbafa0N.exe
2552	891b4a04a78e9395b1286fb0a6bbafa0N.exe
848	zpfer.exe
848	zpfer.exe
2852	weoxii.exe
2852	weoxii.exe
2656	lwviem.exe
2656	lwviem.exe
1868	yutor.exe
1868	yutor.exe
2220	wuabe.exe
2220	wuabe.exe
1252	waooki.exe
1252	waooki.exe
1788	kiedu.exe
1788	kiedu.exe
2200	xlfey.exe
2200	xlfey.exe
2464	ftjom.exe
2464	ftjom.exe
1804	xiuus.exe
1804	xiuus.exe
1244	xaooq.exe
1244	xaooq.exe
1312	yutof.exe
1312	yutof.exe
1600	hqjir.exe
1600	hqjir.exe
2820	veowii.exe
2820	veowii.exe
3004	woakun.exe
3004	woakun.exe
2740	yiabo.exe
2740	yiabo.exe
2336	roikeax.exe
2336	roikeax.exe
976	xiaatur.exe
976	xiaatur.exe
1072	swjid.exe
1072	swjid.exe
1592	mauuje.exe
1592	mauuje.exe
1016	guatoo.exe
1016	guatoo.exe
2468	foimee.exe
2468	foimee.exe
2204	roikaax.exe
2204	roikaax.exe
752	jixed.exe
752	jixed.exe
268	vuogaaz.exe
268	vuogaaz.exe
2276	veaco.exe
2276	veaco.exe
1604	noamee.exe
1604	noamee.exe
1688	zdjiey.exe
1688	zdjiey.exe
2508	ziabu.exe
2508	ziabu.exe
2800	zuoopi.exe
2800	zuoopi.exe
1996	xbvuir.exe
1996	xbvuir.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xiuus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	roikeax.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	noamee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zuoopi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hxvief.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mauufe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	baeuxo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	woakun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ziabu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	891b4a04a78e9395b1286fb0a6bbafa0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yiabo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	guatoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	weoxii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lwviem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	waooki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xaooq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yutof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mauuje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	roikaax.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zuanos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kiedu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	swjid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	foimee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jixed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	veaco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbvuir.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zpfer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vuogaaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vfpot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xiaatur.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yiuloo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yutor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xlfey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ftjom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hqjir.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	veowii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zdjiey.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2552	891b4a04a78e9395b1286fb0a6bbafa0N.exe
848	zpfer.exe
2852	weoxii.exe
2656	lwviem.exe
1868	yutor.exe
2220	wuabe.exe
1252	waooki.exe
1788	kiedu.exe
2200	xlfey.exe
2464	ftjom.exe
1804	xiuus.exe
1244	xaooq.exe
1312	yutof.exe
1600	hqjir.exe
2820	veowii.exe
3004	woakun.exe
2740	yiabo.exe
2336	roikeax.exe
976	xiaatur.exe
1072	swjid.exe
1592	mauuje.exe
1016	guatoo.exe
2468	foimee.exe
2204	roikaax.exe
752	jixed.exe
268	vuogaaz.exe
2276	veaco.exe
1604	noamee.exe
1688	zdjiey.exe
2508	ziabu.exe
2800	zuoopi.exe
1996	xbvuir.exe
1808	hxvief.exe
2948	yiuloo.exe
2328	mauufe.exe
1744	zuanos.exe
1092	baeuxo.exe
2272	vfpot.exe

Suspicious use of SetWindowsHookEx 38 IoCs

pid	Process
2552	891b4a04a78e9395b1286fb0a6bbafa0N.exe
848	zpfer.exe
2852	weoxii.exe
2656	lwviem.exe
1868	yutor.exe
2220	wuabe.exe
1252	waooki.exe
1788	kiedu.exe
2200	xlfey.exe
2464	ftjom.exe
1804	xiuus.exe
1244	xaooq.exe
1312	yutof.exe
1600	hqjir.exe
2820	veowii.exe
3004	woakun.exe
2740	yiabo.exe
2336	roikeax.exe
976	xiaatur.exe
1072	swjid.exe
1592	mauuje.exe
1016	guatoo.exe
2468	foimee.exe
2204	roikaax.exe
752	jixed.exe
268	vuogaaz.exe
2276	veaco.exe
1604	noamee.exe
1688	zdjiey.exe
2508	ziabu.exe
2800	zuoopi.exe
1996	xbvuir.exe
1808	hxvief.exe
2948	yiuloo.exe
2328	mauufe.exe
1744	zuanos.exe
1092	baeuxo.exe
2272	vfpot.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 848	2552	891b4a04a78e9395b1286fb0a6bbafa0N.exe	29
PID 2552 wrote to memory of 848	2552	891b4a04a78e9395b1286fb0a6bbafa0N.exe	29
PID 2552 wrote to memory of 848	2552	891b4a04a78e9395b1286fb0a6bbafa0N.exe	29
PID 2552 wrote to memory of 848	2552	891b4a04a78e9395b1286fb0a6bbafa0N.exe	29
PID 848 wrote to memory of 2852	848	zpfer.exe	30
PID 848 wrote to memory of 2852	848	zpfer.exe	30
PID 848 wrote to memory of 2852	848	zpfer.exe	30
PID 848 wrote to memory of 2852	848	zpfer.exe	30
PID 2852 wrote to memory of 2656	2852	weoxii.exe	31
PID 2852 wrote to memory of 2656	2852	weoxii.exe	31
PID 2852 wrote to memory of 2656	2852	weoxii.exe	31
PID 2852 wrote to memory of 2656	2852	weoxii.exe	31
PID 2656 wrote to memory of 1868	2656	lwviem.exe	32
PID 2656 wrote to memory of 1868	2656	lwviem.exe	32
PID 2656 wrote to memory of 1868	2656	lwviem.exe	32
PID 2656 wrote to memory of 1868	2656	lwviem.exe	32
PID 1868 wrote to memory of 2220	1868	yutor.exe	33
PID 1868 wrote to memory of 2220	1868	yutor.exe	33
PID 1868 wrote to memory of 2220	1868	yutor.exe	33
PID 1868 wrote to memory of 2220	1868	yutor.exe	33
PID 2220 wrote to memory of 1252	2220	wuabe.exe	34
PID 2220 wrote to memory of 1252	2220	wuabe.exe	34
PID 2220 wrote to memory of 1252	2220	wuabe.exe	34
PID 2220 wrote to memory of 1252	2220	wuabe.exe	34
PID 1252 wrote to memory of 1788	1252	waooki.exe	35
PID 1252 wrote to memory of 1788	1252	waooki.exe	35
PID 1252 wrote to memory of 1788	1252	waooki.exe	35
PID 1252 wrote to memory of 1788	1252	waooki.exe	35
PID 1788 wrote to memory of 2200	1788	kiedu.exe	36
PID 1788 wrote to memory of 2200	1788	kiedu.exe	36
PID 1788 wrote to memory of 2200	1788	kiedu.exe	36
PID 1788 wrote to memory of 2200	1788	kiedu.exe	36
PID 2200 wrote to memory of 2464	2200	xlfey.exe	37
PID 2200 wrote to memory of 2464	2200	xlfey.exe	37
PID 2200 wrote to memory of 2464	2200	xlfey.exe	37
PID 2200 wrote to memory of 2464	2200	xlfey.exe	37
PID 2464 wrote to memory of 1804	2464	ftjom.exe	38
PID 2464 wrote to memory of 1804	2464	ftjom.exe	38
PID 2464 wrote to memory of 1804	2464	ftjom.exe	38
PID 2464 wrote to memory of 1804	2464	ftjom.exe	38
PID 1804 wrote to memory of 1244	1804	xiuus.exe	39
PID 1804 wrote to memory of 1244	1804	xiuus.exe	39
PID 1804 wrote to memory of 1244	1804	xiuus.exe	39
PID 1804 wrote to memory of 1244	1804	xiuus.exe	39
PID 1244 wrote to memory of 1312	1244	xaooq.exe	40
PID 1244 wrote to memory of 1312	1244	xaooq.exe	40
PID 1244 wrote to memory of 1312	1244	xaooq.exe	40
PID 1244 wrote to memory of 1312	1244	xaooq.exe	40
PID 1312 wrote to memory of 1600	1312	yutof.exe	41
PID 1312 wrote to memory of 1600	1312	yutof.exe	41
PID 1312 wrote to memory of 1600	1312	yutof.exe	41
PID 1312 wrote to memory of 1600	1312	yutof.exe	41
PID 1600 wrote to memory of 2820	1600	hqjir.exe	42
PID 1600 wrote to memory of 2820	1600	hqjir.exe	42
PID 1600 wrote to memory of 2820	1600	hqjir.exe	42
PID 1600 wrote to memory of 2820	1600	hqjir.exe	42
PID 2820 wrote to memory of 3004	2820	veowii.exe	43
PID 2820 wrote to memory of 3004	2820	veowii.exe	43
PID 2820 wrote to memory of 3004	2820	veowii.exe	43
PID 2820 wrote to memory of 3004	2820	veowii.exe	43
PID 3004 wrote to memory of 2740	3004	woakun.exe	44
PID 3004 wrote to memory of 2740	3004	woakun.exe	44
PID 3004 wrote to memory of 2740	3004	woakun.exe	44
PID 3004 wrote to memory of 2740	3004	woakun.exe	44

C:\Users\Admin\AppData\Local\Temp\891b4a04a78e9395b1286fb0a6bbafa0N.exe
"C:\Users\Admin\AppData\Local\Temp\891b4a04a78e9395b1286fb0a6bbafa0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Users\Admin\zpfer.exe
  "C:\Users\Admin\zpfer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Users\Admin\weoxii.exe
    "C:\Users\Admin\weoxii.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Users\Admin\lwviem.exe
      "C:\Users\Admin\lwviem.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Users\Admin\yutor.exe
        
        "C:\Users\Admin\yutor.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1868
      - C:\Users\Admin\wuabe.exe
        
        "C:\Users\Admin\wuabe.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Users\Admin\waooki.exe
        
        "C:\Users\Admin\waooki.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Users\Admin\kiedu.exe
        
        "C:\Users\Admin\kiedu.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Users\Admin\xlfey.exe
        
        "C:\Users\Admin\xlfey.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Users\Admin\ftjom.exe
        
        "C:\Users\Admin\ftjom.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Users\Admin\xiuus.exe
        
        "C:\Users\Admin\xiuus.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Users\Admin\xaooq.exe
        
        "C:\Users\Admin\xaooq.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Users\Admin\yutof.exe
        
        "C:\Users\Admin\yutof.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Users\Admin\hqjir.exe
        
        "C:\Users\Admin\hqjir.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Users\Admin\veowii.exe
        
        "C:\Users\Admin\veowii.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Users\Admin\woakun.exe
        
        "C:\Users\Admin\woakun.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Users\Admin\yiabo.exe
        
        "C:\Users\Admin\yiabo.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2740
        
        C:\Users\Admin\roikeax.exe
        
        "C:\Users\Admin\roikeax.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2336
        
        C:\Users\Admin\xiaatur.exe
        
        "C:\Users\Admin\xiaatur.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:976
        
        C:\Users\Admin\swjid.exe
        
        "C:\Users\Admin\swjid.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1072
        
        C:\Users\Admin\mauuje.exe
        
        "C:\Users\Admin\mauuje.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1592
        
        C:\Users\Admin\guatoo.exe
        
        "C:\Users\Admin\guatoo.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1016
        
        C:\Users\Admin\foimee.exe
        
        "C:\Users\Admin\foimee.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2468
        
        C:\Users\Admin\roikaax.exe
        
        "C:\Users\Admin\roikaax.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2204
        
        C:\Users\Admin\jixed.exe
        
        "C:\Users\Admin\jixed.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:752
        
        C:\Users\Admin\vuogaaz.exe
        
        "C:\Users\Admin\vuogaaz.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:268
        
        C:\Users\Admin\veaco.exe
        
        "C:\Users\Admin\veaco.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2276
        
        C:\Users\Admin\noamee.exe
        
        "C:\Users\Admin\noamee.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1604
        
        C:\Users\Admin\zdjiey.exe
        
        "C:\Users\Admin\zdjiey.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1688
        
        C:\Users\Admin\ziabu.exe
        
        "C:\Users\Admin\ziabu.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2508
        
        C:\Users\Admin\zuoopi.exe
        
        "C:\Users\Admin\zuoopi.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2800
        
        C:\Users\Admin\xbvuir.exe
        
        "C:\Users\Admin\xbvuir.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1996
        
        C:\Users\Admin\hxvief.exe
        
        "C:\Users\Admin\hxvief.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1808
        
        C:\Users\Admin\yiuloo.exe
        
        "C:\Users\Admin\yiuloo.exe"
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2948
        
        C:\Users\Admin\mauufe.exe
        
        "C:\Users\Admin\mauufe.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2328
        
        C:\Users\Admin\zuanos.exe
        
        "C:\Users\Admin\zuanos.exe"
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1744
        
        C:\Users\Admin\baeuxo.exe
        
        "C:\Users\Admin\baeuxo.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1092
        
        C:\Users\Admin\vfpot.exe
        
        "C:\Users\Admin\vfpot.exe"
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2272
        
        C:\Users\Admin\syhij.exe
        
        "C:\Users\Admin\syhij.exe"
        39⤵
        
        PID:604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\ftjom.exe

Filesize
224KB

MD5
b9b0a3786370ea37eac02432c5210296

SHA1
e33eca4a49c2abb4aef983179b24b6ca93887f04

SHA256
e03b5f1ba6c4e775494d48e50b15c6edf31296e247e73a6ecb79e604b79fe6db

SHA512
a3ce8f992f750452f081d5048a7adc7199cedc1029e467b2573df260e27b3b5731aecefb1ca40dedc60b9c030bbafbffd41b682ad7fbcad1d674ec1bacfeb1e1

Download Submit
\Users\Admin\hqjir.exe

Filesize
224KB

MD5
370cd0d5c3636ace5ff82b8ddeb36282

SHA1
ef4c154e3d8af0698ee17543e7278d9df29720e7

SHA256
34a45a8850e20769777993bb86dd7dad76344bcf1dd6cd2ebdf856c838df632c

SHA512
32ca36fde63a42ccd0d76e55bdeaaf5326d9c15027720931997b97726761216b5f1455d8082d5b4b41e29e313704e781ca8166605904837f14890545e1bd7761

Download Submit
\Users\Admin\kiedu.exe

Filesize
224KB

MD5
eaf647903e09b7ff1973653870e72f74

SHA1
e4d1faeaa753882e033b86fe70644b09ccd7bff1

SHA256
35e2b072f851a3f5c51dd985734ae8b2c83e7745025d0f39744a5ca13c66b824

SHA512
3970866cdfda4c0324c5f8f88e5291ba57dc47202d5897ce7eeb5ffef53df63ea40a14495206200a63ebe04399c682e53f2b76661ad4edd7abbae968a9d16b47

Download Submit
\Users\Admin\lwviem.exe

Filesize
224KB

MD5
6e014f5dffe5a0bdf6ab5f7ee79484ea

SHA1
0c98191ee11aa4e5a131b2dcacf98f2cf4e3b781

SHA256
d332cb8b02ebca49384988726e85cf09658d3400f2b59dc0c9cbc853eda6bd39

SHA512
67d206443cc68ef280c18ce68556f8c52d209f0f44571faeb7e59d1967b4ccf79aece8724afb51e68dd8cadeb50f0521c7cf579d1f0c54296cb4f1728ad1db80

Download Submit
\Users\Admin\veowii.exe

Filesize
224KB

MD5
e37dc7303881be64195304aecb02ce0c

SHA1
5350ee7d840706de5c9b140c555130bc2ae55df8

SHA256
25d3a596fdc0124291e3101379dc6554ee4a27d41a93a1161280980b1d4cd2c5

SHA512
920287edfa364bd6ec72b9cf3abd10e014338ddd5fd6a8c4e80411e04243263f4922a6e61548c7a4a0d2a0b754a99ab1d997af75556638fb75025fdb7beebf25

Download Submit
\Users\Admin\waooki.exe

Filesize
224KB

MD5
a27cf8a7c36cf7690d52dd47baa47822

SHA1
6505313571501806539b161b9ba8711c12e3f8b7

SHA256
ab2b786010bb34c0a9ac83ce903e91be934a08840002328e8e526522acf98124

SHA512
aee17adda42d4636e1c069e97f14912df7ad7e167148f296e90b5e22558ef077a31b365174c2b595313bb39b450289f1b9b0475c1714882e583bee1ffb125664

Download Submit
\Users\Admin\weoxii.exe

Filesize
224KB

MD5
d57bc6fb9317577480a97657f23f8015

SHA1
708b732fc52b4ff68b421b38e799dacf31c005c0

SHA256
945cb31ead9739aa75643d7b11e23edd6a22eea7d4add15b5b747c989bf90c22

SHA512
3906b23b05227130697b40864272e08fb5dc94716b0f42d939c1e4381a5ee2e262784205e12e067910219cf0ae06c57e441abfe01e8000578f4d79db9bcbcae7

Download Submit
\Users\Admin\woakun.exe

Filesize
224KB

MD5
41456d4989122cfe4eee2eb7cef55fbd

SHA1
230c1a19c68b98fbfa353b6634c899a65fa8631e

SHA256
a02d23a84f35cdfd0a056197340102c091dc668a9b7dd245627b7fdf2972daa0

SHA512
7cd357b6c406d5e3cf31064a0e9287391c9801e632da80642aa88810dd2afaa020a845a5ac22dd5317c142218069e5003011fb37e003985a7ff1aae3953dbcd8

Download Submit
\Users\Admin\wuabe.exe

Filesize
224KB

MD5
5adb5c2aa905d1b9266820f6d8165de8

SHA1
49a937fdc97f628fc5dfd50d15f33ae4d3613b87

SHA256
3d698f7fb8d5bfcbe91906df4f31640382148a0a68f606ebff54a990b20012d3

SHA512
a2dce91ff9a1eeba0be69da8c85a27daa7fb2bfe1a20480200542da5449fd01ddff542169f1fbf1376b27e6e89b626a149b460745ed29b92d470666deeef557c

Download Submit
\Users\Admin\xaooq.exe

Filesize
224KB

MD5
390562ab50da2760253fb76e00f328f9

SHA1
cd68d37039caca0145c101bab1d7a471504e5d06

SHA256
8bd0b880e008ef044e332a28c8c62f831d0dfd1eb983ced853b7bbeeca743bb1

SHA512
5daf70580e0bf6d09c6e3fc178f2c42dac0c225bd64cb6e309f745fb915891f6d697f31838361830dc952d9ed8f88b107398f50bbf4dd455dbc057c5b3e9de28

Download Submit
\Users\Admin\xiuus.exe

Filesize
224KB

MD5
08b974f3510dd9243b4f524a5f6a1536

SHA1
499ba7d6154fa9a7922666d93f103dc1abcecc69

SHA256
2226030cc6db435a22cffef5cd7b312ac0f802a81034a4df93a2196be14c252c

SHA512
34ebf0085375347779d9446326f7890e2e770824143beabf389b834eba677054f2ad7c86d64bc41b6054818ee17953ce8635df0790aca80a67d4386b08620562

Download Submit
\Users\Admin\xlfey.exe

Filesize
224KB

MD5
3a6f4c43da120ed2274cf67594b2988c

SHA1
cc1169a917be86be5da12699519e09242b52eeaa

SHA256
156514c7044b107006de2bced9e04ab883d4456da58dc4ef45676333dd17c9e3

SHA512
480caab4e3971b62f5fa7ca6ba297bdbaf006d82ad9ee8db00b326f0a39a50f91a08e4bd559cd286b902ec35420cd59e7fc88c2ea903903a1e5d70d76a10c80b

Download Submit
\Users\Admin\yiabo.exe

Filesize
224KB

MD5
bf7390f2f7c296e8e8362c615de23875

SHA1
f9536433600fe4a111afaecc3b57c8d857b1eb37

SHA256
a7b2f09e7d6c86261aa1d7760d0cba78a0345f3a4093985d3ad95c6362604011

SHA512
385cfc3e383eb759212e2e2157be8da2de84695043587946d55a20c375d3e97367058726fc2cb2dec03ef919b7c0c9ca9c6eaf2f33f47c8a26f0926dacc1c8dd

Download Submit
\Users\Admin\yutof.exe

Filesize
224KB

MD5
32df498f74f8a82a7ad7cd394fcf6ae4

SHA1
8693794a0f561e67e7441872c0eeeea70af33ea5

SHA256
d44e6ee0ba31eb33005e14965d63ec79b3bcd7aa5f2d460491506bf73c5ba1c0

SHA512
d24c5b10e27da15445f562ce21f155deee324748cfe61c79d780bd48be6f50db06f9d4623de5185e44f25a696ea80bebebd0db3c5eb0eba6c2b97de395cd3e00

Download Submit
\Users\Admin\yutor.exe

Filesize
224KB

MD5
5509a0d3322467bddec35c46d2696ae3

SHA1
01a489044b773d784dc25949dfebf26a1c2e3a01

SHA256
bf8b12f83f993c63e19b3ea4dfb810920771b43e392154020ab7c477b4e3b3d8

SHA512
02fac7c939bdb6970efd8d1723162cc5917bb3f352424d264fd0fe5f9def165c21f745903d25b56b4c495723397602332b730b12776fe37b98642d828340c1ae

Download Submit
\Users\Admin\zpfer.exe

Filesize
224KB

MD5
d3c28a1397a8ca03638acd4be71ed259

SHA1
eb0f57cfcc9e76105bed2bc6ab29bc4e907d67f5

SHA256
153d2c59198a9ad0e3237976d1e5487d4f236db0006addb6e3bcfdf2d7361149

SHA512
ff5a54505ca4c874ef3d0fbc6b581cbcc40060c049c5e4a10d185e9f4e00f26aec1db29abf95ff1f01cc861215c918d1ddf89fde659b385f099eee8161561898

Download Submit
memory/268-395-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/268-407-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/752-394-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/752-381-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/752-390-0x0000000003540000-0x000000000357A000-memory.dmp

Filesize
232KB

Download
memory/848-35-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/848-33-0x0000000003470000-0x00000000034AA000-memory.dmp

Filesize
232KB

Download
memory/848-27-0x0000000003470000-0x00000000034AA000-memory.dmp

Filesize
232KB

Download
memory/848-17-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/976-316-0x0000000003540000-0x000000000357A000-memory.dmp

Filesize
232KB

Download
memory/976-304-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/976-317-0x0000000003540000-0x000000000357A000-memory.dmp

Filesize
232KB

Download
memory/976-319-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1016-357-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1016-356-0x0000000003570000-0x00000000035AA000-memory.dmp

Filesize
232KB

Download
memory/1016-355-0x0000000003570000-0x00000000035AA000-memory.dmp

Filesize
232KB

Download
memory/1072-318-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1072-330-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1244-208-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1244-206-0x0000000003410000-0x000000000344A000-memory.dmp

Filesize
232KB

Download
memory/1244-191-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1252-123-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1252-119-0x00000000031B0000-0x00000000031EA000-memory.dmp

Filesize
232KB

Download
memory/1252-113-0x00000000031B0000-0x00000000031EA000-memory.dmp

Filesize
232KB

Download
memory/1252-102-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1312-223-0x0000000003530000-0x000000000356A000-memory.dmp

Filesize
232KB

Download
memory/1312-227-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1312-209-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1592-342-0x0000000003530000-0x000000000356A000-memory.dmp

Filesize
232KB

Download
memory/1592-332-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1592-346-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1592-343-0x0000000003530000-0x000000000356A000-memory.dmp

Filesize
232KB

Download
memory/1600-240-0x0000000003280000-0x00000000032BA000-memory.dmp

Filesize
232KB

Download
memory/1600-241-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1600-225-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1604-436-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1604-421-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1604-432-0x00000000031B0000-0x00000000031EA000-memory.dmp

Filesize
232KB

Download
memory/1688-445-0x0000000003250000-0x000000000328A000-memory.dmp

Filesize
232KB

Download
memory/1688-446-0x0000000003250000-0x000000000328A000-memory.dmp

Filesize
232KB

Download
memory/1688-447-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1688-433-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1788-136-0x0000000003380000-0x00000000033BA000-memory.dmp

Filesize
232KB

Download
memory/1788-135-0x0000000003380000-0x00000000033BA000-memory.dmp

Filesize
232KB

Download
memory/1788-120-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1788-139-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1804-188-0x0000000003350000-0x000000000338A000-memory.dmp

Filesize
232KB

Download
memory/1804-174-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1804-192-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1868-86-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1868-78-0x0000000003560000-0x000000000359A000-memory.dmp

Filesize
232KB

Download
memory/1868-67-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2200-138-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2200-156-0x0000000003430000-0x000000000346A000-memory.dmp

Filesize
232KB

Download
memory/2200-155-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2200-149-0x0000000003430000-0x000000000346A000-memory.dmp

Filesize
232KB

Download
memory/2204-382-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2204-371-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2220-99-0x0000000003460000-0x000000000349A000-memory.dmp

Filesize
232KB

Download
memory/2220-103-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2220-100-0x0000000003460000-0x000000000349A000-memory.dmp

Filesize
232KB

Download
memory/2220-84-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2276-406-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2276-415-0x0000000003570000-0x00000000035AA000-memory.dmp

Filesize
232KB

Download
memory/2276-420-0x0000000003570000-0x00000000035AA000-memory.dmp

Filesize
232KB

Download
memory/2276-419-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2336-303-0x00000000035A0000-0x00000000035DA000-memory.dmp

Filesize
232KB

Download
memory/2336-290-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2336-305-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2336-299-0x00000000035A0000-0x00000000035DA000-memory.dmp

Filesize
232KB

Download
memory/2464-157-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2464-172-0x0000000003340000-0x000000000337A000-memory.dmp

Filesize
232KB

Download
memory/2464-175-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2464-171-0x0000000003340000-0x000000000337A000-memory.dmp

Filesize
232KB

Download
memory/2468-366-0x0000000003530000-0x000000000356A000-memory.dmp

Filesize
232KB

Download
memory/2468-358-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2508-458-0x00000000036D0000-0x000000000370A000-memory.dmp

Filesize
232KB

Download
memory/2552-13-0x00000000033F0000-0x000000000342A000-memory.dmp

Filesize
232KB

Download
memory/2552-14-0x00000000033F0000-0x000000000342A000-memory.dmp

Filesize
232KB

Download
memory/2552-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2552-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2656-66-0x00000000032C0000-0x00000000032FA000-memory.dmp

Filesize
232KB

Download
memory/2656-70-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2656-51-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2740-277-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2740-293-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2740-286-0x0000000003530000-0x000000000356A000-memory.dmp

Filesize
232KB

Download
memory/2800-459-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2820-252-0x0000000003530000-0x000000000356A000-memory.dmp

Filesize
232KB

Download
memory/2820-243-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2820-259-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2852-50-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2852-44-0x0000000003230000-0x000000000326A000-memory.dmp

Filesize
232KB

Download
memory/3004-275-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3004-274-0x00000000031C0000-0x00000000031FA000-memory.dmp

Filesize
232KB

Download
memory/3004-273-0x00000000031C0000-0x00000000031FA000-memory.dmp

Filesize
232KB

Download