e317c9e3a0f5d1cda43d413e41bd587dbd4dbfd250b834da6c06d198a081fd64

Analysis

max time kernel
238s
max time network
252s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e317c9e3a0f5d1cda43d413e41bd587dbd4dbfd250b834da6c06d198a081fd64.exe
Size

124KB
MD5

0d0734c601c4979ea9cd8d6c365516a0
SHA1

7183b9960ade0969103e4267ed2883169118b9b2
SHA256

e317c9e3a0f5d1cda43d413e41bd587dbd4dbfd250b834da6c06d198a081fd64
SHA512

b1f51fdc846f34624ee97568dc0b8afe352e6214420c3468642898544327985282ae230f116f2101bb4b0b54ea4c722bbe8ed80f8c6814aebb35866071f06a46
SSDEEP

1536:8iszj5YWvahRO/N69BH3OoGa+FLHjKceRgrkOSoINeGUmE:pGFYWShkFoN3Oo1+FvfSW

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 16 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	kbvoey.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	geicee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	daoje.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	weawi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	geoabig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	e317c9e3a0f5d1cda43d413e41bd587dbd4dbfd250b834da6c06d198a081fd64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	qaujae.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	yeqas.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	qaocof.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	yeehii.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ceoda.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	vooehuq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	touxeij.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	paiaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	gaotoe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	luizii.exe

Executes dropped EXE 16 IoCs

pid	Process
4896	kbvoey.exe
4172	qaujae.exe
3460	geicee.exe
2736	gaotoe.exe
392	yeqas.exe
1468	luizii.exe
3608	qaocof.exe
4188	yeehii.exe
3632	daoje.exe
1556	ceoda.exe
4576	vooehuq.exe
2044	touxeij.exe
944	weawi.exe
1612	geoabig.exe
3188	paiaw.exe
1672	ymsez.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	e317c9e3a0f5d1cda43d413e41bd587dbd4dbfd250b834da6c06d198a081fd64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	luizii.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	qaocof.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	geoabig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	daoje.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	touxeij.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	weawi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	paiaw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	kbvoey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	geicee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	yeqas.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	ceoda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	vooehuq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	qaujae.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	gaotoe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	yeehii.exe

Adds Run key to start application 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\daoje = "C:\\Users\\Admin\\daoje.exe /p"	yeehii.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paiaw = "C:\\Users\\Admin\\paiaw.exe /A"	geoabig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ymsez = "C:\\Users\\Admin\\ymsez.exe /R"	paiaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kbvoey = "C:\\Users\\Admin\\kbvoey.exe /m"	e317c9e3a0f5d1cda43d413e41bd587dbd4dbfd250b834da6c06d198a081fd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qaujae = "C:\\Users\\Admin\\qaujae.exe /d"	kbvoey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gaotoe = "C:\\Users\\Admin\\gaotoe.exe /Z"	geicee.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\	yeqas.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\	luizii.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\	qaocof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\touxeij = "C:\\Users\\Admin\\touxeij.exe /m"	vooehuq.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\	qaujae.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vooehuq = "C:\\Users\\Admin\\vooehuq.exe /V"	ceoda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoabig = "C:\\Users\\Admin\\geoabig.exe /U"	weawi.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\	geoabig.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\	kbvoey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geicee = "C:\\Users\\Admin\\geicee.exe /J"	qaujae.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\	gaotoe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\luizii = "C:\\Users\\Admin\\luizii.exe /m"	yeqas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qaocof = "C:\\Users\\Admin\\qaocof.exe /h"	luizii.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\	yeehii.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceoda = "C:\\Users\\Admin\\ceoda.exe /o"	daoje.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\	touxeij.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\	e317c9e3a0f5d1cda43d413e41bd587dbd4dbfd250b834da6c06d198a081fd64.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\	ceoda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weawi = "C:\\Users\\Admin\\weawi.exe /j"	touxeij.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\	daoje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yeehii = "C:\\Users\\Admin\\yeehii.exe /U"	qaocof.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\	geicee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yeqas = "C:\\Users\\Admin\\yeqas.exe /b"	gaotoe.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\	vooehuq.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\	weawi.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\	paiaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1120	e317c9e3a0f5d1cda43d413e41bd587dbd4dbfd250b834da6c06d198a081fd64.exe
1120	e317c9e3a0f5d1cda43d413e41bd587dbd4dbfd250b834da6c06d198a081fd64.exe
4896	kbvoey.exe
4896	kbvoey.exe
4172	qaujae.exe
4172	qaujae.exe
3460	geicee.exe
3460	geicee.exe
2736	gaotoe.exe
2736	gaotoe.exe
392	yeqas.exe
392	yeqas.exe
1468	luizii.exe
1468	luizii.exe
3608	qaocof.exe
3608	qaocof.exe
4188	yeehii.exe
4188	yeehii.exe
3632	daoje.exe
3632	daoje.exe
1556	ceoda.exe
1556	ceoda.exe
4576	vooehuq.exe
4576	vooehuq.exe
2044	touxeij.exe
2044	touxeij.exe
944	weawi.exe
944	weawi.exe
1612	geoabig.exe
1612	geoabig.exe
3188	paiaw.exe
3188	paiaw.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1120	e317c9e3a0f5d1cda43d413e41bd587dbd4dbfd250b834da6c06d198a081fd64.exe
4896	kbvoey.exe
4172	qaujae.exe
3460	geicee.exe
2736	gaotoe.exe
392	yeqas.exe
1468	luizii.exe
3608	qaocof.exe
4188	yeehii.exe
3632	daoje.exe
1556	ceoda.exe
4576	vooehuq.exe
2044	touxeij.exe
944	weawi.exe
1612	geoabig.exe
3188	paiaw.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 4896	1120	e317c9e3a0f5d1cda43d413e41bd587dbd4dbfd250b834da6c06d198a081fd64.exe	79
PID 1120 wrote to memory of 4896	1120	e317c9e3a0f5d1cda43d413e41bd587dbd4dbfd250b834da6c06d198a081fd64.exe	79
PID 1120 wrote to memory of 4896	1120	e317c9e3a0f5d1cda43d413e41bd587dbd4dbfd250b834da6c06d198a081fd64.exe	79
PID 4896 wrote to memory of 4172	4896	kbvoey.exe	81
PID 4896 wrote to memory of 4172	4896	kbvoey.exe	81
PID 4896 wrote to memory of 4172	4896	kbvoey.exe	81
PID 4172 wrote to memory of 3460	4172	qaujae.exe	83
PID 4172 wrote to memory of 3460	4172	qaujae.exe	83
PID 4172 wrote to memory of 3460	4172	qaujae.exe	83
PID 3460 wrote to memory of 2736	3460	geicee.exe	84
PID 3460 wrote to memory of 2736	3460	geicee.exe	84
PID 3460 wrote to memory of 2736	3460	geicee.exe	84
PID 2736 wrote to memory of 392	2736	gaotoe.exe	85
PID 2736 wrote to memory of 392	2736	gaotoe.exe	85
PID 2736 wrote to memory of 392	2736	gaotoe.exe	85
PID 392 wrote to memory of 1468	392	yeqas.exe	86
PID 392 wrote to memory of 1468	392	yeqas.exe	86
PID 392 wrote to memory of 1468	392	yeqas.exe	86
PID 1468 wrote to memory of 3608	1468	luizii.exe	87
PID 1468 wrote to memory of 3608	1468	luizii.exe	87
PID 1468 wrote to memory of 3608	1468	luizii.exe	87
PID 3608 wrote to memory of 4188	3608	qaocof.exe	88
PID 3608 wrote to memory of 4188	3608	qaocof.exe	88
PID 3608 wrote to memory of 4188	3608	qaocof.exe	88
PID 4188 wrote to memory of 3632	4188	yeehii.exe	89
PID 4188 wrote to memory of 3632	4188	yeehii.exe	89
PID 4188 wrote to memory of 3632	4188	yeehii.exe	89
PID 3632 wrote to memory of 1556	3632	daoje.exe	90
PID 3632 wrote to memory of 1556	3632	daoje.exe	90
PID 3632 wrote to memory of 1556	3632	daoje.exe	90
PID 1556 wrote to memory of 4576	1556	ceoda.exe	91
PID 1556 wrote to memory of 4576	1556	ceoda.exe	91
PID 1556 wrote to memory of 4576	1556	ceoda.exe	91
PID 4576 wrote to memory of 2044	4576	vooehuq.exe	94
PID 4576 wrote to memory of 2044	4576	vooehuq.exe	94
PID 4576 wrote to memory of 2044	4576	vooehuq.exe	94
PID 2044 wrote to memory of 944	2044	touxeij.exe	97
PID 2044 wrote to memory of 944	2044	touxeij.exe	97
PID 2044 wrote to memory of 944	2044	touxeij.exe	97
PID 944 wrote to memory of 1612	944	weawi.exe	100
PID 944 wrote to memory of 1612	944	weawi.exe	100
PID 944 wrote to memory of 1612	944	weawi.exe	100
PID 1612 wrote to memory of 3188	1612	geoabig.exe	102
PID 1612 wrote to memory of 3188	1612	geoabig.exe	102
PID 1612 wrote to memory of 3188	1612	geoabig.exe	102
PID 3188 wrote to memory of 1672	3188	paiaw.exe	103
PID 3188 wrote to memory of 1672	3188	paiaw.exe	103
PID 3188 wrote to memory of 1672	3188	paiaw.exe	103

C:\Users\Admin\AppData\Local\Temp\e317c9e3a0f5d1cda43d413e41bd587dbd4dbfd250b834da6c06d198a081fd64.exe
"C:\Users\Admin\AppData\Local\Temp\e317c9e3a0f5d1cda43d413e41bd587dbd4dbfd250b834da6c06d198a081fd64.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Users\Admin\kbvoey.exe
  "C:\Users\Admin\kbvoey.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Users\Admin\qaujae.exe
    "C:\Users\Admin\qaujae.exe"
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4172
  - - C:\Users\Admin\geicee.exe
      "C:\Users\Admin\geicee.exe"
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Checks computer location settings
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3460
    - - C:\Users\Admin\gaotoe.exe
        
        "C:\Users\Admin\gaotoe.exe"
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - C:\Users\Admin\yeqas.exe
        
        "C:\Users\Admin\yeqas.exe"
        6⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Users\Admin\luizii.exe
        
        "C:\Users\Admin\luizii.exe"
        7⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Users\Admin\qaocof.exe
        
        "C:\Users\Admin\qaocof.exe"
        8⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Users\Admin\yeehii.exe
        
        "C:\Users\Admin\yeehii.exe"
        9⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Users\Admin\daoje.exe
        
        "C:\Users\Admin\daoje.exe"
        10⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Users\Admin\ceoda.exe
        
        "C:\Users\Admin\ceoda.exe"
        11⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Users\Admin\vooehuq.exe
        
        "C:\Users\Admin\vooehuq.exe"
        12⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Users\Admin\touxeij.exe
        
        "C:\Users\Admin\touxeij.exe"
        13⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Users\Admin\weawi.exe
        
        "C:\Users\Admin\weawi.exe"
        14⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Users\Admin\geoabig.exe
        
        "C:\Users\Admin\geoabig.exe"
        15⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Users\Admin\paiaw.exe
        
        "C:\Users\Admin\paiaw.exe"
        16⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Users\Admin\ymsez.exe
        
        "C:\Users\Admin\ymsez.exe"
        17⤵
        Executes dropped EXE
        
        PID:1672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\ceoda.exe

Filesize
124KB

MD5
0b388a2ed6e4a9ecefd39d1c739ca0fc

SHA1
6c8d3a0d42d086171d203be74af286335c796f09

SHA256
20567c62193483353bca450abd79ceaf18c9ce8fbaa76730ef2aa2c9758cf913

SHA512
0281923a07c36a5d2e5275e0e99c8735bca81ec1e914e85db1de9bb732adb83ee2688da0a8eadbbb6db1db8a92f3fcdf98576e17db7cf8d4bad320476d5c2394

Download Submit
C:\Users\Admin\ceoda.exe

Filesize
124KB

MD5
0b388a2ed6e4a9ecefd39d1c739ca0fc

SHA1
6c8d3a0d42d086171d203be74af286335c796f09

SHA256
20567c62193483353bca450abd79ceaf18c9ce8fbaa76730ef2aa2c9758cf913

SHA512
0281923a07c36a5d2e5275e0e99c8735bca81ec1e914e85db1de9bb732adb83ee2688da0a8eadbbb6db1db8a92f3fcdf98576e17db7cf8d4bad320476d5c2394

Download Submit
C:\Users\Admin\daoje.exe

Filesize
124KB

MD5
e81596cf5882460e1e82a6915cc254af

SHA1
0f972a7b407290000527bf25676bd99c7c06700b

SHA256
8bde7cd2e5bcae2635d6d6902731628197e9db1ab86136679e8019735aab4f9f

SHA512
c80c586b0a2ed537bc1b5a2320882213042328d385721130cef4760ea63372549584fe6f3ef2f10879f5a00a468299a3e8990d0fbd7e55f225e0dcffa6b047b9

Download Submit
C:\Users\Admin\daoje.exe

Filesize
124KB

MD5
e81596cf5882460e1e82a6915cc254af

SHA1
0f972a7b407290000527bf25676bd99c7c06700b

SHA256
8bde7cd2e5bcae2635d6d6902731628197e9db1ab86136679e8019735aab4f9f

SHA512
c80c586b0a2ed537bc1b5a2320882213042328d385721130cef4760ea63372549584fe6f3ef2f10879f5a00a468299a3e8990d0fbd7e55f225e0dcffa6b047b9

Download Submit
C:\Users\Admin\gaotoe.exe

Filesize
124KB

MD5
1812cfcbe91b5ee680317be1e3d7bb0f

SHA1
e492632a75e1dd1f462c5e51b13083f188e164aa

SHA256
836906443a9a736b23fee2e121bc13533e3b0f69ef292e973901835f56e8453d

SHA512
4a9f32a22a95e57db56a6c4a3facf30dd038a83b38df621e1e9040a650c44d9b14f3ef8cd5662998c1ee5e402b4ff367753aed0765c4ed58d6accea7d716c6d8

Download Submit
C:\Users\Admin\gaotoe.exe

Filesize
124KB

MD5
1812cfcbe91b5ee680317be1e3d7bb0f

SHA1
e492632a75e1dd1f462c5e51b13083f188e164aa

SHA256
836906443a9a736b23fee2e121bc13533e3b0f69ef292e973901835f56e8453d

SHA512
4a9f32a22a95e57db56a6c4a3facf30dd038a83b38df621e1e9040a650c44d9b14f3ef8cd5662998c1ee5e402b4ff367753aed0765c4ed58d6accea7d716c6d8

Download Submit
C:\Users\Admin\geicee.exe

Filesize
124KB

MD5
363f31021590b4ee8944b61b49ce12c1

SHA1
a2c626b017a2b2779e37d8e4d8144df3d1a0cbc3

SHA256
031e5aa55592e96ca285ca2e668c66cf5619db2b24f594ff99800b108865a8f3

SHA512
4764a0899ccddbea05d01331594dd879e5f03871a774190f68c45a81c924a6e7d07b0490912b61ecbdab373e567400c409f98546498c8f94eb45e5a65b6b21a8

Download Submit
C:\Users\Admin\geicee.exe

Filesize
124KB

MD5
363f31021590b4ee8944b61b49ce12c1

SHA1
a2c626b017a2b2779e37d8e4d8144df3d1a0cbc3

SHA256
031e5aa55592e96ca285ca2e668c66cf5619db2b24f594ff99800b108865a8f3

SHA512
4764a0899ccddbea05d01331594dd879e5f03871a774190f68c45a81c924a6e7d07b0490912b61ecbdab373e567400c409f98546498c8f94eb45e5a65b6b21a8

Download Submit
C:\Users\Admin\geoabig.exe

Filesize
124KB

MD5
0e74261013fb8cf78961b6c6f1fd5bba

SHA1
53c8e0f8e10bfe2455941d0a569c08d7f09a4581

SHA256
40e49b14b4a467137ec557b4014b5bac3186eef11bd7e82a2d031747613d5844

SHA512
ca3b77441213ec37adbccc7f82caaeee9f0ea4d12039a6167f13ea2f1cad12a6b6ccd741f4431a995efccef2f4f3c38a0ea7e7268a54ed22c43719e323d612e7

Download Submit
C:\Users\Admin\geoabig.exe

Filesize
124KB

MD5
0e74261013fb8cf78961b6c6f1fd5bba

SHA1
53c8e0f8e10bfe2455941d0a569c08d7f09a4581

SHA256
40e49b14b4a467137ec557b4014b5bac3186eef11bd7e82a2d031747613d5844

SHA512
ca3b77441213ec37adbccc7f82caaeee9f0ea4d12039a6167f13ea2f1cad12a6b6ccd741f4431a995efccef2f4f3c38a0ea7e7268a54ed22c43719e323d612e7

Download Submit
C:\Users\Admin\kbvoey.exe

Filesize
124KB

MD5
93a4f4750ab8a0cd61669a7e538fde08

SHA1
d77ffde4b4c67fb0ba3c7bcf0a37e060fe419623

SHA256
6dd18f65ed11ff99eccd2f4408d9aa3a061bf9b26c3249ee8a5c6319e476fa9b

SHA512
86769122cebcfc5ff7539e6710fce3560ec637a1d1ee20244973feee10b81ffefe2fc4c95aa9490dfeeb20cd65d6469b80d5ce92610f59495613215a78b404da

Download Submit
C:\Users\Admin\kbvoey.exe

Filesize
124KB

MD5
93a4f4750ab8a0cd61669a7e538fde08

SHA1
d77ffde4b4c67fb0ba3c7bcf0a37e060fe419623

SHA256
6dd18f65ed11ff99eccd2f4408d9aa3a061bf9b26c3249ee8a5c6319e476fa9b

SHA512
86769122cebcfc5ff7539e6710fce3560ec637a1d1ee20244973feee10b81ffefe2fc4c95aa9490dfeeb20cd65d6469b80d5ce92610f59495613215a78b404da

Download Submit
C:\Users\Admin\luizii.exe

Filesize
124KB

MD5
72b37974c43bc5d9b54eea4f52dfb514

SHA1
d511fb8c8af42cbc7fbef33eb0c27d8a231abb06

SHA256
e4dca42462a64b2089286ca87939fe01e586a040d5f0c1514a39879675a85c45

SHA512
7fd99bead5d05aec477e990de3ba30cb5b9d1e71e113a788bf18d9ad6be818c1e44124f63afc60d758d78859bee6d4a3e3404eb5809ce93f58e16465a346b593

Download Submit
C:\Users\Admin\luizii.exe

Filesize
124KB

MD5
72b37974c43bc5d9b54eea4f52dfb514

SHA1
d511fb8c8af42cbc7fbef33eb0c27d8a231abb06

SHA256
e4dca42462a64b2089286ca87939fe01e586a040d5f0c1514a39879675a85c45

SHA512
7fd99bead5d05aec477e990de3ba30cb5b9d1e71e113a788bf18d9ad6be818c1e44124f63afc60d758d78859bee6d4a3e3404eb5809ce93f58e16465a346b593

Download Submit
C:\Users\Admin\paiaw.exe

Filesize
124KB

MD5
880cb029bb1d11310ed00a6a39825f45

SHA1
c215e313c9428647af94bb4a0ad9d00e2696cc0a

SHA256
2e8e084b367d810cf10e246b96ad84e93442151d5335d66dfa970753b4404718

SHA512
9e013060061922374f83a4c2cca5c9f54aaad20b18a9c93d51432e2a6265872af9658aa331c4012d9bc5a9c44fce51ae21559dc16eb9e629016ed17da5a14e98

Download Submit
C:\Users\Admin\paiaw.exe

Filesize
124KB

MD5
880cb029bb1d11310ed00a6a39825f45

SHA1
c215e313c9428647af94bb4a0ad9d00e2696cc0a

SHA256
2e8e084b367d810cf10e246b96ad84e93442151d5335d66dfa970753b4404718

SHA512
9e013060061922374f83a4c2cca5c9f54aaad20b18a9c93d51432e2a6265872af9658aa331c4012d9bc5a9c44fce51ae21559dc16eb9e629016ed17da5a14e98

Download Submit
C:\Users\Admin\qaocof.exe

Filesize
124KB

MD5
35f9cec50b0032ff300abcf57a36bb79

SHA1
8e0f2c9a9ae3f8b3b04c857cf236981f0fd4e3c8

SHA256
09047b68fc7edb0d6c199e65a9fc7824894f9aa5ecb561f85577710694aa504d

SHA512
c2556f795b2c47e3e3363cc60e35b7f3f05963cf088f807863b8c6492c6fe36c962433c676847b382ce7fabd4ba9e790077587ad56869c7a174ea89e07de4743

Download Submit
C:\Users\Admin\qaocof.exe

Filesize
124KB

MD5
35f9cec50b0032ff300abcf57a36bb79

SHA1
8e0f2c9a9ae3f8b3b04c857cf236981f0fd4e3c8

SHA256
09047b68fc7edb0d6c199e65a9fc7824894f9aa5ecb561f85577710694aa504d

SHA512
c2556f795b2c47e3e3363cc60e35b7f3f05963cf088f807863b8c6492c6fe36c962433c676847b382ce7fabd4ba9e790077587ad56869c7a174ea89e07de4743

Download Submit
C:\Users\Admin\qaujae.exe

Filesize
124KB

MD5
f91f83615279e3202508a31997c3fdfc

SHA1
1b4ae15b294995f67440c332a8381305933a91b7

SHA256
0923606788ec9300b5d933eef4f9ec498fa7ebdb0ee0f1003ada40af41760ed5

SHA512
c984790adce730500e22e8be9a368e4160be4bc53ec4ca933d68b8bffd005d178be7367e710660b8a7d4ca764bf7a4938ce2b182026f5ed8b705ef8040d39603

Download Submit
C:\Users\Admin\qaujae.exe

Filesize
124KB

MD5
f91f83615279e3202508a31997c3fdfc

SHA1
1b4ae15b294995f67440c332a8381305933a91b7

SHA256
0923606788ec9300b5d933eef4f9ec498fa7ebdb0ee0f1003ada40af41760ed5

SHA512
c984790adce730500e22e8be9a368e4160be4bc53ec4ca933d68b8bffd005d178be7367e710660b8a7d4ca764bf7a4938ce2b182026f5ed8b705ef8040d39603

Download Submit
C:\Users\Admin\touxeij.exe

Filesize
124KB

MD5
f20d403355b54881c992cc3e6069d661

SHA1
c3ace7845bd46022819ac6aa840b28543c7b6cdf

SHA256
44507b61d9e6f01469efddc4143cc5f3bf285567dff8e337a3d66bb8d884d818

SHA512
0df16292177c283d197ef576a19d2199f342bccb77122ffbb93064a0a59e58c47cd3aa6c8176b42e24ed1eb719d80d865e64055dec7b9a7f218634b95a9c4593

Download Submit
C:\Users\Admin\touxeij.exe

Filesize
124KB

MD5
f20d403355b54881c992cc3e6069d661

SHA1
c3ace7845bd46022819ac6aa840b28543c7b6cdf

SHA256
44507b61d9e6f01469efddc4143cc5f3bf285567dff8e337a3d66bb8d884d818

SHA512
0df16292177c283d197ef576a19d2199f342bccb77122ffbb93064a0a59e58c47cd3aa6c8176b42e24ed1eb719d80d865e64055dec7b9a7f218634b95a9c4593

Download Submit
C:\Users\Admin\vooehuq.exe

Filesize
124KB

MD5
425b52b1bc1a5e364cd75ab4e0a96a5d

SHA1
f4bfd2697b444537bba9fbeefb37d770460412da

SHA256
8d3a96d4a1586e527cf03525e03f067a4d929be2e077104bcd94aa98deae9f5d

SHA512
3aa00b4497f8384b94aed01c8b3c6d1be2889496b8db84e350de5e3a2071e4baf87b68a8d4c38e3297290f61171389560cce9270a882d195199325dad6896990

Download Submit
C:\Users\Admin\vooehuq.exe

Filesize
124KB

MD5
425b52b1bc1a5e364cd75ab4e0a96a5d

SHA1
f4bfd2697b444537bba9fbeefb37d770460412da

SHA256
8d3a96d4a1586e527cf03525e03f067a4d929be2e077104bcd94aa98deae9f5d

SHA512
3aa00b4497f8384b94aed01c8b3c6d1be2889496b8db84e350de5e3a2071e4baf87b68a8d4c38e3297290f61171389560cce9270a882d195199325dad6896990

Download Submit
C:\Users\Admin\weawi.exe

Filesize
124KB

MD5
d59012a486d10e3137d58642b204fc52

SHA1
97490e95032a8139579ae08e28e875355f69eb76

SHA256
b8ebb098281c6dd40709c5af0f9c57bee595aaf6da354f2a1074b3d79ade0838

SHA512
12635ed336d596d64e2016cdc420ce82bd78b9e1be9c3ea8ca54775b31f2cb9a53fccc4277caa1e9605d5385763a639811c7c3f6e26ced5d040371c4a9708bc6

Download Submit
C:\Users\Admin\weawi.exe

Filesize
124KB

MD5
d59012a486d10e3137d58642b204fc52

SHA1
97490e95032a8139579ae08e28e875355f69eb76

SHA256
b8ebb098281c6dd40709c5af0f9c57bee595aaf6da354f2a1074b3d79ade0838

SHA512
12635ed336d596d64e2016cdc420ce82bd78b9e1be9c3ea8ca54775b31f2cb9a53fccc4277caa1e9605d5385763a639811c7c3f6e26ced5d040371c4a9708bc6

Download Submit
C:\Users\Admin\yeehii.exe

Filesize
124KB

MD5
9716fc9ecf2837f00e850feeca721b18

SHA1
1c73769fb3e614732830e5441b0f12b726038aca

SHA256
cb3b47dea18af3d05cf2739b7c71c5110739a3e9445b65c4fa3b02f1064ab76e

SHA512
f2bec20a5c5e4d91f7df04df5c59fb7f187e561df6fb9203371f7f62522719d23e10b901f3089878c2854dcc9008370547e430269b4e772e2cd220442a6a9c35

Download Submit
C:\Users\Admin\yeehii.exe

Filesize
124KB

MD5
9716fc9ecf2837f00e850feeca721b18

SHA1
1c73769fb3e614732830e5441b0f12b726038aca

SHA256
cb3b47dea18af3d05cf2739b7c71c5110739a3e9445b65c4fa3b02f1064ab76e

SHA512
f2bec20a5c5e4d91f7df04df5c59fb7f187e561df6fb9203371f7f62522719d23e10b901f3089878c2854dcc9008370547e430269b4e772e2cd220442a6a9c35

Download Submit
C:\Users\Admin\yeqas.exe

Filesize
124KB

MD5
b54b0f881a9d0edfe54fe2965bbf3051

SHA1
4a978f10d409c771bcaec09744565ec2dbb219b4

SHA256
37d8cb6942da9e1d7486dec040fa16150fd9e784968f501f679f7d600f0b75d5

SHA512
247451f6802a23ef3b460874c11345c5655554c1065cf8da0455fb3d568f421c90d8af36600286271cba665c86eaf2de9f485aeb0e316c576c02c21db4af6d9b

Download Submit
C:\Users\Admin\yeqas.exe

Filesize
124KB

MD5
b54b0f881a9d0edfe54fe2965bbf3051

SHA1
4a978f10d409c771bcaec09744565ec2dbb219b4

SHA256
37d8cb6942da9e1d7486dec040fa16150fd9e784968f501f679f7d600f0b75d5

SHA512
247451f6802a23ef3b460874c11345c5655554c1065cf8da0455fb3d568f421c90d8af36600286271cba665c86eaf2de9f485aeb0e316c576c02c21db4af6d9b

Download Submit
C:\Users\Admin\ymsez.exe

Filesize
124KB

MD5
54f99ce7362faae5614234ede2271569

SHA1
e232342bc08cea6cb03a5f636ff5c3c1f686c6d5

SHA256
3439bfad78587039b6e784bc4ae7ebca7528aed6ad5206a20e7e7ef5390f53b6

SHA512
f5ffecd683e5cd12b016c5dd5d776e359c421712cb1d3babc1d7d5daca4cfe039589f8bc7da6c0b4ed6cdd51e13d65d30b0a7d2ef26c49352fdae6d495022ce9

Download Submit