67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c

General

Target

67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
Size

200KB
MD5

5cc267d2ba4689e197dac3025046e260
SHA1

7ea97b226cc20da133e6e627224f0a654b3f9ab5
SHA256

67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c
SHA512

2df8978a9230f472a0689b768b28ce360775bfae356b0a6ed084ff3d217ffb56c9b7c5f2a5e34ff2a6b638d91618f680c7241a8d9e80d0f83d322061d50b29e6
SSDEEP

3072:DTtcstTstk/pSBAFtbCduLCADMcgg7ker:ftcATstk/pp2ADMVC

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

paiqe.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	paiqe.exe

Executes dropped EXE 1 IoCs

Processes:

paiqe.exe

pid process

1652 paiqe.exe

Loads dropped DLL 2 IoCs

Processes:

67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe

pid	process
1836	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
1836	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe

Adds Run key to start application 2 TTPs 51 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

paiqe.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /k"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /g"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /p"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /i"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /s"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /D"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /W"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /b"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /K"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /R"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /d"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /j"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /Z"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /z"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /A"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /e"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /F"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /L"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /x"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /I"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /N"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /h"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /E"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /r"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /M"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /n"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /C"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /V"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /S"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /H"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /o"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /O"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /T"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /U"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /q"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /G"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /w"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /Y"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /B"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /P"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /v"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /a"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /X"	paiqe.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /u"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /t"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /c"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /y"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /l"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /f"	paiqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\paiqe = "C:\\Users\\Admin\\paiqe.exe /J"	paiqe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

paiqe.exe

pid	process
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe
1652	paiqe.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exepaiqe.exe

pid process

1836 67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
1652 paiqe.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exepaiqe.exe

description	pid	process	target process
PID 1836 wrote to memory of 1652	1836	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe	paiqe.exe
PID 1836 wrote to memory of 1652	1836	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe	paiqe.exe
PID 1836 wrote to memory of 1652	1836	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe	paiqe.exe
PID 1836 wrote to memory of 1652	1836	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe	paiqe.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
PID 1652 wrote to memory of 1836	1652	paiqe.exe	67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe

C:\Users\Admin\AppData\Local\Temp\67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe
"C:\Users\Admin\AppData\Local\Temp\67251cb15ae25b777b0677244d0fab369be57f25779b79674439a6b50787b04c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1836

C:\Users\Admin\paiqe.exe
"C:\Users\Admin\paiqe.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\paiqe.exe

Filesize
200KB

MD5
c0665b46f3b13b959200e5393344d208

SHA1
fe91db7e624a9b8d17217661ed9fd0bd0e6c8bf3

SHA256
be43d4dd4c11bfc3a389219f7125668fe31a5348c98b9570c0cd110860e0aa95

SHA512
005cac7e3f63d7f8719ac32a9af0b13d38ce9e6a3de8791639bbc26d8177fc823151cd99e3075b9b2ff598f6468820044ae0246fb33133c36680c9ed65db41b2

Download Submit
C:\Users\Admin\paiqe.exe

Filesize
200KB

MD5
c0665b46f3b13b959200e5393344d208

SHA1
fe91db7e624a9b8d17217661ed9fd0bd0e6c8bf3

SHA256
be43d4dd4c11bfc3a389219f7125668fe31a5348c98b9570c0cd110860e0aa95

SHA512
005cac7e3f63d7f8719ac32a9af0b13d38ce9e6a3de8791639bbc26d8177fc823151cd99e3075b9b2ff598f6468820044ae0246fb33133c36680c9ed65db41b2

Download Submit
\Users\Admin\paiqe.exe

Filesize
200KB

MD5
c0665b46f3b13b959200e5393344d208

SHA1
fe91db7e624a9b8d17217661ed9fd0bd0e6c8bf3

SHA256
be43d4dd4c11bfc3a389219f7125668fe31a5348c98b9570c0cd110860e0aa95

SHA512
005cac7e3f63d7f8719ac32a9af0b13d38ce9e6a3de8791639bbc26d8177fc823151cd99e3075b9b2ff598f6468820044ae0246fb33133c36680c9ed65db41b2

Download Submit
\Users\Admin\paiqe.exe

Filesize
200KB

MD5
c0665b46f3b13b959200e5393344d208

SHA1
fe91db7e624a9b8d17217661ed9fd0bd0e6c8bf3

SHA256
be43d4dd4c11bfc3a389219f7125668fe31a5348c98b9570c0cd110860e0aa95

SHA512
005cac7e3f63d7f8719ac32a9af0b13d38ce9e6a3de8791639bbc26d8177fc823151cd99e3075b9b2ff598f6468820044ae0246fb33133c36680c9ed65db41b2

Download Submit
memory/1652-59-0x0000000000000000-mapping.dmp

Download
memory/1836-56-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads