Malware Analysis Report

2025-03-14 23:12

Sample ID 240407-aehgfsfg25
Target a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876
SHA256 a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876

Threat Level: Known bad

The file a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876 was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 00:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 00:07

Reported

2024-04-07 00:10

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\guoyob.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\guoyob.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /k" C:\Users\Admin\guoyob.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /e" C:\Users\Admin\guoyob.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /j" C:\Users\Admin\guoyob.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /w" C:\Users\Admin\guoyob.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /y" C:\Users\Admin\guoyob.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /r" C:\Users\Admin\guoyob.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /t" C:\Users\Admin\guoyob.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /s" C:\Users\Admin\guoyob.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /x" C:\Users\Admin\guoyob.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /h" C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /v" C:\Users\Admin\guoyob.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /c" C:\Users\Admin\guoyob.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /q" C:\Users\Admin\guoyob.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /f" C:\Users\Admin\guoyob.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /z" C:\Users\Admin\guoyob.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /o" C:\Users\Admin\guoyob.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /g" C:\Users\Admin\guoyob.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /u" C:\Users\Admin\guoyob.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /i" C:\Users\Admin\guoyob.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /d" C:\Users\Admin\guoyob.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /b" C:\Users\Admin\guoyob.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /l" C:\Users\Admin\guoyob.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /n" C:\Users\Admin\guoyob.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /h" C:\Users\Admin\guoyob.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /p" C:\Users\Admin\guoyob.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /m" C:\Users\Admin\guoyob.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /a" C:\Users\Admin\guoyob.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe N/A (2 identical rows)
N/A N/A C:\Users\Admin\guoyob.exe N/A (62 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe N/A
N/A N/A C:\Users\Admin\guoyob.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe

"C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe"

C:\Users\Admin\guoyob.exe

"C:\Users\Admin\guoyob.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 ns1.chopsuwey.com udp
US 8.8.8.8:53 ns1.chopsuwey.net udp
US 8.8.8.8:53 ns1.chopsuwey.org udp
US 8.8.8.8:53 ns1.chopsuwey.biz udp
US 8.8.8.8:53 ns1.chopsuwey.info udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp

Files

C:\Users\Admin\guoyob.exe

MD5 a2eec86419dbcd39d2676639b3553028
SHA1 a51fd5eae0a0939dda9d7420cedf01664b8cd342
SHA256 fe02d5dbc95231456a750954d17c0f34fa9f6a03f2ee46cfddfe4eb5eb8ee087
SHA512 f85083f821cac57c24303093a6e6accb25837e4c00bdca7769927b05d40cebdf89889f39e28356720271dcc4fefd92068e4b3bad852cfce472f64ebfd9a3a9be

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 00:07

Reported

2024-04-07 00:09

Platform

win7-20240220-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\buezae.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\buezae.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /b" C:\Users\Admin\buezae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /i" C:\Users\Admin\buezae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /d" C:\Users\Admin\buezae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /l" C:\Users\Admin\buezae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /e" C:\Users\Admin\buezae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /s" C:\Users\Admin\buezae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /k" C:\Users\Admin\buezae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /c" C:\Users\Admin\buezae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /n" C:\Users\Admin\buezae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /g" C:\Users\Admin\buezae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /w" C:\Users\Admin\buezae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /q" C:\Users\Admin\buezae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /h" C:\Users\Admin\buezae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /t" C:\Users\Admin\buezae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /z" C:\Users\Admin\buezae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /p" C:\Users\Admin\buezae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /o" C:\Users\Admin\buezae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /v" C:\Users\Admin\buezae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /u" C:\Users\Admin\buezae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /a" C:\Users\Admin\buezae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /m" C:\Users\Admin\buezae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /y" C:\Users\Admin\buezae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /x" C:\Users\Admin\buezae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /s" C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /r" C:\Users\Admin\buezae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /f" C:\Users\Admin\buezae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /j" C:\Users\Admin\buezae.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe N/A
N/A N/A C:\Users\Admin\buezae.exe N/A (63 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe N/A
N/A N/A C:\Users\Admin\buezae.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe

"C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe"

C:\Users\Admin\buezae.exe

"C:\Users\Admin\buezae.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ns1.chopsuwey.com udp
US 8.8.8.8:53 ns1.chopsuwey.net udp
US 8.8.8.8:53 ns1.chopsuwey.org udp
US 8.8.8.8:53 ns1.chopsuwey.biz udp
US 8.8.8.8:53 ns1.chopsuwey.info udp

Files

C:\Users\Admin\buezae.exe

MD5 2a094c06431421ae087afd456551007d
SHA1 f51233b35b7672f309adcfbe0d59c9e796fcffe1
SHA256 603b7c4daad8f197e0cfaffc9f648cded6006756189d9f0cc0380fb0c938e4cf
SHA512 604f9843a807d625aac889f9ac6914a53da426d734f445d6f44f39a23bc1e530584341c4603eb584ec62f258fa27e6c6a70c0744e33acfbab7e20b4d8fea690e