Analysis Overview
SHA256
a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876
Threat Level: Known bad
The file a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876 was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 00:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 00:07
Reported
2024-04-07 00:10
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\guoyob.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\guoyob.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /k" | C:\Users\Admin\guoyob.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /e" | C:\Users\Admin\guoyob.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /j" | C:\Users\Admin\guoyob.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /w" | C:\Users\Admin\guoyob.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /y" | C:\Users\Admin\guoyob.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /r" | C:\Users\Admin\guoyob.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /t" | C:\Users\Admin\guoyob.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /s" | C:\Users\Admin\guoyob.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /x" | C:\Users\Admin\guoyob.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /h" | C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /v" | C:\Users\Admin\guoyob.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /c" | C:\Users\Admin\guoyob.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /q" | C:\Users\Admin\guoyob.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /f" | C:\Users\Admin\guoyob.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /z" | C:\Users\Admin\guoyob.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /o" | C:\Users\Admin\guoyob.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /g" | C:\Users\Admin\guoyob.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /u" | C:\Users\Admin\guoyob.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /i" | C:\Users\Admin\guoyob.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /d" | C:\Users\Admin\guoyob.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /b" | C:\Users\Admin\guoyob.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /l" | C:\Users\Admin\guoyob.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /n" | C:\Users\Admin\guoyob.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /h" | C:\Users\Admin\guoyob.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /p" | C:\Users\Admin\guoyob.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /m" | C:\Users\Admin\guoyob.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guoyob = "C:\\Users\\Admin\\guoyob.exe /a" | C:\Users\Admin\guoyob.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe | N/A |
| N/A | N/A | C:\Users\Admin\guoyob.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4860 wrote to memory of 644 | N/A | C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe | C:\Users\Admin\guoyob.exe |
| PID 4860 wrote to memory of 644 | N/A | C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe | C:\Users\Admin\guoyob.exe |
| PID 4860 wrote to memory of 644 | N/A | C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe | C:\Users\Admin\guoyob.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe
"C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe"
C:\Users\Admin\guoyob.exe
"C:\Users\Admin\guoyob.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ns1.chopsuwey.com | udp |
| US | 8.8.8.8:53 | ns1.chopsuwey.net | udp |
| US | 8.8.8.8:53 | ns1.chopsuwey.org | udp |
| US | 8.8.8.8:53 | ns1.chopsuwey.biz | udp |
| US | 8.8.8.8:53 | ns1.chopsuwey.info | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\guoyob.exe
| MD5 | a2eec86419dbcd39d2676639b3553028 |
| SHA1 | a51fd5eae0a0939dda9d7420cedf01664b8cd342 |
| SHA256 | fe02d5dbc95231456a750954d17c0f34fa9f6a03f2ee46cfddfe4eb5eb8ee087 |
| SHA512 | f85083f821cac57c24303093a6e6accb25837e4c00bdca7769927b05d40cebdf89889f39e28356720271dcc4fefd92068e4b3bad852cfce472f64ebfd9a3a9be |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 00:07
Reported
2024-04-07 00:09
Platform
win7-20240220-en
Max time kernel
149s
Max time network
123s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\buezae.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\buezae.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /b" | C:\Users\Admin\buezae.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /i" | C:\Users\Admin\buezae.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /d" | C:\Users\Admin\buezae.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /l" | C:\Users\Admin\buezae.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /e" | C:\Users\Admin\buezae.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /s" | C:\Users\Admin\buezae.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /k" | C:\Users\Admin\buezae.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /c" | C:\Users\Admin\buezae.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /n" | C:\Users\Admin\buezae.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /g" | C:\Users\Admin\buezae.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /w" | C:\Users\Admin\buezae.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /q" | C:\Users\Admin\buezae.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /h" | C:\Users\Admin\buezae.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /t" | C:\Users\Admin\buezae.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /z" | C:\Users\Admin\buezae.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /p" | C:\Users\Admin\buezae.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /o" | C:\Users\Admin\buezae.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /v" | C:\Users\Admin\buezae.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /u" | C:\Users\Admin\buezae.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /a" | C:\Users\Admin\buezae.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /m" | C:\Users\Admin\buezae.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /y" | C:\Users\Admin\buezae.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /x" | C:\Users\Admin\buezae.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /s" | C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /r" | C:\Users\Admin\buezae.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /f" | C:\Users\Admin\buezae.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buezae = "C:\\Users\\Admin\\buezae.exe /j" | C:\Users\Admin\buezae.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe | N/A |
| N/A | N/A | C:\Users\Admin\buezae.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2092 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe | C:\Users\Admin\buezae.exe |
| PID 2092 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe | C:\Users\Admin\buezae.exe |
| PID 2092 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe | C:\Users\Admin\buezae.exe |
| PID 2092 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe | C:\Users\Admin\buezae.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe
"C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe"
C:\Users\Admin\buezae.exe
"C:\Users\Admin\buezae.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | ns1.chopsuwey.com | udp |
| US | 8.8.8.8:53 | ns1.chopsuwey.net | udp |
| US | 8.8.8.8:53 | ns1.chopsuwey.org | udp |
| US | 8.8.8.8:53 | ns1.chopsuwey.biz | udp |
| US | 8.8.8.8:53 | ns1.chopsuwey.info | udp |
Files
C:\Users\Admin\buezae.exe
| MD5 | 2a094c06431421ae087afd456551007d |
| SHA1 | f51233b35b7672f309adcfbe0d59c9e796fcffe1 |
| SHA256 | 603b7c4daad8f197e0cfaffc9f648cded6006756189d9f0cc0380fb0c938e4cf |
| SHA512 | 604f9843a807d625aac889f9ac6914a53da426d734f445d6f44f39a23bc1e530584341c4603eb584ec62f258fa27e6c6a70c0744e33acfbab7e20b4d8fea690e |