Analysis Overview
SHA256
041a8be2a89d0d7823da7cb61910761e6051898ca47b348ed1906587faf94d97
Threat Level: Known bad
The file 041a8be2a89d0d7823da7cb61910761e6051898ca47b348ed1906587faf94d97 was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 18:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 18:13
Reported
2024-04-07 18:15
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\niuawil.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\041a8be2a89d0d7823da7cb61910761e6051898ca47b348ed1906587faf94d97.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\niuawil.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /W" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /h" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /I" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /r" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /y" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /b" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /c" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /v" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /F" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /z" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /A" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /K" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /Q" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /O" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /R" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /G" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /S" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /D" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /j" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /s" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /w" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /n" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /N" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /E" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /t" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /u" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /Y" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /e" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /C" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /V" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /M" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /L" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /X" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /g" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /o" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /B" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /q" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /Z" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /P" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /a" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /H" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /i" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /k" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /f" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /l" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /d" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /J" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /T" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /m" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /p" | C:\Users\Admin\niuawil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuawil = "C:\\Users\\Admin\\niuawil.exe /U" | C:\Users\Admin\niuawil.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\041a8be2a89d0d7823da7cb61910761e6051898ca47b348ed1906587faf94d97.exe | N/A |
| N/A | N/A | C:\Users\Admin\niuawil.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\041a8be2a89d0d7823da7cb61910761e6051898ca47b348ed1906587faf94d97.exe
"C:\Users\Admin\AppData\Local\Temp\041a8be2a89d0d7823da7cb61910761e6051898ca47b348ed1906587faf94d97.exe"
C:\Users\Admin\niuawil.exe
"C:\Users\Admin\niuawil.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ns1.codeconline.biz | udp |
| US | 8.8.8.8:53 | ns1.player1523.com | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.71.105.51.in-addr.arpa | udp |
Files
C:\Users\Admin\niuawil.exe
| MD5 | c23062f6795cf891f2ec164be5852558 |
| SHA1 | f517935a36486a2667d52f3dea741a6297c6f1c1 |
| SHA256 | ea8cced38ce094402d3e5a4df223c05e960aa1dc2acd57ee6a7ed71fb9ef15ff |
| SHA512 | 4aeb2ee0d1cef61cd321ee9f3db6237a4941b1dc123339b3ae11de475b29a198ff3f00786ecffcd681135b682614aa6f72d9590cb9c66b1fd68177643dca2de2 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 18:13
Reported
2024-04-07 18:15
Platform
win7-20240221-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\heuqoem.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\heuqoem.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\041a8be2a89d0d7823da7cb61910761e6051898ca47b348ed1906587faf94d97.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\041a8be2a89d0d7823da7cb61910761e6051898ca47b348ed1906587faf94d97.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /r" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /e" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /K" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /I" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /R" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /z" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /f" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /T" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /l" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /o" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /C" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /W" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /q" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /v" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /U" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /g" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /Z" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /t" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /p" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /j" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /G" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /u" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /E" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /A" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /Y" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /F" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /B" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /V" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /J" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /s" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /O" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /Q" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /w" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /h" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /N" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /d" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /P" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /c" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /a" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /S" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /k" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /H" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /x" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /X" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /n" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /L" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /m" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /y" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /D" | C:\Users\Admin\heuqoem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\heuqoem = "C:\\Users\\Admin\\heuqoem.exe /M" | C:\Users\Admin\heuqoem.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\041a8be2a89d0d7823da7cb61910761e6051898ca47b348ed1906587faf94d97.exe | N/A |
| N/A | N/A | C:\Users\Admin\heuqoem.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\041a8be2a89d0d7823da7cb61910761e6051898ca47b348ed1906587faf94d97.exe
"C:\Users\Admin\AppData\Local\Temp\041a8be2a89d0d7823da7cb61910761e6051898ca47b348ed1906587faf94d97.exe"
C:\Users\Admin\heuqoem.exe
"C:\Users\Admin\heuqoem.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ns1.codeconline.biz | udp |
| US | 8.8.8.8:53 | ns1.player1523.com | udp |
Files
\Users\Admin\heuqoem.exe
| MD5 | 4da8ee8b9cb90be27dea7a970a791fd8 |
| SHA1 | 45b1323630219b07453e3a498331ecdfdfbd55e1 |
| SHA256 | 753d23f32e41d3da2c7a17680b7f06e59189afe8bc720239a2bb22f2911f702f |
| SHA512 | 4cd4746772c38b03124b9f249b10d9fb9fe0f8275eb44375c1d0315d36c455813c1a84a6148ee38860db1ccb892f2c75b2cb9d0671fde83d25c3da09b68a9ad2 |