496fd59b6379f1a57b2dc7171943e128833c38a9e31a99a899e7cc2ffc582eeb

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

496fd59b6379f1a57b2dc7171943e128833c38a9e31a99a899e7cc2ffc582eeb.exe
Size

124KB
MD5

6487cf67b6eaa52a22f2dda78c3c0a40
SHA1

be61bd6e46a8d554edbad2537fa0eeef9d33ac23
SHA256

496fd59b6379f1a57b2dc7171943e128833c38a9e31a99a899e7cc2ffc582eeb
SHA512

56051cc4a9c22dbb6c081681f63c80085e69cde3b02e0380ff1da4e1971016ce469e82c5470b2d61b2c249f9f53d6473fecd25f53a1bfc3319572ccec6a2145d
SSDEEP

1536:1mszp5Y5AhhRO/N69BH3OoGa+FL9jKceRgrkjSo:sGHY6hhkFoN3Oo1+F92S

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 46 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	qxguek.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	geireo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	wuodea.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	jeize.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	jmvoez.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	buaki.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	kmzij.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	xemoj.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ftsuuq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	wyguer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	giuhuv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lwluaf.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	weubue.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ciuceuq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	liqor.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	jwsom.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	vaucoe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	nuebu.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	kaoef.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	vaovo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	weidar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	wueada.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	leiiy.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	haimoac.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	fueumaj.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	gxpix.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	doafue.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reebe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	qauje.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	xaizoow.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	yauate.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	496fd59b6379f1a57b2dc7171943e128833c38a9e31a99a899e7cc2ffc582eeb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	dzyid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	teenak.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	zoauwed.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lenep.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	houdao.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	xucag.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ceuolu.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	xeiiqo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	peofo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hxraum.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	qoehul.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	buieqes.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	luagoa.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	jauba.exe

Executes dropped EXE 46 IoCs

pid	Process
3060	wyguer.exe
2712	fueumaj.exe
2444	gxpix.exe
2228	xeiiqo.exe
2800	nuebu.exe
2216	peofo.exe
1856	dzyid.exe
772	qxguek.exe
916	teenak.exe
2964	doafue.exe
2008	kaoef.exe
1984	hxraum.exe
836	qoehul.exe
2888	geireo.exe
2368	vaovo.exe
2724	zoauwed.exe
2684	reebe.exe
2624	kmzij.exe
2456	qauje.exe
2744	wuodea.exe
2644	buieqes.exe
1860	giuhuv.exe
292	lwluaf.exe
992	lenep.exe
2860	weubue.exe
1620	weidar.exe
1480	xaizoow.exe
1000	jeize.exe
1636	ciuceuq.exe
2856	luagoa.exe
2704	liqor.exe
2812	houdao.exe
2156	wueada.exe
500	yauate.exe
2980	jwsom.exe
2028	leiiy.exe
2052	jauba.exe
2068	jmvoez.exe
2496	xemoj.exe
2936	haimoac.exe
1544	xucag.exe
784	ceuolu.exe
1440	buaki.exe
1140	vaucoe.exe
2484	ftsuuq.exe
1992	kzqaog.exe

Loads dropped DLL 64 IoCs

pid	Process
1888	496fd59b6379f1a57b2dc7171943e128833c38a9e31a99a899e7cc2ffc582eeb.exe
1888	496fd59b6379f1a57b2dc7171943e128833c38a9e31a99a899e7cc2ffc582eeb.exe
3060	wyguer.exe
3060	wyguer.exe
2712	fueumaj.exe
2712	fueumaj.exe
2444	gxpix.exe
2444	gxpix.exe
2228	xeiiqo.exe
2228	xeiiqo.exe
2800	nuebu.exe
2800	nuebu.exe
2216	peofo.exe
2216	peofo.exe
1856	dzyid.exe
1856	dzyid.exe
772	qxguek.exe
772	qxguek.exe
916	teenak.exe
916	teenak.exe
2964	doafue.exe
2964	doafue.exe
2008	kaoef.exe
2008	kaoef.exe
1984	hxraum.exe
1984	hxraum.exe
836	qoehul.exe
836	qoehul.exe
2888	geireo.exe
2888	geireo.exe
2368	vaovo.exe
2368	vaovo.exe
2724	zoauwed.exe
2724	zoauwed.exe
2684	reebe.exe
2684	reebe.exe
2624	kmzij.exe
2624	kmzij.exe
2456	qauje.exe
2456	qauje.exe
2744	wuodea.exe
2744	wuodea.exe
2644	buieqes.exe
2644	buieqes.exe
1860	giuhuv.exe
1860	giuhuv.exe
292	lwluaf.exe
292	lwluaf.exe
992	lenep.exe
992	lenep.exe
2860	weubue.exe
2860	weubue.exe
1620	weidar.exe
1620	weidar.exe
1480	xaizoow.exe
1480	xaizoow.exe
1000	jeize.exe
1000	jeize.exe
1636	ciuceuq.exe
1636	ciuceuq.exe
2856	luagoa.exe
2856	luagoa.exe
2704	liqor.exe
2704	liqor.exe

Adds Run key to start application 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\dzyid = "C:\\Users\\Admin\\dzyid.exe /x"	peofo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\gxpix = "C:\\Users\\Admin\\gxpix.exe /T"	fueumaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciuceuq = "C:\\Users\\Admin\\ciuceuq.exe /h"	jeize.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\houdao = "C:\\Users\\Admin\\houdao.exe /b"	liqor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\jwsom = "C:\\Users\\Admin\\jwsom.exe /D"	yauate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ftsuuq = "C:\\Users\\Admin\\ftsuuq.exe /D"	vaucoe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\wyguer = "C:\\Users\\Admin\\wyguer.exe /g"	496fd59b6379f1a57b2dc7171943e128833c38a9e31a99a899e7cc2ffc582eeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaoef = "C:\\Users\\Admin\\kaoef.exe /x"	doafue.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\leiiy = "C:\\Users\\Admin\\leiiy.exe /B"	jwsom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\jmvoez = "C:\\Users\\Admin\\jmvoez.exe /l"	jauba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\doafue = "C:\\Users\\Admin\\doafue.exe /p"	teenak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoehul = "C:\\Users\\Admin\\qoehul.exe /z"	hxraum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoauwed = "C:\\Users\\Admin\\zoauwed.exe /e"	vaovo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\buieqes = "C:\\Users\\Admin\\buieqes.exe /C"	wuodea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuhuv = "C:\\Users\\Admin\\giuhuv.exe /f"	buieqes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwluaf = "C:\\Users\\Admin\\lwluaf.exe /R"	giuhuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\jeize = "C:\\Users\\Admin\\jeize.exe /x"	xaizoow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\liqor = "C:\\Users\\Admin\\liqor.exe /z"	luagoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxraum = "C:\\Users\\Admin\\hxraum.exe /t"	kaoef.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauba = "C:\\Users\\Admin\\jauba.exe /Q"	leiiy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceuolu = "C:\\Users\\Admin\\ceuolu.exe /h"	xucag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\wueada = "C:\\Users\\Admin\\wueada.exe /y"	houdao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaovo = "C:\\Users\\Admin\\vaovo.exe /j"	geireo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\weubue = "C:\\Users\\Admin\\weubue.exe /y"	lenep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\luagoa = "C:\\Users\\Admin\\luagoa.exe /Q"	ciuceuq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaucoe = "C:\\Users\\Admin\\vaucoe.exe /N"	buaki.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\kzqaog = "C:\\Users\\Admin\\kzqaog.exe /d"	ftsuuq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\qxguek = "C:\\Users\\Admin\\qxguek.exe /O"	dzyid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\peofo = "C:\\Users\\Admin\\peofo.exe /L"	nuebu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\qauje = "C:\\Users\\Admin\\qauje.exe /U"	kmzij.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuodea = "C:\\Users\\Admin\\wuodea.exe /o"	qauje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\lenep = "C:\\Users\\Admin\\lenep.exe /W"	lwluaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\weidar = "C:\\Users\\Admin\\weidar.exe /L"	weubue.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaizoow = "C:\\Users\\Admin\\xaizoow.exe /f"	weidar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\haimoac = "C:\\Users\\Admin\\haimoac.exe /f"	xemoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeiiqo = "C:\\Users\\Admin\\xeiiqo.exe /v"	gxpix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\buaki = "C:\\Users\\Admin\\buaki.exe /B"	ceuolu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nuebu = "C:\\Users\\Admin\\nuebu.exe /j"	xeiiqo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\teenak = "C:\\Users\\Admin\\teenak.exe /z"	qxguek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\geireo = "C:\\Users\\Admin\\geireo.exe /h"	qoehul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\reebe = "C:\\Users\\Admin\\reebe.exe /f"	zoauwed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yauate = "C:\\Users\\Admin\\yauate.exe /b"	wueada.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\xucag = "C:\\Users\\Admin\\xucag.exe /h"	haimoac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\fueumaj = "C:\\Users\\Admin\\fueumaj.exe /K"	wyguer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\xemoj = "C:\\Users\\Admin\\xemoj.exe /E"	jmvoez.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\kmzij = "C:\\Users\\Admin\\kmzij.exe /f"	reebe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
1888	496fd59b6379f1a57b2dc7171943e128833c38a9e31a99a899e7cc2ffc582eeb.exe
3060	wyguer.exe
2712	fueumaj.exe
2444	gxpix.exe
2228	xeiiqo.exe
2800	nuebu.exe
2216	peofo.exe
1856	dzyid.exe
772	qxguek.exe
916	teenak.exe
2964	doafue.exe
2008	kaoef.exe
1984	hxraum.exe
836	qoehul.exe
2888	geireo.exe
2368	vaovo.exe
2724	zoauwed.exe
2684	reebe.exe
2624	kmzij.exe
2456	qauje.exe
2744	wuodea.exe
2644	buieqes.exe
1860	giuhuv.exe
292	lwluaf.exe
992	lenep.exe
2860	weubue.exe
1620	weidar.exe
1480	xaizoow.exe
1000	jeize.exe
1636	ciuceuq.exe
2856	luagoa.exe
2704	liqor.exe
2812	houdao.exe
2156	wueada.exe
500	yauate.exe
2980	jwsom.exe
2028	leiiy.exe
2052	jauba.exe
2068	jmvoez.exe
2496	xemoj.exe
2936	haimoac.exe
1544	xucag.exe
784	ceuolu.exe
1440	buaki.exe
1140	vaucoe.exe
2484	ftsuuq.exe

Suspicious use of SetWindowsHookEx 47 IoCs

pid	Process
1888	496fd59b6379f1a57b2dc7171943e128833c38a9e31a99a899e7cc2ffc582eeb.exe
3060	wyguer.exe
2712	fueumaj.exe
2444	gxpix.exe
2228	xeiiqo.exe
2800	nuebu.exe
2216	peofo.exe
1856	dzyid.exe
772	qxguek.exe
916	teenak.exe
2964	doafue.exe
2008	kaoef.exe
1984	hxraum.exe
836	qoehul.exe
2888	geireo.exe
2368	vaovo.exe
2724	zoauwed.exe
2684	reebe.exe
2624	kmzij.exe
2456	qauje.exe
2744	wuodea.exe
2644	buieqes.exe
1860	giuhuv.exe
292	lwluaf.exe
992	lenep.exe
2860	weubue.exe
1620	weidar.exe
1480	xaizoow.exe
1000	jeize.exe
1636	ciuceuq.exe
2856	luagoa.exe
2704	liqor.exe
2812	houdao.exe
2156	wueada.exe
500	yauate.exe
2980	jwsom.exe
2028	leiiy.exe
2052	jauba.exe
2068	jmvoez.exe
2496	xemoj.exe
2936	haimoac.exe
1544	xucag.exe
784	ceuolu.exe
1440	buaki.exe
1140	vaucoe.exe
2484	ftsuuq.exe
1992	kzqaog.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 3060	1888	496fd59b6379f1a57b2dc7171943e128833c38a9e31a99a899e7cc2ffc582eeb.exe	28
PID 1888 wrote to memory of 3060	1888	496fd59b6379f1a57b2dc7171943e128833c38a9e31a99a899e7cc2ffc582eeb.exe	28
PID 1888 wrote to memory of 3060	1888	496fd59b6379f1a57b2dc7171943e128833c38a9e31a99a899e7cc2ffc582eeb.exe	28
PID 1888 wrote to memory of 3060	1888	496fd59b6379f1a57b2dc7171943e128833c38a9e31a99a899e7cc2ffc582eeb.exe	28
PID 3060 wrote to memory of 2712	3060	wyguer.exe	29
PID 3060 wrote to memory of 2712	3060	wyguer.exe	29
PID 3060 wrote to memory of 2712	3060	wyguer.exe	29
PID 3060 wrote to memory of 2712	3060	wyguer.exe	29
PID 2712 wrote to memory of 2444	2712	fueumaj.exe	30
PID 2712 wrote to memory of 2444	2712	fueumaj.exe	30
PID 2712 wrote to memory of 2444	2712	fueumaj.exe	30
PID 2712 wrote to memory of 2444	2712	fueumaj.exe	30
PID 2444 wrote to memory of 2228	2444	gxpix.exe	31
PID 2444 wrote to memory of 2228	2444	gxpix.exe	31
PID 2444 wrote to memory of 2228	2444	gxpix.exe	31
PID 2444 wrote to memory of 2228	2444	gxpix.exe	31
PID 2228 wrote to memory of 2800	2228	xeiiqo.exe	32
PID 2228 wrote to memory of 2800	2228	xeiiqo.exe	32
PID 2228 wrote to memory of 2800	2228	xeiiqo.exe	32
PID 2228 wrote to memory of 2800	2228	xeiiqo.exe	32
PID 2800 wrote to memory of 2216	2800	nuebu.exe	33
PID 2800 wrote to memory of 2216	2800	nuebu.exe	33
PID 2800 wrote to memory of 2216	2800	nuebu.exe	33
PID 2800 wrote to memory of 2216	2800	nuebu.exe	33
PID 2216 wrote to memory of 1856	2216	peofo.exe	34
PID 2216 wrote to memory of 1856	2216	peofo.exe	34
PID 2216 wrote to memory of 1856	2216	peofo.exe	34
PID 2216 wrote to memory of 1856	2216	peofo.exe	34
PID 1856 wrote to memory of 772	1856	dzyid.exe	35
PID 1856 wrote to memory of 772	1856	dzyid.exe	35
PID 1856 wrote to memory of 772	1856	dzyid.exe	35
PID 1856 wrote to memory of 772	1856	dzyid.exe	35
PID 772 wrote to memory of 916	772	qxguek.exe	36
PID 772 wrote to memory of 916	772	qxguek.exe	36
PID 772 wrote to memory of 916	772	qxguek.exe	36
PID 772 wrote to memory of 916	772	qxguek.exe	36
PID 916 wrote to memory of 2964	916	teenak.exe	37
PID 916 wrote to memory of 2964	916	teenak.exe	37
PID 916 wrote to memory of 2964	916	teenak.exe	37
PID 916 wrote to memory of 2964	916	teenak.exe	37
PID 2964 wrote to memory of 2008	2964	doafue.exe	38
PID 2964 wrote to memory of 2008	2964	doafue.exe	38
PID 2964 wrote to memory of 2008	2964	doafue.exe	38
PID 2964 wrote to memory of 2008	2964	doafue.exe	38
PID 2008 wrote to memory of 1984	2008	kaoef.exe	39
PID 2008 wrote to memory of 1984	2008	kaoef.exe	39
PID 2008 wrote to memory of 1984	2008	kaoef.exe	39
PID 2008 wrote to memory of 1984	2008	kaoef.exe	39
PID 1984 wrote to memory of 836	1984	hxraum.exe	40
PID 1984 wrote to memory of 836	1984	hxraum.exe	40
PID 1984 wrote to memory of 836	1984	hxraum.exe	40
PID 1984 wrote to memory of 836	1984	hxraum.exe	40
PID 836 wrote to memory of 2888	836	qoehul.exe	43
PID 836 wrote to memory of 2888	836	qoehul.exe	43
PID 836 wrote to memory of 2888	836	qoehul.exe	43
PID 836 wrote to memory of 2888	836	qoehul.exe	43
PID 2888 wrote to memory of 2368	2888	geireo.exe	44
PID 2888 wrote to memory of 2368	2888	geireo.exe	44
PID 2888 wrote to memory of 2368	2888	geireo.exe	44
PID 2888 wrote to memory of 2368	2888	geireo.exe	44
PID 2368 wrote to memory of 2724	2368	vaovo.exe	45
PID 2368 wrote to memory of 2724	2368	vaovo.exe	45
PID 2368 wrote to memory of 2724	2368	vaovo.exe	45
PID 2368 wrote to memory of 2724	2368	vaovo.exe	45

C:\Users\Admin\AppData\Local\Temp\496fd59b6379f1a57b2dc7171943e128833c38a9e31a99a899e7cc2ffc582eeb.exe
"C:\Users\Admin\AppData\Local\Temp\496fd59b6379f1a57b2dc7171943e128833c38a9e31a99a899e7cc2ffc582eeb.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Users\Admin\wyguer.exe
  "C:\Users\Admin\wyguer.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Users\Admin\fueumaj.exe
    "C:\Users\Admin\fueumaj.exe"
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Users\Admin\gxpix.exe
      "C:\Users\Admin\gxpix.exe"
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2444
    - - C:\Users\Admin\xeiiqo.exe
        
        "C:\Users\Admin\xeiiqo.exe"
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2228
      - C:\Users\Admin\nuebu.exe
        
        "C:\Users\Admin\nuebu.exe"
        6⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Users\Admin\peofo.exe
        
        "C:\Users\Admin\peofo.exe"
        7⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Users\Admin\dzyid.exe
        
        "C:\Users\Admin\dzyid.exe"
        8⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Users\Admin\qxguek.exe
        
        "C:\Users\Admin\qxguek.exe"
        9⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Users\Admin\teenak.exe
        
        "C:\Users\Admin\teenak.exe"
        10⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Users\Admin\doafue.exe
        
        "C:\Users\Admin\doafue.exe"
        11⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Users\Admin\kaoef.exe
        
        "C:\Users\Admin\kaoef.exe"
        12⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Users\Admin\hxraum.exe
        
        "C:\Users\Admin\hxraum.exe"
        13⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Users\Admin\qoehul.exe
        
        "C:\Users\Admin\qoehul.exe"
        14⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Users\Admin\geireo.exe
        
        "C:\Users\Admin\geireo.exe"
        15⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Users\Admin\vaovo.exe
        
        "C:\Users\Admin\vaovo.exe"
        16⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Users\Admin\zoauwed.exe
        
        "C:\Users\Admin\zoauwed.exe"
        17⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2724
        
        C:\Users\Admin\reebe.exe
        
        "C:\Users\Admin\reebe.exe"
        18⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2684
        
        C:\Users\Admin\kmzij.exe
        
        "C:\Users\Admin\kmzij.exe"
        19⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2624
        
        C:\Users\Admin\qauje.exe
        
        "C:\Users\Admin\qauje.exe"
        20⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2456
        
        C:\Users\Admin\wuodea.exe
        
        "C:\Users\Admin\wuodea.exe"
        21⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2744
        
        C:\Users\Admin\buieqes.exe
        
        "C:\Users\Admin\buieqes.exe"
        22⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2644
        
        C:\Users\Admin\giuhuv.exe
        
        "C:\Users\Admin\giuhuv.exe"
        23⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1860
        
        C:\Users\Admin\lwluaf.exe
        
        "C:\Users\Admin\lwluaf.exe"
        24⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:292
        
        C:\Users\Admin\lenep.exe
        
        "C:\Users\Admin\lenep.exe"
        25⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:992
        
        C:\Users\Admin\weubue.exe
        
        "C:\Users\Admin\weubue.exe"
        26⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2860
        
        C:\Users\Admin\weidar.exe
        
        "C:\Users\Admin\weidar.exe"
        27⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1620
        
        C:\Users\Admin\xaizoow.exe
        
        "C:\Users\Admin\xaizoow.exe"
        28⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1480
        
        C:\Users\Admin\jeize.exe
        
        "C:\Users\Admin\jeize.exe"
        29⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1000
        
        C:\Users\Admin\ciuceuq.exe
        
        "C:\Users\Admin\ciuceuq.exe"
        30⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1636
        
        C:\Users\Admin\luagoa.exe
        
        "C:\Users\Admin\luagoa.exe"
        31⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2856
        
        C:\Users\Admin\liqor.exe
        
        "C:\Users\Admin\liqor.exe"
        32⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2704
        
        C:\Users\Admin\houdao.exe
        
        "C:\Users\Admin\houdao.exe"
        33⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2812
        
        C:\Users\Admin\wueada.exe
        
        "C:\Users\Admin\wueada.exe"
        34⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2156
        
        C:\Users\Admin\yauate.exe
        
        "C:\Users\Admin\yauate.exe"
        35⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:500
        
        C:\Users\Admin\jwsom.exe
        
        "C:\Users\Admin\jwsom.exe"
        36⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2980
        
        C:\Users\Admin\leiiy.exe
        
        "C:\Users\Admin\leiiy.exe"
        37⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2028
        
        C:\Users\Admin\jauba.exe
        
        "C:\Users\Admin\jauba.exe"
        38⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2052
        
        C:\Users\Admin\jmvoez.exe
        
        "C:\Users\Admin\jmvoez.exe"
        39⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2068
        
        C:\Users\Admin\xemoj.exe
        
        "C:\Users\Admin\xemoj.exe"
        40⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2496
        
        C:\Users\Admin\haimoac.exe
        
        "C:\Users\Admin\haimoac.exe"
        41⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2936
        
        C:\Users\Admin\xucag.exe
        
        "C:\Users\Admin\xucag.exe"
        42⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        C:\Users\Admin\ceuolu.exe
        
        "C:\Users\Admin\ceuolu.exe"
        43⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:784
        
        C:\Users\Admin\buaki.exe
        
        "C:\Users\Admin\buaki.exe"
        44⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1440
        
        C:\Users\Admin\vaucoe.exe
        
        "C:\Users\Admin\vaucoe.exe"
        45⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1140
        
        C:\Users\Admin\ftsuuq.exe
        
        "C:\Users\Admin\ftsuuq.exe"
        46⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2484
        
        C:\Users\Admin\kzqaog.exe
        
        "C:\Users\Admin\kzqaog.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1992
        
        C:\Users\Admin\yoiufor.exe
        
        "C:\Users\Admin\yoiufor.exe"
        48⤵
        
        PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\doafue.exe

Filesize
124KB

MD5
2d5f71d248f60610f59e6842cc1e72d3

SHA1
b92c1eb863b8d4698b1ba0c3fbfff972f11e9299

SHA256
b2c0d52c8c5557a45cd860545dc13071b3d023f517d6c5e976574e711ec0befd

SHA512
635eb2680355141cf0aa139f2b68a918e3ffee20d5e850643a18bd2f439ad8ad95367747efa21edf929b1a8831ecf8efbf17b93c6ad34f5bed2b12bb7dc0ae28

Download Submit
C:\Users\Admin\geireo.exe

Filesize
124KB

MD5
97cefb1d5801861f125daa4ce2929fcf

SHA1
3e10512c68160d45f79446c1194375dd6b4277e0

SHA256
9114aced911e0ea7e478d178693f4c186ac05654d2511da8c6acb838248294de

SHA512
b2ed607e96aeedcfda5e1630650c91dc664b4edc00fd490739bcaf5887d1e107566dd03f9b3bf52359e75de116c48c66e1fcca6e2256f5874417dd9ed933273c

Download Submit
C:\Users\Admin\kaoef.exe

Filesize
124KB

MD5
4995245ba9db466bd68d346a2874b85b

SHA1
189e044739e7a871da4a9b4505873002e55941c4

SHA256
efdd545acd7e04b77702f1869a840a3724f54ceb41b69cafee0f06364acdcabc

SHA512
bd51f0069bf41ba95cd21504a36e33a5e1d253d9c136386efb05f57bf443663cb657a795a8dac5c95f7595d8b31b18e5b8dccaede09736c81d0971a41e5d5a6e

Download Submit
C:\Users\Admin\qoehul.exe

Filesize
124KB

MD5
404ad08218481e660daef8c67e825a5c

SHA1
1bcac1bfaa941f390012e4e917198d80b70b3bc7

SHA256
1d5536ce88ebc605cafbdddf189d768daa9da4487e7d28067f88b39f211f1001

SHA512
e6b9ff693de0a922f812c5dae81c6eb8f619269d2bc123b751acfa7354bf2915bad7fdc0bf7e555e0acd6e4cc8c1c1d2cc3640b3d9e67b9300d53ef309389927

Download Submit
C:\Users\Admin\teenak.exe

Filesize
124KB

MD5
9cf014a57351b374888015e0fe6196ec

SHA1
529d75cfd22abd4b2791476acc10df1f3e5121e6

SHA256
24e2e97e61f0cdfc2c4e2f0ee5ad1691df1a67c9c52222fd63b518ffa5f3c3b7

SHA512
cfbc2bd01afc2e22c4a5d6b7dfd652d5774e6b38e14b11bc386628a1ff353cd93f79d166d3e87b5d919fb1fc9cbe1fd99cf5d57a329067dbcd27f49bedfd2fff

Download Submit
C:\Users\Admin\vaovo.exe

Filesize
124KB

MD5
959eeee330ab49fdd48dbee611b61973

SHA1
abfe08f2591295591754c90bfd356ef848f8dd3d

SHA256
6664757785cb158241e225240a853e7e40e38f9a1b23c7b47053b4112c8df173

SHA512
40c7b88070403e87077fbfbc028d23174d15512df56a621c685e84c6d7691d34c5bbac846551dd8559f24eea19d85b8bf7c909c4b61f1768ee10c941aa83c708

Download Submit
C:\Users\Admin\wyguer.exe

Filesize
124KB

MD5
8693a5ab49a1ef9ec71be3fa76b9475f

SHA1
166d5ecd79bfb4f1210d72884404450476bb564c

SHA256
2294a6c9608d66879874ffd33805c37504a7837e0d55ac890f938a4938e6246e

SHA512
ffaec9b1a2c31bd15c2cb48fae396479478b597f53032c99a6ee16a05b12f766bf082cbc4b99b9beede96c013ba9ddbf33eb3010e779d96b05d9e8197b07a17e

Download Submit
C:\Users\Admin\zoauwed.exe

Filesize
124KB

MD5
377ecae68d76edb0d684b8063e70c873

SHA1
ca29eafdf73d41e6c8530f24e6402d5a93d6bc36

SHA256
560c6f92af9e429e7cf07172f78e5d6fc5a9c4d2e9b7f1b255ee22b719bcca18

SHA512
e0495e559eba8f72efdd72cf80a272a3ae03182be9599670f6166dfe2ea6bc5162cb3e5b72f1334831998e91ad5472f834ab266a4d2e4f00bf0250a4b4ba166b

Download Submit
\Users\Admin\dzyid.exe

Filesize
124KB

MD5
10042ac55461089b048e5a44c7ee9f50

SHA1
07ee6ba4b8908fc2bdcc90fe69c16cc5e9cc804c

SHA256
fdda547abecac5bad621365c1381ab2857c8dfa92c205c4363e5a7a184b743e2

SHA512
01358eea9742ce5e7ddb5339a0802d184c21cdcbadf1daad992f5bafb38a3d141f56dce973295f5e6158d2025ade4f6571e536a4a48e565f143913ebf1fd5ec2

Download Submit
\Users\Admin\fueumaj.exe

Filesize
124KB

MD5
73c691c1d39ea6a5c53f20452a25d474

SHA1
05fe2cc8c67c89b164c7daee13a5335471f3d1f7

SHA256
d1222d0db89c9211d0d34ef3a677cdd2e2fb389519d653e0ab8cdf0757091951

SHA512
ee31f003ea9676d94e568c8b15fe5d561f025eb19a81346ad56be6a745b84fe8eabf649dd547e6594ee477ff2d98ab71d7d66fc221f9b0b4678a74c1d62de573

Download Submit
\Users\Admin\gxpix.exe

Filesize
124KB

MD5
00e3cb7ad563a1d1ef813c4915377bb2

SHA1
11046c794c66debfb495ea2fe22f7709593bb025

SHA256
23ecec3727db0b8ac79e02014b0c10067c69d19e27dcf24b6c6f4616da3fc877

SHA512
1931fa602f80dc984a220b86398038a19ed2d9083950c17e959285471f324a1875a396b6fea5d2b23e4fc49afc7e0737dee5c73f8ba14a396f9f5794e8a03579

Download Submit
\Users\Admin\hxraum.exe

Filesize
124KB

MD5
76377115e4d6ad68748963b87c4a1f69

SHA1
3e491f311850e5f552c3e695af3113a25a222b4a

SHA256
d97a4cb88ea04425f3b15a37d710191ec425d8abb5bbff4d168c0d8ba4f1295c

SHA512
522e0bd6ffb019423424e53e331d3b4077602e70c874fb639289fc7da207c777369c6b63ec4a44c178da16a94aba2cff32e1ce9ed9670cc613a92e59c07583bd

Download Submit
\Users\Admin\nuebu.exe

Filesize
124KB

MD5
553c422155693a84f9193216a7b80629

SHA1
67aa10b8e57682f18e2954d265f26f823533f26f

SHA256
bf7fb6e27c969b2b86576f0986edb7033280c6e7cef6ef47d5d627dd46321acb

SHA512
2cf43fb85dc1c2f00a843fa0e9cb021ecd3c545412226a80e6951567175ff6e337ff06d544af88f63334649839c6ab85da7ddcb98077f040dc4e89bf6d537182

Download Submit
\Users\Admin\peofo.exe

Filesize
124KB

MD5
6aaf5f735e285fca39b0a82d7501f5a1

SHA1
732e8ec1e9c12945118ae81b51df38c117d61b48

SHA256
ff59ed0765cebb39718b4d9d41e0edcd72bbcfdcef0de13fe0ac8039564c30a2

SHA512
912a64996102dc6b7b9b386c14c30e4e9407fb3b1d00b47ecfb0fcd5e6788bf31bdcd08ea4257f827c3918154dd8dc9a67e16a9b7d83c6b520308b93b3bd0c8d

Download Submit
\Users\Admin\qxguek.exe

Filesize
124KB

MD5
6df6f83ed56cd566b03821314a53b1ca

SHA1
60e8cbd462ff5b38eb9d2a541671a2ad6eec83cb

SHA256
a7252579c885b6715538d61731d455c55dd5aa7864e836cb369dacf24ad072a1

SHA512
c9b5067394c226cbe13d2b3c2e257f05636031e2fba3fa3bb134d5482a7ffe968b84fb7d2d44d5f1aa55fe469091f92bbfcf0622d1d96caac844b98a5952d65c

Download Submit
\Users\Admin\xeiiqo.exe

Filesize
124KB

MD5
56b345aa2e3216b777c245b3b2963cc0

SHA1
1a227cc7a191f3d57dba4fcc34e17f7eb6fcb735

SHA256
4683bdaffb5a68e33debc082869933a2a24becf8dd323e1a8858bf8a9086e04c

SHA512
73d9364d1c44bcc5d80d5b985e1e25fadadfbdb9a89386fab9e8a1ff4c5da4a51dbfa276b13836ae4ebb2288b860fabdcf309884e5a2a88dd0319d4da66a8ed9

Download Submit