Analysis Overview
SHA256
d5d4068e75d565763b518b9e7712ca12eb303e2083b668353b668438c84cff69
Threat Level: Known bad
The file d5d4068e75d565763b518b9e7712ca12eb303e2083b668353b668438c84cff69 was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-26 03:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-26 03:29
Reported
2024-05-26 03:31
Platform
win7-20240508-en
Max time kernel
149s
Max time network
143s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\d5d4068e75d565763b518b9e7712ca12eb303e2083b668353b668438c84cff69.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\reiroaw.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\reiroaw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d5d4068e75d565763b518b9e7712ca12eb303e2083b668353b668438c84cff69.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d5d4068e75d565763b518b9e7712ca12eb303e2083b668353b668438c84cff69.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /L" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /M" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /c" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /H" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /j" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /d" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /Z" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /U" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /e" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /z" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /E" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /k" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /y" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /A" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /Y" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /W" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /N" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /s" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /D" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /t" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /r" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /I" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /u" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /w" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /h" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /a" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /P" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /Q" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /J" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /T" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /K" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /R" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /o" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /l" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /g" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /V" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /b" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /p" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /F" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /i" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /p" | C:\Users\Admin\AppData\Local\Temp\d5d4068e75d565763b518b9e7712ca12eb303e2083b668353b668438c84cff69.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /S" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /O" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /G" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /q" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /n" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /v" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /X" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /B" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /m" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /x" | C:\Users\Admin\reiroaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\reiroaw = "C:\\Users\\Admin\\reiroaw.exe /C" | C:\Users\Admin\reiroaw.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d5d4068e75d565763b518b9e7712ca12eb303e2083b668353b668438c84cff69.exe | N/A |
| N/A | N/A | C:\Users\Admin\reiroaw.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2960 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\d5d4068e75d565763b518b9e7712ca12eb303e2083b668353b668438c84cff69.exe | C:\Users\Admin\reiroaw.exe |
| PID 2960 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\d5d4068e75d565763b518b9e7712ca12eb303e2083b668353b668438c84cff69.exe | C:\Users\Admin\reiroaw.exe |
| PID 2960 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\d5d4068e75d565763b518b9e7712ca12eb303e2083b668353b668438c84cff69.exe | C:\Users\Admin\reiroaw.exe |
| PID 2960 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\d5d4068e75d565763b518b9e7712ca12eb303e2083b668353b668438c84cff69.exe | C:\Users\Admin\reiroaw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\d5d4068e75d565763b518b9e7712ca12eb303e2083b668353b668438c84cff69.exe
"C:\Users\Admin\AppData\Local\Temp\d5d4068e75d565763b518b9e7712ca12eb303e2083b668353b668438c84cff69.exe"
C:\Users\Admin\reiroaw.exe
"C:\Users\Admin\reiroaw.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ns1.player1352.com | udp |
| US | 8.8.8.8:53 | ns1.player1352.net | udp |
| US | 107.178.223.183:8000 | ns1.player1352.net | tcp |
Files
\Users\Admin\reiroaw.exe
| MD5 | 5c956adc6493c075d984d56b15486240 |
| SHA1 | 0f0e2b17b728959d09e244289dbfdc83b109dc8a |
| SHA256 | 5d38dce0cdd46c6847d46a2e39533daaea7eb36b54213931ad5cd1c342e4e74f |
| SHA512 | 3cc7708ec781a534253c6c392eefdc3cb38f55012ebb406a953dd26b87889f27b29e75f1b58d12142bb28ae1d8179a337da55bc4ec5fa3748933ab9f5ec3611f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-26 03:29
Reported
2024-05-26 03:31
Platform
win10v2004-20240226-en
Max time kernel
151s
Max time network
157s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\d5d4068e75d565763b518b9e7712ca12eb303e2083b668353b668438c84cff69.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\maimit.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d5d4068e75d565763b518b9e7712ca12eb303e2083b668353b668438c84cff69.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\maimit.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /c" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /N" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /T" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /W" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /d" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /l" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /P" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /j" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /A" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /G" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /n" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /E" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /w" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /B" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /g" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /M" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /Y" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /x" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /y" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /z" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /S" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /h" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /r" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /L" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /b" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /m" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /V" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /K" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /R" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /f" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /O" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /D" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /t" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /s" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /a" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /Q" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /k" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /o" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /i" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /s" | C:\Users\Admin\AppData\Local\Temp\d5d4068e75d565763b518b9e7712ca12eb303e2083b668353b668438c84cff69.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /v" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /X" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /e" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /q" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /Z" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /J" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /u" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /C" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /U" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /H" | C:\Users\Admin\maimit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maimit = "C:\\Users\\Admin\\maimit.exe /F" | C:\Users\Admin\maimit.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d5d4068e75d565763b518b9e7712ca12eb303e2083b668353b668438c84cff69.exe | N/A |
| N/A | N/A | C:\Users\Admin\maimit.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3352 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\d5d4068e75d565763b518b9e7712ca12eb303e2083b668353b668438c84cff69.exe | C:\Users\Admin\maimit.exe |
| PID 3352 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\d5d4068e75d565763b518b9e7712ca12eb303e2083b668353b668438c84cff69.exe | C:\Users\Admin\maimit.exe |
| PID 3352 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\d5d4068e75d565763b518b9e7712ca12eb303e2083b668353b668438c84cff69.exe | C:\Users\Admin\maimit.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\d5d4068e75d565763b518b9e7712ca12eb303e2083b668353b668438c84cff69.exe
"C:\Users\Admin\AppData\Local\Temp\d5d4068e75d565763b518b9e7712ca12eb303e2083b668353b668438c84cff69.exe"
C:\Users\Admin\maimit.exe
"C:\Users\Admin\maimit.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4440 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 20.231.121.79:80 | N/A | tcp |
| US | 8.8.8.8:53 | ns1.player1352.com | udp |
| US | 8.8.8.8:53 | ns1.player1352.net | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 13.107.246.64:443 | N/A | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
C:\Users\Admin\maimit.exe
| MD5 | ae4cb7e0a0a49e9d3701964607efd08f |
| SHA1 | 945d1b7191d0c8e902ece3ad2787baf785e1a2ac |
| SHA256 | ce114a307f64ca74557dc56f506393c18271a85da1636d248839ea8601bfd914 |
| SHA512 | 7554909e0d6c31123b2f62336acb500cf3ab6467599883edd979086ad2d18ad0da3e4861e94e9772ddf0db7fb34df4da4c4c0e851e465748f64f8d37c3fb9846 |