Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system -
submitted
26/05/2024, 03:23
Static task
static1
Behavioral task
behavioral1
Sample
d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe
Resource
win10v2004-20240226-en
General
-
Target
d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe
-
Size
124KB
-
MD5
5ca912a6d51d63f079ffd545032dabd4
-
SHA1
96a13a52f86e9ee5aeb98fe6209d4c3858cb9155
-
SHA256
d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e
-
SHA512
25b077da6818d57cba28c0daa316a8a80298ac67008605b517e1daeded1e78250c84c6275b2f25a9bb8519ceb516b66a3e781e0ab98ac93a81f434b443508abf
-
SSDEEP
1536:TrszL5YAhRO/N69BH3OoGa+FL9jKceRgrkjSo:PGdYAhkFoN3Oo1+F92S
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 46 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" luetey.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" fuheq.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" raiqaiy.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" vgcew.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" heafo.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" qeusouc.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" zoudas.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ruuavu.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" kqtoeb.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" yaros.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" tnvaix.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ftkar.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" yapen.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" liagib.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" vaamen.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" wauxoim.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" vswox.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" deudeuv.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" bjyaoc.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" bhcus.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" saaogad.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" maoreo.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" hioab.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" quinaez.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" zaoigi.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" racev.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" tlmof.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" rqrap.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" keideok.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" xaaxi.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" gaiez.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" viejoob.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" coecuo.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" woucae.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" mieas.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ziafa.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" fuaecuk.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" sueku.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" leuyeun.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" woiciw.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" jieeb.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" zxhem.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" zaziv.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" boewi.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" saauv.exe -
Executes dropped EXE 46 IoCs
pid Process 1332 fuheq.exe 2752 mieas.exe 2592 raiqaiy.exe 2588 maoreo.exe 1700 xaaxi.exe 2928 zxhem.exe 1576 ziafa.exe 2828 zaziv.exe 800 hioab.exe 2340 liagib.exe 484 boewi.exe 2028 vaamen.exe 2432 fuaecuk.exe 1980 sueku.exe 2104 wauxoim.exe 2180 leuyeun.exe 2364 ruuavu.exe 2984 quinaez.exe 2232 kqtoeb.exe 2656 vswox.exe 1080 tlmof.exe 1724 vgcew.exe 304 yaros.exe 1612 deudeuv.exe 720 saauv.exe 1036 tnvaix.exe 1548 gaiez.exe 1748 yapen.exe 2888 woucae.exe 2760 zaoigi.exe 2728 ftkar.exe 2916 racev.exe 2964 viejoob.exe 1908 bjyaoc.exe 3012 coecuo.exe 2456 heafo.exe 2296 qeusouc.exe 1200 bhcus.exe 2708 saaogad.exe 1156 woiciw.exe 1068 rqrap.exe 2000 luetey.exe 920 jieeb.exe 448 keideok.exe 3052 zoudas.exe 2272 feafooz.exe -
Loads dropped DLL 64 IoCs
pid Process 2236 d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe 2236 d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe 1332 fuheq.exe 1332 fuheq.exe 2752 mieas.exe 2752 mieas.exe 2592 raiqaiy.exe 2592 raiqaiy.exe 2588 maoreo.exe 2588 maoreo.exe 1700 xaaxi.exe 1700 xaaxi.exe 2928 zxhem.exe 2928 zxhem.exe 1576 ziafa.exe 1576 ziafa.exe 2828 zaziv.exe 2828 zaziv.exe 800 hioab.exe 800 hioab.exe 2340 liagib.exe 2340 liagib.exe 484 boewi.exe 484 boewi.exe 2028 vaamen.exe 2028 vaamen.exe 2432 fuaecuk.exe 2432 fuaecuk.exe 1980 sueku.exe 1980 sueku.exe 2104 wauxoim.exe 2104 wauxoim.exe 2180 leuyeun.exe 2180 leuyeun.exe 2364 ruuavu.exe 2364 ruuavu.exe 2984 quinaez.exe 2984 quinaez.exe 2232 kqtoeb.exe 2232 kqtoeb.exe 2656 vswox.exe 2656 vswox.exe 1080 tlmof.exe 1080 tlmof.exe 1724 vgcew.exe 1724 vgcew.exe 304 yaros.exe 304 yaros.exe 1612 deudeuv.exe 1612 deudeuv.exe 720 saauv.exe 720 saauv.exe 1036 tnvaix.exe 1036 tnvaix.exe 1548 gaiez.exe 1548 gaiez.exe 1748 yapen.exe 1748 yapen.exe 2888 woucae.exe 2888 woucae.exe 2760 zaoigi.exe 2760 zaoigi.exe 2728 ftkar.exe 2728 ftkar.exe -
Adds Run key to start application 2 TTPs 46 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuaecuk = "C:\\Users\\Admin\\fuaecuk.exe /d" vaamen.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wauxoim = "C:\\Users\\Admin\\wauxoim.exe /y" sueku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\leuyeun = "C:\\Users\\Admin\\leuyeun.exe /S" wauxoim.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\kqtoeb = "C:\\Users\\Admin\\kqtoeb.exe /S" quinaez.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\coecuo = "C:\\Users\\Admin\\coecuo.exe /t" bjyaoc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeusouc = "C:\\Users\\Admin\\qeusouc.exe /z" heafo.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\feafooz = "C:\\Users\\Admin\\feafooz.exe /J" zoudas.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaaxi = "C:\\Users\\Admin\\xaaxi.exe /i" maoreo.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\tnvaix = "C:\\Users\\Admin\\tnvaix.exe /v" saauv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\bjyaoc = "C:\\Users\\Admin\\bjyaoc.exe /k" viejoob.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\keideok = "C:\\Users\\Admin\\keideok.exe /s" jieeb.exe Set 
value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuheq = "C:\\Users\\Admin\\fuheq.exe /l" d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\zxhem = "C:\\Users\\Admin\\zxhem.exe /N" xaaxi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\liagib = "C:\\Users\\Admin\\liagib.exe /n" hioab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\sueku = "C:\\Users\\Admin\\sueku.exe /W" fuaecuk.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\vswox = "C:\\Users\\Admin\\vswox.exe /t" kqtoeb.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\yapen = "C:\\Users\\Admin\\yapen.exe /A" gaiez.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\viejoob = "C:\\Users\\Admin\\viejoob.exe /M" racev.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoreo = "C:\\Users\\Admin\\maoreo.exe /Q" raiqaiy.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\gaiez = "C:\\Users\\Admin\\gaiez.exe /T" tnvaix.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoigi = "C:\\Users\\Admin\\zaoigi.exe /r" woucae.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiciw = "C:\\Users\\Admin\\woiciw.exe /Y" 
saaogad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoudas = "C:\\Users\\Admin\\zoudas.exe /t" keideok.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaros = "C:\\Users\\Admin\\yaros.exe /k" vgcew.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaziv = "C:\\Users\\Admin\\zaziv.exe /e" ziafa.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioab = "C:\\Users\\Admin\\hioab.exe /i" zaziv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\boewi = "C:\\Users\\Admin\\boewi.exe /t" liagib.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruuavu = "C:\\Users\\Admin\\ruuavu.exe /Q" leuyeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\quinaez = "C:\\Users\\Admin\\quinaez.exe /i" ruuavu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\tlmof = "C:\\Users\\Admin\\tlmof.exe /h" vswox.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\bhcus = "C:\\Users\\Admin\\bhcus.exe /H" qeusouc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\raiqaiy = "C:\\Users\\Admin\\raiqaiy.exe /r" mieas.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\luetey = "C:\\Users\\Admin\\luetey.exe /w" rqrap.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\rqrap = "C:\\Users\\Admin\\rqrap.exe /c" woiciw.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\saauv = "C:\\Users\\Admin\\saauv.exe /z" deudeuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\saaogad = "C:\\Users\\Admin\\saaogad.exe /d" bhcus.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\jieeb = "C:\\Users\\Admin\\jieeb.exe /q" luetey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\mieas = "C:\\Users\\Admin\\mieas.exe /z" fuheq.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaamen = "C:\\Users\\Admin\\vaamen.exe /x" boewi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\ftkar = "C:\\Users\\Admin\\ftkar.exe /m" zaoigi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziafa = "C:\\Users\\Admin\\ziafa.exe /P" zxhem.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\deudeuv = "C:\\Users\\Admin\\deudeuv.exe /E" yaros.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\woucae = "C:\\Users\\Admin\\woucae.exe /P" yapen.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\racev = "C:\\Users\\Admin\\racev.exe /t" ftkar.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\heafo = "C:\\Users\\Admin\\heafo.exe /t" coecuo.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\vgcew = "C:\\Users\\Admin\\vgcew.exe /D" tlmof.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 46 IoCs
pid Process 2236 d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe 1332 fuheq.exe 2752 mieas.exe 2592 raiqaiy.exe 2588 maoreo.exe 1700 xaaxi.exe 2928 zxhem.exe 1576 ziafa.exe 2828 zaziv.exe 800 hioab.exe 2340 liagib.exe 484 boewi.exe 2028 vaamen.exe 2432 fuaecuk.exe 1980 sueku.exe 2104 wauxoim.exe 2180 leuyeun.exe 2364 ruuavu.exe 2984 quinaez.exe 2232 kqtoeb.exe 2656 vswox.exe 1080 tlmof.exe 1724 vgcew.exe 304 yaros.exe 1612 deudeuv.exe 720 saauv.exe 1036 tnvaix.exe 1548 gaiez.exe 1748 yapen.exe 2888 woucae.exe 2760 zaoigi.exe 2728 ftkar.exe 2916 racev.exe 2964 viejoob.exe 1908 bjyaoc.exe 3012 coecuo.exe 2456 heafo.exe 2296 qeusouc.exe 1200 bhcus.exe 2708 saaogad.exe 1156 woiciw.exe 1068 rqrap.exe 2000 luetey.exe 920 jieeb.exe 448 keideok.exe 3052 zoudas.exe -
Suspicious use of SetWindowsHookEx 47 IoCs
pid Process 2236 d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe 1332 fuheq.exe 2752 mieas.exe 2592 raiqaiy.exe 2588 maoreo.exe 1700 xaaxi.exe 2928 zxhem.exe 1576 ziafa.exe 2828 zaziv.exe 800 hioab.exe 2340 liagib.exe 484 boewi.exe 2028 vaamen.exe 2432 fuaecuk.exe 1980 sueku.exe 2104 wauxoim.exe 2180 leuyeun.exe 2364 ruuavu.exe 2984 quinaez.exe 2232 kqtoeb.exe 2656 vswox.exe 1080 tlmof.exe 1724 vgcew.exe 304 yaros.exe 1612 deudeuv.exe 720 saauv.exe 1036 tnvaix.exe 1548 gaiez.exe 1748 yapen.exe 2888 woucae.exe 2760 zaoigi.exe 2728 ftkar.exe 2916 racev.exe 2964 viejoob.exe 1908 bjyaoc.exe 3012 coecuo.exe 2456 heafo.exe 2296 qeusouc.exe 1200 bhcus.exe 2708 saaogad.exe 1156 woiciw.exe 1068 rqrap.exe 2000 luetey.exe 920 jieeb.exe 448 keideok.exe 3052 zoudas.exe 2272 feafooz.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2236 wrote to memory of 1332 2236 d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe 28 PID 2236 wrote to memory of 1332 2236 d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe 28 PID 2236 wrote to memory of 1332 2236 d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe 28 PID 2236 wrote to memory of 1332 2236 d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe 28 PID 1332 wrote to memory of 2752 1332 fuheq.exe 29 PID 1332 wrote to memory of 2752 1332 fuheq.exe 29 PID 1332 wrote to memory of 2752 1332 fuheq.exe 29 PID 1332 wrote to memory of 2752 1332 fuheq.exe 29 PID 2752 wrote to memory of 2592 2752 mieas.exe 30 PID 2752 wrote to memory of 2592 2752 mieas.exe 30 PID 2752 wrote to memory of 2592 2752 mieas.exe 30 PID 2752 wrote to memory of 2592 2752 mieas.exe 30 PID 2592 wrote to memory of 2588 2592 raiqaiy.exe 31 PID 2592 wrote to memory of 2588 2592 raiqaiy.exe 31 PID 2592 wrote to memory of 2588 2592 raiqaiy.exe 31 PID 2592 wrote to memory of 2588 2592 raiqaiy.exe 31 PID 2588 wrote to memory of 1700 2588 maoreo.exe 32 PID 2588 wrote to memory of 1700 2588 maoreo.exe 32 PID 2588 wrote to memory of 1700 2588 maoreo.exe 32 PID 2588 wrote to memory of 1700 2588 maoreo.exe 32 PID 1700 wrote to memory of 2928 1700 xaaxi.exe 33 PID 1700 wrote to memory of 2928 1700 xaaxi.exe 33 PID 1700 wrote to memory of 2928 1700 xaaxi.exe 33 PID 1700 wrote to memory of 2928 1700 xaaxi.exe 33 PID 2928 wrote to memory of 1576 2928 zxhem.exe 34 PID 2928 wrote to memory of 1576 2928 zxhem.exe 34 PID 2928 wrote to memory of 1576 2928 zxhem.exe 34 PID 2928 wrote to memory of 1576 2928 zxhem.exe 34 PID 1576 wrote to memory of 2828 1576 ziafa.exe 35 PID 1576 wrote to memory of 2828 1576 ziafa.exe 35 PID 1576 wrote to memory of 2828 1576 ziafa.exe 35 PID 1576 wrote to memory of 2828 1576 ziafa.exe 35 PID 2828 wrote to memory of 800 2828 zaziv.exe 36 PID 2828 wrote to memory of 800 
2828 zaziv.exe 36 PID 2828 wrote to memory of 800 2828 zaziv.exe 36 PID 2828 wrote to memory of 800 2828 zaziv.exe 36 PID 800 wrote to memory of 2340 800 hioab.exe 37 PID 800 wrote to memory of 2340 800 hioab.exe 37 PID 800 wrote to memory of 2340 800 hioab.exe 37 PID 800 wrote to memory of 2340 800 hioab.exe 37 PID 2340 wrote to memory of 484 2340 liagib.exe 38 PID 2340 wrote to memory of 484 2340 liagib.exe 38 PID 2340 wrote to memory of 484 2340 liagib.exe 38 PID 2340 wrote to memory of 484 2340 liagib.exe 38 PID 484 wrote to memory of 2028 484 boewi.exe 39 PID 484 wrote to memory of 2028 484 boewi.exe 39 PID 484 wrote to memory of 2028 484 boewi.exe 39 PID 484 wrote to memory of 2028 484 boewi.exe 39 PID 2028 wrote to memory of 2432 2028 vaamen.exe 40 PID 2028 wrote to memory of 2432 2028 vaamen.exe 40 PID 2028 wrote to memory of 2432 2028 vaamen.exe 40 PID 2028 wrote to memory of 2432 2028 vaamen.exe 40 PID 2432 wrote to memory of 1980 2432 fuaecuk.exe 41 PID 2432 wrote to memory of 1980 2432 fuaecuk.exe 41 PID 2432 wrote to memory of 1980 2432 fuaecuk.exe 41 PID 2432 wrote to memory of 1980 2432 fuaecuk.exe 41 PID 1980 wrote to memory of 2104 1980 sueku.exe 44 PID 1980 wrote to memory of 2104 1980 sueku.exe 44 PID 1980 wrote to memory of 2104 1980 sueku.exe 44 PID 1980 wrote to memory of 2104 1980 sueku.exe 44 PID 2104 wrote to memory of 2180 2104 wauxoim.exe 45 PID 2104 wrote to memory of 2180 2104 wauxoim.exe 45 PID 2104 wrote to memory of 2180 2104 wauxoim.exe 45 PID 2104 wrote to memory of 2180 2104 wauxoim.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe"C:\Users\Admin\AppData\Local\Temp\d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe"1⤵
- Modifies visibility of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Users\Admin\fuheq.exe"C:\Users\Admin\fuheq.exe"2⤵
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Users\Admin\mieas.exe"C:\Users\Admin\mieas.exe"3⤵
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Users\Admin\raiqaiy.exe"C:\Users\Admin\raiqaiy.exe"4⤵
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Users\Admin\maoreo.exe"C:\Users\Admin\maoreo.exe"5⤵
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Users\Admin\xaaxi.exe"C:\Users\Admin\xaaxi.exe"6⤵
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Users\Admin\zxhem.exe"C:\Users\Admin\zxhem.exe"7⤵
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Users\Admin\ziafa.exe"C:\Users\Admin\ziafa.exe"8⤵
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Users\Admin\zaziv.exe"C:\Users\Admin\zaziv.exe"9⤵
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Users\Admin\hioab.exe"C:\Users\Admin\hioab.exe"10⤵
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Users\Admin\liagib.exe"C:\Users\Admin\liagib.exe"11⤵
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Users\Admin\boewi.exe"C:\Users\Admin\boewi.exe"12⤵
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:484 -
C:\Users\Admin\vaamen.exe"C:\Users\Admin\vaamen.exe"13⤵
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Users\Admin\fuaecuk.exe"C:\Users\Admin\fuaecuk.exe"14⤵
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Users\Admin\sueku.exe"C:\Users\Admin\sueku.exe"15⤵
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Users\Admin\wauxoim.exe"C:\Users\Admin\wauxoim.exe"16⤵
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Users\Admin\leuyeun.exe"C:\Users\Admin\leuyeun.exe"17⤵
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2180 -
C:\Users\Admin\ruuavu.exe"C:\Users\Admin\ruuavu.exe"18⤵
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2364 -
C:\Users\Admin\quinaez.exe"C:\Users\Admin\quinaez.exe"19⤵
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2984 -
C:\Users\Admin\kqtoeb.exe"C:\Users\Admin\kqtoeb.exe"20⤵
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2232 -
C:\Users\Admin\vswox.exe"C:\Users\Admin\vswox.exe"21⤵
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2656 -
C:\Users\Admin\tlmof.exe"C:\Users\Admin\tlmof.exe"22⤵
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1080 -
C:\Users\Admin\vgcew.exe"C:\Users\Admin\vgcew.exe"23⤵
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1724 -
C:\Users\Admin\yaros.exe"C:\Users\Admin\yaros.exe"24⤵
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:304 -
C:\Users\Admin\deudeuv.exe "C:\Users\Admin\deudeuv.exe" 25⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1612 -
C:\Users\Admin\saauv.exe "C:\Users\Admin\saauv.exe" 26⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:720 -
C:\Users\Admin\tnvaix.exe "C:\Users\Admin\tnvaix.exe" 27⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1036 -
C:\Users\Admin\gaiez.exe "C:\Users\Admin\gaiez.exe" 28⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1548 -
C:\Users\Admin\yapen.exe "C:\Users\Admin\yapen.exe" 29⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1748 -
C:\Users\Admin\woucae.exe "C:\Users\Admin\woucae.exe" 30⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2888 -
C:\Users\Admin\zaoigi.exe "C:\Users\Admin\zaoigi.exe" 31⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2760 -
C:\Users\Admin\ftkar.exe "C:\Users\Admin\ftkar.exe" 32⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2728 -
C:\Users\Admin\racev.exe "C:\Users\Admin\racev.exe" 33⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2916 -
C:\Users\Admin\viejoob.exe "C:\Users\Admin\viejoob.exe" 34⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2964 -
C:\Users\Admin\bjyaoc.exe "C:\Users\Admin\bjyaoc.exe" 35⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1908 -
C:\Users\Admin\coecuo.exe "C:\Users\Admin\coecuo.exe" 36⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3012 -
C:\Users\Admin\heafo.exe "C:\Users\Admin\heafo.exe" 37⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2456 -
C:\Users\Admin\qeusouc.exe "C:\Users\Admin\qeusouc.exe" 38⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2296 -
C:\Users\Admin\bhcus.exe "C:\Users\Admin\bhcus.exe" 39⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1200 -
C:\Users\Admin\saaogad.exe "C:\Users\Admin\saaogad.exe" 40⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2708 -
C:\Users\Admin\woiciw.exe "C:\Users\Admin\woiciw.exe" 41⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1156 -
C:\Users\Admin\rqrap.exe "C:\Users\Admin\rqrap.exe" 42⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1068 -
C:\Users\Admin\luetey.exe "C:\Users\Admin\luetey.exe" 43⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2000 -
C:\Users\Admin\jieeb.exe "C:\Users\Admin\jieeb.exe" 44⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:920 -
C:\Users\Admin\keideok.exe "C:\Users\Admin\keideok.exe" 45⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:448 -
C:\Users\Admin\zoudas.exe "C:\Users\Admin\zoudas.exe" 46⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3052 -
C:\Users\Admin\feafooz.exe "C:\Users\Admin\feafooz.exe" 47⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2272 -
C:\Users\Admin\tiiovu.exe "C:\Users\Admin\tiiovu.exe" 48⤵
PID:2152
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
124KB
MD5 cd8e50c53e5bc33956937efe38de528f
SHA1 f00be45f5e045a12a8e1832196a3bbf0af85b067
SHA256 7fb3be3d525a318edc18493a6c6d77ce377c9333448a4538ea0cf3ed640d20e9
SHA512 e9124d71de6b03cf878e8c76a8f944b112c8545c745ce883db813126566c1d21bdeadbb233f9608992ba198317c195d98b48453d76897288f2a371f686c99c8d
-
Filesize
124KB
MD5 075bf1d900377dabd2e22cd90ec59df8
SHA1 281b84dbaccb31e5b6993339fbd9a89c9f5bdaf7
SHA256 aa4f4b85f8e6be884adb5f9d91b1c08bf905850049b418c4b53a5c3764d21e5b
SHA512 78658a51f818206c772363cf80f368006181827737a5bdf56bc5744578e28f759f75a6adfb6e1697ea71961a2e1a713f5e272b1975dc2f06493ee77be84d949c
-
Filesize
124KB
MD5 bb810e4614db8012665e0f5165bc784f
SHA1 a2f8b0c77ab65d30643c6a0e94abbc386b9d0931
SHA256 4828246632aaeed2c0c819299049a09792b81ab361298f5f6eacf2f05e66dc11
SHA512 db928c83ed443118379de8e56aead8de468736df6fc17298840e712543d505ebc2b6e0293eaee12b09257b002068e8b3e62db2f755ca13c32a41bf0220910717
-
Filesize
124KB
MD5 7d5abbc332f4e6d78a4b95a10d9b88c3
SHA1 a2352ae3c71bce5f57b9899d7a4b90d3cb9466a7
SHA256 3fbb2d79bbabe5b3f21a64882da3634d6f66d8bc926335325b5a421674c0e40c
SHA512 7220f2bd118b2d98e879261021e6ab893ed383ac89d91be68b58c03205b1140686ae5de19fdec4de6f06bce01d47c11879741f51824b00d4d1e1a74be7a2ebcb
-
Filesize
124KB
MD5 2ac582338bb73d7e6fa6aebc9cfa248e
SHA1 a566112ae9fa3513c38abd145d76aafc6702abde
SHA256 c6a7f3e3492ce8c3c8be04a884ee15d6e4249114c4bfe917400b76bb829f8109
SHA512 a805833ff48be328d4d45f5fc2142448fc280b7d5e8f487057e32acd4ab2caa212a4c16268458b370fb14af34e16575c02621b71072118378101512073963933
-
Filesize
124KB
MD5 076efc0046adafba9e1f642e89560ae4
SHA1 ef9d1e5400b2a6e77954b30d395127dac8cbaa71
SHA256 711cd3d568cbc214250dd04353053b588541a132263f7309f840b1a179749974
SHA512 57645f6a7ac82f37a36ca8a4fb3ed98c8597d169aa6bdfd7f55dda3cec5512761a4450238c5327ae3eb423be3c35e08ea4240cc8a0c1b1ea4a510f3b346951a1
-
Filesize
124KB
MD5 dee43c0f0cebb14155c3b8bc52ac1f9c
SHA1 2509dc6d73801fb77daabf9b8b422519a91ee961
SHA256 b4b208cc1b510283766e0145ae943e1ccfb9d9ff1f580cfab8a201ca9fdf5d1b
SHA512 c6d7275fbcfa78563071ef9ad49c646565287124a000fd47ea5bc3546f53b19298a9ab94f9251d5412b3f294f6a71d6b1ba8fccdd4b3c2a795240c8fbe38ef4b
-
Filesize
124KB
MD5 8be235f29083cbc6a1be94c36b822f9e
SHA1 2ddae69151dea9d014c351559bf39147d191dbbd
SHA256 f01cccaa2da7ec3d3c9e14ccf511dfc99ac55138b29eb3b59ce12d14aeeae4e5
SHA512 61677e7507e1bd3080ce3ff99a9a3ded1790be32fe652e115928dbe83ea915ac3a60f8d021d30bdc764db834fee56552efa0fbf571eec07dbf50300d841d3b83
-
Filesize
124KB
MD5 f40f8914dff335871f9b08ac52fa11be
SHA1 d93fe345e6dd7969378bad4db74fa3d990c92aa7
SHA256 2531a311702302b822066980b19686add5ff0d507c9139fb22fd5e46b8bd6ee2
SHA512 545cbfbbc27c19ba2064310769ca1991ac0f72f4833187e4751e6ca648fbc49cfceb7af938270f61a9b5235b03b3ea28a675fe5f28967270ed070b48b8affc0a
-
Filesize
124KB
MD5 726f5c1831156e1e3e31718801a2873c
SHA1 a88bd2fe8d9f602be55f0ff3c3755c22487702c0
SHA256 e72f923925a30ad3904dae59c332e7660b8c989017d61d5483f4c066c797337f
SHA512 0d552a71a04b219cfededf935d97d49ff80276f5aa2377dff68a2f7bf57c31bc873b04f0a75db793b8b0ecf1bff8f10c80e35eab000aed9906e6ac786e7dd9ad
-
Filesize
124KB
MD5 37618afb019479c25ef4bd760e6ae6c1
SHA1 a0e896a90dc82c52c0de65d013d6bf711866b402
SHA256 f2450450ef7e8ea0198ede49aa1c00586371d3a2777aea810a40f3841b5b7b08
SHA512 3a4896f29b1cf40d2d4238b6c69616cc0e928e0b2b0522ed16dec5df0faedf5d8ee626078fa7587400008860e8cc5e1034ec080f7f22914a33160d3cf1264bf0
-
Filesize
124KB
MD5 92f9d6179e229c1ccf33bb5e3507b912
SHA1 6e6ee0a7e0f5f67ec81633aa44e3753a70969fbd
SHA256 18fd147e6415fe81176f1b318d985cd4d690eb3ffd22517c402ae3966a3e93d8
SHA512 9683c337dab2c39a05df62edd0c40f787725522351c17a6b0bf6ba7f30bb420103bcb596b94746269176dcc7fbba9e754e96118367b42c6d99a8f042b3bc4d6b
-
Filesize
124KB
MD5 fcb7a0db341a694d5fe70665e6076a13
SHA1 dc5f4eacd80622ebb566831c5d0da254f2d80a5d
SHA256 6c57b85c34dde9b22bc5c560578a91cd65d0d6bf51a062b564893900788479fa
SHA512 c4efe42caefbf8c154abb8c93ba372b5202a7a54f12780f7b8be42611e96ea89b79092bf6780652dbfa415338d3257d4b7724bb4e96df27bee0afd1e7a0cb85b
-
Filesize
124KB
MD5 06a8a76d866cf0da2e0fdeb5db40f57d
SHA1 4318e468d8ea09076f94841d48c058f65d278573
SHA256 ce8a0875494a47a0412e1d82177a13bf421c5bf6e11dd1a50ef636fa10844907
SHA512 6c661a709bda9d64e6a48124f65fece88e4d94aadb06246658f8cd421b4b99c66c218638c5aa60a6be686f9a3f1c59cbfada2910e9f261577ef55e6ba3183b6f
-
Filesize
124KB
MD5 499a01ecab46d61496c3cd4ba3c6c28f
SHA1 9028d1dbff80173d8e646b0e31421591248a15df
SHA256 0021a069aa447db702e53a06ca5172f13d0aa396fc87be6de50f07cbc6c5ed0d
SHA512 4adc6a22a44fc9b2d7602aec79727223a39b6c3a7d15fd4d53e08516163a22c6a986c5587405ecdc5d69ed717bc9da0f74cbc35649ae1a3e4991e8007cc2d78f
-
Filesize
124KB
MD5 bfe8de80ddefe1efff4e9e8be620e91e
SHA1 21a3c658d6cab20632cd0432a6596a4a1104bea9
SHA256 6f347c6206afcb1e1c96b9adf722f7c994d84115261cf1f1ace5706a48796097
SHA512 3f3f3c4c7bfa8d5793d82eccd161386db680223b1592ac7293df65c0b61606c4ce0b97065f2a6f8db27e61d9853a716a13e97f27f6b6482306bfd195cf69563b