Malware Analysis Report

2025-08-05 19:16

Sample ID 240526-dxk7vadg77
Target d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e
SHA256 d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e

Threat Level: Known bad

The file d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-26 03:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 03:23

Reported

2024-05-26 03:25

Platform

win7-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\luetey.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\fuheq.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\raiqaiy.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\vgcew.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\heafo.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\qeusouc.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\zoudas.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\ruuavu.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\kqtoeb.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\yaros.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\tnvaix.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\ftkar.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\yapen.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\liagib.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\vaamen.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\wauxoim.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\vswox.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\deudeuv.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\bjyaoc.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\bhcus.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\saaogad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\maoreo.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\hioab.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\quinaez.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\zaoigi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\racev.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\tlmof.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\rqrap.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\keideok.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\xaaxi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\gaiez.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\viejoob.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\coecuo.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\woucae.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\mieas.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\ziafa.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\fuaecuk.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\sueku.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\leuyeun.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\woiciw.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\jieeb.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\zxhem.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\zaziv.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\boewi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\saauv.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\fuheq.exe N/A
N/A N/A C:\Users\Admin\mieas.exe N/A
N/A N/A C:\Users\Admin\raiqaiy.exe N/A
N/A N/A C:\Users\Admin\maoreo.exe N/A
N/A N/A C:\Users\Admin\xaaxi.exe N/A
N/A N/A C:\Users\Admin\zxhem.exe N/A
N/A N/A C:\Users\Admin\ziafa.exe N/A
N/A N/A C:\Users\Admin\zaziv.exe N/A
N/A N/A C:\Users\Admin\hioab.exe N/A
N/A N/A C:\Users\Admin\liagib.exe N/A
N/A N/A C:\Users\Admin\boewi.exe N/A
N/A N/A C:\Users\Admin\vaamen.exe N/A
N/A N/A C:\Users\Admin\fuaecuk.exe N/A
N/A N/A C:\Users\Admin\sueku.exe N/A
N/A N/A C:\Users\Admin\wauxoim.exe N/A
N/A N/A C:\Users\Admin\leuyeun.exe N/A
N/A N/A C:\Users\Admin\ruuavu.exe N/A
N/A N/A C:\Users\Admin\quinaez.exe N/A
N/A N/A C:\Users\Admin\kqtoeb.exe N/A
N/A N/A C:\Users\Admin\vswox.exe N/A
N/A N/A C:\Users\Admin\tlmof.exe N/A
N/A N/A C:\Users\Admin\vgcew.exe N/A
N/A N/A C:\Users\Admin\yaros.exe N/A
N/A N/A C:\Users\Admin\deudeuv.exe N/A
N/A N/A C:\Users\Admin\saauv.exe N/A
N/A N/A C:\Users\Admin\tnvaix.exe N/A
N/A N/A C:\Users\Admin\gaiez.exe N/A
N/A N/A C:\Users\Admin\yapen.exe N/A
N/A N/A C:\Users\Admin\woucae.exe N/A
N/A N/A C:\Users\Admin\zaoigi.exe N/A
N/A N/A C:\Users\Admin\ftkar.exe N/A
N/A N/A C:\Users\Admin\racev.exe N/A
N/A N/A C:\Users\Admin\viejoob.exe N/A
N/A N/A C:\Users\Admin\bjyaoc.exe N/A
N/A N/A C:\Users\Admin\coecuo.exe N/A
N/A N/A C:\Users\Admin\heafo.exe N/A
N/A N/A C:\Users\Admin\qeusouc.exe N/A
N/A N/A C:\Users\Admin\bhcus.exe N/A
N/A N/A C:\Users\Admin\saaogad.exe N/A
N/A N/A C:\Users\Admin\woiciw.exe N/A
N/A N/A C:\Users\Admin\rqrap.exe N/A
N/A N/A C:\Users\Admin\luetey.exe N/A
N/A N/A C:\Users\Admin\jieeb.exe N/A
N/A N/A C:\Users\Admin\keideok.exe N/A
N/A N/A C:\Users\Admin\zoudas.exe N/A
N/A N/A C:\Users\Admin\feafooz.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe N/A
N/A N/A C:\Users\Admin\fuheq.exe N/A
N/A N/A C:\Users\Admin\fuheq.exe N/A
N/A N/A C:\Users\Admin\mieas.exe N/A
N/A N/A C:\Users\Admin\mieas.exe N/A
N/A N/A C:\Users\Admin\raiqaiy.exe N/A
N/A N/A C:\Users\Admin\raiqaiy.exe N/A
N/A N/A C:\Users\Admin\maoreo.exe N/A
N/A N/A C:\Users\Admin\maoreo.exe N/A
N/A N/A C:\Users\Admin\xaaxi.exe N/A
N/A N/A C:\Users\Admin\xaaxi.exe N/A
N/A N/A C:\Users\Admin\zxhem.exe N/A
N/A N/A C:\Users\Admin\zxhem.exe N/A
N/A N/A C:\Users\Admin\ziafa.exe N/A
N/A N/A C:\Users\Admin\ziafa.exe N/A
N/A N/A C:\Users\Admin\zaziv.exe N/A
N/A N/A C:\Users\Admin\zaziv.exe N/A
N/A N/A C:\Users\Admin\hioab.exe N/A
N/A N/A C:\Users\Admin\hioab.exe N/A
N/A N/A C:\Users\Admin\liagib.exe N/A
N/A N/A C:\Users\Admin\liagib.exe N/A
N/A N/A C:\Users\Admin\boewi.exe N/A
N/A N/A C:\Users\Admin\boewi.exe N/A
N/A N/A C:\Users\Admin\vaamen.exe N/A
N/A N/A C:\Users\Admin\vaamen.exe N/A
N/A N/A C:\Users\Admin\fuaecuk.exe N/A
N/A N/A C:\Users\Admin\fuaecuk.exe N/A
N/A N/A C:\Users\Admin\sueku.exe N/A
N/A N/A C:\Users\Admin\sueku.exe N/A
N/A N/A C:\Users\Admin\wauxoim.exe N/A
N/A N/A C:\Users\Admin\wauxoim.exe N/A
N/A N/A C:\Users\Admin\leuyeun.exe N/A
N/A N/A C:\Users\Admin\leuyeun.exe N/A
N/A N/A C:\Users\Admin\ruuavu.exe N/A
N/A N/A C:\Users\Admin\ruuavu.exe N/A
N/A N/A C:\Users\Admin\quinaez.exe N/A
N/A N/A C:\Users\Admin\quinaez.exe N/A
N/A N/A C:\Users\Admin\kqtoeb.exe N/A
N/A N/A C:\Users\Admin\kqtoeb.exe N/A
N/A N/A C:\Users\Admin\vswox.exe N/A
N/A N/A C:\Users\Admin\vswox.exe N/A
N/A N/A C:\Users\Admin\tlmof.exe N/A
N/A N/A C:\Users\Admin\tlmof.exe N/A
N/A N/A C:\Users\Admin\vgcew.exe N/A
N/A N/A C:\Users\Admin\vgcew.exe N/A
N/A N/A C:\Users\Admin\yaros.exe N/A
N/A N/A C:\Users\Admin\yaros.exe N/A
N/A N/A C:\Users\Admin\deudeuv.exe N/A
N/A N/A C:\Users\Admin\deudeuv.exe N/A
N/A N/A C:\Users\Admin\saauv.exe N/A
N/A N/A C:\Users\Admin\saauv.exe N/A
N/A N/A C:\Users\Admin\tnvaix.exe N/A
N/A N/A C:\Users\Admin\tnvaix.exe N/A
N/A N/A C:\Users\Admin\gaiez.exe N/A
N/A N/A C:\Users\Admin\gaiez.exe N/A
N/A N/A C:\Users\Admin\yapen.exe N/A
N/A N/A C:\Users\Admin\yapen.exe N/A
N/A N/A C:\Users\Admin\woucae.exe N/A
N/A N/A C:\Users\Admin\woucae.exe N/A
N/A N/A C:\Users\Admin\zaoigi.exe N/A
N/A N/A C:\Users\Admin\zaoigi.exe N/A
N/A N/A C:\Users\Admin\ftkar.exe N/A
N/A N/A C:\Users\Admin\ftkar.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuaecuk = "C:\\Users\\Admin\\fuaecuk.exe /d" C:\Users\Admin\vaamen.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wauxoim = "C:\\Users\\Admin\\wauxoim.exe /y" C:\Users\Admin\sueku.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\leuyeun = "C:\\Users\\Admin\\leuyeun.exe /S" C:\Users\Admin\wauxoim.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\kqtoeb = "C:\\Users\\Admin\\kqtoeb.exe /S" C:\Users\Admin\quinaez.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\coecuo = "C:\\Users\\Admin\\coecuo.exe /t" C:\Users\Admin\bjyaoc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeusouc = "C:\\Users\\Admin\\qeusouc.exe /z" C:\Users\Admin\heafo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\feafooz = "C:\\Users\\Admin\\feafooz.exe /J" C:\Users\Admin\zoudas.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaaxi = "C:\\Users\\Admin\\xaaxi.exe /i" C:\Users\Admin\maoreo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\tnvaix = "C:\\Users\\Admin\\tnvaix.exe /v" C:\Users\Admin\saauv.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\bjyaoc = "C:\\Users\\Admin\\bjyaoc.exe /k" C:\Users\Admin\viejoob.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\keideok = "C:\\Users\\Admin\\keideok.exe /s" C:\Users\Admin\jieeb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuheq = "C:\\Users\\Admin\\fuheq.exe /l" C:\Users\Admin\AppData\Local\Temp\d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\zxhem = "C:\\Users\\Admin\\zxhem.exe /N" C:\Users\Admin\xaaxi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\liagib = "C:\\Users\\Admin\\liagib.exe /n" C:\Users\Admin\hioab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\sueku = "C:\\Users\\Admin\\sueku.exe /W" C:\Users\Admin\fuaecuk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\vswox = "C:\\Users\\Admin\\vswox.exe /t" C:\Users\Admin\kqtoeb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\yapen = "C:\\Users\\Admin\\yapen.exe /A" C:\Users\Admin\gaiez.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\viejoob = "C:\\Users\\Admin\\viejoob.exe /M" C:\Users\Admin\racev.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoreo = "C:\\Users\\Admin\\maoreo.exe /Q" C:\Users\Admin\raiqaiy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\gaiez = "C:\\Users\\Admin\\gaiez.exe /T" C:\Users\Admin\tnvaix.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoigi = "C:\\Users\\Admin\\zaoigi.exe /r" C:\Users\Admin\woucae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiciw = "C:\\Users\\Admin\\woiciw.exe /Y" C:\Users\Admin\saaogad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoudas = "C:\\Users\\Admin\\zoudas.exe /t" C:\Users\Admin\keideok.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaros = "C:\\Users\\Admin\\yaros.exe /k" C:\Users\Admin\vgcew.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaziv = "C:\\Users\\Admin\\zaziv.exe /e" C:\Users\Admin\ziafa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioab = "C:\\Users\\Admin\\hioab.exe /i" C:\Users\Admin\zaziv.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\boewi = "C:\\Users\\Admin\\boewi.exe /t" C:\Users\Admin\liagib.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruuavu = "C:\\Users\\Admin\\ruuavu.exe /Q" C:\Users\Admin\leuyeun.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\quinaez = "C:\\Users\\Admin\\quinaez.exe /i" C:\Users\Admin\ruuavu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\tlmof = "C:\\Users\\Admin\\tlmof.exe /h" C:\Users\Admin\vswox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\bhcus = "C:\\Users\\Admin\\bhcus.exe /H" C:\Users\Admin\qeusouc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\raiqaiy = "C:\\Users\\Admin\\raiqaiy.exe /r" C:\Users\Admin\mieas.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\luetey = "C:\\Users\\Admin\\luetey.exe /w" C:\Users\Admin\rqrap.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\rqrap = "C:\\Users\\Admin\\rqrap.exe /c" C:\Users\Admin\woiciw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\saauv = "C:\\Users\\Admin\\saauv.exe /z" C:\Users\Admin\deudeuv.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\saaogad = "C:\\Users\\Admin\\saaogad.exe /d" C:\Users\Admin\bhcus.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\jieeb = "C:\\Users\\Admin\\jieeb.exe /q" C:\Users\Admin\luetey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\mieas = "C:\\Users\\Admin\\mieas.exe /z" C:\Users\Admin\fuheq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaamen = "C:\\Users\\Admin\\vaamen.exe /x" C:\Users\Admin\boewi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\ftkar = "C:\\Users\\Admin\\ftkar.exe /m" C:\Users\Admin\zaoigi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziafa = "C:\\Users\\Admin\\ziafa.exe /P" C:\Users\Admin\zxhem.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\deudeuv = "C:\\Users\\Admin\\deudeuv.exe /E" C:\Users\Admin\yaros.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\woucae = "C:\\Users\\Admin\\woucae.exe /P" C:\Users\Admin\yapen.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\racev = "C:\\Users\\Admin\\racev.exe /t" C:\Users\Admin\ftkar.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\heafo = "C:\\Users\\Admin\\heafo.exe /t" C:\Users\Admin\coecuo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\vgcew = "C:\\Users\\Admin\\vgcew.exe /D" C:\Users\Admin\tlmof.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe N/A
N/A N/A C:\Users\Admin\fuheq.exe N/A
N/A N/A C:\Users\Admin\mieas.exe N/A
N/A N/A C:\Users\Admin\raiqaiy.exe N/A
N/A N/A C:\Users\Admin\maoreo.exe N/A
N/A N/A C:\Users\Admin\xaaxi.exe N/A
N/A N/A C:\Users\Admin\zxhem.exe N/A
N/A N/A C:\Users\Admin\ziafa.exe N/A
N/A N/A C:\Users\Admin\zaziv.exe N/A
N/A N/A C:\Users\Admin\hioab.exe N/A
N/A N/A C:\Users\Admin\liagib.exe N/A
N/A N/A C:\Users\Admin\boewi.exe N/A
N/A N/A C:\Users\Admin\vaamen.exe N/A
N/A N/A C:\Users\Admin\fuaecuk.exe N/A
N/A N/A C:\Users\Admin\sueku.exe N/A
N/A N/A C:\Users\Admin\wauxoim.exe N/A
N/A N/A C:\Users\Admin\leuyeun.exe N/A
N/A N/A C:\Users\Admin\ruuavu.exe N/A
N/A N/A C:\Users\Admin\quinaez.exe N/A
N/A N/A C:\Users\Admin\kqtoeb.exe N/A
N/A N/A C:\Users\Admin\vswox.exe N/A
N/A N/A C:\Users\Admin\tlmof.exe N/A
N/A N/A C:\Users\Admin\vgcew.exe N/A
N/A N/A C:\Users\Admin\yaros.exe N/A
N/A N/A C:\Users\Admin\deudeuv.exe N/A
N/A N/A C:\Users\Admin\saauv.exe N/A
N/A N/A C:\Users\Admin\tnvaix.exe N/A
N/A N/A C:\Users\Admin\gaiez.exe N/A
N/A N/A C:\Users\Admin\yapen.exe N/A
N/A N/A C:\Users\Admin\woucae.exe N/A
N/A N/A C:\Users\Admin\zaoigi.exe N/A
N/A N/A C:\Users\Admin\ftkar.exe N/A
N/A N/A C:\Users\Admin\racev.exe N/A
N/A N/A C:\Users\Admin\viejoob.exe N/A
N/A N/A C:\Users\Admin\bjyaoc.exe N/A
N/A N/A C:\Users\Admin\coecuo.exe N/A
N/A N/A C:\Users\Admin\heafo.exe N/A
N/A N/A C:\Users\Admin\qeusouc.exe N/A
N/A N/A C:\Users\Admin\bhcus.exe N/A
N/A N/A C:\Users\Admin\saaogad.exe N/A
N/A N/A C:\Users\Admin\woiciw.exe N/A
N/A N/A C:\Users\Admin\rqrap.exe N/A
N/A N/A C:\Users\Admin\luetey.exe N/A
N/A N/A C:\Users\Admin\jieeb.exe N/A
N/A N/A C:\Users\Admin\keideok.exe N/A
N/A N/A C:\Users\Admin\zoudas.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe N/A
N/A N/A C:\Users\Admin\fuheq.exe N/A
N/A N/A C:\Users\Admin\mieas.exe N/A
N/A N/A C:\Users\Admin\raiqaiy.exe N/A
N/A N/A C:\Users\Admin\maoreo.exe N/A
N/A N/A C:\Users\Admin\xaaxi.exe N/A
N/A N/A C:\Users\Admin\zxhem.exe N/A
N/A N/A C:\Users\Admin\ziafa.exe N/A
N/A N/A C:\Users\Admin\zaziv.exe N/A
N/A N/A C:\Users\Admin\hioab.exe N/A
N/A N/A C:\Users\Admin\liagib.exe N/A
N/A N/A C:\Users\Admin\boewi.exe N/A
N/A N/A C:\Users\Admin\vaamen.exe N/A
N/A N/A C:\Users\Admin\fuaecuk.exe N/A
N/A N/A C:\Users\Admin\sueku.exe N/A
N/A N/A C:\Users\Admin\wauxoim.exe N/A
N/A N/A C:\Users\Admin\leuyeun.exe N/A
N/A N/A C:\Users\Admin\ruuavu.exe N/A
N/A N/A C:\Users\Admin\quinaez.exe N/A
N/A N/A C:\Users\Admin\kqtoeb.exe N/A
N/A N/A C:\Users\Admin\vswox.exe N/A
N/A N/A C:\Users\Admin\tlmof.exe N/A
N/A N/A C:\Users\Admin\vgcew.exe N/A
N/A N/A C:\Users\Admin\yaros.exe N/A
N/A N/A C:\Users\Admin\deudeuv.exe N/A
N/A N/A C:\Users\Admin\saauv.exe N/A
N/A N/A C:\Users\Admin\tnvaix.exe N/A
N/A N/A C:\Users\Admin\gaiez.exe N/A
N/A N/A C:\Users\Admin\yapen.exe N/A
N/A N/A C:\Users\Admin\woucae.exe N/A
N/A N/A C:\Users\Admin\zaoigi.exe N/A
N/A N/A C:\Users\Admin\ftkar.exe N/A
N/A N/A C:\Users\Admin\racev.exe N/A
N/A N/A C:\Users\Admin\viejoob.exe N/A
N/A N/A C:\Users\Admin\bjyaoc.exe N/A
N/A N/A C:\Users\Admin\coecuo.exe N/A
N/A N/A C:\Users\Admin\heafo.exe N/A
N/A N/A C:\Users\Admin\qeusouc.exe N/A
N/A N/A C:\Users\Admin\bhcus.exe N/A
N/A N/A C:\Users\Admin\saaogad.exe N/A
N/A N/A C:\Users\Admin\woiciw.exe N/A
N/A N/A C:\Users\Admin\rqrap.exe N/A
N/A N/A C:\Users\Admin\luetey.exe N/A
N/A N/A C:\Users\Admin\jieeb.exe N/A
N/A N/A C:\Users\Admin\keideok.exe N/A
N/A N/A C:\Users\Admin\zoudas.exe N/A
N/A N/A C:\Users\Admin\feafooz.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe C:\Users\Admin\fuheq.exe
PID 2236 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe C:\Users\Admin\fuheq.exe
PID 2236 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe C:\Users\Admin\fuheq.exe
PID 2236 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe C:\Users\Admin\fuheq.exe
PID 1332 wrote to memory of 2752 N/A C:\Users\Admin\fuheq.exe C:\Users\Admin\mieas.exe
PID 1332 wrote to memory of 2752 N/A C:\Users\Admin\fuheq.exe C:\Users\Admin\mieas.exe
PID 1332 wrote to memory of 2752 N/A C:\Users\Admin\fuheq.exe C:\Users\Admin\mieas.exe
PID 1332 wrote to memory of 2752 N/A C:\Users\Admin\fuheq.exe C:\Users\Admin\mieas.exe
PID 2752 wrote to memory of 2592 N/A C:\Users\Admin\mieas.exe C:\Users\Admin\raiqaiy.exe
PID 2752 wrote to memory of 2592 N/A C:\Users\Admin\mieas.exe C:\Users\Admin\raiqaiy.exe
PID 2752 wrote to memory of 2592 N/A C:\Users\Admin\mieas.exe C:\Users\Admin\raiqaiy.exe
PID 2752 wrote to memory of 2592 N/A C:\Users\Admin\mieas.exe C:\Users\Admin\raiqaiy.exe
PID 2592 wrote to memory of 2588 N/A C:\Users\Admin\raiqaiy.exe C:\Users\Admin\maoreo.exe
PID 2592 wrote to memory of 2588 N/A C:\Users\Admin\raiqaiy.exe C:\Users\Admin\maoreo.exe
PID 2592 wrote to memory of 2588 N/A C:\Users\Admin\raiqaiy.exe C:\Users\Admin\maoreo.exe
PID 2592 wrote to memory of 2588 N/A C:\Users\Admin\raiqaiy.exe C:\Users\Admin\maoreo.exe
PID 2588 wrote to memory of 1700 N/A C:\Users\Admin\maoreo.exe C:\Users\Admin\xaaxi.exe
PID 2588 wrote to memory of 1700 N/A C:\Users\Admin\maoreo.exe C:\Users\Admin\xaaxi.exe
PID 2588 wrote to memory of 1700 N/A C:\Users\Admin\maoreo.exe C:\Users\Admin\xaaxi.exe
PID 2588 wrote to memory of 1700 N/A C:\Users\Admin\maoreo.exe C:\Users\Admin\xaaxi.exe
PID 1700 wrote to memory of 2928 N/A C:\Users\Admin\xaaxi.exe C:\Users\Admin\zxhem.exe
PID 1700 wrote to memory of 2928 N/A C:\Users\Admin\xaaxi.exe C:\Users\Admin\zxhem.exe
PID 1700 wrote to memory of 2928 N/A C:\Users\Admin\xaaxi.exe C:\Users\Admin\zxhem.exe
PID 1700 wrote to memory of 2928 N/A C:\Users\Admin\xaaxi.exe C:\Users\Admin\zxhem.exe
PID 2928 wrote to memory of 1576 N/A C:\Users\Admin\zxhem.exe C:\Users\Admin\ziafa.exe
PID 2928 wrote to memory of 1576 N/A C:\Users\Admin\zxhem.exe C:\Users\Admin\ziafa.exe
PID 2928 wrote to memory of 1576 N/A C:\Users\Admin\zxhem.exe C:\Users\Admin\ziafa.exe
PID 2928 wrote to memory of 1576 N/A C:\Users\Admin\zxhem.exe C:\Users\Admin\ziafa.exe
PID 1576 wrote to memory of 2828 N/A C:\Users\Admin\ziafa.exe C:\Users\Admin\zaziv.exe
PID 1576 wrote to memory of 2828 N/A C:\Users\Admin\ziafa.exe C:\Users\Admin\zaziv.exe
PID 1576 wrote to memory of 2828 N/A C:\Users\Admin\ziafa.exe C:\Users\Admin\zaziv.exe
PID 1576 wrote to memory of 2828 N/A C:\Users\Admin\ziafa.exe C:\Users\Admin\zaziv.exe
PID 2828 wrote to memory of 800 N/A C:\Users\Admin\zaziv.exe C:\Users\Admin\hioab.exe
PID 2828 wrote to memory of 800 N/A C:\Users\Admin\zaziv.exe C:\Users\Admin\hioab.exe
PID 2828 wrote to memory of 800 N/A C:\Users\Admin\zaziv.exe C:\Users\Admin\hioab.exe
PID 2828 wrote to memory of 800 N/A C:\Users\Admin\zaziv.exe C:\Users\Admin\hioab.exe
PID 800 wrote to memory of 2340 N/A C:\Users\Admin\hioab.exe C:\Users\Admin\liagib.exe
PID 800 wrote to memory of 2340 N/A C:\Users\Admin\hioab.exe C:\Users\Admin\liagib.exe
PID 800 wrote to memory of 2340 N/A C:\Users\Admin\hioab.exe C:\Users\Admin\liagib.exe
PID 800 wrote to memory of 2340 N/A C:\Users\Admin\hioab.exe C:\Users\Admin\liagib.exe
PID 2340 wrote to memory of 484 N/A C:\Users\Admin\liagib.exe C:\Users\Admin\boewi.exe
PID 484 wrote to memory of 2028 N/A C:\Users\Admin\boewi.exe C:\Users\Admin\vaamen.exe
PID 2028 wrote to memory of 2432 N/A C:\Users\Admin\vaamen.exe C:\Users\Admin\fuaecuk.exe
PID 2432 wrote to memory of 1980 N/A C:\Users\Admin\fuaecuk.exe C:\Users\Admin\sueku.exe
PID 1980 wrote to memory of 2104 N/A C:\Users\Admin\sueku.exe C:\Users\Admin\wauxoim.exe
PID 2104 wrote to memory of 2180 N/A C:\Users\Admin\wauxoim.exe C:\Users\Admin\leuyeun.exe

Processes

Process Command Line
C:\Users\Admin\AppData\Local\Temp\d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe "C:\Users\Admin\AppData\Local\Temp\d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe"
C:\Users\Admin\fuheq.exe "C:\Users\Admin\fuheq.exe"
C:\Users\Admin\mieas.exe "C:\Users\Admin\mieas.exe"
C:\Users\Admin\raiqaiy.exe "C:\Users\Admin\raiqaiy.exe"
C:\Users\Admin\maoreo.exe "C:\Users\Admin\maoreo.exe"
C:\Users\Admin\xaaxi.exe "C:\Users\Admin\xaaxi.exe"
C:\Users\Admin\zxhem.exe "C:\Users\Admin\zxhem.exe"
C:\Users\Admin\ziafa.exe "C:\Users\Admin\ziafa.exe"
C:\Users\Admin\zaziv.exe "C:\Users\Admin\zaziv.exe"
C:\Users\Admin\hioab.exe "C:\Users\Admin\hioab.exe"
C:\Users\Admin\liagib.exe "C:\Users\Admin\liagib.exe"
C:\Users\Admin\boewi.exe "C:\Users\Admin\boewi.exe"
C:\Users\Admin\vaamen.exe "C:\Users\Admin\vaamen.exe"
C:\Users\Admin\fuaecuk.exe "C:\Users\Admin\fuaecuk.exe"
C:\Users\Admin\sueku.exe "C:\Users\Admin\sueku.exe"
C:\Users\Admin\wauxoim.exe "C:\Users\Admin\wauxoim.exe"
C:\Users\Admin\leuyeun.exe "C:\Users\Admin\leuyeun.exe"
C:\Users\Admin\ruuavu.exe "C:\Users\Admin\ruuavu.exe"
C:\Users\Admin\quinaez.exe "C:\Users\Admin\quinaez.exe"
C:\Users\Admin\kqtoeb.exe "C:\Users\Admin\kqtoeb.exe"
C:\Users\Admin\vswox.exe "C:\Users\Admin\vswox.exe"
C:\Users\Admin\tlmof.exe "C:\Users\Admin\tlmof.exe"
C:\Users\Admin\vgcew.exe "C:\Users\Admin\vgcew.exe"
C:\Users\Admin\yaros.exe "C:\Users\Admin\yaros.exe"
C:\Users\Admin\deudeuv.exe "C:\Users\Admin\deudeuv.exe"
C:\Users\Admin\saauv.exe "C:\Users\Admin\saauv.exe"
C:\Users\Admin\tnvaix.exe "C:\Users\Admin\tnvaix.exe"
C:\Users\Admin\gaiez.exe "C:\Users\Admin\gaiez.exe"
C:\Users\Admin\yapen.exe "C:\Users\Admin\yapen.exe"
C:\Users\Admin\woucae.exe "C:\Users\Admin\woucae.exe"
C:\Users\Admin\zaoigi.exe "C:\Users\Admin\zaoigi.exe"
C:\Users\Admin\ftkar.exe "C:\Users\Admin\ftkar.exe"
C:\Users\Admin\racev.exe "C:\Users\Admin\racev.exe"
C:\Users\Admin\viejoob.exe "C:\Users\Admin\viejoob.exe"
C:\Users\Admin\bjyaoc.exe "C:\Users\Admin\bjyaoc.exe"
C:\Users\Admin\coecuo.exe "C:\Users\Admin\coecuo.exe"
C:\Users\Admin\heafo.exe "C:\Users\Admin\heafo.exe"
C:\Users\Admin\qeusouc.exe "C:\Users\Admin\qeusouc.exe"
C:\Users\Admin\bhcus.exe "C:\Users\Admin\bhcus.exe"
C:\Users\Admin\saaogad.exe "C:\Users\Admin\saaogad.exe"
C:\Users\Admin\woiciw.exe "C:\Users\Admin\woiciw.exe"
C:\Users\Admin\rqrap.exe "C:\Users\Admin\rqrap.exe"
C:\Users\Admin\luetey.exe "C:\Users\Admin\luetey.exe"
C:\Users\Admin\jieeb.exe "C:\Users\Admin\jieeb.exe"
C:\Users\Admin\keideok.exe "C:\Users\Admin\keideok.exe"
C:\Users\Admin\zoudas.exe "C:\Users\Admin\zoudas.exe"
C:\Users\Admin\feafooz.exe "C:\Users\Admin\feafooz.exe"
C:\Users\Admin\tiiovu.exe "C:\Users\Admin\tiiovu.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ns1.spansearcher.net udp
US 8.8.8.8:53 ns1.spinsearcher.org udp
US 8.8.8.8:53 ns1.player1352.net udp
US 107.178.223.183:8000 ns1.player1352.net tcp
US 107.178.223.183:8000 tcp

Files

C:\Users\Admin\fuheq.exe
\Users\Admin\mieas.exe
\Users\Admin\raiqaiy.exe
\Users\Admin\maoreo.exe
C:\Users\Admin\xaaxi.exe
\Users\Admin\zxhem.exe
\Users\Admin\ziafa.exe
\Users\Admin\zaziv.exe
\Users\Admin\hioab.exe
\Users\Admin\liagib.exe
\Users\Admin\boewi.exe
\Users\Admin\vaamen.exe
\Users\Admin\fuaecuk.exe
\Users\Admin\sueku.exe
C:\Users\Admin\wauxoim.exe
\Users\Admin\leuyeun.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 03:23

Reported

2024-05-26 03:26

Platform

win10v2004-20240226-en

Max time kernel

152s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\puejui.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\woikae.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\weoeq.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\dqwid.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\wiuloon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\xuease.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\faieyu.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\juagoh.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\baayii.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\weeulu.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\saiucir.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\duemoa.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\trzuac.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\gzxuep.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\bauboe.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\xhcug.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\piibeuw.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\wauib.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\keoom.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\vdpiap.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\ceoikep.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\keuzea.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\dootu.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\zucoq.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\hioab.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\mxnog.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\mdtiir.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\liehual.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\coazu.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\gaoxou.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\vitow.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\liiox.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\jiiiwo.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\muuopa.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\weoeq.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\puejui.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\keoom.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\weeulu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\gaoxou.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\trzuac.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\liehual.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\gzxuep.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\vdpiap.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\wauib.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\muuopa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\piibeuw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\faieyu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\xhcug.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\mdtiir.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\vitow.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\liiox.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\baayii.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\hioab.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\woikae.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\bauboe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\dootu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\coazu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\keuzea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\juagoh.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\duemoa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\xuease.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\ceoikep.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\saiucir.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\mxnog.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\dqwid.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\wiuloon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\jiiiwo.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\zucoq.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coazu = "C:\\Users\\Admin\\coazu.exe /E" C:\Users\Admin\AppData\Local\Temp\d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gaoxou = "C:\\Users\\Admin\\gaoxou.exe /B" C:\Users\Admin\xhcug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\trzuac = "C:\\Users\\Admin\\trzuac.exe /C" C:\Users\Admin\mdtiir.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\liehual = "C:\\Users\\Admin\\liehual.exe /W" C:\Users\Admin\vitow.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\liiox = "C:\\Users\\Admin\\liiox.exe /P" C:\Users\Admin\vdpiap.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\baayii = "C:\\Users\\Admin\\baayii.exe /E" C:\Users\Admin\juagoh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\keoom = "C:\\Users\\Admin\\keoom.exe /h" C:\Users\Admin\puejui.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muuopa = "C:\\Users\\Admin\\muuopa.exe /K" C:\Users\Admin\zucoq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weoeq = "C:\\Users\\Admin\\weoeq.exe /z" C:\Users\Admin\saiucir.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vitow = "C:\\Users\\Admin\\vitow.exe /L" C:\Users\Admin\trzuac.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceoikep = "C:\\Users\\Admin\\ceoikep.exe /U" C:\Users\Admin\dootu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\woikae = "C:\\Users\\Admin\\woikae.exe /c" C:\Users\Admin\hioab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiiiwo = "C:\\Users\\Admin\\jiiiwo.exe /O" C:\Users\Admin\keoom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weeulu = "C:\\Users\\Admin\\weeulu.exe /w" C:\Users\Admin\coazu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vdpiap = "C:\\Users\\Admin\\vdpiap.exe /y" C:\Users\Admin\gzxuep.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dqwid = "C:\\Users\\Admin\\dqwid.exe /T" C:\Users\Admin\bauboe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuloon = "C:\\Users\\Admin\\wiuloon.exe /q" C:\Users\Admin\baayii.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puejui = "C:\\Users\\Admin\\puejui.exe /t" C:\Users\Admin\wiuloon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dootu = "C:\\Users\\Admin\\dootu.exe /W" C:\Users\Admin\jiiiwo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saiucir = "C:\\Users\\Admin\\saiucir.exe /h" C:\Users\Admin\woikae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mxnog = "C:\\Users\\Admin\\mxnog.exe /l" C:\Users\Admin\duemoa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faieyu = "C:\\Users\\Admin\\faieyu.exe /W" C:\Users\Admin\xuease.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauboe = "C:\\Users\\Admin\\bauboe.exe /N" C:\Users\Admin\keuzea.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mdtiir = "C:\\Users\\Admin\\mdtiir.exe /I" C:\Users\Admin\mxnog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuease = "C:\\Users\\Admin\\xuease.exe /G" C:\Users\Admin\liehual.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hioab = "C:\\Users\\Admin\\hioab.exe /i" C:\Users\Admin\weeulu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\piibeuw = "C:\\Users\\Admin\\piibeuw.exe /R" C:\Users\Admin\gaoxou.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\keuzea = "C:\\Users\\Admin\\keuzea.exe /m" C:\Users\Admin\liiox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zucoq = "C:\\Users\\Admin\\zucoq.exe /a" C:\Users\Admin\ceoikep.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weioz = "C:\\Users\\Admin\\weioz.exe /j" C:\Users\Admin\muuopa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xhcug = "C:\\Users\\Admin\\xhcug.exe /p" C:\Users\Admin\weoeq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\duemoa = "C:\\Users\\Admin\\duemoa.exe /Q" C:\Users\Admin\piibeuw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gzxuep = "C:\\Users\\Admin\\gzxuep.exe /E" C:\Users\Admin\faieyu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wauib = "C:\\Users\\Admin\\wauib.exe /s" C:\Users\Admin\dqwid.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juagoh = "C:\\Users\\Admin\\juagoh.exe /w" C:\Users\Admin\wauib.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe N/A
N/A N/A C:\Users\Admin\coazu.exe N/A
N/A N/A C:\Users\Admin\weeulu.exe N/A
N/A N/A C:\Users\Admin\hioab.exe N/A
N/A N/A C:\Users\Admin\woikae.exe N/A
N/A N/A C:\Users\Admin\saiucir.exe N/A
N/A N/A C:\Users\Admin\weoeq.exe N/A
N/A N/A C:\Users\Admin\xhcug.exe N/A
N/A N/A C:\Users\Admin\gaoxou.exe N/A
N/A N/A C:\Users\Admin\piibeuw.exe N/A
N/A N/A C:\Users\Admin\duemoa.exe N/A
N/A N/A C:\Users\Admin\mxnog.exe N/A
N/A N/A C:\Users\Admin\mdtiir.exe N/A
N/A N/A C:\Users\Admin\trzuac.exe N/A
N/A N/A C:\Users\Admin\vitow.exe N/A
N/A N/A C:\Users\Admin\liehual.exe N/A
N/A N/A C:\Users\Admin\xuease.exe N/A
N/A N/A C:\Users\Admin\faieyu.exe N/A
N/A N/A C:\Users\Admin\gzxuep.exe N/A
N/A N/A C:\Users\Admin\vdpiap.exe N/A
N/A N/A C:\Users\Admin\liiox.exe N/A
N/A N/A C:\Users\Admin\keuzea.exe N/A
N/A N/A C:\Users\Admin\bauboe.exe N/A
N/A N/A C:\Users\Admin\dqwid.exe N/A
N/A N/A C:\Users\Admin\wauib.exe N/A
N/A N/A C:\Users\Admin\juagoh.exe N/A
N/A N/A C:\Users\Admin\baayii.exe N/A
N/A N/A C:\Users\Admin\wiuloon.exe N/A
N/A N/A C:\Users\Admin\puejui.exe N/A
N/A N/A C:\Users\Admin\keoom.exe N/A
N/A N/A C:\Users\Admin\jiiiwo.exe N/A
N/A N/A C:\Users\Admin\dootu.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe N/A
N/A N/A C:\Users\Admin\coazu.exe N/A
N/A N/A C:\Users\Admin\weeulu.exe N/A
N/A N/A C:\Users\Admin\hioab.exe N/A
N/A N/A C:\Users\Admin\woikae.exe N/A
N/A N/A C:\Users\Admin\saiucir.exe N/A
N/A N/A C:\Users\Admin\weoeq.exe N/A
N/A N/A C:\Users\Admin\xhcug.exe N/A
N/A N/A C:\Users\Admin\gaoxou.exe N/A
N/A N/A C:\Users\Admin\piibeuw.exe N/A
N/A N/A C:\Users\Admin\duemoa.exe N/A
N/A N/A C:\Users\Admin\mxnog.exe N/A
N/A N/A C:\Users\Admin\mdtiir.exe N/A
N/A N/A C:\Users\Admin\trzuac.exe N/A
N/A N/A C:\Users\Admin\vitow.exe N/A
N/A N/A C:\Users\Admin\liehual.exe N/A
N/A N/A C:\Users\Admin\xuease.exe N/A
N/A N/A C:\Users\Admin\faieyu.exe N/A
N/A N/A C:\Users\Admin\gzxuep.exe N/A
N/A N/A C:\Users\Admin\vdpiap.exe N/A
N/A N/A C:\Users\Admin\liiox.exe N/A
N/A N/A C:\Users\Admin\keuzea.exe N/A
N/A N/A C:\Users\Admin\bauboe.exe N/A
N/A N/A C:\Users\Admin\dqwid.exe N/A
N/A N/A C:\Users\Admin\wauib.exe N/A
N/A N/A C:\Users\Admin\juagoh.exe N/A
N/A N/A C:\Users\Admin\baayii.exe N/A
N/A N/A C:\Users\Admin\wiuloon.exe N/A
N/A N/A C:\Users\Admin\puejui.exe N/A
N/A N/A C:\Users\Admin\keoom.exe N/A
N/A N/A C:\Users\Admin\jiiiwo.exe N/A
N/A N/A C:\Users\Admin\dootu.exe N/A
N/A N/A C:\Users\Admin\ceoikep.exe N/A
N/A N/A C:\Users\Admin\zucoq.exe N/A
N/A N/A C:\Users\Admin\muuopa.exe N/A
N/A N/A C:\Users\Admin\weioz.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4248 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe C:\Users\Admin\coazu.exe
PID 4516 wrote to memory of 3700 N/A C:\Users\Admin\coazu.exe C:\Users\Admin\weeulu.exe
PID 3700 wrote to memory of 3464 N/A C:\Users\Admin\weeulu.exe C:\Users\Admin\hioab.exe
PID 3464 wrote to memory of 1536 N/A C:\Users\Admin\hioab.exe C:\Users\Admin\woikae.exe
PID 1536 wrote to memory of 2672 N/A C:\Users\Admin\woikae.exe C:\Users\Admin\saiucir.exe
PID 2672 wrote to memory of 1208 N/A C:\Users\Admin\saiucir.exe C:\Users\Admin\weoeq.exe
PID 1208 wrote to memory of 2668 N/A C:\Users\Admin\weoeq.exe C:\Users\Admin\xhcug.exe
PID 2668 wrote to memory of 3044 N/A C:\Users\Admin\xhcug.exe C:\Users\Admin\gaoxou.exe
PID 3044 wrote to memory of 228 N/A C:\Users\Admin\gaoxou.exe C:\Users\Admin\piibeuw.exe
PID 228 wrote to memory of 4984 N/A C:\Users\Admin\piibeuw.exe C:\Users\Admin\duemoa.exe
PID 4984 wrote to memory of 1148 N/A C:\Users\Admin\duemoa.exe C:\Users\Admin\mxnog.exe
PID 1148 wrote to memory of 2396 N/A C:\Users\Admin\mxnog.exe C:\Users\Admin\mdtiir.exe
PID 2396 wrote to memory of 4088 N/A C:\Users\Admin\mdtiir.exe C:\Users\Admin\trzuac.exe
PID 4088 wrote to memory of 3772 N/A C:\Users\Admin\trzuac.exe C:\Users\Admin\vitow.exe
PID 3772 wrote to memory of 2916 N/A C:\Users\Admin\vitow.exe C:\Users\Admin\liehual.exe
PID 2916 wrote to memory of 4724 N/A C:\Users\Admin\liehual.exe C:\Users\Admin\xuease.exe
PID 4724 wrote to memory of 4728 N/A C:\Users\Admin\xuease.exe C:\Users\Admin\faieyu.exe
PID 4728 wrote to memory of 3064 N/A C:\Users\Admin\faieyu.exe C:\Users\Admin\gzxuep.exe
PID 3064 wrote to memory of 3244 N/A C:\Users\Admin\gzxuep.exe C:\Users\Admin\vdpiap.exe
PID 3244 wrote to memory of 3220 N/A C:\Users\Admin\vdpiap.exe C:\Users\Admin\liiox.exe
PID 3220 wrote to memory of 4916 N/A C:\Users\Admin\liiox.exe C:\Users\Admin\keuzea.exe
PID 4916 wrote to memory of 5036 N/A C:\Users\Admin\keuzea.exe C:\Users\Admin\bauboe.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe

"C:\Users\Admin\AppData\Local\Temp\d408eeb83751d2a835fe35a3c25053d956fe35215d29f0e1c85ddd097f3abf4e.exe"

C:\Users\Admin\coazu.exe

"C:\Users\Admin\coazu.exe"

C:\Users\Admin\weeulu.exe

"C:\Users\Admin\weeulu.exe"

C:\Users\Admin\hioab.exe

"C:\Users\Admin\hioab.exe"

C:\Users\Admin\woikae.exe

"C:\Users\Admin\woikae.exe"

C:\Users\Admin\saiucir.exe

"C:\Users\Admin\saiucir.exe"

C:\Users\Admin\weoeq.exe

"C:\Users\Admin\weoeq.exe"

C:\Users\Admin\xhcug.exe

"C:\Users\Admin\xhcug.exe"

C:\Users\Admin\gaoxou.exe

"C:\Users\Admin\gaoxou.exe"

C:\Users\Admin\piibeuw.exe

"C:\Users\Admin\piibeuw.exe"

C:\Users\Admin\duemoa.exe

"C:\Users\Admin\duemoa.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\mxnog.exe

"C:\Users\Admin\mxnog.exe"

C:\Users\Admin\mdtiir.exe

"C:\Users\Admin\mdtiir.exe"

C:\Users\Admin\trzuac.exe

"C:\Users\Admin\trzuac.exe"

C:\Users\Admin\vitow.exe

"C:\Users\Admin\vitow.exe"

C:\Users\Admin\liehual.exe

"C:\Users\Admin\liehual.exe"

C:\Users\Admin\xuease.exe

"C:\Users\Admin\xuease.exe"

C:\Users\Admin\faieyu.exe

"C:\Users\Admin\faieyu.exe"

C:\Users\Admin\gzxuep.exe

"C:\Users\Admin\gzxuep.exe"

C:\Users\Admin\vdpiap.exe

"C:\Users\Admin\vdpiap.exe"

C:\Users\Admin\liiox.exe

"C:\Users\Admin\liiox.exe"

C:\Users\Admin\keuzea.exe

"C:\Users\Admin\keuzea.exe"

C:\Users\Admin\bauboe.exe

"C:\Users\Admin\bauboe.exe"

C:\Users\Admin\dqwid.exe

"C:\Users\Admin\dqwid.exe"

C:\Users\Admin\wauib.exe

"C:\Users\Admin\wauib.exe"

C:\Users\Admin\juagoh.exe

"C:\Users\Admin\juagoh.exe"

C:\Users\Admin\baayii.exe

"C:\Users\Admin\baayii.exe"

C:\Users\Admin\wiuloon.exe

"C:\Users\Admin\wiuloon.exe"

C:\Users\Admin\puejui.exe

"C:\Users\Admin\puejui.exe"

C:\Users\Admin\keoom.exe

"C:\Users\Admin\keoom.exe"

C:\Users\Admin\jiiiwo.exe

"C:\Users\Admin\jiiiwo.exe"

C:\Users\Admin\dootu.exe

"C:\Users\Admin\dootu.exe"

C:\Users\Admin\ceoikep.exe

"C:\Users\Admin\ceoikep.exe"

C:\Users\Admin\zucoq.exe

"C:\Users\Admin\zucoq.exe"

C:\Users\Admin\muuopa.exe

"C:\Users\Admin\muuopa.exe"

C:\Users\Admin\weioz.exe

"C:\Users\Admin\weioz.exe"

Network


Files
