Malware Analysis Report

2025-01-06 10:18

Sample ID 240601-evfp1sab64
Target de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02
SHA256 de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02

Threat Level: Known bad

The file de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02 was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 04:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 04:15

Reported

2024-06-01 04:18

Platform

win7-20240221-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\xuupeu.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\xuupeu.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /d" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /G" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /C" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /X" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /e" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /c" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /J" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /v" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /N" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /T" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /A" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /l" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /a" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /z" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /I" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /i" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /p" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /H" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /o" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /g" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /W" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /D" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /E" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /Q" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /t" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /k" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /V" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /m" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /M" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /F" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /L" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /K" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /B" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /P" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /u" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /s" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /n" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /S" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /h" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /R" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /j" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /O" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /r" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /U" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /q" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /Y" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /x" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /y" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /f" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /w" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /Z" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /b" C:\Users\Admin\xuupeu.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\xuupeu.exe N/A (64 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe N/A
N/A N/A C:\Users\Admin\xuupeu.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1400 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe C:\Users\Admin\xuupeu.exe (4 identical rows)
PID 2688 wrote to memory of 1400 N/A C:\Users\Admin\xuupeu.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe (60 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe

"C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe"

C:\Users\Admin\xuupeu.exe

"C:\Users\Admin\xuupeu.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ns1.player1253.com udp
US 8.8.8.8:53 ns1.videoall.net udp
US 8.8.8.8:53 ns1.mediashares.org udp
US 107.178.223.183:8003 ns1.mediashares.org tcp

Files

memory/1400-0-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Users\Admin\xuupeu.exe

MD5 c4aafbac6776dd3159103d24694faf84
SHA1 c32a1440d28dc6bcc85050e1ec7963cfeae51a70
SHA256 097d06e5483bd4c809293dbc447b319dcd611e8eff874e0e4fc1612dd2a4d4a3
SHA512 dc2de25955985a6560e5393c8c596ebb0aa4bb569aeca239ce0dfe1ba7906957444199ad97277eb8c0f1b5208532b5b271e7f12ecb5a55d56a83b8da522bcd0f

memory/1400-9-0x0000000002EE0000-0x0000000002F33000-memory.dmp

memory/1400-15-0x0000000002EE0000-0x0000000002F33000-memory.dmp
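Added triage helper, not part of the sandbox report or its tooling: it parses registry "Set value" rows and Network rows in the layout rendered above and reduces them to the findings an analyst actually acts on. The sample rows are copied from the behavioral1 tables (ShowSuperHidden write, three Run-key rewrites, the four network rows); the row regexes and the "executable directly under the profile root" heuristic are this example's assumptions, not the sandbox's rules.

```python
"""Reduce sandbox signature rows (registry + network) to triage findings."""
import re
from collections import defaultdict

# Constructed sample: rows copied in the shape of the behavioral1 tables above.
SAMPLE_REGISTRY_ROWS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /d" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /G" C:\Users\Admin\xuupeu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuupeu = "C:\\Users\\Admin\\xuupeu.exe /C" C:\Users\Admin\xuupeu.exe N/A
"""
SAMPLE_NETWORK_ROWS = """
US 8.8.8.8:53 ns1.player1253.com udp
US 8.8.8.8:53 ns1.videoall.net udp
US 8.8.8.8:53 ns1.mediashares.org udp
US 107.178.223.183:8003 ns1.mediashares.org tcp
"""

# Row layouts assumed from the tables above: key has no spaces, data is quoted.
REG_ROW = re.compile(
    r'^Set value \((?P<kind>int|str)\) (?P<key>\\REGISTRY\\\S+) = "(?P<data>.*)" '
    r'(?P<proc>\S+) (?P<target>\S+)$')
NET_ROW = re.compile(
    r'^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+) (?P<domain>\S+) (?P<proto>udp|tcp)$')
# Heuristic (assumption): "<drive>:\Users\<user>\<name>.exe", nothing between profile root and file.
PROFILE_ROOT_EXE = re.compile(r'^[A-Za-z]:\\Users\\[^\\]+\\[^\\]+\.exe$', re.IGNORECASE)


def parse_registry_rows(text):
    rows = []
    for line in text.strip().splitlines():
        m = REG_ROW.match(line.strip())
        if m:
            d = m.groupdict()
            d['data'] = d['data'].replace('\\\\', '\\')  # sandbox doubles backslashes in data
            rows.append(d)
    return rows


def run_key_findings(rows):
    """Group HKCU\\...\\Run writes by value name: launch path, the set of switches
    the value was rewritten with, and whether the binary registered itself."""
    by_value = defaultdict(lambda: {'path': None, 'switches': set(), 'writers': set()})
    for r in rows:
        if r['kind'] != 'str' or '\\CurrentVersion\\Run\\' not in r['key']:
            continue
        name = r['key'].rsplit('\\', 1)[1]
        path, _, args = r['data'].partition(' ')
        e = by_value[name]
        e['path'] = path
        if args:
            e['switches'].add(args)
        e['writers'].add(r['proc'].lower())
    return [{'value': n, 'path': e['path'], 'switches': sorted(e['switches']),
             'self_registered': (e['path'] or '').lower() in e['writers'],
             'profile_root_exe': bool(PROFILE_ROOT_EXE.match(e['path'] or ''))}
            for n, e in by_value.items()]


def super_hidden_findings(rows):
    """ShowSuperHidden = 0 written by anything other than explorer.exe is not a user toggling a setting."""
    out = []
    for r in rows:
        if r['key'].lower().endswith('\\explorer\\advanced\\showsuperhidden') and r['data'] == '0':
            out.append({'process': r['proc'],
                        'suspicious': not r['proc'].lower().endswith('\\explorer.exe')})
    return out


def parse_network_rows(text):
    rows = []
    for line in text.strip().splitlines():
        m = NET_ROW.match(line.strip())
        if m:
            d = m.groupdict()
            d['port'] = int(d['port'])
            rows.append(d)
    return rows


def network_findings(rows):
    """Separate DNS lookups from real sessions; a TCP session to a port other than 80/443 is the line that matters."""
    resolved = sorted({r['domain'] for r in rows if r['port'] == 53 and r['proto'] == 'udp'})
    connections = [{'ip': r['ip'], 'port': r['port'], 'domain': r['domain'],
                    'nonstandard_port': r['port'] not in (80, 443)}
                   for r in rows if r['port'] != 53]
    return {'resolved': resolved, 'connections': connections}


def triage(reg_text=SAMPLE_REGISTRY_ROWS, net_text=SAMPLE_NETWORK_ROWS):
    reg = parse_registry_rows(reg_text)
    return {'run_keys': run_key_findings(reg),
            'super_hidden': super_hidden_findings(reg),
            'network': network_findings(parse_network_rows(net_text))}


if __name__ == '__main__':
    import json
    print(json.dumps(triage(), indent=2))
```

On the rows above this yields one Run value (xuupeu) pointing at an executable directly under the profile root that registered itself and was rewritten with several single-letter switches, a ShowSuperHidden=0 write from that same dropped binary rather than explorer.exe, three resolved ns1.* hostnames, and a single TCP session to 107.178.223.183 on port 8003. Those four items, plus the dropped-file hashes listed under Files, are the indicators worth carrying into host and network hunting.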

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 04:15

Reported

2024-06-01 04:18

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\souwej.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\souwej.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /V" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /H" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /G" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /c" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /K" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /n" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /w" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /T" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /f" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /Y" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /N" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /r" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /B" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /P" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /O" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /L" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /C" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /E" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /h" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /S" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /k" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /p" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /l" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /Q" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /v" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /j" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /g" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /o" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /u" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /Z" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /M" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /e" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /R" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /z" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /y" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /i" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /q" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /d" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /U" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /D" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /I" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /J" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /x" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /A" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /X" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /s" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /b" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /a" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /t" C:\Users\Admin\souwej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souwej = "C:\\Users\\Admin\\souwej.exe /W" C:\Users\Admin\souwej.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe N/A
N/A N/A C:\Users\Admin\souwej.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1128 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe C:\Users\Admin\souwej.exe
PID 1128 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe C:\Users\Admin\souwej.exe
PID 1128 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe C:\Users\Admin\souwej.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe
PID 1584 wrote to memory of 1128 N/A C:\Users\Admin\souwej.exe C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe

Processes

C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe

"C:\Users\Admin\AppData\Local\Temp\de4dbec2803906a8cbb126618ede6f91127efed8323288b2e72e62e6e32fcf02.exe"

C:\Users\Admin\souwej.exe

"C:\Users\Admin\souwej.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 ns1.player1253.com udp
US 8.8.8.8:53 ns1.videoall.net udp
US 8.8.8.8:53 ns1.mediashares.org udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/1128-0-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Users\Admin\souwej.exe

MD5 e9ed9786a2c4124fc58cee34c7e9999a
SHA1 8d8b10556c9954bfe3f7ef940fc6aaabc24d381a
SHA256 dc7648b76d5c1d801281e82bf163ec3fd61efaa3a9d8e9f092b302c2b741b3cd
SHA512 1f10bf68b32c6e9ff2c33f05b3b452d3c64de473aa72eb2504195da1d72a754042c0fa869f2b1551ce0a072afa756a17181ca4a360646c0ac3db2a6aab52f841

memory/1584-22-0x0000000000400000-0x0000000000453000-memory.dmp