Malware Analysis Report

2024-11-16 10:49

Sample ID 240614-cageps1bmh
Target 9ccf519b92f4c4fb4bd1c4c3f3f0a89d6541c24665100454f5c7953e459ee806
SHA256 9ccf519b92f4c4fb4bd1c4c3f3f0a89d6541c24665100454f5c7953e459ee806
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9ccf519b92f4c4fb4bd1c4c3f3f0a89d6541c24665100454f5c7953e459ee806

Threat Level: Known bad

The file 9ccf519b92f4c4fb4bd1c4c3f3f0a89d6541c24665100454f5c7953e459ee806 was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 01:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 01:52

Reported

2024-06-14 01:54

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ccf519b92f4c4fb4bd1c4c3f3f0a89d6541c24665100454f5c7953e459ee806.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\bauuk.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\huago.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\duieya.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\cuoero.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\zoootak.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\ziaruc.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\webaq.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\ttpuc.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\leilic.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\yoobi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\jynued.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\tuurouq.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\jiujoe.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\mauoc.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\ruumeuc.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\fiuov.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\tuiqooz.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\hiewex.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\weeizef.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\baonaog.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\wuakeus.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\jifay.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\sxqoz.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\kaoeviz.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\yuheg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\kuhib.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\9ccf519b92f4c4fb4bd1c4c3f3f0a89d6541c24665100454f5c7953e459ee806.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\haeqae.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\mlzeex.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\queawa.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\qauico.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\xouiheh.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\fiyik.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\qshus.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\keexa.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\niumeo.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\beauxe.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\mueina.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\hiuzoeb.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\meaip.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\mlzeex.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9ccf519b92f4c4fb4bd1c4c3f3f0a89d6541c24665100454f5c7953e459ee806.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\wuakeus.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\jifay.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\tuiqooz.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\haeqae.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\meaip.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\duieya.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\cuoero.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\hiewex.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\zoootak.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\bauuk.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\beauxe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\mueina.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\sxqoz.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\ttpuc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\webaq.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\fiyik.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\qshus.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\yuheg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\huago.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\kuhib.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\yoobi.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\weeizef.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\baonaog.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\queawa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\jynued.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\keexa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\kaoeviz.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\hiuzoeb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\niumeo.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\xouiheh.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\qauico.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\jiujoe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\mauoc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\ruumeuc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\fiuov.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\leilic.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\tuurouq.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\ziaruc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\ttpuc.exe N/A
N/A N/A C:\Users\Admin\jiujoe.exe N/A
N/A N/A C:\Users\Admin\mauoc.exe N/A
N/A N/A C:\Users\Admin\cuoero.exe N/A
N/A N/A C:\Users\Admin\wuakeus.exe N/A
N/A N/A C:\Users\Admin\jifay.exe N/A
N/A N/A C:\Users\Admin\ruumeuc.exe N/A
N/A N/A C:\Users\Admin\hiuzoeb.exe N/A
N/A N/A C:\Users\Admin\yoobi.exe N/A
N/A N/A C:\Users\Admin\fiuov.exe N/A
N/A N/A C:\Users\Admin\qshus.exe N/A
N/A N/A C:\Users\Admin\jynued.exe N/A
N/A N/A C:\Users\Admin\tuiqooz.exe N/A
N/A N/A C:\Users\Admin\hiewex.exe N/A
N/A N/A C:\Users\Admin\zoootak.exe N/A
N/A N/A C:\Users\Admin\haeqae.exe N/A
N/A N/A C:\Users\Admin\meaip.exe N/A
N/A N/A C:\Users\Admin\yuheg.exe N/A
N/A N/A C:\Users\Admin\weeizef.exe N/A
N/A N/A C:\Users\Admin\niumeo.exe N/A
N/A N/A C:\Users\Admin\bauuk.exe N/A
N/A N/A C:\Users\Admin\leilic.exe N/A
N/A N/A C:\Users\Admin\tuurouq.exe N/A
N/A N/A C:\Users\Admin\ziaruc.exe N/A
N/A N/A C:\Users\Admin\baonaog.exe N/A
N/A N/A C:\Users\Admin\keexa.exe N/A
N/A N/A C:\Users\Admin\beauxe.exe N/A
N/A N/A C:\Users\Admin\queawa.exe N/A
N/A N/A C:\Users\Admin\xouiheh.exe N/A
N/A N/A C:\Users\Admin\huago.exe N/A
N/A N/A C:\Users\Admin\kuhib.exe N/A
N/A N/A C:\Users\Admin\qauico.exe N/A
N/A N/A C:\Users\Admin\duieya.exe N/A
N/A N/A C:\Users\Admin\mueina.exe N/A
N/A N/A C:\Users\Admin\sxqoz.exe N/A
N/A N/A C:\Users\Admin\mlzeex.exe N/A
N/A N/A C:\Users\Admin\webaq.exe N/A
N/A N/A C:\Users\Admin\kaoeviz.exe N/A
N/A N/A C:\Users\Admin\fiyik.exe N/A
N/A N/A C:\Users\Admin\wrvuek.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xouiheh = "C:\\Users\\Admin\\xouiheh.exe /C" C:\Users\Admin\queawa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuakeus = "C:\\Users\\Admin\\wuakeus.exe /b" C:\Users\Admin\cuoero.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jifay = "C:\\Users\\Admin\\jifay.exe /b" C:\Users\Admin\wuakeus.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ruumeuc = "C:\\Users\\Admin\\ruumeuc.exe /X" C:\Users\Admin\jifay.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fiuov = "C:\\Users\\Admin\\fiuov.exe /d" C:\Users\Admin\yoobi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qshus = "C:\\Users\\Admin\\qshus.exe /X" C:\Users\Admin\fiuov.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauuk = "C:\\Users\\Admin\\bauuk.exe /Y" C:\Users\Admin\niumeo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\baonaog = "C:\\Users\\Admin\\baonaog.exe /E" C:\Users\Admin\ziaruc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuoero = "C:\\Users\\Admin\\cuoero.exe /W" C:\Users\Admin\mauoc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuzoeb = "C:\\Users\\Admin\\hiuzoeb.exe /s" C:\Users\Admin\ruumeuc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jynued = "C:\\Users\\Admin\\jynued.exe /J" C:\Users\Admin\qshus.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuiqooz = "C:\\Users\\Admin\\tuiqooz.exe /W" C:\Users\Admin\jynued.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mueina = "C:\\Users\\Admin\\mueina.exe /T" C:\Users\Admin\duieya.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sxqoz = "C:\\Users\\Admin\\sxqoz.exe /W" C:\Users\Admin\mueina.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttpuc = "C:\\Users\\Admin\\ttpuc.exe /o" C:\Users\Admin\AppData\Local\Temp\9ccf519b92f4c4fb4bd1c4c3f3f0a89d6541c24665100454f5c7953e459ee806.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mauoc = "C:\\Users\\Admin\\mauoc.exe /J" C:\Users\Admin\jiujoe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yoobi = "C:\\Users\\Admin\\yoobi.exe /g" C:\Users\Admin\hiuzoeb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niumeo = "C:\\Users\\Admin\\niumeo.exe /W" C:\Users\Admin\weeizef.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leilic = "C:\\Users\\Admin\\leilic.exe /e" C:\Users\Admin\bauuk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziaruc = "C:\\Users\\Admin\\ziaruc.exe /J" C:\Users\Admin\tuurouq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\keexa = "C:\\Users\\Admin\\keexa.exe /M" C:\Users\Admin\baonaog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mlzeex = "C:\\Users\\Admin\\mlzeex.exe /H" C:\Users\Admin\sxqoz.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\meaip = "C:\\Users\\Admin\\meaip.exe /J" C:\Users\Admin\haeqae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weeizef = "C:\\Users\\Admin\\weeizef.exe /u" C:\Users\Admin\yuheg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qauico = "C:\\Users\\Admin\\qauico.exe /F" C:\Users\Admin\kuhib.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiewex = "C:\\Users\\Admin\\hiewex.exe /u" C:\Users\Admin\tuiqooz.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\haeqae = "C:\\Users\\Admin\\haeqae.exe /U" C:\Users\Admin\zoootak.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuhib = "C:\\Users\\Admin\\kuhib.exe /l" C:\Users\Admin\huago.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\webaq = "C:\\Users\\Admin\\webaq.exe /m" C:\Users\Admin\mlzeex.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fiyik = "C:\\Users\\Admin\\fiyik.exe /y" C:\Users\Admin\kaoeviz.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiujoe = "C:\\Users\\Admin\\jiujoe.exe /a" C:\Users\Admin\ttpuc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\queawa = "C:\\Users\\Admin\\queawa.exe /l" C:\Users\Admin\beauxe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuheg = "C:\\Users\\Admin\\yuheg.exe /Q" C:\Users\Admin\meaip.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beauxe = "C:\\Users\\Admin\\beauxe.exe /I" C:\Users\Admin\keexa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\duieya = "C:\\Users\\Admin\\duieya.exe /T" C:\Users\Admin\qauico.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoootak = "C:\\Users\\Admin\\zoootak.exe /M" C:\Users\Admin\hiewex.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuurouq = "C:\\Users\\Admin\\tuurouq.exe /j" C:\Users\Admin\leilic.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\huago = "C:\\Users\\Admin\\huago.exe /f" C:\Users\Admin\xouiheh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kaoeviz = "C:\\Users\\Admin\\kaoeviz.exe /Q" C:\Users\Admin\webaq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wrvuek = "C:\\Users\\Admin\\wrvuek.exe /G" C:\Users\Admin\fiyik.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ccf519b92f4c4fb4bd1c4c3f3f0a89d6541c24665100454f5c7953e459ee806.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ccf519b92f4c4fb4bd1c4c3f3f0a89d6541c24665100454f5c7953e459ee806.exe N/A
N/A N/A C:\Users\Admin\ttpuc.exe N/A
N/A N/A C:\Users\Admin\ttpuc.exe N/A
N/A N/A C:\Users\Admin\jiujoe.exe N/A
N/A N/A C:\Users\Admin\jiujoe.exe N/A
N/A N/A C:\Users\Admin\mauoc.exe N/A
N/A N/A C:\Users\Admin\mauoc.exe N/A
N/A N/A C:\Users\Admin\cuoero.exe N/A
N/A N/A C:\Users\Admin\cuoero.exe N/A
N/A N/A C:\Users\Admin\wuakeus.exe N/A
N/A N/A C:\Users\Admin\wuakeus.exe N/A
N/A N/A C:\Users\Admin\jifay.exe N/A
N/A N/A C:\Users\Admin\jifay.exe N/A
N/A N/A C:\Users\Admin\ruumeuc.exe N/A
N/A N/A C:\Users\Admin\ruumeuc.exe N/A
N/A N/A C:\Users\Admin\hiuzoeb.exe N/A
N/A N/A C:\Users\Admin\hiuzoeb.exe N/A
N/A N/A C:\Users\Admin\yoobi.exe N/A
N/A N/A C:\Users\Admin\yoobi.exe N/A
N/A N/A C:\Users\Admin\fiuov.exe N/A
N/A N/A C:\Users\Admin\fiuov.exe N/A
N/A N/A C:\Users\Admin\qshus.exe N/A
N/A N/A C:\Users\Admin\qshus.exe N/A
N/A N/A C:\Users\Admin\jynued.exe N/A
N/A N/A C:\Users\Admin\jynued.exe N/A
N/A N/A C:\Users\Admin\tuiqooz.exe N/A
N/A N/A C:\Users\Admin\tuiqooz.exe N/A
N/A N/A C:\Users\Admin\hiewex.exe N/A
N/A N/A C:\Users\Admin\hiewex.exe N/A
N/A N/A C:\Users\Admin\zoootak.exe N/A
N/A N/A C:\Users\Admin\zoootak.exe N/A
N/A N/A C:\Users\Admin\haeqae.exe N/A
N/A N/A C:\Users\Admin\haeqae.exe N/A
N/A N/A C:\Users\Admin\meaip.exe N/A
N/A N/A C:\Users\Admin\meaip.exe N/A
N/A N/A C:\Users\Admin\yuheg.exe N/A
N/A N/A C:\Users\Admin\yuheg.exe N/A
N/A N/A C:\Users\Admin\weeizef.exe N/A
N/A N/A C:\Users\Admin\weeizef.exe N/A
N/A N/A C:\Users\Admin\niumeo.exe N/A
N/A N/A C:\Users\Admin\niumeo.exe N/A
N/A N/A C:\Users\Admin\bauuk.exe N/A
N/A N/A C:\Users\Admin\bauuk.exe N/A
N/A N/A C:\Users\Admin\leilic.exe N/A
N/A N/A C:\Users\Admin\leilic.exe N/A
N/A N/A C:\Users\Admin\tuurouq.exe N/A
N/A N/A C:\Users\Admin\tuurouq.exe N/A
N/A N/A C:\Users\Admin\ziaruc.exe N/A
N/A N/A C:\Users\Admin\ziaruc.exe N/A
N/A N/A C:\Users\Admin\baonaog.exe N/A
N/A N/A C:\Users\Admin\baonaog.exe N/A
N/A N/A C:\Users\Admin\keexa.exe N/A
N/A N/A C:\Users\Admin\keexa.exe N/A
N/A N/A C:\Users\Admin\beauxe.exe N/A
N/A N/A C:\Users\Admin\beauxe.exe N/A
N/A N/A C:\Users\Admin\queawa.exe N/A
N/A N/A C:\Users\Admin\queawa.exe N/A
N/A N/A C:\Users\Admin\xouiheh.exe N/A
N/A N/A C:\Users\Admin\xouiheh.exe N/A
N/A N/A C:\Users\Admin\huago.exe N/A
N/A N/A C:\Users\Admin\huago.exe N/A
N/A N/A C:\Users\Admin\kuhib.exe N/A
N/A N/A C:\Users\Admin\kuhib.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ccf519b92f4c4fb4bd1c4c3f3f0a89d6541c24665100454f5c7953e459ee806.exe N/A
N/A N/A C:\Users\Admin\ttpuc.exe N/A
N/A N/A C:\Users\Admin\jiujoe.exe N/A
N/A N/A C:\Users\Admin\mauoc.exe N/A
N/A N/A C:\Users\Admin\cuoero.exe N/A
N/A N/A C:\Users\Admin\wuakeus.exe N/A
N/A N/A C:\Users\Admin\jifay.exe N/A
N/A N/A C:\Users\Admin\ruumeuc.exe N/A
N/A N/A C:\Users\Admin\hiuzoeb.exe N/A
N/A N/A C:\Users\Admin\yoobi.exe N/A
N/A N/A C:\Users\Admin\fiuov.exe N/A
N/A N/A C:\Users\Admin\qshus.exe N/A
N/A N/A C:\Users\Admin\jynued.exe N/A
N/A N/A C:\Users\Admin\tuiqooz.exe N/A
N/A N/A C:\Users\Admin\hiewex.exe N/A
N/A N/A C:\Users\Admin\zoootak.exe N/A
N/A N/A C:\Users\Admin\haeqae.exe N/A
N/A N/A C:\Users\Admin\meaip.exe N/A
N/A N/A C:\Users\Admin\yuheg.exe N/A
N/A N/A C:\Users\Admin\weeizef.exe N/A
N/A N/A C:\Users\Admin\niumeo.exe N/A
N/A N/A C:\Users\Admin\bauuk.exe N/A
N/A N/A C:\Users\Admin\leilic.exe N/A
N/A N/A C:\Users\Admin\tuurouq.exe N/A
N/A N/A C:\Users\Admin\ziaruc.exe N/A
N/A N/A C:\Users\Admin\baonaog.exe N/A
N/A N/A C:\Users\Admin\keexa.exe N/A
N/A N/A C:\Users\Admin\beauxe.exe N/A
N/A N/A C:\Users\Admin\queawa.exe N/A
N/A N/A C:\Users\Admin\xouiheh.exe N/A
N/A N/A C:\Users\Admin\huago.exe N/A
N/A N/A C:\Users\Admin\kuhib.exe N/A
N/A N/A C:\Users\Admin\qauico.exe N/A
N/A N/A C:\Users\Admin\duieya.exe N/A
N/A N/A C:\Users\Admin\mueina.exe N/A
N/A N/A C:\Users\Admin\sxqoz.exe N/A
N/A N/A C:\Users\Admin\mlzeex.exe N/A
N/A N/A C:\Users\Admin\webaq.exe N/A
N/A N/A C:\Users\Admin\kaoeviz.exe N/A
N/A N/A C:\Users\Admin\fiyik.exe N/A
N/A N/A C:\Users\Admin\wrvuek.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3164 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\9ccf519b92f4c4fb4bd1c4c3f3f0a89d6541c24665100454f5c7953e459ee806.exe C:\Users\Admin\ttpuc.exe
PID 3164 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\9ccf519b92f4c4fb4bd1c4c3f3f0a89d6541c24665100454f5c7953e459ee806.exe C:\Users\Admin\ttpuc.exe
PID 3164 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\9ccf519b92f4c4fb4bd1c4c3f3f0a89d6541c24665100454f5c7953e459ee806.exe C:\Users\Admin\ttpuc.exe
PID 5108 wrote to memory of 4116 N/A C:\Users\Admin\ttpuc.exe C:\Users\Admin\jiujoe.exe
PID 5108 wrote to memory of 4116 N/A C:\Users\Admin\ttpuc.exe C:\Users\Admin\jiujoe.exe
PID 5108 wrote to memory of 4116 N/A C:\Users\Admin\ttpuc.exe C:\Users\Admin\jiujoe.exe
PID 4116 wrote to memory of 1300 N/A C:\Users\Admin\jiujoe.exe C:\Users\Admin\mauoc.exe
PID 4116 wrote to memory of 1300 N/A C:\Users\Admin\jiujoe.exe C:\Users\Admin\mauoc.exe
PID 4116 wrote to memory of 1300 N/A C:\Users\Admin\jiujoe.exe C:\Users\Admin\mauoc.exe
PID 1300 wrote to memory of 3160 N/A C:\Users\Admin\mauoc.exe C:\Users\Admin\cuoero.exe
PID 1300 wrote to memory of 3160 N/A C:\Users\Admin\mauoc.exe C:\Users\Admin\cuoero.exe
PID 1300 wrote to memory of 3160 N/A C:\Users\Admin\mauoc.exe C:\Users\Admin\cuoero.exe
PID 3160 wrote to memory of 2120 N/A C:\Users\Admin\cuoero.exe C:\Users\Admin\wuakeus.exe
PID 3160 wrote to memory of 2120 N/A C:\Users\Admin\cuoero.exe C:\Users\Admin\wuakeus.exe
PID 3160 wrote to memory of 2120 N/A C:\Users\Admin\cuoero.exe C:\Users\Admin\wuakeus.exe
PID 2120 wrote to memory of 1256 N/A C:\Users\Admin\wuakeus.exe C:\Users\Admin\jifay.exe
PID 2120 wrote to memory of 1256 N/A C:\Users\Admin\wuakeus.exe C:\Users\Admin\jifay.exe
PID 2120 wrote to memory of 1256 N/A C:\Users\Admin\wuakeus.exe C:\Users\Admin\jifay.exe
PID 1256 wrote to memory of 3944 N/A C:\Users\Admin\jifay.exe C:\Users\Admin\ruumeuc.exe
PID 1256 wrote to memory of 3944 N/A C:\Users\Admin\jifay.exe C:\Users\Admin\ruumeuc.exe
PID 1256 wrote to memory of 3944 N/A C:\Users\Admin\jifay.exe C:\Users\Admin\ruumeuc.exe
PID 3944 wrote to memory of 4964 N/A C:\Users\Admin\ruumeuc.exe C:\Users\Admin\hiuzoeb.exe
PID 3944 wrote to memory of 4964 N/A C:\Users\Admin\ruumeuc.exe C:\Users\Admin\hiuzoeb.exe
PID 3944 wrote to memory of 4964 N/A C:\Users\Admin\ruumeuc.exe C:\Users\Admin\hiuzoeb.exe
PID 4964 wrote to memory of 4316 N/A C:\Users\Admin\hiuzoeb.exe C:\Users\Admin\yoobi.exe
PID 4964 wrote to memory of 4316 N/A C:\Users\Admin\hiuzoeb.exe C:\Users\Admin\yoobi.exe
PID 4964 wrote to memory of 4316 N/A C:\Users\Admin\hiuzoeb.exe C:\Users\Admin\yoobi.exe
PID 4316 wrote to memory of 3464 N/A C:\Users\Admin\yoobi.exe C:\Users\Admin\fiuov.exe
PID 4316 wrote to memory of 3464 N/A C:\Users\Admin\yoobi.exe C:\Users\Admin\fiuov.exe
PID 4316 wrote to memory of 3464 N/A C:\Users\Admin\yoobi.exe C:\Users\Admin\fiuov.exe
PID 3464 wrote to memory of 3748 N/A C:\Users\Admin\fiuov.exe C:\Users\Admin\qshus.exe
PID 3464 wrote to memory of 3748 N/A C:\Users\Admin\fiuov.exe C:\Users\Admin\qshus.exe
PID 3464 wrote to memory of 3748 N/A C:\Users\Admin\fiuov.exe C:\Users\Admin\qshus.exe
PID 3748 wrote to memory of 1936 N/A C:\Users\Admin\qshus.exe C:\Users\Admin\jynued.exe
PID 3748 wrote to memory of 1936 N/A C:\Users\Admin\qshus.exe C:\Users\Admin\jynued.exe
PID 3748 wrote to memory of 1936 N/A C:\Users\Admin\qshus.exe C:\Users\Admin\jynued.exe
PID 1936 wrote to memory of 3696 N/A C:\Users\Admin\jynued.exe C:\Users\Admin\tuiqooz.exe
PID 1936 wrote to memory of 3696 N/A C:\Users\Admin\jynued.exe C:\Users\Admin\tuiqooz.exe
PID 1936 wrote to memory of 3696 N/A C:\Users\Admin\jynued.exe C:\Users\Admin\tuiqooz.exe
PID 3696 wrote to memory of 2016 N/A C:\Users\Admin\tuiqooz.exe C:\Users\Admin\hiewex.exe
PID 3696 wrote to memory of 2016 N/A C:\Users\Admin\tuiqooz.exe C:\Users\Admin\hiewex.exe
PID 3696 wrote to memory of 2016 N/A C:\Users\Admin\tuiqooz.exe C:\Users\Admin\hiewex.exe
PID 2016 wrote to memory of 3732 N/A C:\Users\Admin\hiewex.exe C:\Users\Admin\zoootak.exe
PID 2016 wrote to memory of 3732 N/A C:\Users\Admin\hiewex.exe C:\Users\Admin\zoootak.exe
PID 2016 wrote to memory of 3732 N/A C:\Users\Admin\hiewex.exe C:\Users\Admin\zoootak.exe
PID 3732 wrote to memory of 4532 N/A C:\Users\Admin\zoootak.exe C:\Users\Admin\haeqae.exe
PID 3732 wrote to memory of 4532 N/A C:\Users\Admin\zoootak.exe C:\Users\Admin\haeqae.exe
PID 3732 wrote to memory of 4532 N/A C:\Users\Admin\zoootak.exe C:\Users\Admin\haeqae.exe
PID 4532 wrote to memory of 1048 N/A C:\Users\Admin\haeqae.exe C:\Users\Admin\meaip.exe
PID 4532 wrote to memory of 1048 N/A C:\Users\Admin\haeqae.exe C:\Users\Admin\meaip.exe
PID 4532 wrote to memory of 1048 N/A C:\Users\Admin\haeqae.exe C:\Users\Admin\meaip.exe
PID 1048 wrote to memory of 4920 N/A C:\Users\Admin\meaip.exe C:\Users\Admin\yuheg.exe
PID 1048 wrote to memory of 4920 N/A C:\Users\Admin\meaip.exe C:\Users\Admin\yuheg.exe
PID 1048 wrote to memory of 4920 N/A C:\Users\Admin\meaip.exe C:\Users\Admin\yuheg.exe
PID 4920 wrote to memory of 1868 N/A C:\Users\Admin\yuheg.exe C:\Users\Admin\weeizef.exe
PID 4920 wrote to memory of 1868 N/A C:\Users\Admin\yuheg.exe C:\Users\Admin\weeizef.exe
PID 4920 wrote to memory of 1868 N/A C:\Users\Admin\yuheg.exe C:\Users\Admin\weeizef.exe
PID 1868 wrote to memory of 2812 N/A C:\Users\Admin\weeizef.exe C:\Users\Admin\niumeo.exe
PID 1868 wrote to memory of 2812 N/A C:\Users\Admin\weeizef.exe C:\Users\Admin\niumeo.exe
PID 1868 wrote to memory of 2812 N/A C:\Users\Admin\weeizef.exe C:\Users\Admin\niumeo.exe
PID 2812 wrote to memory of 3992 N/A C:\Users\Admin\niumeo.exe C:\Users\Admin\bauuk.exe
PID 2812 wrote to memory of 3992 N/A C:\Users\Admin\niumeo.exe C:\Users\Admin\bauuk.exe
PID 2812 wrote to memory of 3992 N/A C:\Users\Admin\niumeo.exe C:\Users\Admin\bauuk.exe
PID 3992 wrote to memory of 4616 N/A C:\Users\Admin\bauuk.exe C:\Users\Admin\leilic.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9ccf519b92f4c4fb4bd1c4c3f3f0a89d6541c24665100454f5c7953e459ee806.exe

"C:\Users\Admin\AppData\Local\Temp\9ccf519b92f4c4fb4bd1c4c3f3f0a89d6541c24665100454f5c7953e459ee806.exe"

C:\Users\Admin\ttpuc.exe

"C:\Users\Admin\ttpuc.exe"

C:\Users\Admin\jiujoe.exe

"C:\Users\Admin\jiujoe.exe"

C:\Users\Admin\mauoc.exe

"C:\Users\Admin\mauoc.exe"

C:\Users\Admin\cuoero.exe

"C:\Users\Admin\cuoero.exe"

C:\Users\Admin\wuakeus.exe

"C:\Users\Admin\wuakeus.exe"

C:\Users\Admin\jifay.exe

"C:\Users\Admin\jifay.exe"

C:\Users\Admin\ruumeuc.exe

"C:\Users\Admin\ruumeuc.exe"

C:\Users\Admin\hiuzoeb.exe

"C:\Users\Admin\hiuzoeb.exe"

C:\Users\Admin\yoobi.exe

"C:\Users\Admin\yoobi.exe"

C:\Users\Admin\fiuov.exe

"C:\Users\Admin\fiuov.exe"

C:\Users\Admin\qshus.exe

"C:\Users\Admin\qshus.exe"

C:\Users\Admin\jynued.exe

"C:\Users\Admin\jynued.exe"

C:\Users\Admin\tuiqooz.exe

"C:\Users\Admin\tuiqooz.exe"

C:\Users\Admin\hiewex.exe

"C:\Users\Admin\hiewex.exe"

C:\Users\Admin\zoootak.exe

"C:\Users\Admin\zoootak.exe"

C:\Users\Admin\haeqae.exe

"C:\Users\Admin\haeqae.exe"

C:\Users\Admin\meaip.exe

"C:\Users\Admin\meaip.exe"

C:\Users\Admin\yuheg.exe

"C:\Users\Admin\yuheg.exe"

C:\Users\Admin\weeizef.exe

"C:\Users\Admin\weeizef.exe"

C:\Users\Admin\niumeo.exe

"C:\Users\Admin\niumeo.exe"

C:\Users\Admin\bauuk.exe

"C:\Users\Admin\bauuk.exe"

C:\Users\Admin\leilic.exe

"C:\Users\Admin\leilic.exe"

C:\Users\Admin\tuurouq.exe

"C:\Users\Admin\tuurouq.exe"

C:\Users\Admin\ziaruc.exe

"C:\Users\Admin\ziaruc.exe"

C:\Users\Admin\baonaog.exe

"C:\Users\Admin\baonaog.exe"

C:\Users\Admin\keexa.exe

"C:\Users\Admin\keexa.exe"

C:\Users\Admin\beauxe.exe

"C:\Users\Admin\beauxe.exe"

C:\Users\Admin\queawa.exe

"C:\Users\Admin\queawa.exe"

C:\Users\Admin\xouiheh.exe

"C:\Users\Admin\xouiheh.exe"

C:\Users\Admin\huago.exe

"C:\Users\Admin\huago.exe"

C:\Users\Admin\kuhib.exe

"C:\Users\Admin\kuhib.exe"

C:\Users\Admin\qauico.exe

"C:\Users\Admin\qauico.exe"

C:\Users\Admin\duieya.exe

"C:\Users\Admin\duieya.exe"

C:\Users\Admin\mueina.exe

"C:\Users\Admin\mueina.exe"

C:\Users\Admin\sxqoz.exe

"C:\Users\Admin\sxqoz.exe"

C:\Users\Admin\mlzeex.exe

"C:\Users\Admin\mlzeex.exe"

C:\Users\Admin\webaq.exe

"C:\Users\Admin\webaq.exe"

C:\Users\Admin\kaoeviz.exe

"C:\Users\Admin\kaoeviz.exe"

C:\Users\Admin\fiyik.exe

"C:\Users\Admin\fiyik.exe"

C:\Users\Admin\wrvuek.exe

"C:\Users\Admin\wrvuek.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 ns1.spansearcher.net udp
US 8.8.8.8:53 ns1.spinsearcher.org udp
US 8.8.8.8:53 ns1.player1352.net udp
US 8.8.8.8:53 ns1.spansearcher.net udp
US 8.8.8.8:53 ns1.spinsearcher.org udp
US 8.8.8.8:53 ns1.spansearcher.net udp
US 8.8.8.8:53 ns1.spinsearcher.org udp
US 8.8.8.8:53 ns1.spansearcher.net udp
US 8.8.8.8:53 ns1.spinsearcher.org udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 ns1.spansearcher.net udp
US 8.8.8.8:53 ns1.spinsearcher.org udp
US 8.8.8.8:53 ns1.spansearcher.net udp
US 8.8.8.8:53 ns1.spinsearcher.org udp
US 8.8.8.8:53 ns1.spansearcher.net udp
US 8.8.8.8:53 ns1.spinsearcher.org udp
US 8.8.8.8:53 ns1.spansearcher.net udp
US 8.8.8.8:53 ns1.spinsearcher.org udp
US 8.8.8.8:53 43.43.201.23.in-addr.arpa udp
US 8.8.8.8:53 ns1.spansearcher.net udp
US 8.8.8.8:53 ns1.spinsearcher.org udp
US 8.8.8.8:53 ns1.spansearcher.net udp
US 8.8.8.8:53 ns1.spinsearcher.org udp
US 8.8.8.8:53 ns1.spansearcher.net udp
US 8.8.8.8:53 ns1.spinsearcher.org udp
US 8.8.8.8:53 ns1.spansearcher.net udp
US 8.8.8.8:53 ns1.spinsearcher.org udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 ns1.spansearcher.net udp
US 8.8.8.8:53 ns1.spinsearcher.org udp
US 8.8.8.8:53 ns1.spansearcher.net udp
US 8.8.8.8:53 ns1.spinsearcher.org udp
US 8.8.8.8:53 ns1.spansearcher.net udp
US 8.8.8.8:53 ns1.spinsearcher.org udp
US 8.8.8.8:53 ns1.spansearcher.net udp
US 8.8.8.8:53 ns1.spinsearcher.org udp
US 8.8.8.8:53 ns1.spansearcher.net udp
US 8.8.8.8:53 ns1.spinsearcher.org udp
US 8.8.8.8:53 ns1.spansearcher.net udp
US 8.8.8.8:53 ns1.spinsearcher.org udp
US 8.8.8.8:53 ns1.spansearcher.net udp
US 8.8.8.8:53 ns1.spinsearcher.org udp
US 8.8.8.8:53 ns1.spansearcher.net udp
US 8.8.8.8:53 ns1.spinsearcher.org udp

Files

C:\Users\Admin\ttpuc.exe

MD5 1201458ba5890e1e4af3fb0099e4f8ae
SHA1 49060f1d399a55fda019b2f4195e3db84ac0521f
SHA256 ca35a0243d828cecab6d59c338cc3d3e01d4b619229176bd913632375d45962c
SHA512 d75108ce619ba0edcff80168a145ec791c8683ed30b933a69b6f1ef8b0af03fd8115d553c303448b51cdf53e6b1f34db63d5c05eea58e3d17afb1842c1e1dafc

C:\Users\Admin\jiujoe.exe

MD5 85db02aec66c6a20c05b83534279b6b0
SHA1 2a2c21316fee9ccc47eaf05d45a0be344cffbc51
SHA256 9dfd38770f2676979ec6195ed6be448d08ac34bbc002c1918ab56c9927b5720e
SHA512 eea4586f44f043fb312460111f68422ac4d7278037dbb023d64ed8dd5a9fe92ddd5130029c2e63b348aa0f4d3786cca55d6ee941d4365f8c91b2ea76e61dd25c

C:\Users\Admin\mauoc.exe

MD5 d46096551acc483fa094419092c7c1eb
SHA1 0a8cd9c77a668df0c66b931cdea3b6b738528a69
SHA256 d2e198b6e507c6ae530e9a8aaf62d85f10c20f54bc01e933c1db4c7fa108ef09
SHA512 589b883de8b3ac6ad692352ee17a2fdc19f88ee9b4a9f78583fafbfcb06be170a795d4c0eb40bb6c8a0b1027c58e9fd4cc92c9974142d47950250e22efb41cb3

C:\Users\Admin\cuoero.exe

MD5 86a604378517a1e5cd4a8a020ef49fe5
SHA1 e48b282f3e926743e115be8698d51ab9b8faf381
SHA256 bc61593dce82955c04fb8d2bc78b46202cd490ca86d2784b4791ffc3bce16a62
SHA512 aae0409226d5b3659b0fd81e6ab2e5d83d5cc8a0224f8fa2caa76b17811c12c7672a3c62b1c44c5afcf67afdeef8016d79b969f60a095f66cf50659b6154f564

C:\Users\Admin\wuakeus.exe

MD5 3ebde25de4fa9265c2d58e19578870f6
SHA1 38dda12fbc662fdb579387ff0b2f5ab74d5ae453
SHA256 98c94ac1e57558168ad23260d82e29dad3c5df38614b46df1e0cdb579f822a73
SHA512 caf971529d660644418d1f6ae118a794ff14f911ddf9d5172b38f13b3e9207b8cc77e859e36070b066103c2537fe238295dfaaad14e06177f004b689a83e833c

C:\Users\Admin\jifay.exe

MD5 7cbd10d47590859862cee9a24eafd1da
SHA1 a0750a7d0b727b87c59b4f65b2bf5dafa4c3a0ee
SHA256 1455102593c1c38fdf214ae372aa5893b1bec40d785ff6f056c7d98440e06e7e
SHA512 bb1c3037e962752186950cbeac3e9f43575be55832677b12e63be0e0ab306a9f6205fcd3487b5e32241f837151ca8e7efed9c24483a19412fc512c082cfa6b14

C:\Users\Admin\ruumeuc.exe

MD5 0217aecbd5922323a4e3528336bb4585
SHA1 1495903750332639f636ce950344a687ef984e30
SHA256 362d64f591bc3960de45e544971d24ab3326c8d978fd5b8ebbea5bf742d2e960
SHA512 9127ac6b03ef259a302405593b320c0fdce94612790f9c1784e81cff344356cad4bf345c9c2eeb07792657efda500f80e91d4fcda89ac306528425b479ff92b2

C:\Users\Admin\hiuzoeb.exe

MD5 4715d23f0f59c5a2d65a97560c55d13b
SHA1 e8518bd83a19f7443193b8c9bd9554be456fe8f4
SHA256 bc6f27ff97cdee07df375d78e0bcb42bc823985bb57783c151c39d66f557bab1
SHA512 2400d00fb5120e7130107b43646c3debfb84204215687b1b89875cd27601692803e46ccb6405b82488b61e4e691c32c2fc1ba355fa57b4333b8f751805c4bec9

C:\Users\Admin\yoobi.exe

MD5 193f3668427bc4d4b652eaba284a7e9d
SHA1 c7816242389a6c20cf8c57e6532174298be7d8ff
SHA256 4f6cd8af5e4336c21b6bd2a87ea1dd7b2ae0f29bedb79ec25417ced866eb55cf
SHA512 2b0bf323cea62595c8199f65912ddea3ad6041fcf83f9b12a340ae8e8603d7aacb927a5562e9ccec804a555819c94644a936782dc28e137822676d6e0332fcdd

C:\Users\Admin\fiuov.exe

MD5 882d9c375f4ba8cc008706fc01d0e29f
SHA1 ede81b61c36f6dc2c5c53bb30f3d1c823b925baa
SHA256 e9cbdf7b0ddb593a6d8321d36ed4c09bd68a4a73358d135f2b9d87336088beb2
SHA512 503932b8d0f15b8f05ce0d1089ce3674c22ce8d2d1da19a258795d6c460851635bc3ec4b99f2e03ea93959c0f353a989a13a127ed9edf8f1dace050a27da8cff

C:\Users\Admin\qshus.exe

MD5 4f8c5f52d177933cd6fd5a2cbd19762b
SHA1 d807812af50c9d414c532d3773af4d178aa8d70c
SHA256 df29a162ac4b2fce781405c0cfdd33c319cb3959226f88d894a8c07c989f0442
SHA512 3480b038c0b879c5b115ec3aa53b81fbf343952d3cb26f22400e0f631030df607e3ce84377cc92a6a8e304a47171671499f035d40ffdca8d274aabf6e72857c8

C:\Users\Admin\jynued.exe

MD5 856d21a89a7c966b22ec2f25b859adde
SHA1 1d0be2f87d11258ed197e38d4945df6822c7b392
SHA256 d6fb8d5fe97188f6b4c168432dde741f72a9e504b3a946eba0147b8ada395619
SHA512 2356fa77573efa48ff202e53ab2b3e83eeb44a86cd488c7f151993f36320e7a854a87e14f1e67ef8a94760caa34e07d4c4fbc4c922a15ccddb0632a94d469cce

C:\Users\Admin\tuiqooz.exe

MD5 170172c3e5de4b3836c2290f4ac0048c
SHA1 0f624f37d88a9d13970025811cbada1ce5ca83de
SHA256 a9d55e4efe23f9e3464a0ca4ff79e6316fc074b19b46a6c7e83af0869cc18847
SHA512 093377c85e03e8f434ef202ade745af413a2c3c0c135a0e0dffabe2581c7ef8d8e7fa4bdd78c7c8136edaef7b8c048dccc3b1cfbc8fe1bf6c69a9f6fb08c6b88

C:\Users\Admin\hiewex.exe

MD5 8121f9d2de1f4327e4287fbbf0100a4e
SHA1 5748b361e88b3a9cbb11ae22c28b27ee57b933c3
SHA256 89a5ed3f7cdeb8ecc3e715a5d311cf8e3abc8ba6f4929a1c44310395435ce0b6
SHA512 9a6370d53600eb7b209755ffa6ef2df2865a43ce1f14fbe820edc7d2c052c69999c5a27676b4b3268d64e14ef3cc816eae71a4f135448f901727b584f2f207f7

C:\Users\Admin\zoootak.exe

MD5 854817f4e9f1f605ecfb92cf8732da1c
SHA1 26083abf12c5386b23237b9e75bf5a44d434a097
SHA256 c9f10e67d2ce93a3b438c6ec81aaf99361cd1f82b69e761e1cc13a9d8963907b
SHA512 e42309efebe1ef72026dd39cf50dd483c0717530adc5dede04e4e063746c5b66d85169740f729e49aec0948f568273eab01f7de710139045b725f60558648c30

C:\Users\Admin\haeqae.exe

MD5 dc58849a9d80f044e0ec0fa625358938
SHA1 5955b57db3f2bebaa68457b1e7170af60450827f
SHA256 50bc77986e9ed5cf2fa719ecee3a7469ae84ecc63aa35686c00d56852c735bb3
SHA512 d926776c8cceb91d98305be8bd665f4bd022f937a59021fbe401aca0dd63bc700f89fcd3f7b049e5469758bdb45a774e9211a95cab47712103164b72b0da4d7c

C:\Users\Admin\meaip.exe

MD5 6536ca91b817a282ec51407dc06f3942
SHA1 cf07f67f83cbaae599cf3336f9d2ff317373082d
SHA256 35174c0972ee3bf7f68dfe36784543e7948a06c68cd6a7a607d1cc3806ddb59e
SHA512 3d5ee0fe11d38dedb9d79a5a33bbe9106aceaa60fab3ab45591db2e52e40122c00eba24dce19112579dce11fae1117eb0acdf533d1b3bb4973eab3e548a89cf3

C:\Users\Admin\yuheg.exe

MD5 57e6416c1fe800ab0f808e172cc5d605
SHA1 902ecf5d8fc36599bd5df70055421a6c81c577a6
SHA256 0adc74c40e87c4183ee7fcc583909c3a7025878f21eb7d23d104ce89a618ecb8
SHA512 25ba56af059d769832e104f2513ff49a3eadf6ad1e370f51027868217ab9e145c013e624b2fe197f63099072c14d1e2a6e00be963a5e89964ba96f98eedb3b22

C:\Users\Admin\weeizef.exe

MD5 cce616f2c055883debf11fa821c21d32
SHA1 c723bf4661dfadb9354980695d1eaa558f3c72e8
SHA256 83c37b1725a5e51c9ed7d00c6e9e990261da0aaf5b6a272a1cf4fef2d275bda1
SHA512 50a107ea6a949387c38b0b8a27f96c264e9ed05fac5a1bb20fa647a86bcb9d9e246039581726b3a06eaa2d8e215eb278630feefefebe719d4092ff50f0bfe578

C:\Users\Admin\niumeo.exe

MD5 a3286bfe82682fe6e41c03ef2805df5b
SHA1 ab49c20aa589a0315da028e3dd942b46ae8f6e67
SHA256 26c85bee2588bb3501286265a647a70d5d62a3a6f5db4f88711701c6b43a680f
SHA512 93a519aaf7e7b7dc3225293b6ffa9b6c17004778467433e7748c503e400118d5cbdef334a0592a4475e7720c76bca6c016558afee64baea6ef1d164684c96745

C:\Users\Admin\bauuk.exe

MD5 4a27eaaea826f7352c37bddfc502a096
SHA1 de8d13aab03628b2718be8eb65492f4b785d3c6e
SHA256 03d75ec1e061b4ad52979bb27f4c3f789daa1d4971a9e42af6fb010287d4bc0a
SHA512 5b06ed6e38b94cea6bec52061bbfc1afac0cce7f03c2ef927a5d47b4514f20e4616621f43a858da179dbd9edfab3cd5729d5878a5d1b3979af0843aebbae87bd

C:\Users\Admin\leilic.exe

MD5 02490d32fef2dd397bd12f9e85db2ece
SHA1 ccf2edf6799e86daa0fbfc8b4c8abbdc00c0863e
SHA256 2db0bf124f73a7a735e5b7e5d0fe92b7c5d4e2655d8503d05dcdd1b6112fe444
SHA512 5b93dc964322aef74a6556d20b800dc9ce8612a981469982aae26262fa1e117f8dcdb8a66ec4546d26fcc5812243581b7545e8820648d4017a529f0c0125488b

C:\Users\Admin\tuurouq.exe

MD5 7d963282e7301a0f44299a372e629b9c
SHA1 9502ceaf86f5630b3197c6fc849d02423ba9f1ab
SHA256 39e8d6fd40441fed02f3c17d8460ce580fede21c9c3fe880a8d67f39229dcd65
SHA512 5a6002e36dd5dfdf56c97d7607006d6272f341260af01e2f64e9058a0dcd3948caea6ffdb42b4ec7588f8514a96ed6d014ad0bc58f360561f092a3cfcd35d517

C:\Users\Admin\ziaruc.exe

MD5 78c02ba8976d91c67a0519fc3e5d42ca
SHA1 7ef43e28e81fa7d27dd640221ee5e1fe6707b426
SHA256 acb7f6b431eb9d4c62548bb62afbd2568cec0698127747c6da2b0c5acfffe264
SHA512 6006bda68c0114ba045a9681310942e3d5cf723f8c785b259222df25b54c82c7d24cbd81710f498e86b3f9240d4d1d0e77dd6aedc1dac7d35fa8a270bb66af81

C:\Users\Admin\baonaog.exe

MD5 26bcf27523ba5b4c0c5fa83dfa4b2af3
SHA1 081f58fbe599bb4e95e65abb4ceb8b95a95f4f56
SHA256 c7a6e5218fd93c3fffd30290e9b5a846d90519a4bf7bc940a80c2993e14c4c2d
SHA512 4eb344d9741dbe18f9ee418413c3b3d3e24c3e406c040a2ebc31a91409095c248d718a58709416ad7bf49dba19ca340245724d66e839dfb650b420977ef55f9d

C:\Users\Admin\keexa.exe

MD5 d84c7677fc1fbd98a08719933a9b4d2f
SHA1 467e17e8671d13cce0471ddb86ba27ba7a0b7791
SHA256 79d95b2794870719a4936f1410caddb1829027a0616e523d674250a92921b431
SHA512 4c2895868caed15ceda2390c04a8ccde4ff9bbf3b2b701d2963fed04515ac663e1d5673ee9e32b07f17cfcf6da95c2554452928881b40f9ac26f44a2eceee3e2

C:\Users\Admin\beauxe.exe

MD5 fa85781bebc74e5bdefac626cf3dcc63
SHA1 eed66e6b6dbf038194e2468978afbe08e4876bf8
SHA256 90aa104cbf2110effcf9c66bd9e8c790327664ada37324af12e9b1c4cff60ecd
SHA512 c863660f6102117e855d68c412dfdf206caf3578b27c8ce0bea96cf693497d4de14b18db860174a8d029c0469f777d1da0447b4a1f61ad4e3937f6dbadd2373e

C:\Users\Admin\queawa.exe

MD5 9869dc174d8b82c7262451d8c1315ffe
SHA1 7e50613d2f854c8196089f3e3c7ded7a90fcc057
SHA256 ea34a62d4153e2b4cb7a9d7176887b031a9370fdbc7c7b085ddb1ec4d2183c78
SHA512 fea263cc899586f9c3094405b90f6dcbde65a3d828d56c5b1ace80ae5c5931f87367c2f242427838f15f52ecded6724c696b3ad5e55f9e8681687a35b8ea10a1

C:\Users\Admin\xouiheh.exe

MD5 01b4804f3a999c5fbd028cbed5d0c21d
SHA1 7eae607427a972deb3a35e23dd0928947a562952
SHA256 e171c9b0259e9fd33663072dd26350f0f442438bf96ea29450d58aa9d225cf9e
SHA512 ba0748b996a9ce5d40910858fa3cf127884f50f8442265c45bb592ea149a95fdf9501f0a70512d16e42a83e9cda2be3cda4fdf540d82f48098312476f9c3d41c

C:\Users\Admin\huago.exe

MD5 b37ed6eb3265e1ff23591154e60563f3
SHA1 5bd59c25c0494962c44ac8e4cf975ddffa49123b
SHA256 5bed68b842339c9f986fbab2e1194ad289075c356acd9014afccb57d3139f064
SHA512 abf06bc435fe44ea88d50890f832eb7a47cfcf66cb384767d498985376d58130b64202243700bf717806979fdbbd57ed4fbdb69b73b98d6ec5f13c0ae9c7f194

C:\Users\Admin\kuhib.exe

MD5 cc98072883956d00fe2e99423a050279
SHA1 3d2a4d30a8931bcb791e5a18edc623b385b71789
SHA256 2671467f234180f9aca6c080f9aed899520fb7edc3b3043a5b13a7a22d9d41b2
SHA512 3fb0cc3c4d5cc3e0b85b19d47dc9bcd1da39db0143f1451097573e9b177b8aef8b6b925d0fefcc8141828c652dea8c3d8a527c9e943eefc4aa891bd35f5ce7c8

C:\Users\Admin\qauico.exe

MD5 1b0c4adacbac67d0b0a73aecf02ba602
SHA1 e36a8d5b1bbcab4b81d7c62ee87c017fba9ee69e
SHA256 988e7106758931641aac8b773100ef82fe37bc72e88425350b0b9049f45a0839
SHA512 2d7e44fb4c963001a6dc35c8b8fa1af1ff6e0e05577d26b683b026d718b2f4fdfd74e2799eb85b1ed28372176a4cc09672c7c1af46a763165edb05363ada5e3b

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 01:52

Reported

2024-06-14 01:54

Platform

win7-20240611-en

Max time kernel

150s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ccf519b92f4c4fb4bd1c4c3f3f0a89d6541c24665100454f5c7953e459ee806.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\thkes.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\mimoq.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\rahom.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\haemien.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\daebid.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\pfbuf.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\juouhu.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\wtzaj.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\doutax.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\juouc.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\sywez.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\neaak.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\tqnon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\neiuzo.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\kaegoag.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\zauwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\keixooh.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\sosuw.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\sauex.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\souvez.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\miriv.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\lkqiq.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\bueone.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\ziiix.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\lafoq.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\fauco.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\naovou.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\qthies.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\jmpuuy.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\zecug.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\hjxoh.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\maopead.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\werij.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\9ccf519b92f4c4fb4bd1c4c3f3f0a89d6541c24665100454f5c7953e459ee806.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\pueuxo.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\phcooh.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\voasio.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\weofeo.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\saikeo.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\foejuy.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\limoq.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\dohod.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\qeevi.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\zauwi.exe N/A
N/A N/A C:\Users\Admin\dohod.exe N/A
N/A N/A C:\Users\Admin\jmpuuy.exe N/A
N/A N/A C:\Users\Admin\bueone.exe N/A
N/A N/A C:\Users\Admin\pueuxo.exe N/A
N/A N/A C:\Users\Admin\zecug.exe N/A
N/A N/A C:\Users\Admin\phcooh.exe N/A
N/A N/A C:\Users\Admin\neaak.exe N/A
N/A N/A C:\Users\Admin\keixooh.exe N/A
N/A N/A C:\Users\Admin\sosuw.exe N/A
N/A N/A C:\Users\Admin\juouhu.exe N/A
N/A N/A C:\Users\Admin\pfbuf.exe N/A
N/A N/A C:\Users\Admin\tqnon.exe N/A
N/A N/A C:\Users\Admin\thkes.exe N/A
N/A N/A C:\Users\Admin\mimoq.exe N/A
N/A N/A C:\Users\Admin\voasio.exe N/A
N/A N/A C:\Users\Admin\ziiix.exe N/A
N/A N/A C:\Users\Admin\rahom.exe N/A
N/A N/A C:\Users\Admin\wtzaj.exe N/A
N/A N/A C:\Users\Admin\lafoq.exe N/A
N/A N/A C:\Users\Admin\weofeo.exe N/A
N/A N/A C:\Users\Admin\saikeo.exe N/A
N/A N/A C:\Users\Admin\fauco.exe N/A
N/A N/A C:\Users\Admin\foejuy.exe N/A
N/A N/A C:\Users\Admin\hjxoh.exe N/A
N/A N/A C:\Users\Admin\sauex.exe N/A
N/A N/A C:\Users\Admin\limoq.exe N/A
N/A N/A C:\Users\Admin\haemien.exe N/A
N/A N/A C:\Users\Admin\naovou.exe N/A
N/A N/A C:\Users\Admin\souvez.exe N/A
N/A N/A C:\Users\Admin\doutax.exe N/A
N/A N/A C:\Users\Admin\miriv.exe N/A
N/A N/A C:\Users\Admin\maopead.exe N/A
N/A N/A C:\Users\Admin\lkqiq.exe N/A
N/A N/A C:\Users\Admin\juouc.exe N/A
N/A N/A C:\Users\Admin\neiuzo.exe N/A
N/A N/A C:\Users\Admin\qeevi.exe N/A
N/A N/A C:\Users\Admin\qthies.exe N/A
N/A N/A C:\Users\Admin\sywez.exe N/A
N/A N/A C:\Users\Admin\kaegoag.exe N/A
N/A N/A C:\Users\Admin\werij.exe N/A
N/A N/A C:\Users\Admin\daebid.exe N/A
N/A N/A C:\Users\Admin\tuuona.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ccf519b92f4c4fb4bd1c4c3f3f0a89d6541c24665100454f5c7953e459ee806.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ccf519b92f4c4fb4bd1c4c3f3f0a89d6541c24665100454f5c7953e459ee806.exe N/A
N/A N/A C:\Users\Admin\zauwi.exe N/A
N/A N/A C:\Users\Admin\zauwi.exe N/A
N/A N/A C:\Users\Admin\dohod.exe N/A
N/A N/A C:\Users\Admin\dohod.exe N/A
N/A N/A C:\Users\Admin\jmpuuy.exe N/A
N/A N/A C:\Users\Admin\jmpuuy.exe N/A
N/A N/A C:\Users\Admin\bueone.exe N/A
N/A N/A C:\Users\Admin\bueone.exe N/A
N/A N/A C:\Users\Admin\pueuxo.exe N/A
N/A N/A C:\Users\Admin\pueuxo.exe N/A
N/A N/A C:\Users\Admin\zecug.exe N/A
N/A N/A C:\Users\Admin\zecug.exe N/A
N/A N/A C:\Users\Admin\phcooh.exe N/A
N/A N/A C:\Users\Admin\phcooh.exe N/A
N/A N/A C:\Users\Admin\neaak.exe N/A
N/A N/A C:\Users\Admin\neaak.exe N/A
N/A N/A C:\Users\Admin\keixooh.exe N/A
N/A N/A C:\Users\Admin\keixooh.exe N/A
N/A N/A C:\Users\Admin\sosuw.exe N/A
N/A N/A C:\Users\Admin\sosuw.exe N/A
N/A N/A C:\Users\Admin\juouhu.exe N/A
N/A N/A C:\Users\Admin\juouhu.exe N/A
N/A N/A C:\Users\Admin\pfbuf.exe N/A
N/A N/A C:\Users\Admin\pfbuf.exe N/A
N/A N/A C:\Users\Admin\tqnon.exe N/A
N/A N/A C:\Users\Admin\tqnon.exe N/A
N/A N/A C:\Users\Admin\thkes.exe N/A
N/A N/A C:\Users\Admin\thkes.exe N/A
N/A N/A C:\Users\Admin\mimoq.exe N/A
N/A N/A C:\Users\Admin\mimoq.exe N/A
N/A N/A C:\Users\Admin\voasio.exe N/A
N/A N/A C:\Users\Admin\voasio.exe N/A
N/A N/A C:\Users\Admin\ziiix.exe N/A
N/A N/A C:\Users\Admin\ziiix.exe N/A
N/A N/A C:\Users\Admin\rahom.exe N/A
N/A N/A C:\Users\Admin\rahom.exe N/A
N/A N/A C:\Users\Admin\wtzaj.exe N/A
N/A N/A C:\Users\Admin\wtzaj.exe N/A
N/A N/A C:\Users\Admin\lafoq.exe N/A
N/A N/A C:\Users\Admin\lafoq.exe N/A
N/A N/A C:\Users\Admin\weofeo.exe N/A
N/A N/A C:\Users\Admin\weofeo.exe N/A
N/A N/A C:\Users\Admin\saikeo.exe N/A
N/A N/A C:\Users\Admin\saikeo.exe N/A
N/A N/A C:\Users\Admin\fauco.exe N/A
N/A N/A C:\Users\Admin\fauco.exe N/A
N/A N/A C:\Users\Admin\foejuy.exe N/A
N/A N/A C:\Users\Admin\foejuy.exe N/A
N/A N/A C:\Users\Admin\hjxoh.exe N/A
N/A N/A C:\Users\Admin\hjxoh.exe N/A
N/A N/A C:\Users\Admin\sauex.exe N/A
N/A N/A C:\Users\Admin\sauex.exe N/A
N/A N/A C:\Users\Admin\limoq.exe N/A
N/A N/A C:\Users\Admin\limoq.exe N/A
N/A N/A C:\Users\Admin\haemien.exe N/A
N/A N/A C:\Users\Admin\haemien.exe N/A
N/A N/A C:\Users\Admin\naovou.exe N/A
N/A N/A C:\Users\Admin\naovou.exe N/A
N/A N/A C:\Users\Admin\souvez.exe N/A
N/A N/A C:\Users\Admin\souvez.exe N/A
N/A N/A C:\Users\Admin\doutax.exe N/A
N/A N/A C:\Users\Admin\doutax.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\sosuw = "C:\\Users\\Admin\\sosuw.exe /E" C:\Users\Admin\keixooh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\souvez = "C:\\Users\\Admin\\souvez.exe /N" C:\Users\Admin\naovou.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\lkqiq = "C:\\Users\\Admin\\lkqiq.exe /t" C:\Users\Admin\maopead.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\haemien = "C:\\Users\\Admin\\haemien.exe /r" C:\Users\Admin\limoq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\miriv = "C:\\Users\\Admin\\miriv.exe /p" C:\Users\Admin\doutax.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaegoag = "C:\\Users\\Admin\\kaegoag.exe /Q" C:\Users\Admin\sywez.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\zauwi = "C:\\Users\\Admin\\zauwi.exe /o" C:\Users\Admin\AppData\Local\Temp\9ccf519b92f4c4fb4bd1c4c3f3f0a89d6541c24665100454f5c7953e459ee806.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\tqnon = "C:\\Users\\Admin\\tqnon.exe /u" C:\Users\Admin\pfbuf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziiix = "C:\\Users\\Admin\\ziiix.exe /i" C:\Users\Admin\voasio.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\sauex = "C:\\Users\\Admin\\sauex.exe /n" C:\Users\Admin\hjxoh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\phcooh = "C:\\Users\\Admin\\phcooh.exe /P" C:\Users\Admin\zecug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\thkes = "C:\\Users\\Admin\\thkes.exe /n" C:\Users\Admin\tqnon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\mimoq = "C:\\Users\\Admin\\mimoq.exe /j" C:\Users\Admin\thkes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuuona = "C:\\Users\\Admin\\tuuona.exe /f" C:\Users\Admin\daebid.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\sywez = "C:\\Users\\Admin\\sywez.exe /l" C:\Users\Admin\qthies.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\bueone = "C:\\Users\\Admin\\bueone.exe /A" C:\Users\Admin\jmpuuy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\zecug = "C:\\Users\\Admin\\zecug.exe /A" C:\Users\Admin\pueuxo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\fauco = "C:\\Users\\Admin\\fauco.exe /P" C:\Users\Admin\saikeo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qthies = "C:\\Users\\Admin\\qthies.exe /f" C:\Users\Admin\qeevi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjxoh = "C:\\Users\\Admin\\hjxoh.exe /F" C:\Users\Admin\foejuy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\juouc = "C:\\Users\\Admin\\juouc.exe /m" C:\Users\Admin\lkqiq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\werij = "C:\\Users\\Admin\\werij.exe /Q" C:\Users\Admin\kaegoag.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\dohod = "C:\\Users\\Admin\\dohod.exe /W" C:\Users\Admin\zauwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\jmpuuy = "C:\\Users\\Admin\\jmpuuy.exe /X" C:\Users\Admin\dohod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\lafoq = "C:\\Users\\Admin\\lafoq.exe /Z" C:\Users\Admin\wtzaj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\foejuy = "C:\\Users\\Admin\\foejuy.exe /g" C:\Users\Admin\fauco.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\doutax = "C:\\Users\\Admin\\doutax.exe /m" C:\Users\Admin\souvez.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeevi = "C:\\Users\\Admin\\qeevi.exe /x" C:\Users\Admin\neiuzo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\keixooh = "C:\\Users\\Admin\\keixooh.exe /g" C:\Users\Admin\neaak.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\pfbuf = "C:\\Users\\Admin\\pfbuf.exe /l" C:\Users\Admin\juouhu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\saikeo = "C:\\Users\\Admin\\saikeo.exe /h" C:\Users\Admin\weofeo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\naovou = "C:\\Users\\Admin\\naovou.exe /C" C:\Users\Admin\haemien.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\limoq = "C:\\Users\\Admin\\limoq.exe /Y" C:\Users\Admin\sauex.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\maopead = "C:\\Users\\Admin\\maopead.exe /C" C:\Users\Admin\miriv.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\neiuzo = "C:\\Users\\Admin\\neiuzo.exe /o" C:\Users\Admin\juouc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\juouhu = "C:\\Users\\Admin\\juouhu.exe /z" C:\Users\Admin\sosuw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\voasio = "C:\\Users\\Admin\\voasio.exe /k" C:\Users\Admin\mimoq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\rahom = "C:\\Users\\Admin\\rahom.exe /I" C:\Users\Admin\ziiix.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\weofeo = "C:\\Users\\Admin\\weofeo.exe /N" C:\Users\Admin\lafoq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\pueuxo = "C:\\Users\\Admin\\pueuxo.exe /W" C:\Users\Admin\bueone.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaak = "C:\\Users\\Admin\\neaak.exe /Y" C:\Users\Admin\phcooh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtzaj = "C:\\Users\\Admin\\wtzaj.exe /Y" C:\Users\Admin\rahom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\daebid = "C:\\Users\\Admin\\daebid.exe /i" C:\Users\Admin\werij.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ccf519b92f4c4fb4bd1c4c3f3f0a89d6541c24665100454f5c7953e459ee806.exe N/A
N/A N/A C:\Users\Admin\zauwi.exe N/A
N/A N/A C:\Users\Admin\dohod.exe N/A
N/A N/A C:\Users\Admin\jmpuuy.exe N/A
N/A N/A C:\Users\Admin\bueone.exe N/A
N/A N/A C:\Users\Admin\pueuxo.exe N/A
N/A N/A C:\Users\Admin\zecug.exe N/A
N/A N/A C:\Users\Admin\phcooh.exe N/A
N/A N/A C:\Users\Admin\neaak.exe N/A
N/A N/A C:\Users\Admin\keixooh.exe N/A
N/A N/A C:\Users\Admin\sosuw.exe N/A
N/A N/A C:\Users\Admin\juouhu.exe N/A
N/A N/A C:\Users\Admin\pfbuf.exe N/A
N/A N/A C:\Users\Admin\tqnon.exe N/A
N/A N/A C:\Users\Admin\thkes.exe N/A
N/A N/A C:\Users\Admin\mimoq.exe N/A
N/A N/A C:\Users\Admin\voasio.exe N/A
N/A N/A C:\Users\Admin\ziiix.exe N/A
N/A N/A C:\Users\Admin\rahom.exe N/A
N/A N/A C:\Users\Admin\wtzaj.exe N/A
N/A N/A C:\Users\Admin\lafoq.exe N/A
N/A N/A C:\Users\Admin\weofeo.exe N/A
N/A N/A C:\Users\Admin\saikeo.exe N/A
N/A N/A C:\Users\Admin\fauco.exe N/A
N/A N/A C:\Users\Admin\foejuy.exe N/A
N/A N/A C:\Users\Admin\hjxoh.exe N/A
N/A N/A C:\Users\Admin\sauex.exe N/A
N/A N/A C:\Users\Admin\limoq.exe N/A
N/A N/A C:\Users\Admin\haemien.exe N/A
N/A N/A C:\Users\Admin\naovou.exe N/A
N/A N/A C:\Users\Admin\souvez.exe N/A
N/A N/A C:\Users\Admin\doutax.exe N/A
N/A N/A C:\Users\Admin\miriv.exe N/A
N/A N/A C:\Users\Admin\maopead.exe N/A
N/A N/A C:\Users\Admin\lkqiq.exe N/A
N/A N/A C:\Users\Admin\juouc.exe N/A
N/A N/A C:\Users\Admin\neiuzo.exe N/A
N/A N/A C:\Users\Admin\qeevi.exe N/A
N/A N/A C:\Users\Admin\qthies.exe N/A
N/A N/A C:\Users\Admin\sywez.exe N/A
N/A N/A C:\Users\Admin\kaegoag.exe N/A
N/A N/A C:\Users\Admin\werij.exe N/A
N/A N/A C:\Users\Admin\daebid.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ccf519b92f4c4fb4bd1c4c3f3f0a89d6541c24665100454f5c7953e459ee806.exe N/A
N/A N/A C:\Users\Admin\zauwi.exe N/A
N/A N/A C:\Users\Admin\dohod.exe N/A
N/A N/A C:\Users\Admin\jmpuuy.exe N/A
N/A N/A C:\Users\Admin\bueone.exe N/A
N/A N/A C:\Users\Admin\pueuxo.exe N/A
N/A N/A C:\Users\Admin\zecug.exe N/A
N/A N/A C:\Users\Admin\phcooh.exe N/A
N/A N/A C:\Users\Admin\neaak.exe N/A
N/A N/A C:\Users\Admin\keixooh.exe N/A
N/A N/A C:\Users\Admin\sosuw.exe N/A
N/A N/A C:\Users\Admin\juouhu.exe N/A
N/A N/A C:\Users\Admin\pfbuf.exe N/A
N/A N/A C:\Users\Admin\tqnon.exe N/A
N/A N/A C:\Users\Admin\thkes.exe N/A
N/A N/A C:\Users\Admin\mimoq.exe N/A
N/A N/A C:\Users\Admin\voasio.exe N/A
N/A N/A C:\Users\Admin\ziiix.exe N/A
N/A N/A C:\Users\Admin\rahom.exe N/A
N/A N/A C:\Users\Admin\wtzaj.exe N/A
N/A N/A C:\Users\Admin\lafoq.exe N/A
N/A N/A C:\Users\Admin\weofeo.exe N/A
N/A N/A C:\Users\Admin\saikeo.exe N/A
N/A N/A C:\Users\Admin\fauco.exe N/A
N/A N/A C:\Users\Admin\foejuy.exe N/A
N/A N/A C:\Users\Admin\hjxoh.exe N/A
N/A N/A C:\Users\Admin\sauex.exe N/A
N/A N/A C:\Users\Admin\limoq.exe N/A
N/A N/A C:\Users\Admin\haemien.exe N/A
N/A N/A C:\Users\Admin\naovou.exe N/A
N/A N/A C:\Users\Admin\souvez.exe N/A
N/A N/A C:\Users\Admin\doutax.exe N/A
N/A N/A C:\Users\Admin\miriv.exe N/A
N/A N/A C:\Users\Admin\maopead.exe N/A
N/A N/A C:\Users\Admin\lkqiq.exe N/A
N/A N/A C:\Users\Admin\juouc.exe N/A
N/A N/A C:\Users\Admin\neiuzo.exe N/A
N/A N/A C:\Users\Admin\qeevi.exe N/A
N/A N/A C:\Users\Admin\qthies.exe N/A
N/A N/A C:\Users\Admin\sywez.exe N/A
N/A N/A C:\Users\Admin\kaegoag.exe N/A
N/A N/A C:\Users\Admin\werij.exe N/A
N/A N/A C:\Users\Admin\daebid.exe N/A
N/A N/A C:\Users\Admin\tuuona.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3020 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\9ccf519b92f4c4fb4bd1c4c3f3f0a89d6541c24665100454f5c7953e459ee806.exe C:\Users\Admin\zauwi.exe
PID 3020 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\9ccf519b92f4c4fb4bd1c4c3f3f0a89d6541c24665100454f5c7953e459ee806.exe C:\Users\Admin\zauwi.exe
PID 3020 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\9ccf519b92f4c4fb4bd1c4c3f3f0a89d6541c24665100454f5c7953e459ee806.exe C:\Users\Admin\zauwi.exe
PID 3020 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\9ccf519b92f4c4fb4bd1c4c3f3f0a89d6541c24665100454f5c7953e459ee806.exe C:\Users\Admin\zauwi.exe
PID 2780 wrote to memory of 2768 N/A C:\Users\Admin\zauwi.exe C:\Users\Admin\dohod.exe
PID 2780 wrote to memory of 2768 N/A C:\Users\Admin\zauwi.exe C:\Users\Admin\dohod.exe
PID 2780 wrote to memory of 2768 N/A C:\Users\Admin\zauwi.exe C:\Users\Admin\dohod.exe
PID 2780 wrote to memory of 2768 N/A C:\Users\Admin\zauwi.exe C:\Users\Admin\dohod.exe
PID 2768 wrote to memory of 1424 N/A C:\Users\Admin\dohod.exe C:\Users\Admin\jmpuuy.exe
PID 2768 wrote to memory of 1424 N/A C:\Users\Admin\dohod.exe C:\Users\Admin\jmpuuy.exe
PID 2768 wrote to memory of 1424 N/A C:\Users\Admin\dohod.exe C:\Users\Admin\jmpuuy.exe
PID 2768 wrote to memory of 1424 N/A C:\Users\Admin\dohod.exe C:\Users\Admin\jmpuuy.exe
PID 1424 wrote to memory of 2216 N/A C:\Users\Admin\jmpuuy.exe C:\Users\Admin\bueone.exe
PID 1424 wrote to memory of 2216 N/A C:\Users\Admin\jmpuuy.exe C:\Users\Admin\bueone.exe
PID 1424 wrote to memory of 2216 N/A C:\Users\Admin\jmpuuy.exe C:\Users\Admin\bueone.exe
PID 1424 wrote to memory of 2216 N/A C:\Users\Admin\jmpuuy.exe C:\Users\Admin\bueone.exe
PID 2216 wrote to memory of 2488 N/A C:\Users\Admin\bueone.exe C:\Users\Admin\pueuxo.exe
PID 2216 wrote to memory of 2488 N/A C:\Users\Admin\bueone.exe C:\Users\Admin\pueuxo.exe
PID 2216 wrote to memory of 2488 N/A C:\Users\Admin\bueone.exe C:\Users\Admin\pueuxo.exe
PID 2216 wrote to memory of 2488 N/A C:\Users\Admin\bueone.exe C:\Users\Admin\pueuxo.exe
PID 2488 wrote to memory of 2408 N/A C:\Users\Admin\pueuxo.exe C:\Users\Admin\zecug.exe
PID 2488 wrote to memory of 2408 N/A C:\Users\Admin\pueuxo.exe C:\Users\Admin\zecug.exe
PID 2488 wrote to memory of 2408 N/A C:\Users\Admin\pueuxo.exe C:\Users\Admin\zecug.exe
PID 2488 wrote to memory of 2408 N/A C:\Users\Admin\pueuxo.exe C:\Users\Admin\zecug.exe
PID 2408 wrote to memory of 1664 N/A C:\Users\Admin\zecug.exe C:\Users\Admin\phcooh.exe
PID 2408 wrote to memory of 1664 N/A C:\Users\Admin\zecug.exe C:\Users\Admin\phcooh.exe
PID 2408 wrote to memory of 1664 N/A C:\Users\Admin\zecug.exe C:\Users\Admin\phcooh.exe
PID 2408 wrote to memory of 1664 N/A C:\Users\Admin\zecug.exe C:\Users\Admin\phcooh.exe
PID 1664 wrote to memory of 1120 N/A C:\Users\Admin\phcooh.exe C:\Users\Admin\neaak.exe
PID 1664 wrote to memory of 1120 N/A C:\Users\Admin\phcooh.exe C:\Users\Admin\neaak.exe
PID 1664 wrote to memory of 1120 N/A C:\Users\Admin\phcooh.exe C:\Users\Admin\neaak.exe
PID 1664 wrote to memory of 1120 N/A C:\Users\Admin\phcooh.exe C:\Users\Admin\neaak.exe
PID 1120 wrote to memory of 2604 N/A C:\Users\Admin\neaak.exe C:\Users\Admin\keixooh.exe
PID 1120 wrote to memory of 2604 N/A C:\Users\Admin\neaak.exe C:\Users\Admin\keixooh.exe
PID 1120 wrote to memory of 2604 N/A C:\Users\Admin\neaak.exe C:\Users\Admin\keixooh.exe
PID 1120 wrote to memory of 2604 N/A C:\Users\Admin\neaak.exe C:\Users\Admin\keixooh.exe
PID 2604 wrote to memory of 2208 N/A C:\Users\Admin\keixooh.exe C:\Users\Admin\sosuw.exe
PID 2604 wrote to memory of 2208 N/A C:\Users\Admin\keixooh.exe C:\Users\Admin\sosuw.exe
PID 2604 wrote to memory of 2208 N/A C:\Users\Admin\keixooh.exe C:\Users\Admin\sosuw.exe
PID 2604 wrote to memory of 2208 N/A C:\Users\Admin\keixooh.exe C:\Users\Admin\sosuw.exe
PID 2208 wrote to memory of 2344 N/A C:\Users\Admin\sosuw.exe C:\Users\Admin\juouhu.exe
PID 2208 wrote to memory of 2344 N/A C:\Users\Admin\sosuw.exe C:\Users\Admin\juouhu.exe
PID 2208 wrote to memory of 2344 N/A C:\Users\Admin\sosuw.exe C:\Users\Admin\juouhu.exe
PID 2208 wrote to memory of 2344 N/A C:\Users\Admin\sosuw.exe C:\Users\Admin\juouhu.exe
PID 2344 wrote to memory of 1696 N/A C:\Users\Admin\juouhu.exe C:\Users\Admin\pfbuf.exe
PID 2344 wrote to memory of 1696 N/A C:\Users\Admin\juouhu.exe C:\Users\Admin\pfbuf.exe
PID 2344 wrote to memory of 1696 N/A C:\Users\Admin\juouhu.exe C:\Users\Admin\pfbuf.exe
PID 2344 wrote to memory of 1696 N/A C:\Users\Admin\juouhu.exe C:\Users\Admin\pfbuf.exe
PID 1696 wrote to memory of 460 N/A C:\Users\Admin\pfbuf.exe C:\Users\Admin\tqnon.exe
PID 1696 wrote to memory of 460 N/A C:\Users\Admin\pfbuf.exe C:\Users\Admin\tqnon.exe
PID 1696 wrote to memory of 460 N/A C:\Users\Admin\pfbuf.exe C:\Users\Admin\tqnon.exe
PID 1696 wrote to memory of 460 N/A C:\Users\Admin\pfbuf.exe C:\Users\Admin\tqnon.exe
PID 460 wrote to memory of 2004 N/A C:\Users\Admin\tqnon.exe C:\Users\Admin\thkes.exe
PID 460 wrote to memory of 2004 N/A C:\Users\Admin\tqnon.exe C:\Users\Admin\thkes.exe
PID 460 wrote to memory of 2004 N/A C:\Users\Admin\tqnon.exe C:\Users\Admin\thkes.exe
PID 460 wrote to memory of 2004 N/A C:\Users\Admin\tqnon.exe C:\Users\Admin\thkes.exe
PID 2004 wrote to memory of 2008 N/A C:\Users\Admin\thkes.exe C:\Users\Admin\mimoq.exe
PID 2004 wrote to memory of 2008 N/A C:\Users\Admin\thkes.exe C:\Users\Admin\mimoq.exe
PID 2004 wrote to memory of 2008 N/A C:\Users\Admin\thkes.exe C:\Users\Admin\mimoq.exe
PID 2004 wrote to memory of 2008 N/A C:\Users\Admin\thkes.exe C:\Users\Admin\mimoq.exe
PID 2008 wrote to memory of 2992 N/A C:\Users\Admin\mimoq.exe C:\Users\Admin\voasio.exe
PID 2008 wrote to memory of 2992 N/A C:\Users\Admin\mimoq.exe C:\Users\Admin\voasio.exe
PID 2008 wrote to memory of 2992 N/A C:\Users\Admin\mimoq.exe C:\Users\Admin\voasio.exe
PID 2008 wrote to memory of 2992 N/A C:\Users\Admin\mimoq.exe C:\Users\Admin\voasio.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9ccf519b92f4c4fb4bd1c4c3f3f0a89d6541c24665100454f5c7953e459ee806.exe

"C:\Users\Admin\AppData\Local\Temp\9ccf519b92f4c4fb4bd1c4c3f3f0a89d6541c24665100454f5c7953e459ee806.exe"

C:\Users\Admin\zauwi.exe

"C:\Users\Admin\zauwi.exe"

C:\Users\Admin\dohod.exe

"C:\Users\Admin\dohod.exe"

C:\Users\Admin\jmpuuy.exe

"C:\Users\Admin\jmpuuy.exe"

C:\Users\Admin\bueone.exe

"C:\Users\Admin\bueone.exe"

C:\Users\Admin\pueuxo.exe

"C:\Users\Admin\pueuxo.exe"

C:\Users\Admin\zecug.exe

"C:\Users\Admin\zecug.exe"

C:\Users\Admin\phcooh.exe

"C:\Users\Admin\phcooh.exe"

C:\Users\Admin\neaak.exe

"C:\Users\Admin\neaak.exe"

C:\Users\Admin\keixooh.exe

"C:\Users\Admin\keixooh.exe"

C:\Users\Admin\sosuw.exe

"C:\Users\Admin\sosuw.exe"

C:\Users\Admin\juouhu.exe

"C:\Users\Admin\juouhu.exe"

C:\Users\Admin\pfbuf.exe

"C:\Users\Admin\pfbuf.exe"

C:\Users\Admin\tqnon.exe

"C:\Users\Admin\tqnon.exe"

C:\Users\Admin\thkes.exe

"C:\Users\Admin\thkes.exe"

C:\Users\Admin\mimoq.exe

"C:\Users\Admin\mimoq.exe"

C:\Users\Admin\voasio.exe

"C:\Users\Admin\voasio.exe"

C:\Users\Admin\ziiix.exe

"C:\Users\Admin\ziiix.exe"

C:\Users\Admin\rahom.exe

"C:\Users\Admin\rahom.exe"

C:\Users\Admin\wtzaj.exe

"C:\Users\Admin\wtzaj.exe"

C:\Users\Admin\lafoq.exe

"C:\Users\Admin\lafoq.exe"

C:\Users\Admin\weofeo.exe

"C:\Users\Admin\weofeo.exe"

C:\Users\Admin\saikeo.exe

"C:\Users\Admin\saikeo.exe"

C:\Users\Admin\fauco.exe

"C:\Users\Admin\fauco.exe"

C:\Users\Admin\foejuy.exe

"C:\Users\Admin\foejuy.exe"

C:\Users\Admin\hjxoh.exe

"C:\Users\Admin\hjxoh.exe"

C:\Users\Admin\sauex.exe

"C:\Users\Admin\sauex.exe"

C:\Users\Admin\limoq.exe

"C:\Users\Admin\limoq.exe"

C:\Users\Admin\haemien.exe

"C:\Users\Admin\haemien.exe"

C:\Users\Admin\naovou.exe

"C:\Users\Admin\naovou.exe"

C:\Users\Admin\souvez.exe

"C:\Users\Admin\souvez.exe"

C:\Users\Admin\doutax.exe

"C:\Users\Admin\doutax.exe"

C:\Users\Admin\miriv.exe

"C:\Users\Admin\miriv.exe"

C:\Users\Admin\maopead.exe

"C:\Users\Admin\maopead.exe"

C:\Users\Admin\lkqiq.exe

"C:\Users\Admin\lkqiq.exe"

C:\Users\Admin\juouc.exe

"C:\Users\Admin\juouc.exe"

C:\Users\Admin\neiuzo.exe

"C:\Users\Admin\neiuzo.exe"

C:\Users\Admin\qeevi.exe

"C:\Users\Admin\qeevi.exe"

C:\Users\Admin\qthies.exe

"C:\Users\Admin\qthies.exe"

C:\Users\Admin\sywez.exe

"C:\Users\Admin\sywez.exe"

C:\Users\Admin\kaegoag.exe

"C:\Users\Admin\kaegoag.exe"

C:\Users\Admin\werij.exe

"C:\Users\Admin\werij.exe"

C:\Users\Admin\daebid.exe

"C:\Users\Admin\daebid.exe"

C:\Users\Admin\tuuona.exe

"C:\Users\Admin\tuuona.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ns1.spansearcher.net udp
US 8.8.8.8:53 ns1.spinsearcher.org udp
US 8.8.8.8:53 ns1.player1352.net udp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp
US 104.155.138.21:8000 ns1.player1352.net tcp

Files

\Users\Admin\zauwi.exe

MD5 1810134afe0bc4a0ab29c73bc13a0125
SHA1 5e36df150bd544a11ce25115317a3fe2986d5837
SHA256 570c12fcda305b592151d3f30bfe40fbca9eeb8150336f686c2ad954531f5ff8
SHA512 a8341b78ac2bee2e61c5706df69c1286a0ab85494fdf9462465987fed64be4fdc967d458aa5ae7132b2fa991c6c9d85a6b566e9027ec489c7b5c3b31aa308620

\Users\Admin\dohod.exe

MD5 a7481ea7461c62b5b16fd6d804dc0ac7
SHA1 3ddc33a3616e90bbc05e032dcf899be7f926f3a6
SHA256 7ad1faf79d45ec9d8efe6e37b0b83f6173c91694b5c3d8b5ccc64eee875ba0b2
SHA512 7a2921622d8c8856c3ec439da4af52d44db44ff788ae5bf4215c988718fd56791bb193770b76e764f20377987e41cd82da652e516e95044d490dbe9ee3ef3f16

\Users\Admin\jmpuuy.exe

MD5 150b4b9f5d0be13a5d05f4130ce793ca
SHA1 db4212790ce2d4fbd75926d65a2f7275a269afc3
SHA256 b14d0279d1296d54d2f2cb57a82d8a7206a40474410aa249d6d63d1f7eff0f14
SHA512 5c447fa0e8071ca7797f018914c102394775363d21ba3b30c3317487eebf844f4c79bba245476cf7046a82af119b3711f89d35e94c259f46a073004b98c247e0

\Users\Admin\bueone.exe

MD5 fa6ba58ba2545874157997c15a5f7be4
SHA1 7bd73838f61a52aa4d8df7fcf260490ba03174ab
SHA256 5fe953c60327774593f636ec12dd275cbe329f11e2257f350ede3caef584a8cb
SHA512 f20067cb109f3b8a9a9eb878484bc7630ff581f5a26c09f25de1bf7260a0dd3ed9b9556e5b374c9c30464428e624feb7290e9c335b173c33e961818a864dab52

\Users\Admin\pueuxo.exe

MD5 a38ecff293d5ce85b1b1dabbd6301e26
SHA1 3530ce0236e5536f09093f9fc7033593c5561d20
SHA256 63912615f83221170a02a85e70ef52a555f0ff27047c498d25dd08d453bc5f46
SHA512 50ade1267b3d00f37585b20c07e3f49153042749a655d51aabb1cbb59ad3a112b158861f8d3c683be91bf0a84bc57d97908338230b189ac49e4a1473aa7f2989

\Users\Admin\zecug.exe

MD5 70270ef0da79bcfe70c31b7405955603
SHA1 baa095c4e585c1ce75478fa5d46bc573974a87a4
SHA256 c8aca7e62df8922bebbdac7b34ff80d5565a0d79fd46e9755af03830f2c4d1c7
SHA512 e9b1ec335b0e701e000d98bae943bf901cffcba8d0fcf6bac42b7124aa6efe8ceeb40f2971ca0e4a265e1f9741d94d4b8f77e4e87ebcad31feb36880e881b028

\Users\Admin\phcooh.exe

MD5 c9fd2138d9094f3ba077ef58a038c839
SHA1 5adfd5faf0a4d43bf3be4e09478088423829d5fe
SHA256 7c7841a707af3ef04f419c1dafc9117ab4d43ce275262368c024596c5231aa61
SHA512 885aaf2ebeb5e57799a6abc297d235a520d76d1a724c717f4adef9b5b3dc3f23b7ecd44871dd6ed062b3502f664ea2262b06c24a0a09e4417199f2823bcbbdd1

\Users\Admin\neaak.exe

MD5 2333cee3d5dbb2b42a92d51f05ee1613
SHA1 eb719b1f3be63deeb6b6485fab4ec10046bc77a7
SHA256 d370eb55739f9b3b609a9c56c2430d0064bbd72b0236374e83ec57d3cd8381dd
SHA512 523275d28e77bb081974c707e2628a387fbe54ca6efa269fcd645ca92360099773715181de759a124cc49fc505d650f031ee4d8c9f60a0ad783446d4a89228cd

\Users\Admin\keixooh.exe

MD5 0e693ef880d7e5febcc7ca4558e610a3
SHA1 7dea4f4eef8b2d175d89ad8a914ef764ef3f3f02
SHA256 1eda8d22b22e569ae09243a59363edec9e5d1247774e6846fce29f4490d765a1
SHA512 0cc7937823967e44967337db0938ad34d19fdcb4bd07ff98bc882a8e7b7b95f9677c41576d8ea8afdbd6298ba8a5baaa742c31f603d1e87c8ecb2e3e2b4ea37c

\Users\Admin\sosuw.exe

MD5 77e59ef1dc77b367c86301a24d286835
SHA1 ae332cbf59a8b60a7f8873e3f27cb917d5597050
SHA256 7f2e7a8b5860b9359662645b0627c83e8d158d5518f57f95c1f165394963c178
SHA512 20e4dff0cdb083be99a26e9423f33dcd6085cdae3f85caf2e603eb9bf2920aa589757607380f381088f1338b48c82b17c0346744e318538b6894684baee4502d

\Users\Admin\juouhu.exe

MD5 427b18f8697503d9f48992c5fb1937d4
SHA1 a7f1f24c6b4e52beb68c1a2c7b0da1552b2b859a
SHA256 ecbe2418dfa43ec9c5cf2a912f5613aa4ccbb27dbb8f1f880261c0e84e50c648
SHA512 25e672e720f6a030056e650b88133e01aff985b8333a4505e246ebd0e83754c70ccfab95eb13fff15ff61bdc32dad444ad7215d1732b98fd822e55772e8cf6a7

\Users\Admin\pfbuf.exe

MD5 e8014a310fb9ac7880d5f776ae59a073
SHA1 6e1acd724d6439fb71fd13cdb1c11cafddf8480f
SHA256 b64c43ba79c983731c76a6468b8e6567352fc129ee095f75609872d8ec7a704b
SHA512 0c94683ba0633f965e7832972b1229899520a7218d78cb5081a80986ac780cade383685f4157acc65b4c9399aace99bb7f0bb0f2b04d9cf95b05fcfff60f03ca

\Users\Admin\tqnon.exe

MD5 fe578db1da52340bbdfe258057b5a22d
SHA1 c09a7be1f29e320860c1993cc4f29e103220dc74
SHA256 129db3ea4024118866c9d0e13ae5a9464a3467c6df0a51c4de979b4ac4233e34
SHA512 3e66127812e8a684c7993ce5efe5cb544a51e82a79bae34250f788d88998dbfca370f1c51dd5ca634ee83a2b62d26b79ede03ae4d6f721ad2e4f90f9527866ac

\Users\Admin\thkes.exe

MD5 41e0fecd15dd1faf9a8866145e722085
SHA1 1e9c9b215276bac09268d1898a364e321bfb3e38
SHA256 603f08819cf07c0e8b95f9ce9498fa1538fa01a421b4ee9e38abd8b8cd03a52b
SHA512 675bea2fd67653996d3175e9ba6ff7c90f04a4bf423eaebab7be155d4e305f64655f8b08f11bc797d204d76960ed5efdd65a7883c43f00904dc4f237032381ac

\Users\Admin\mimoq.exe

MD5 726bec4035c6180af697155f7ca0cb8c
SHA1 eb003fd11d9222f977e378cb13db4acca9eb1769
SHA256 927eed707d0bd69f92492b61a1cde52764d164ca074c7560351d1fce6fd42bb9
SHA512 f4ce0170c4a7b83a03c201accb045d082bac6d9dd1f6c9c2d723d7d5be1eab46f341dac969121f95a905e93e6830a7be54e2230f07c72b3722fe88d9fc96371c

\Users\Admin\voasio.exe

MD5 ffdee6b8b7872e20cbae61881b256029
SHA1 066a8d7069dd3baf4aa86f24d04d0364285785ca
SHA256 984518f0b5399246875400ea39b32ea0235824f8d78c80ee0be279171ad8f23b
SHA512 d9b4742b02f0c54369e737597c5079aa1b6bdc7a6d788007f422c793888e77fb9f5de52a60de88aad6880a6e944c432343ee0bdba06a2cd1957d9978c1888198