8dd8b9bd94de1e72f0c400c5f32dcefc114cc0a5bf14b74ba6edc19fd4aeb2a5

General

Target

cpcrs.exe
Size

419KB
MD5

7d20fa01a703afa8907e50417d27b0a4
SHA1

320116162d78afb8e00fd972591479a899d3dfee
SHA256

3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe
SHA512

0dcebe2598e6ccb51f0609831c93071421049eb924f83871e95c5a280af0d2e76630dfc47c5a2780eb18d55ee9690d6c83aabd8f1043cc2cdc21d9fe5425b892

Score

8^/10

persistence ransomware spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 64 IoCs

Processes:

cpcrs.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\hcw85cir.sys	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\RNDISMP.sys	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\de-DE\HdAudio.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\en-US\serial.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\ja-JP\amdide.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\ja-JP\tsusbhub.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\hwpolicy.sys	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\RDPENCDD.sys	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\de-DE\ataport.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\it-IT\BTHUSB.SYS.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\lsi_sas2.sys	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\de-DE\Dot4usb.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\de-DE\pci.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\de-DE\modem.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\en-US\ULIAGPKX.SYS.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\FWPKCLNT.SYS	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\de-DE\bthpan.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\de-DE\fvevol.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\de-DE\i8042prt.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\volsnap.sys	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\fr-FR\tsusbflt.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\es-ES\http.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\fr-FR\usbhub.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\fr-FR\amdppm.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\it-IT\http.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\volmgr.sys	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\es-ES\rdpwd.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\es-ES\usbrpm.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\en-US\amdk8.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\es-ES\MTConfig.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\ja-JP\BrSerId.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\de-DE\mouhid.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\en-US\hidbth.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\es-ES\srv.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\it-IT\amdide.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\msrpc.sys	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\wfplwf.sys	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\ja-JP\rdbss.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\ja-JP\rndismp6.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\de-DE\rndismp6.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\en-US\amdppm.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\afd.sys	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\en-US\fltmgr.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\ja-JP\mssmbios.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\mpsdrv.sys	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\es-ES\mouhid.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\ks.sys	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\VMBusHID.sys	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\en-US\pci.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\null.sys	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\wd.sys	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\fr-FR\Dot4usb.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\fr-FR\portcls.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\de-DE\amdide.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\it-IT\rdpwd.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\ja-JP\volmgrx.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\de-DE\wdf01000.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\es-ES\luafv.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\it-IT\srv.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\rdpvideominiport.sys	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\TsUsbFlt.sys	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\Wdf01000.sys	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\fr-FR\usbrpm.sys.mui	cpcrs.exe
File opened for modification	C:\Windows\system32\drivers\dxgkrnl.sys	cpcrs.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

cpcrs.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\EditTrace.tiff	cpcrs.exe
File opened for modification	C:\Users\Admin\Pictures\SplitAssert.tiff	cpcrs.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

Processes:

cpcrs.exe

description	ioc	process
File opened for modification	C:\Users\Public\Documents\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Public\Documents\My Videos\Sample Videos\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XIWRAWIU\desktop.ini	cpcrs.exe
File opened for modification	C:\ProgramData\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	cpcrs.exe
File opened for modification	C:\ProgramData\Start Menu\Programs\Startup\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Public\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	cpcrs.exe
File opened for modification	C:\ProgramData\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Admin\My Documents\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Admin\SendTo\Desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Public\Documents\My Videos\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	cpcrs.exe
File opened for modification	C:\ProgramData\Start Menu\Programs\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temporary Internet Files\Content.IE5\JV18Q8B8\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	cpcrs.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	cpcrs.exe
File opened for modification	C:\ProgramData\Documents\My Pictures\desktop.ini	cpcrs.exe
File opened for modification	C:\ProgramData\Start Menu\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temporary Internet Files\Content.IE5\ZUNPEB2H\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZUNPEB2H\desktop.ini	cpcrs.exe
File opened for modification	C:\ProgramData\Documents\My Music\Sample Music\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\DL4J84XN\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	cpcrs.exe
File opened for modification	C:\ProgramData\Start Menu\Programs\Accessories\System Tools\Desktop.ini	cpcrs.exe
File opened for modification	C:\ProgramData\Start Menu\Programs\Administrative Tools\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	cpcrs.exe
File opened for modification	C:\ProgramData\Start Menu\Programs\Accessories\Desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temporary Internet Files\Content.IE5\ZVKSVSRO\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temporary Internet Files\Content.IE5\XIWRAWIU\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Default\SendTo\Desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Admin\My Documents\My Videos\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\GMEWETP4\desktop.ini	cpcrs.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2199625441-3471261906-229485034-1000\desktop.ini	cpcrs.exe
File opened for modification	C:\ProgramData\Start Menu\Programs\Games\Desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Public\Documents\My Music\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Public\Documents\My Pictures\desktop.ini	cpcrs.exe
File opened for modification	C:\ProgramData\Documents\My Pictures\Sample Pictures\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Admin\AppData\Local\History\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Admin\Documents\My Music\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temporary Internet Files\Content.IE5\desktop.ini	cpcrs.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	cpcrs.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cpcrs.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	cpcrs.exe
Key security queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	cpcrs.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	cpcrs.exe
Set key security	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	cpcrs.exe

Drops file in Windows directory 64 IoCs

Processes:

cpcrs.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\stdole.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\Microsoft.Ink.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.MediaCenter.Playback\6.1.0.0__31bf3856ad364e35\Microsoft.MediaCenter.Playback.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources\3.0.0.0_fr_31bf3856ad364e35\Microsoft.ManagementConsole.Resources.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessApplications.Tools.AutoGen\14.0.0.0__71e9bce111e9429c\Microsoft.Office.BusinessApplications.Tools.AutoGen.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources\1.0.0.0_es_31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.Resources.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.Ink\1.7.2600.2180__31bf3856ad364e35\__AssemblyInfo__.ini	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\3.5.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\microsoft.build.utilities.resources\2.0.0.0_fr_b03f5f7f11d50a3a\Microsoft.Build.Utilities.Resources.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessApplications.Runtime.Intl\14.0.0.0__71e9bce111e9429c\Microsoft.Office.BusinessApplications.Runtime.Intl.dll	cpcrs.exe
File opened for modification	C:\Windows\AppPatch\AcRes.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.MediaCenter.Shell\6.1.0.0__31bf3856ad364e35\Microsoft.MediaCenter.Shell.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessApplications.RuntimeUi\14.0.0.0__71e9bce111e9429c\Microsoft.Office.BusinessApplications.RuntimeUi.dll	cpcrs.exe
File opened for modification	C:\Windows\AppCompat\Programs\RecentFileCache.bcf	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_64\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\AuditPolicyGPManagedStubs.Interop.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\Microsoft.Ink.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_64\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationCore.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources\3.0.0.0_de_31bf3856ad364e35\Microsoft.ManagementConsole.Resources.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.InfoPath.Client.Internal.Host\14.0.0.0__71e9bce111e9429c\Microsoft.Office.Infopath.Client.Internal.Host.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\1.0.0.0_fr_31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.Resources.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell.Resources\1.0.0.0_es_31bf3856ad364e35\Microsoft.PowerShell.Gpowershell.resources.dll	cpcrs.exe
File opened for modification	C:\Windows\fveupdate.exe	cpcrs.exe
File opened for modification	C:\Windows\twain.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_64\mcstoredb\6.1.0.0__31bf3856ad364e35\mcstoredb.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Outlook\14.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Outlook.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell.Resources\1.0.0.0_it_31bf3856ad364e35\Microsoft.PowerShell.Gpowershell.resources.dll	cpcrs.exe
File opened for modification	C:\Windows\splwow64.exe	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessApplications.SyncServices\14.0.0.0__71e9bce111e9429c\Microsoft.Office.BusinessApplications.SyncServices.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Excel\14.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Excel.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.InfoPath.Xml\14.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.InfoPath.Xml.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\normnfc.nlp	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_32\Policy.1.7.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\Policy.1.7.Microsoft.Ink.dll	cpcrs.exe
File opened for modification	C:\Windows\PFRO.log	cpcrs.exe
File opened for modification	C:\Windows\assembly\PublisherPolicy.tme	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\__AssemblyInfo__.ini	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\AuditPolicyGPManagedStubs.Interop.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_it_31bf3856ad364e35\Microsoft.GroupPolicy.AdmTmplEditor.Resources.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Office.Access.BusinessDataCatalog\14.0.0.0__71e9bce111e9429c\Microsoft.Office.Access.BusinessDataCatalog.DLL	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_64\Mcx2Dvcs\6.1.0.0__31bf3856ad364e35\Mcx2Dvcs.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\mcstore\6.1.0.0__31bf3856ad364e35\mcstore.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine.resources\2.0.0.0_fr_b03f5f7f11d50a3a\Microsoft.Build.Engine.resources.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.GroupPolicy.Reporting.Resources\2.0.0.0_fr_31bf3856ad364e35\Microsoft.GroupPolicy.Reporting.Resources.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_es_31bf3856ad364e35\Microsoft.GroupPolicy.AdmTmplEditor.Resources.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_64\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\mcepg\6.1.0.0__31bf3856ad364e35\mcepg.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.ApplicationId.Framework.Resources\6.1.0.0_de_31bf3856ad364e35\Microsoft.ApplicationId.Framework.Resources.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.GroupPolicy.Reporting.Resources\2.0.0.0_en_31bf3856ad364e35\Microsoft.GroupPolicy.Reporting.Resources.dll	cpcrs.exe
File opened for modification	C:\Windows\setupact.log	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.ApplicationId.RuleWizard.Resources\6.1.0.0_es_31bf3856ad364e35\Microsoft.ApplicationId.RuleWizard.Resources.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.InfoPath.SemiTrust\11.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.InfoPath.SemiTrust.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources\1.0.0.0_it_31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.Resources.dll	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessData.Intl\14.0.0.0__71e9bce111e9429c\microsoft.office.businessdata.intl.dll	cpcrs.exe
File opened for modification	C:\Windows\hh.exe	cpcrs.exe
File opened for modification	C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll	cpcrs.exe

Modifies Control Panel 64 IoCs

evasion

Processes:

cpcrs.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Accessibility\Keyboard Preference	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Accessibility\ShowSounds	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Input Method\Hot Keys\00000201	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\PowerCfg\GlobalPowerPolicy	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Desktop	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Infrared	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Accessibility\TimeOut	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Appearance\New Schemes\4\Sizes\0	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Appearance\New Schemes\4\Sizes	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Appearance\Schemes	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Cursors	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Input Method\Hot Keys\00000203	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Appearance\New Schemes\1\Sizes\0	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Appearance\New Schemes\3	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Desktop\LanguageConfiguration	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Infrared\Global	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Input Method\Hot Keys\00000200	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Accessibility\MouseKeys	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Accessibility\StickyKeys	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Keyboard	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\PowerCfg	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Appearance\New Schemes\1\Sizes	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Infrared\IrTranP	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Input Method	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Personalization\Desktop Slideshow	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\PowerCfg\PowerPolicies\0	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Colors	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\PowerCfg\PowerPolicies\4	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\PowerCfg\PowerPolicies\5	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Sound	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Appearance\New Schemes\3\Sizes\0	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Appearance	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Input Method\Hot Keys\00000071	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Accessibility\HighContrast	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Desktop\WindowMetrics	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Accessibility\ToggleKeys	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Desktop\MuiCached	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Mouse	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\PowerCfg\PowerPolicies\1	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Appearance\New Schemes\0\Sizes	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Desktop\Colors	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Input Method\Hot Keys\00000104	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\PowerCfg\PowerPolicies\3	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Appearance\New Schemes\2\Sizes\0	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Appearance\New Schemes\4	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Input Method\Hot Keys\00000072	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Input Method\Hot Keys\00000202	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Appearance\New Schemes\0	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Input Method\Hot Keys\00000010	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\PowerCfg\PowerPolicies	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Input Method\Hot Keys	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\PowerCfg\PowerPolicies\2	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Accessibility\AudioDescription	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Accessibility\Keyboard Response	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Accessibility\On	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Appearance\New Schemes\2\Sizes	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Appearance\New Schemes\3\Sizes	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Accessibility	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Appearance\New Schemes\1	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Appearance\New Schemes\2	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Input Method\Hot Keys\00000070	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Personalization	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Input Method\Hot Keys\00000011	cpcrs.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

cpcrs.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\SQM	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\International\Scripts\19	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\International\Scripts\23	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\International\Scripts\25	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\International\Scripts\9	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Desktop\General	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Document Windows	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\PageSetup	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TypedURLs	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\International\Scripts\15	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\International\Scripts\20	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\International\Scripts\26	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\International\Scripts\30	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\International\Scripts\37	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\International\Scripts	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\Default Feeds\{2D8927DF-C5D3-48F6-9F7C-FC204B39292E}	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\Default Feeds\{55AD267D-0A8E-43FD-B532-6F490585DEDA}	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Settings	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Suggested Sites	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\International\Scripts\31	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\International\Scripts\35	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\International\Scripts\36	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\Default Feeds	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\International\Scripts\18	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\International\Scripts\29	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\SearchUrl	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Services	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\International\Scripts\11	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\International\Scripts\32	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\International\Scripts\8	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\SearchScopes	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Security	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\International\Scripts\17	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\International\Scripts\22	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\International\Scripts\28	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LinksBar	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\New Windows	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\International\Scripts\27	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\International\Scripts\34	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\User Preferences	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\IETld	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\International\Scripts\12	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\ee8f5892_0	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Zoom	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\International\Scripts\14	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\InternetRegistry	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\97e38b86_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Download	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\GPU	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\International\Scripts\4	cpcrs.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

cpcrs.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Control Panel\Colors	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Control Panel\Input Method\Hot Keys\00000010	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Control Panel\Input Method	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Advanced INF Setup\IE40.UserAgent	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\DeviceDisconnect	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\FeedDiscovered	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\ShowSounds	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\Keyboard Preference	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Control Panel\Input Method\Hot Keys\00000011	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\Open	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\MoveMenuItem	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\TimeOut	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-19\AppEvents\EventLabels	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WindowMetrics	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\HiddenDummyLayouts	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\BlockedPopup	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\MenuCommand	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Control Panel	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\DeviceFail	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Control Panel\Input Method\Hot Keys\00000071	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\Navigating	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\RestoreDown	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SYSTEM	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\SystemNotification	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\SystemQuestion	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\StickyKeys	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IETld	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\SystemAsterisk	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Control Panel\Input Method\Hot Keys\00000104	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Advanced INF Setup	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\LowBatteryAlarm	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\SoundSentry	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Control Panel\Input Method\Hot Keys\00000012	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Control Panel\Input Method\Hot Keys\00000072	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Cryptography\CertificateTemplateCache	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\WindowsLogon	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\MenuPopup	cpcrs.exe
Key deleted	\REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\SystemHand	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\Blind Access	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Control Panel\Input Method\Hot Keys\00000070	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\EUDC\936	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\Assemblies\0x00000409	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Keyboard Layout	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	cpcrs.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	cpcrs.exe

Modifies system certificate store 2 TTPs 1 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

cpcrs.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\SystemCertificates\Root\ProtectedRoots	cpcrs.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

cpcrs.exe

pid process

1968 cpcrs.exe

pid	process
1968	cpcrs.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

cpcrs.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1968	cpcrs.exe
Token: SeBackupPrivilege	1968	cpcrs.exe
Token: SeRestorePrivilege	1968	cpcrs.exe
Token: SeShutdownPrivilege	1968	cpcrs.exe
Token: SeDebugPrivilege	1968	cpcrs.exe

C:\Users\Admin\AppData\Local\Temp\cpcrs.exe
"C:\Users\Admin\AppData\Local\Temp\cpcrs.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Maps connected drives based on registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Install Root Certificate

1

T1130

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1968-54-0x00000000001D0000-0x000000000023E000-memory.dmp

Filesize
440KB

Download
memory/1968-55-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

Filesize
9.9MB

Download
memory/1968-56-0x000000001AB00000-0x000000001AB02000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads