c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb

Analysis

max time kernel
143s
max time network
136s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Size

6.2MB
MD5

95e661012d34b52fb7e8373a40c7ca68
SHA1

10626926b31d603ee17931de6abff60c8b827b1e
SHA256

c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb
SHA512

c625567451518d1d960233169b32af31fa9833431081ffb6017b2a0c4e1b9ea0376d30dc881709b47940e4ce8b254510f212b0e835ae678210714a75ba47af87

Score

10^/10

adware evasion persistence spyware stealer trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Drops file in Drivers directory 2 IoCs

Processes:

c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
File created	C:\Windows\System32\drivers\etc\hosts	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

Executes dropped EXE 6 IoCs

Processes:

liyorxa.exexbfxaft.exe~hmuzpzm.exe~hmuzpzm.exeafaexrj.exe~hmuzpzm.exe

pid process

1124 liyorxa.exe
2028 xbfxaft.exe
240 ~hmuzpzm.exe
756 ~hmuzpzm.exe
1848 afaexrj.exe
1412 ~hmuzpzm.exe

pid	process
1124	liyorxa.exe
2028	xbfxaft.exe
240	~hmuzpzm.exe
756	~hmuzpzm.exe
1848	afaexrj.exe
1412	~hmuzpzm.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\gpgcshg\liyorxa.exe	upx
\Users\Admin\AppData\Local\Temp\gpgcshg\liyorxa.exe	upx
C:\Users\Admin\AppData\Local\Temp\gpgcshg\liyorxa.exe	upx
C:\Users\Admin\AppData\Local\Temp\gpgcshg\liyorxa.exe	upx
\Users\Admin\AppData\Local\Temp\xbfxaft.exe	upx
\Users\Admin\AppData\Local\Temp\xbfxaft.exe	upx
C:\Users\Admin\AppData\Local\Temp\xbfxaft.exe	upx
C:\Users\Admin\AppData\Local\Temp\xbfxaft.exe	upx
\Users\Admin\AppData\Local\Temp\afaexrj.exe	upx
\Users\Admin\AppData\Local\Temp\afaexrj.exe	upx
C:\Users\Admin\AppData\Local\Temp\afaexrj.exe	upx
C:\Users\Admin\AppData\Local\Temp\afaexrj.exe	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1908 cmd.exe

pid	process
1908	cmd.exe

Drops startup file 1 IoCs

Processes:

c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

Loads dropped DLL 12 IoCs

Processes:

c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

pid	process
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
1756
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
552
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
1504

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exeRundll32.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNONCE	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnceEx	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNONCEEX	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUNONCEEX	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	Rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\RUNONCEEX	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\RUNONCE	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUNONCE	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

description	ioc	process
File opened (read-only)	\??\b:	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
File opened (read-only)	\??\f:	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
File opened (read-only)	\??\g:	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
File opened (read-only)	\??\l:	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
File opened (read-only)	\??\v:	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
File opened (read-only)	\??\x:	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
File opened (read-only)	\??\z:	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
File opened (read-only)	\??\i:	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
File opened (read-only)	\??\j:	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
File opened (read-only)	\??\m:	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
File opened (read-only)	\??\p:	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
File opened (read-only)	\??\y:	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
File opened (read-only)	\??\e:	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
File opened (read-only)	\??\h:	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
File opened (read-only)	\??\k:	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
File opened (read-only)	\??\n:	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
File opened (read-only)	\??\q:	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
File opened (read-only)	\??\a:	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
File opened (read-only)	\??\o:	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
File opened (read-only)	\??\r:	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
File opened (read-only)	\??\s:	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
File opened (read-only)	\??\t:	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
File opened (read-only)	\??\u:	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
File opened (read-only)	\??\w:	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Drops file in Program Files directory 1 IoCs

Processes:

c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

Drops file in Windows directory 1 IoCs

Processes:

Rundll32.exe

description ioc process

File opened for modification C:\Windows\INF\setupapi.app.log Rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.app.log	Rundll32.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

runonce.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 13 IoCs

adware spyware

Modify Registry

T1112

Processes:

c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe~hmuzpzm.exe~hmuzpzm.exe~hmuzpzm.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://www.135978.com/?30524"	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN	~hmuzpzm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN	~hmuzpzm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.135978.com/?30524"	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\First Home Page = "http://www.135978.com/?30524"	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\First Home Page = "http://www.135978.com/?30524"	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN	~hmuzpzm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://www.135978.com/?30524"	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\First Home Page = "http://www.135978.com/?30524"	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Internet Explorer\Main	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

Modifies Internet Explorer start page 1 TTPs 3 IoCs

stealer

Modify Registry

T1112

Processes:

c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.135978.com/?30524"	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.135978.com/?30524"	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.135978.com/?30524"	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

Modifies registry class 35 IoCs

Processes:

c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\NoAddOns\Command\ = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" -extoff"	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\NoAddOns	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\NoAddOns\ = "在没有加载项的情况下启动"	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Open\Command	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\DefaultIcon	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{920E6DB1-9907-4370-B3A0-BAFC03D81399}\InprocServer32	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{920E6DB1-9907-4370-B3A0-BAFC03D81399}	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\DefaultIcon\ = "C:\\Windows\\SysWOW64\\ieframe.dll,-190"	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Set\Command\ = "C:\\Windows\\SysWOW64\\rundll32.exe C:\\Windows\\SysWOW64\\shell32.dll,Control_RunDLL C:\\Windows\\SysWOW64\\inetcpl.cpl"	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99FD978C-D287-4F50-827F-B2C658EDA8E7}	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}\InprocServer32	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Set	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99FD978C-D287-4F50-827F-B2C658EDA8E7}\InprocServer32	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16F3DD56-1AF5-4347-846D-7C10C4192619}\InprocServer32	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Set\Command	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\ = "Internet Explorer"	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\NoAddOns\Command	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Open	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Open\Command\ = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\""	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Set\ = "属性(&R)"	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_Classes\Local Settings	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}\InprocServer32	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16F3DD56-1AF5-4347-846D-7C10C4192619}	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Open\ = "打开主页(&H)"	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

1448 PING.EXE
1400 PING.EXE
580 PING.EXE

pid	process
1448	PING.EXE
1400	PING.EXE
580	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exec11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

pid	process
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
1576	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
1576	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
1576	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

pid process

604 c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exec11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exexbfxaft.exeliyorxa.exe~hmuzpzm.exe~hmuzpzm.exeafaexrj.exe~hmuzpzm.exeRundll32.exe

description	pid	process
Token: SeDebugPrivilege	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Token: SeDebugPrivilege	1576	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Token: SeDebugPrivilege	2028	xbfxaft.exe
Token: SeRestorePrivilege	2028	xbfxaft.exe
Token: SeTakeOwnershipPrivilege	2028	xbfxaft.exe
Token: SeDebugPrivilege	2028	xbfxaft.exe
Token: SeSecurityPrivilege	2028	xbfxaft.exe
Token: SeDebugPrivilege	1124	liyorxa.exe
Token: SeBackupPrivilege	240	~hmuzpzm.exe
Token: SeRestorePrivilege	240	~hmuzpzm.exe
Token: SeTakeOwnershipPrivilege	240	~hmuzpzm.exe
Token: SeBackupPrivilege	756	~hmuzpzm.exe
Token: SeRestorePrivilege	756	~hmuzpzm.exe
Token: SeTakeOwnershipPrivilege	756	~hmuzpzm.exe
Token: SeDebugPrivilege	1848	afaexrj.exe
Token: SeRestorePrivilege	1848	afaexrj.exe
Token: SeTakeOwnershipPrivilege	1848	afaexrj.exe
Token: SeDebugPrivilege	1848	afaexrj.exe
Token: SeSecurityPrivilege	1848	afaexrj.exe
Token: SeBackupPrivilege	1412	~hmuzpzm.exe
Token: SeRestorePrivilege	1412	~hmuzpzm.exe
Token: SeTakeOwnershipPrivilege	1412	~hmuzpzm.exe
Token: SeRestorePrivilege	1812	Rundll32.exe
Token: SeRestorePrivilege	1812	Rundll32.exe
Token: SeRestorePrivilege	1812	Rundll32.exe
Token: SeRestorePrivilege	1812	Rundll32.exe
Token: SeRestorePrivilege	1812	Rundll32.exe
Token: SeRestorePrivilege	1812	Rundll32.exe
Token: SeRestorePrivilege	1812	Rundll32.exe

Suspicious use of FindShellTrayWindow 55 IoCs

Processes:

c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

pid	process
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

Suspicious use of SendNotifyMessage 55 IoCs

Processes:

c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

pid	process
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exeRundll32.exerunonce.exeliyorxa.execmd.execmd.execmd.exe

description	pid	process	target process
PID 604 wrote to memory of 1576	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
PID 604 wrote to memory of 1576	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
PID 604 wrote to memory of 1576	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
PID 604 wrote to memory of 1576	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
PID 604 wrote to memory of 1124	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	liyorxa.exe
PID 604 wrote to memory of 1124	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	liyorxa.exe
PID 604 wrote to memory of 1124	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	liyorxa.exe
PID 604 wrote to memory of 1124	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	liyorxa.exe
PID 604 wrote to memory of 2028	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	xbfxaft.exe
PID 604 wrote to memory of 2028	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	xbfxaft.exe
PID 604 wrote to memory of 2028	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	xbfxaft.exe
PID 604 wrote to memory of 2028	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	xbfxaft.exe
PID 604 wrote to memory of 240	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	~hmuzpzm.exe
PID 604 wrote to memory of 240	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	~hmuzpzm.exe
PID 604 wrote to memory of 240	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	~hmuzpzm.exe
PID 604 wrote to memory of 240	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	~hmuzpzm.exe
PID 604 wrote to memory of 756	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	~hmuzpzm.exe
PID 604 wrote to memory of 756	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	~hmuzpzm.exe
PID 604 wrote to memory of 756	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	~hmuzpzm.exe
PID 604 wrote to memory of 756	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	~hmuzpzm.exe
PID 604 wrote to memory of 1848	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	afaexrj.exe
PID 604 wrote to memory of 1848	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	afaexrj.exe
PID 604 wrote to memory of 1848	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	afaexrj.exe
PID 604 wrote to memory of 1848	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	afaexrj.exe
PID 604 wrote to memory of 1412	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	~hmuzpzm.exe
PID 604 wrote to memory of 1412	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	~hmuzpzm.exe
PID 604 wrote to memory of 1412	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	~hmuzpzm.exe
PID 604 wrote to memory of 1412	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	~hmuzpzm.exe
PID 604 wrote to memory of 1812	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	Rundll32.exe
PID 604 wrote to memory of 1812	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	Rundll32.exe
PID 604 wrote to memory of 1812	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	Rundll32.exe
PID 604 wrote to memory of 1812	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	Rundll32.exe
PID 1812 wrote to memory of 1752	1812	Rundll32.exe	runonce.exe
PID 1812 wrote to memory of 1752	1812	Rundll32.exe	runonce.exe
PID 1812 wrote to memory of 1752	1812	Rundll32.exe	runonce.exe
PID 1752 wrote to memory of 1132	1752	runonce.exe	grpconv.exe
PID 1752 wrote to memory of 1132	1752	runonce.exe	grpconv.exe
PID 1752 wrote to memory of 1132	1752	runonce.exe	grpconv.exe
PID 1124 wrote to memory of 908	1124	liyorxa.exe	cmd.exe
PID 1124 wrote to memory of 908	1124	liyorxa.exe	cmd.exe
PID 1124 wrote to memory of 908	1124	liyorxa.exe	cmd.exe
PID 1124 wrote to memory of 908	1124	liyorxa.exe	cmd.exe
PID 908 wrote to memory of 1448	908	cmd.exe	PING.EXE
PID 908 wrote to memory of 1448	908	cmd.exe	PING.EXE
PID 908 wrote to memory of 1448	908	cmd.exe	PING.EXE
PID 604 wrote to memory of 1908	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	cmd.exe
PID 604 wrote to memory of 1908	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	cmd.exe
PID 604 wrote to memory of 1908	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	cmd.exe
PID 604 wrote to memory of 1908	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	cmd.exe
PID 604 wrote to memory of 1916	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	cmd.exe
PID 604 wrote to memory of 1916	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	cmd.exe
PID 604 wrote to memory of 1916	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	cmd.exe
PID 604 wrote to memory of 1916	604	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	cmd.exe
PID 1908 wrote to memory of 1400	1908	cmd.exe	PING.EXE
PID 1908 wrote to memory of 1400	1908	cmd.exe	PING.EXE
PID 1908 wrote to memory of 1400	1908	cmd.exe	PING.EXE
PID 1916 wrote to memory of 580	1916	cmd.exe	PING.EXE
PID 1916 wrote to memory of 580	1916	cmd.exe	PING.EXE
PID 1916 wrote to memory of 580	1916	cmd.exe	PING.EXE

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

C:\Users\Admin\AppData\Local\Temp\c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
"C:\Users\Admin\AppData\Local\Temp\c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:604

C:\Users\Admin\AppData\Local\Temp\c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
C:\Users\Admin\AppData\Local\Temp\c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe /nstart
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Users\Admin\AppData\Local\Temp\gpgcshg\liyorxa.exe
C:\Users\Admin\AppData\Local\Temp\gpgcshg\liyorxa.exe /nys
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\YKvOuK8.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\system32\PING.EXE
ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1448

C:\Users\Admin\AppData\Local\Temp\xbfxaft.exe
C:\Users\Admin\AppData\Local\Temp\xbfxaft.exe /HomeRegAccess10
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Users\Admin\AppData\Local\Temp\~hmuzpzm.exe
C:\Users\Admin\AppData\Local\Temp\~hmuzpzm.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN" -ot reg -actn setowner -ownr "n:Administrators"
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
PID:240

C:\Users\Admin\AppData\Local\Temp\~hmuzpzm.exe
C:\Users\Admin\AppData\Local\Temp\~hmuzpzm.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN" -ot reg -actn ace -ace "n:Everyone;p:full;i:np;m:set" -rec no
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Users\Admin\AppData\Local\Temp\afaexrj.exe
C:\Users\Admin\AppData\Local\Temp\afaexrj.exe /HomeRegAccess10
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Users\Admin\AppData\Local\Temp\~hmuzpzm.exe
C:\Users\Admin\AppData\Local\Temp\~hmuzpzm.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN" -ot reg -actn ace -ace "n:Everyone;p:full;i:np;m:set" -rec no
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\system32\Rundll32.exe
Rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 C:\Users\Admin\AppData\Local\Temp\~umawrpw.inf
2⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
3⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
4⤵
PID:1132

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\X6GcCKz.bat
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\system32\PING.EXE
ping -n 1 127.0.0.1
3⤵
- Runs ping.exe
PID:1400

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\sdfA8kO.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\system32\PING.EXE
ping -n 1 127.0.0.1
3⤵
- Runs ping.exe
PID:580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\X6GcCKz.bat
Filesize
465B

MD5
36dd016c663e4839dfbfe419e8d6066b

SHA1
cb7758ca13228128082b762d9047ac22e809a453

SHA256
c376f510bd28bfeda849f205c5eca1ba661ab68d57cb11c74fbb74945be4045a

SHA512
379a483bb22cdffbdccbbb6817c48f8def6d8c03b113190a1f6bdd729a7fef8b53181508438ea42127a0e8c110abdd74a399ca41caaec7325902225a89b0c9a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\YKvOuK8.bat
Filesize
493B

MD5
c83565f955e1e2ff041ae87bcae3e05b

SHA1
db97181281d8d6a0249aa74d221d33f42ac99106

SHA256
0c2860d89a5fb8b816836fc60f3f8894bface082ba66379f76d41eedef22177c

SHA512
e845c1ecf0a7199203cd66574b9fd8a055867fc793203d0301d52b6c3957421397adc8a96a523d35a3791de96a17ac331e0a4b6ce4083973dd8a7280e9c2867a

Download Submit
C:\Users\Admin\AppData\Local\Temp\afaexrj.exe
Filesize
6.2MB

MD5
95e661012d34b52fb7e8373a40c7ca68

SHA1
10626926b31d603ee17931de6abff60c8b827b1e

SHA256
c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb

SHA512
c625567451518d1d960233169b32af31fa9833431081ffb6017b2a0c4e1b9ea0376d30dc881709b47940e4ce8b254510f212b0e835ae678210714a75ba47af87

Download Submit
C:\Users\Admin\AppData\Local\Temp\afaexrj.exe
Filesize
6.2MB

MD5
95e661012d34b52fb7e8373a40c7ca68

SHA1
10626926b31d603ee17931de6abff60c8b827b1e

SHA256
c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb

SHA512
c625567451518d1d960233169b32af31fa9833431081ffb6017b2a0c4e1b9ea0376d30dc881709b47940e4ce8b254510f212b0e835ae678210714a75ba47af87

Download Submit
C:\Users\Admin\AppData\Local\Temp\gpgcshg\liyorxa.exe
Filesize
6.2MB

MD5
95e661012d34b52fb7e8373a40c7ca68

SHA1
10626926b31d603ee17931de6abff60c8b827b1e

SHA256
c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb

SHA512
c625567451518d1d960233169b32af31fa9833431081ffb6017b2a0c4e1b9ea0376d30dc881709b47940e4ce8b254510f212b0e835ae678210714a75ba47af87

Download Submit
C:\Users\Admin\AppData\Local\Temp\gpgcshg\liyorxa.exe
Filesize
6.2MB

MD5
95e661012d34b52fb7e8373a40c7ca68

SHA1
10626926b31d603ee17931de6abff60c8b827b1e

SHA256
c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb

SHA512
c625567451518d1d960233169b32af31fa9833431081ffb6017b2a0c4e1b9ea0376d30dc881709b47940e4ce8b254510f212b0e835ae678210714a75ba47af87

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdfA8kO.bat
Filesize
689B

MD5
41579c6307742e0d0600cb09375132fa

SHA1
00fe988754b83090f2dbeccf8310c26189bddcdc

SHA256
48755e3900dcf4179ad544940b580a0fc17bd2c881490d384dddee5f78f2e922

SHA512
da520ce0ae77f0170f42cbeba79087a2433938aa4ea8188fecd0dc7c886bcaf3948ea8dd82891e4963fdbe5651ec26a840b64ca6b9cd7847981ecf93fd7e9aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\xbfxaft.exe
Filesize
6.2MB

MD5
95e661012d34b52fb7e8373a40c7ca68

SHA1
10626926b31d603ee17931de6abff60c8b827b1e

SHA256
c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb

SHA512
c625567451518d1d960233169b32af31fa9833431081ffb6017b2a0c4e1b9ea0376d30dc881709b47940e4ce8b254510f212b0e835ae678210714a75ba47af87

Download Submit
C:\Users\Admin\AppData\Local\Temp\xbfxaft.exe
Filesize
6.2MB

MD5
95e661012d34b52fb7e8373a40c7ca68

SHA1
10626926b31d603ee17931de6abff60c8b827b1e

SHA256
c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb

SHA512
c625567451518d1d960233169b32af31fa9833431081ffb6017b2a0c4e1b9ea0376d30dc881709b47940e4ce8b254510f212b0e835ae678210714a75ba47af87

Download Submit
C:\Users\Admin\AppData\Local\Temp\~hmuzpzm.exe
Filesize
546KB

MD5
3e350eb5df15c06dec400a39dd1c6f29

SHA1
f1434cfef2c05fda919922b721ec1a17adb3194e

SHA256
427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419

SHA512
b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~hmuzpzm.exe
Filesize
546KB

MD5
3e350eb5df15c06dec400a39dd1c6f29

SHA1
f1434cfef2c05fda919922b721ec1a17adb3194e

SHA256
427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419

SHA512
b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~hmuzpzm.exe
Filesize
546KB

MD5
3e350eb5df15c06dec400a39dd1c6f29

SHA1
f1434cfef2c05fda919922b721ec1a17adb3194e

SHA256
427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419

SHA512
b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~umawrpw.inf
Filesize
32B

MD5
8f5f4837dd4a1680d79bbdca9cc1e08f

SHA1
688b5d5ef993733b97b303ed4c8409a14b230de5

SHA256
2bce6b9395cc74d16b9c94fd90debd9d524ffb53c6f6ae3a49b6e139671417b2

SHA512
bd75b564fe3c93dffdc65fe58463378f54268308ca5eaba5fc7f80458016f331a6596bfdaf63845c1d5c6c60df2a0ec2aff94d2aae7797da4f5f975f0363bd66

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\afaexrj.exe
Filesize
6.2MB

MD5
95e661012d34b52fb7e8373a40c7ca68

SHA1
10626926b31d603ee17931de6abff60c8b827b1e

SHA256
c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb

SHA512
c625567451518d1d960233169b32af31fa9833431081ffb6017b2a0c4e1b9ea0376d30dc881709b47940e4ce8b254510f212b0e835ae678210714a75ba47af87

Download Submit
\Users\Admin\AppData\Local\Temp\afaexrj.exe
Filesize
6.2MB

MD5
95e661012d34b52fb7e8373a40c7ca68

SHA1
10626926b31d603ee17931de6abff60c8b827b1e

SHA256
c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb

SHA512
c625567451518d1d960233169b32af31fa9833431081ffb6017b2a0c4e1b9ea0376d30dc881709b47940e4ce8b254510f212b0e835ae678210714a75ba47af87

Download Submit
\Users\Admin\AppData\Local\Temp\gpgcshg\liyorxa.exe
Filesize
6.2MB

MD5
95e661012d34b52fb7e8373a40c7ca68

SHA1
10626926b31d603ee17931de6abff60c8b827b1e

SHA256
c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb

SHA512
c625567451518d1d960233169b32af31fa9833431081ffb6017b2a0c4e1b9ea0376d30dc881709b47940e4ce8b254510f212b0e835ae678210714a75ba47af87

Download Submit
\Users\Admin\AppData\Local\Temp\gpgcshg\liyorxa.exe
Filesize
6.2MB

MD5
95e661012d34b52fb7e8373a40c7ca68

SHA1
10626926b31d603ee17931de6abff60c8b827b1e

SHA256
c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb

SHA512
c625567451518d1d960233169b32af31fa9833431081ffb6017b2a0c4e1b9ea0376d30dc881709b47940e4ce8b254510f212b0e835ae678210714a75ba47af87

Download Submit
\Users\Admin\AppData\Local\Temp\xbfxaft.exe
Filesize
6.2MB

MD5
95e661012d34b52fb7e8373a40c7ca68

SHA1
10626926b31d603ee17931de6abff60c8b827b1e

SHA256
c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb

SHA512
c625567451518d1d960233169b32af31fa9833431081ffb6017b2a0c4e1b9ea0376d30dc881709b47940e4ce8b254510f212b0e835ae678210714a75ba47af87

Download Submit
\Users\Admin\AppData\Local\Temp\xbfxaft.exe
Filesize
6.2MB

MD5
95e661012d34b52fb7e8373a40c7ca68

SHA1
10626926b31d603ee17931de6abff60c8b827b1e

SHA256
c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb

SHA512
c625567451518d1d960233169b32af31fa9833431081ffb6017b2a0c4e1b9ea0376d30dc881709b47940e4ce8b254510f212b0e835ae678210714a75ba47af87

Download Submit
\Users\Admin\AppData\Local\Temp\~hmuzpzm.exe
Filesize
546KB

MD5
3e350eb5df15c06dec400a39dd1c6f29

SHA1
f1434cfef2c05fda919922b721ec1a17adb3194e

SHA256
427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419

SHA512
b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6

Download Submit
\Users\Admin\AppData\Local\Temp\~hmuzpzm.exe
Filesize
546KB

MD5
3e350eb5df15c06dec400a39dd1c6f29

SHA1
f1434cfef2c05fda919922b721ec1a17adb3194e

SHA256
427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419

SHA512
b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6

Download Submit
\Users\Admin\AppData\Local\Temp\~hmuzpzm.exe
Filesize
546KB

MD5
3e350eb5df15c06dec400a39dd1c6f29

SHA1
f1434cfef2c05fda919922b721ec1a17adb3194e

SHA256
427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419

SHA512
b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6

Download Submit
\Users\Admin\AppData\Local\Temp\~hmuzpzm.exe
Filesize
546KB

MD5
3e350eb5df15c06dec400a39dd1c6f29

SHA1
f1434cfef2c05fda919922b721ec1a17adb3194e

SHA256
427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419

SHA512
b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6

Download Submit
\Users\Admin\AppData\Local\Temp\~hmuzpzm.exe
Filesize
546KB

MD5
3e350eb5df15c06dec400a39dd1c6f29

SHA1
f1434cfef2c05fda919922b721ec1a17adb3194e

SHA256
427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419

SHA512
b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6

Download Submit
\Users\Admin\AppData\Local\Temp\~hmuzpzm.exe
Filesize
546KB

MD5
3e350eb5df15c06dec400a39dd1c6f29

SHA1
f1434cfef2c05fda919922b721ec1a17adb3194e

SHA256
427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419

SHA512
b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6

Download Submit
memory/240-70-0x0000000000000000-mapping.dmp

Download
memory/580-102-0x0000000000000000-mapping.dmp

Download
memory/604-54-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/756-74-0x0000000000000000-mapping.dmp

Download
memory/908-93-0x0000000000000000-mapping.dmp

Download
memory/1124-59-0x0000000000000000-mapping.dmp

Download
memory/1132-91-0x0000000000000000-mapping.dmp

Download
memory/1400-101-0x0000000000000000-mapping.dmp

Download
memory/1412-84-0x0000000000000000-mapping.dmp

Download
memory/1448-96-0x0000000000000000-mapping.dmp

Download
memory/1576-55-0x0000000000000000-mapping.dmp

Download
memory/1752-90-0x000007FEFB751000-0x000007FEFB753000-memory.dmp

Filesize
8KB

Download
memory/1752-89-0x0000000000000000-mapping.dmp

Download
memory/1812-87-0x0000000000000000-mapping.dmp

Download
memory/1848-79-0x0000000000000000-mapping.dmp

Download
memory/1908-97-0x0000000000000000-mapping.dmp

Download
memory/1916-98-0x0000000000000000-mapping.dmp

Download
memory/2028-65-0x0000000000000000-mapping.dmp

Download