dbb2156595b6e9b78cef1ff4c304424ba2058d4ca1b4dcac918e59462ca13e2f

Analysis

max time kernel
205s
max time network
211s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Puzzle Quest.exe
Size

880KB
MD5

9c7571fc9a6ba4d05805af66365f5a83
SHA1

8c48936dbfffe75c3a222bc3f0ce27e9da382f46
SHA256

2ba0434154844e0210a0a95cc01cc298b4feb7d646217900aae1dcc429740f75
SHA512

82e4462e6945c5f571f2ddab486426e27ac43d41706c9427171b364b3c68edb109bab381ca702e2a1fdad13c2b4b7218642a25d20d92641db6c6e4064c53b1c0
SSDEEP

6144:Aj6/wndfF/gl0LQIk8DR3dEuAI7pEfxsZozAm9TMdGQLUg1nYmefPImdrion2bAO:y6onxOp8FySpE5zvIdtU+YmefglQM7

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

uxaauvpiehk.exeltscgp.exeltscgp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uxaauvpiehk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ltscgp.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

ltscgp.exeltscgp.exeuxaauvpiehk.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ltscgp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ltscgp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ltscgp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ltscgp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ltscgp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ltscgp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ltscgp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ltscgp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uxaauvpiehk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	uxaauvpiehk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	uxaauvpiehk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	uxaauvpiehk.exe

Adds policy Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ltscgp.exeltscgp.exeuxaauvpiehk.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yhhsxho = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytfctpicylitemoxzac.exe"	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yhhsxho = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exhcrlcuozudmsszz.exe"	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xjmaivfqdh = "nhsoezrkfrnxhopxyy.exe"	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yhhsxho = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhuskhbwthfrdmpzcehd.exe"	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yhhsxho = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhsoezrkfrnxhopxyy.exe"	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xjmaivfqdh = "axlkdbwsqfereosdhkolz.exe"	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yhhsxho = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpysgzpgzjdltyxd.exe"	ltscgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uxaauvpiehk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yhhsxho = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhuskhbwthfrdmpzcehd.exe"	uxaauvpiehk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xjmaivfqdh = "lhuskhbwthfrdmpzcehd.exe"	uxaauvpiehk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xjmaivfqdh = "axlkdbwsqfereosdhkolz.exe"	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xjmaivfqdh = "xpysgzpgzjdltyxd.exe"	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xjmaivfqdh = "ytfctpicylitemoxzac.exe"	uxaauvpiehk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xjmaivfqdh = "nhsoezrkfrnxhopxyy.exe"	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yhhsxho = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axlkdbwsqfereosdhkolz.exe"	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yhhsxho = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exhcrlcuozudmsszz.exe"	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yhhsxho = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpysgzpgzjdltyxd.exe"	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xjmaivfqdh = "ytfctpicylitemoxzac.exe"	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xjmaivfqdh = "exhcrlcuozudmsszz.exe"	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yhhsxho = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhuskhbwthfrdmpzcehd.exe"	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xjmaivfqdh = "lhuskhbwthfrdmpzcehd.exe"	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xjmaivfqdh = "lhuskhbwthfrdmpzcehd.exe"	ltscgp.exe

Disables RegEdit via registry modification 6 IoCs

evasion

Processes:

uxaauvpiehk.exeltscgp.exeltscgp.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	uxaauvpiehk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	uxaauvpiehk.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ltscgp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ltscgp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ltscgp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ltscgp.exe

Executes dropped EXE 3 IoCs

Processes:

uxaauvpiehk.exeltscgp.exeltscgp.exe

pid process

3720 uxaauvpiehk.exe
4512 ltscgp.exe
3408 ltscgp.exe

pid	process
3720	uxaauvpiehk.exe
4512	ltscgp.exe
3408	ltscgp.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Puzzle Quest.exeuxaauvpiehk.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	Puzzle Quest.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	uxaauvpiehk.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ltscgp.exeuxaauvpiehk.exeltscgp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfmeqhvkbjbhnq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpysgzpgzjdltyxd.exe"	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfmeqhvkbjbhnq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytfctpicylitemoxzac.exe"	ltscgp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pdiyixjwlrhl = "axlkdbwsqfereosdhkolz.exe ."	uxaauvpiehk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nxykqbjs = "axlkdbwsqfereosdhkolz.exe"	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\eprelxgqc = "axlkdbwsqfereosdhkolz.exe ."	ltscgp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pdiyixjwlrhl = "ytfctpicylitemoxzac.exe ."	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\odjalbocszqva = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axlkdbwsqfereosdhkolz.exe ."	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\eprelxgqc = "xpysgzpgzjdltyxd.exe ."	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\odjalbocszqva = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpysgzpgzjdltyxd.exe ."	ltscgp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nxykqbjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhuskhbwthfrdmpzcehd.exe"	ltscgp.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	uxaauvpiehk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfmeqhvkbjbhnq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhsoezrkfrnxhopxyy.exe"	uxaauvpiehk.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\eprelxgqc = "lhuskhbwthfrdmpzcehd.exe ."	ltscgp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\eprelxgqc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhuskhbwthfrdmpzcehd.exe ."	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\eprelxgqc = "ytfctpicylitemoxzac.exe ."	ltscgp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pdiyixjwlrhl = "exhcrlcuozudmsszz.exe ."	ltscgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	uxaauvpiehk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sfjyhvgsgla = "axlkdbwsqfereosdhkolz.exe"	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfmeqhvkbjbhnq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhuskhbwthfrdmpzcehd.exe"	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfmeqhvkbjbhnq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axlkdbwsqfereosdhkolz.exe"	ltscgp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nxykqbjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpysgzpgzjdltyxd.exe"	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nxykqbjs = "ytfctpicylitemoxzac.exe"	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nxykqbjs = "exhcrlcuozudmsszz.exe"	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\odjalbocszqva = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axlkdbwsqfereosdhkolz.exe ."	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\eprelxgqc = "ytfctpicylitemoxzac.exe ."	uxaauvpiehk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfmeqhvkbjbhnq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exhcrlcuozudmsszz.exe"	ltscgp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\eprelxgqc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhuskhbwthfrdmpzcehd.exe ."	ltscgp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sfjyhvgsgla = "exhcrlcuozudmsszz.exe"	ltscgp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nxykqbjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhsoezrkfrnxhopxyy.exe"	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\odjalbocszqva = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpysgzpgzjdltyxd.exe ."	uxaauvpiehk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nxykqbjs = "xpysgzpgzjdltyxd.exe"	ltscgp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nxykqbjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhsoezrkfrnxhopxyy.exe"	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfmeqhvkbjbhnq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhsoezrkfrnxhopxyy.exe"	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\odjalbocszqva = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhsoezrkfrnxhopxyy.exe ."	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\eprelxgqc = "exhcrlcuozudmsszz.exe ."	ltscgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ltscgp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sfjyhvgsgla = "ytfctpicylitemoxzac.exe"	ltscgp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pdiyixjwlrhl = "xpysgzpgzjdltyxd.exe ."	ltscgp.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	ltscgp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nxykqbjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytfctpicylitemoxzac.exe"	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nxykqbjs = "lhuskhbwthfrdmpzcehd.exe"	ltscgp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sfjyhvgsgla = "lhuskhbwthfrdmpzcehd.exe"	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\eprelxgqc = "axlkdbwsqfereosdhkolz.exe ."	ltscgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	uxaauvpiehk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\eprelxgqc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhuskhbwthfrdmpzcehd.exe ."	uxaauvpiehk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ltscgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	ltscgp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nxykqbjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exhcrlcuozudmsszz.exe"	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\odjalbocszqva = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhsoezrkfrnxhopxyy.exe ."	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nxykqbjs = "exhcrlcuozudmsszz.exe"	uxaauvpiehk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sfjyhvgsgla = "axlkdbwsqfereosdhkolz.exe"	uxaauvpiehk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\eprelxgqc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exhcrlcuozudmsszz.exe ."	uxaauvpiehk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\eprelxgqc = "lhuskhbwthfrdmpzcehd.exe ."	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\eprelxgqc = "xpysgzpgzjdltyxd.exe ."	uxaauvpiehk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sfjyhvgsgla = "lhuskhbwthfrdmpzcehd.exe"	uxaauvpiehk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\eprelxgqc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhsoezrkfrnxhopxyy.exe ."	ltscgp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pdiyixjwlrhl = "xpysgzpgzjdltyxd.exe ."	ltscgp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\eprelxgqc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhsoezrkfrnxhopxyy.exe ."	ltscgp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sfjyhvgsgla = "exhcrlcuozudmsszz.exe"	ltscgp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pdiyixjwlrhl = "nhsoezrkfrnxhopxyy.exe ."	ltscgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfmeqhvkbjbhnq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axlkdbwsqfereosdhkolz.exe"	ltscgp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nxykqbjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exhcrlcuozudmsszz.exe"	uxaauvpiehk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\odjalbocszqva = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exhcrlcuozudmsszz.exe ."	ltscgp.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ltscgp.exeltscgp.exeuxaauvpiehk.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ltscgp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ltscgp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ltscgp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ltscgp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uxaauvpiehk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uxaauvpiehk.exe

Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

107 whatismyip.everdot.org
113 whatismyip.everdot.org
58 www.showmyipaddress.com
93 whatismyip.everdot.org
95 whatismyipaddress.com

flow	ioc
107	whatismyip.everdot.org
113	whatismyip.everdot.org
58	www.showmyipaddress.com
93	whatismyip.everdot.org
95	whatismyipaddress.com

Drops file in System32 directory 25 IoCs

Processes:

ltscgp.exeltscgp.exeuxaauvpiehk.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\exhcrlcuozudmsszz.exe	ltscgp.exe
File created	C:\Windows\SysWOW64\kplstzcgmjqlgykdpamrnuvbe.ols	ltscgp.exe
File opened for modification	C:\Windows\SysWOW64\pfmeqhvkbjbhnqnrokhxewiznctbtzfifjgc.pwo	ltscgp.exe
File opened for modification	C:\Windows\SysWOW64\exhcrlcuozudmsszz.exe	uxaauvpiehk.exe
File opened for modification	C:\Windows\SysWOW64\rpeeyxtqpffthsxjosxvkk.exe	uxaauvpiehk.exe
File opened for modification	C:\Windows\SysWOW64\exhcrlcuozudmsszz.exe	ltscgp.exe
File opened for modification	C:\Windows\SysWOW64\lhuskhbwthfrdmpzcehd.exe	ltscgp.exe
File created	C:\Windows\SysWOW64\pfmeqhvkbjbhnqnrokhxewiznctbtzfifjgc.pwo	ltscgp.exe
File opened for modification	C:\Windows\SysWOW64\ytfctpicylitemoxzac.exe	uxaauvpiehk.exe
File opened for modification	C:\Windows\SysWOW64\lhuskhbwthfrdmpzcehd.exe	uxaauvpiehk.exe
File opened for modification	C:\Windows\SysWOW64\rpeeyxtqpffthsxjosxvkk.exe	ltscgp.exe
File opened for modification	C:\Windows\SysWOW64\nhsoezrkfrnxhopxyy.exe	ltscgp.exe
File opened for modification	C:\Windows\SysWOW64\ytfctpicylitemoxzac.exe	ltscgp.exe
File opened for modification	C:\Windows\SysWOW64\axlkdbwsqfereosdhkolz.exe	ltscgp.exe
File opened for modification	C:\Windows\SysWOW64\rpeeyxtqpffthsxjosxvkk.exe	ltscgp.exe
File opened for modification	C:\Windows\SysWOW64\nhsoezrkfrnxhopxyy.exe	uxaauvpiehk.exe
File opened for modification	C:\Windows\SysWOW64\ytfctpicylitemoxzac.exe	ltscgp.exe
File opened for modification	C:\Windows\SysWOW64\xpysgzpgzjdltyxd.exe	ltscgp.exe
File opened for modification	C:\Windows\SysWOW64\nhsoezrkfrnxhopxyy.exe	ltscgp.exe
File opened for modification	C:\Windows\SysWOW64\lhuskhbwthfrdmpzcehd.exe	ltscgp.exe
File opened for modification	C:\Windows\SysWOW64\axlkdbwsqfereosdhkolz.exe	ltscgp.exe
File opened for modification	C:\Windows\SysWOW64\kplstzcgmjqlgykdpamrnuvbe.ols	ltscgp.exe
File opened for modification	C:\Windows\SysWOW64\xpysgzpgzjdltyxd.exe	uxaauvpiehk.exe
File opened for modification	C:\Windows\SysWOW64\axlkdbwsqfereosdhkolz.exe	uxaauvpiehk.exe
File opened for modification	C:\Windows\SysWOW64\xpysgzpgzjdltyxd.exe	ltscgp.exe

Drops file in Program Files directory 4 IoCs

Processes:

ltscgp.exe

description	ioc	process
File created	C:\Program Files (x86)\kplstzcgmjqlgykdpamrnuvbe.ols	ltscgp.exe
File opened for modification	C:\Program Files (x86)\pfmeqhvkbjbhnqnrokhxewiznctbtzfifjgc.pwo	ltscgp.exe
File created	C:\Program Files (x86)\pfmeqhvkbjbhnqnrokhxewiznctbtzfifjgc.pwo	ltscgp.exe
File opened for modification	C:\Program Files (x86)\kplstzcgmjqlgykdpamrnuvbe.ols	ltscgp.exe

Drops file in Windows directory 25 IoCs

Processes:

uxaauvpiehk.exeltscgp.exeltscgp.exe

description	ioc	process
File opened for modification	C:\Windows\axlkdbwsqfereosdhkolz.exe	uxaauvpiehk.exe
File opened for modification	C:\Windows\rpeeyxtqpffthsxjosxvkk.exe	uxaauvpiehk.exe
File opened for modification	C:\Windows\xpysgzpgzjdltyxd.exe	ltscgp.exe
File opened for modification	C:\Windows\lhuskhbwthfrdmpzcehd.exe	ltscgp.exe
File opened for modification	C:\Windows\rpeeyxtqpffthsxjosxvkk.exe	ltscgp.exe
File opened for modification	C:\Windows\xpysgzpgzjdltyxd.exe	ltscgp.exe
File opened for modification	C:\Windows\nhsoezrkfrnxhopxyy.exe	ltscgp.exe
File opened for modification	C:\Windows\kplstzcgmjqlgykdpamrnuvbe.ols	ltscgp.exe
File opened for modification	C:\Windows\exhcrlcuozudmsszz.exe	uxaauvpiehk.exe
File opened for modification	C:\Windows\lhuskhbwthfrdmpzcehd.exe	uxaauvpiehk.exe
File created	C:\Windows\kplstzcgmjqlgykdpamrnuvbe.ols	ltscgp.exe
File opened for modification	C:\Windows\xpysgzpgzjdltyxd.exe	uxaauvpiehk.exe
File opened for modification	C:\Windows\nhsoezrkfrnxhopxyy.exe	uxaauvpiehk.exe
File opened for modification	C:\Windows\ytfctpicylitemoxzac.exe	uxaauvpiehk.exe
File opened for modification	C:\Windows\nhsoezrkfrnxhopxyy.exe	ltscgp.exe
File opened for modification	C:\Windows\ytfctpicylitemoxzac.exe	ltscgp.exe
File opened for modification	C:\Windows\pfmeqhvkbjbhnqnrokhxewiznctbtzfifjgc.pwo	ltscgp.exe
File created	C:\Windows\pfmeqhvkbjbhnqnrokhxewiznctbtzfifjgc.pwo	ltscgp.exe
File opened for modification	C:\Windows\exhcrlcuozudmsszz.exe	ltscgp.exe
File opened for modification	C:\Windows\axlkdbwsqfereosdhkolz.exe	ltscgp.exe
File opened for modification	C:\Windows\exhcrlcuozudmsszz.exe	ltscgp.exe
File opened for modification	C:\Windows\ytfctpicylitemoxzac.exe	ltscgp.exe
File opened for modification	C:\Windows\lhuskhbwthfrdmpzcehd.exe	ltscgp.exe
File opened for modification	C:\Windows\axlkdbwsqfereosdhkolz.exe	ltscgp.exe
File opened for modification	C:\Windows\rpeeyxtqpffthsxjosxvkk.exe	ltscgp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Puzzle Quest.exeltscgp.exe

pid	process
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
4512	ltscgp.exe
4512	ltscgp.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe
2372	Puzzle Quest.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ltscgp.exe

description pid process

Token: SeDebugPrivilege 4512 ltscgp.exe

description	pid	process
Token: SeDebugPrivilege	4512	ltscgp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Puzzle Quest.exeuxaauvpiehk.exe

description	pid	process	target process
PID 2372 wrote to memory of 3720	2372	Puzzle Quest.exe	uxaauvpiehk.exe
PID 2372 wrote to memory of 3720	2372	Puzzle Quest.exe	uxaauvpiehk.exe
PID 2372 wrote to memory of 3720	2372	Puzzle Quest.exe	uxaauvpiehk.exe
PID 3720 wrote to memory of 4512	3720	uxaauvpiehk.exe	ltscgp.exe
PID 3720 wrote to memory of 4512	3720	uxaauvpiehk.exe	ltscgp.exe
PID 3720 wrote to memory of 4512	3720	uxaauvpiehk.exe	ltscgp.exe
PID 3720 wrote to memory of 3408	3720	uxaauvpiehk.exe	ltscgp.exe
PID 3720 wrote to memory of 3408	3720	uxaauvpiehk.exe	ltscgp.exe
PID 3720 wrote to memory of 3408	3720	uxaauvpiehk.exe	ltscgp.exe

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

Processes:

ltscgp.exeltscgp.exeuxaauvpiehk.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ltscgp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ltscgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ltscgp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	uxaauvpiehk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ltscgp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	uxaauvpiehk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ltscgp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ltscgp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ltscgp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ltscgp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ltscgp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ltscgp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ltscgp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ltscgp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ltscgp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	uxaauvpiehk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	uxaauvpiehk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ltscgp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ltscgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ltscgp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ltscgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uxaauvpiehk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	uxaauvpiehk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	uxaauvpiehk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	uxaauvpiehk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ltscgp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ltscgp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ltscgp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ltscgp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ltscgp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ltscgp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uxaauvpiehk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	uxaauvpiehk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	uxaauvpiehk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ltscgp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	uxaauvpiehk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	uxaauvpiehk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ltscgp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ltscgp.exe

C:\Users\Admin\AppData\Local\Temp\Puzzle Quest.exe
"C:\Users\Admin\AppData\Local\Temp\Puzzle Quest.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2372

C:\Users\Admin\AppData\Local\Temp\uxaauvpiehk.exe
"C:\Users\Admin\AppData\Local\Temp\uxaauvpiehk.exe" "c:\users\admin\appdata\local\temp\puzzle quest.exe*"
2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3720

C:\Users\Admin\AppData\Local\Temp\ltscgp.exe
"C:\Users\Admin\AppData\Local\Temp\ltscgp.exe" "-C:\Users\Admin\AppData\Local\Temp\xpysgzpgzjdltyxd.exe"
3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4512

C:\Users\Admin\AppData\Local\Temp\ltscgp.exe
"C:\Users\Admin\AppData\Local\Temp\ltscgp.exe" "-C:\Users\Admin\AppData\Local\Temp\xpysgzpgzjdltyxd.exe"
3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\axlkdbwsqfereosdhkolz.exe

Filesize
880KB

MD5
9c7571fc9a6ba4d05805af66365f5a83

SHA1
8c48936dbfffe75c3a222bc3f0ce27e9da382f46

SHA256
2ba0434154844e0210a0a95cc01cc298b4feb7d646217900aae1dcc429740f75

SHA512
82e4462e6945c5f571f2ddab486426e27ac43d41706c9427171b364b3c68edb109bab381ca702e2a1fdad13c2b4b7218642a25d20d92641db6c6e4064c53b1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\exhcrlcuozudmsszz.exe

Filesize
880KB

MD5
9c7571fc9a6ba4d05805af66365f5a83

SHA1
8c48936dbfffe75c3a222bc3f0ce27e9da382f46

SHA256
2ba0434154844e0210a0a95cc01cc298b4feb7d646217900aae1dcc429740f75

SHA512
82e4462e6945c5f571f2ddab486426e27ac43d41706c9427171b364b3c68edb109bab381ca702e2a1fdad13c2b4b7218642a25d20d92641db6c6e4064c53b1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\lhuskhbwthfrdmpzcehd.exe

Filesize
880KB

MD5
9c7571fc9a6ba4d05805af66365f5a83

SHA1
8c48936dbfffe75c3a222bc3f0ce27e9da382f46

SHA256
2ba0434154844e0210a0a95cc01cc298b4feb7d646217900aae1dcc429740f75

SHA512
82e4462e6945c5f571f2ddab486426e27ac43d41706c9427171b364b3c68edb109bab381ca702e2a1fdad13c2b4b7218642a25d20d92641db6c6e4064c53b1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ltscgp.exe

Filesize
704KB

MD5
b09af9d1cd5ae1a19c09b6e32454600d

SHA1
c6b0feca9eb93254cf832e776f85d2813bedff7c

SHA256
3837a17f4607b51f5b567b72822b195fbfed5f7e2a3b7d89f8b61dd073624bfe

SHA512
c0898c102dae960e6267043bb48a332e9b17c455176266d83adc60ed4efcc074276a493ee0ed33fa93b83b7365714b59d52c747d7318c3ee1677415cf8bdffbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ltscgp.exe

Filesize
704KB

MD5
b09af9d1cd5ae1a19c09b6e32454600d

SHA1
c6b0feca9eb93254cf832e776f85d2813bedff7c

SHA256
3837a17f4607b51f5b567b72822b195fbfed5f7e2a3b7d89f8b61dd073624bfe

SHA512
c0898c102dae960e6267043bb48a332e9b17c455176266d83adc60ed4efcc074276a493ee0ed33fa93b83b7365714b59d52c747d7318c3ee1677415cf8bdffbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ltscgp.exe

Filesize
704KB

MD5
b09af9d1cd5ae1a19c09b6e32454600d

SHA1
c6b0feca9eb93254cf832e776f85d2813bedff7c

SHA256
3837a17f4607b51f5b567b72822b195fbfed5f7e2a3b7d89f8b61dd073624bfe

SHA512
c0898c102dae960e6267043bb48a332e9b17c455176266d83adc60ed4efcc074276a493ee0ed33fa93b83b7365714b59d52c747d7318c3ee1677415cf8bdffbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nhsoezrkfrnxhopxyy.exe

Filesize
880KB

MD5
9c7571fc9a6ba4d05805af66365f5a83

SHA1
8c48936dbfffe75c3a222bc3f0ce27e9da382f46

SHA256
2ba0434154844e0210a0a95cc01cc298b4feb7d646217900aae1dcc429740f75

SHA512
82e4462e6945c5f571f2ddab486426e27ac43d41706c9427171b364b3c68edb109bab381ca702e2a1fdad13c2b4b7218642a25d20d92641db6c6e4064c53b1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rpeeyxtqpffthsxjosxvkk.exe

Filesize
880KB

MD5
9c7571fc9a6ba4d05805af66365f5a83

SHA1
8c48936dbfffe75c3a222bc3f0ce27e9da382f46

SHA256
2ba0434154844e0210a0a95cc01cc298b4feb7d646217900aae1dcc429740f75

SHA512
82e4462e6945c5f571f2ddab486426e27ac43d41706c9427171b364b3c68edb109bab381ca702e2a1fdad13c2b4b7218642a25d20d92641db6c6e4064c53b1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxaauvpiehk.exe

Filesize
320KB

MD5
5203b6ea0901877fbf2d8d6f6d8d338e

SHA1
c803e92561921b38abe13239c1fd85605b570936

SHA256
0cc02d34d5fd4cf892fed282f98c1ad3e7dd6159a8877ae5c46d3f834ed36060

SHA512
d48a41b4fc4c38a6473f789c02918fb7353a4b4199768a3624f3b685d91d38519887a1ccd3616e0d2b079a346afaec5a0f2ef2c46d72d3097ef561cedb476471

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxaauvpiehk.exe

Filesize
320KB

MD5
5203b6ea0901877fbf2d8d6f6d8d338e

SHA1
c803e92561921b38abe13239c1fd85605b570936

SHA256
0cc02d34d5fd4cf892fed282f98c1ad3e7dd6159a8877ae5c46d3f834ed36060

SHA512
d48a41b4fc4c38a6473f789c02918fb7353a4b4199768a3624f3b685d91d38519887a1ccd3616e0d2b079a346afaec5a0f2ef2c46d72d3097ef561cedb476471

Download Submit
C:\Users\Admin\AppData\Local\Temp\xpysgzpgzjdltyxd.exe

Filesize
880KB

MD5
9c7571fc9a6ba4d05805af66365f5a83

SHA1
8c48936dbfffe75c3a222bc3f0ce27e9da382f46

SHA256
2ba0434154844e0210a0a95cc01cc298b4feb7d646217900aae1dcc429740f75

SHA512
82e4462e6945c5f571f2ddab486426e27ac43d41706c9427171b364b3c68edb109bab381ca702e2a1fdad13c2b4b7218642a25d20d92641db6c6e4064c53b1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytfctpicylitemoxzac.exe

Filesize
880KB

MD5
9c7571fc9a6ba4d05805af66365f5a83

SHA1
8c48936dbfffe75c3a222bc3f0ce27e9da382f46

SHA256
2ba0434154844e0210a0a95cc01cc298b4feb7d646217900aae1dcc429740f75

SHA512
82e4462e6945c5f571f2ddab486426e27ac43d41706c9427171b364b3c68edb109bab381ca702e2a1fdad13c2b4b7218642a25d20d92641db6c6e4064c53b1c0

Download Submit
C:\Windows\SysWOW64\axlkdbwsqfereosdhkolz.exe

Filesize
880KB

MD5
9c7571fc9a6ba4d05805af66365f5a83

SHA1
8c48936dbfffe75c3a222bc3f0ce27e9da382f46

SHA256
2ba0434154844e0210a0a95cc01cc298b4feb7d646217900aae1dcc429740f75

SHA512
82e4462e6945c5f571f2ddab486426e27ac43d41706c9427171b364b3c68edb109bab381ca702e2a1fdad13c2b4b7218642a25d20d92641db6c6e4064c53b1c0

Download Submit
C:\Windows\SysWOW64\exhcrlcuozudmsszz.exe

Filesize
880KB

MD5
9c7571fc9a6ba4d05805af66365f5a83

SHA1
8c48936dbfffe75c3a222bc3f0ce27e9da382f46

SHA256
2ba0434154844e0210a0a95cc01cc298b4feb7d646217900aae1dcc429740f75

SHA512
82e4462e6945c5f571f2ddab486426e27ac43d41706c9427171b364b3c68edb109bab381ca702e2a1fdad13c2b4b7218642a25d20d92641db6c6e4064c53b1c0

Download Submit
C:\Windows\SysWOW64\lhuskhbwthfrdmpzcehd.exe

Filesize
880KB

MD5
9c7571fc9a6ba4d05805af66365f5a83

SHA1
8c48936dbfffe75c3a222bc3f0ce27e9da382f46

SHA256
2ba0434154844e0210a0a95cc01cc298b4feb7d646217900aae1dcc429740f75

SHA512
82e4462e6945c5f571f2ddab486426e27ac43d41706c9427171b364b3c68edb109bab381ca702e2a1fdad13c2b4b7218642a25d20d92641db6c6e4064c53b1c0

Download Submit
C:\Windows\SysWOW64\nhsoezrkfrnxhopxyy.exe

Filesize
880KB

MD5
9c7571fc9a6ba4d05805af66365f5a83

SHA1
8c48936dbfffe75c3a222bc3f0ce27e9da382f46

SHA256
2ba0434154844e0210a0a95cc01cc298b4feb7d646217900aae1dcc429740f75

SHA512
82e4462e6945c5f571f2ddab486426e27ac43d41706c9427171b364b3c68edb109bab381ca702e2a1fdad13c2b4b7218642a25d20d92641db6c6e4064c53b1c0

Download Submit
C:\Windows\SysWOW64\rpeeyxtqpffthsxjosxvkk.exe

Filesize
880KB

MD5
9c7571fc9a6ba4d05805af66365f5a83

SHA1
8c48936dbfffe75c3a222bc3f0ce27e9da382f46

SHA256
2ba0434154844e0210a0a95cc01cc298b4feb7d646217900aae1dcc429740f75

SHA512
82e4462e6945c5f571f2ddab486426e27ac43d41706c9427171b364b3c68edb109bab381ca702e2a1fdad13c2b4b7218642a25d20d92641db6c6e4064c53b1c0

Download Submit
C:\Windows\SysWOW64\xpysgzpgzjdltyxd.exe

Filesize
880KB

MD5
9c7571fc9a6ba4d05805af66365f5a83

SHA1
8c48936dbfffe75c3a222bc3f0ce27e9da382f46

SHA256
2ba0434154844e0210a0a95cc01cc298b4feb7d646217900aae1dcc429740f75

SHA512
82e4462e6945c5f571f2ddab486426e27ac43d41706c9427171b364b3c68edb109bab381ca702e2a1fdad13c2b4b7218642a25d20d92641db6c6e4064c53b1c0

Download Submit
C:\Windows\SysWOW64\ytfctpicylitemoxzac.exe

Filesize
880KB

MD5
9c7571fc9a6ba4d05805af66365f5a83

SHA1
8c48936dbfffe75c3a222bc3f0ce27e9da382f46

SHA256
2ba0434154844e0210a0a95cc01cc298b4feb7d646217900aae1dcc429740f75

SHA512
82e4462e6945c5f571f2ddab486426e27ac43d41706c9427171b364b3c68edb109bab381ca702e2a1fdad13c2b4b7218642a25d20d92641db6c6e4064c53b1c0

Download Submit
C:\Windows\axlkdbwsqfereosdhkolz.exe

Filesize
880KB

MD5
9c7571fc9a6ba4d05805af66365f5a83

SHA1
8c48936dbfffe75c3a222bc3f0ce27e9da382f46

SHA256
2ba0434154844e0210a0a95cc01cc298b4feb7d646217900aae1dcc429740f75

SHA512
82e4462e6945c5f571f2ddab486426e27ac43d41706c9427171b364b3c68edb109bab381ca702e2a1fdad13c2b4b7218642a25d20d92641db6c6e4064c53b1c0

Download Submit
C:\Windows\axlkdbwsqfereosdhkolz.exe

Filesize
880KB

MD5
9c7571fc9a6ba4d05805af66365f5a83

SHA1
8c48936dbfffe75c3a222bc3f0ce27e9da382f46

SHA256
2ba0434154844e0210a0a95cc01cc298b4feb7d646217900aae1dcc429740f75

SHA512
82e4462e6945c5f571f2ddab486426e27ac43d41706c9427171b364b3c68edb109bab381ca702e2a1fdad13c2b4b7218642a25d20d92641db6c6e4064c53b1c0

Download Submit
C:\Windows\exhcrlcuozudmsszz.exe

Filesize
880KB

MD5
9c7571fc9a6ba4d05805af66365f5a83

SHA1
8c48936dbfffe75c3a222bc3f0ce27e9da382f46

SHA256
2ba0434154844e0210a0a95cc01cc298b4feb7d646217900aae1dcc429740f75

SHA512
82e4462e6945c5f571f2ddab486426e27ac43d41706c9427171b364b3c68edb109bab381ca702e2a1fdad13c2b4b7218642a25d20d92641db6c6e4064c53b1c0

Download Submit
C:\Windows\exhcrlcuozudmsszz.exe

Filesize
880KB

MD5
9c7571fc9a6ba4d05805af66365f5a83

SHA1
8c48936dbfffe75c3a222bc3f0ce27e9da382f46

SHA256
2ba0434154844e0210a0a95cc01cc298b4feb7d646217900aae1dcc429740f75

SHA512
82e4462e6945c5f571f2ddab486426e27ac43d41706c9427171b364b3c68edb109bab381ca702e2a1fdad13c2b4b7218642a25d20d92641db6c6e4064c53b1c0

Download Submit
C:\Windows\lhuskhbwthfrdmpzcehd.exe

Filesize
880KB

MD5
9c7571fc9a6ba4d05805af66365f5a83

SHA1
8c48936dbfffe75c3a222bc3f0ce27e9da382f46

SHA256
2ba0434154844e0210a0a95cc01cc298b4feb7d646217900aae1dcc429740f75

SHA512
82e4462e6945c5f571f2ddab486426e27ac43d41706c9427171b364b3c68edb109bab381ca702e2a1fdad13c2b4b7218642a25d20d92641db6c6e4064c53b1c0

Download Submit
C:\Windows\lhuskhbwthfrdmpzcehd.exe

Filesize
880KB

MD5
9c7571fc9a6ba4d05805af66365f5a83

SHA1
8c48936dbfffe75c3a222bc3f0ce27e9da382f46

SHA256
2ba0434154844e0210a0a95cc01cc298b4feb7d646217900aae1dcc429740f75

SHA512
82e4462e6945c5f571f2ddab486426e27ac43d41706c9427171b364b3c68edb109bab381ca702e2a1fdad13c2b4b7218642a25d20d92641db6c6e4064c53b1c0

Download Submit
C:\Windows\nhsoezrkfrnxhopxyy.exe

Filesize
880KB

MD5
9c7571fc9a6ba4d05805af66365f5a83

SHA1
8c48936dbfffe75c3a222bc3f0ce27e9da382f46

SHA256
2ba0434154844e0210a0a95cc01cc298b4feb7d646217900aae1dcc429740f75

SHA512
82e4462e6945c5f571f2ddab486426e27ac43d41706c9427171b364b3c68edb109bab381ca702e2a1fdad13c2b4b7218642a25d20d92641db6c6e4064c53b1c0

Download Submit
C:\Windows\nhsoezrkfrnxhopxyy.exe

Filesize
880KB

MD5
9c7571fc9a6ba4d05805af66365f5a83

SHA1
8c48936dbfffe75c3a222bc3f0ce27e9da382f46

SHA256
2ba0434154844e0210a0a95cc01cc298b4feb7d646217900aae1dcc429740f75

SHA512
82e4462e6945c5f571f2ddab486426e27ac43d41706c9427171b364b3c68edb109bab381ca702e2a1fdad13c2b4b7218642a25d20d92641db6c6e4064c53b1c0

Download Submit
C:\Windows\rpeeyxtqpffthsxjosxvkk.exe

Filesize
880KB

MD5
9c7571fc9a6ba4d05805af66365f5a83

SHA1
8c48936dbfffe75c3a222bc3f0ce27e9da382f46

SHA256
2ba0434154844e0210a0a95cc01cc298b4feb7d646217900aae1dcc429740f75

SHA512
82e4462e6945c5f571f2ddab486426e27ac43d41706c9427171b364b3c68edb109bab381ca702e2a1fdad13c2b4b7218642a25d20d92641db6c6e4064c53b1c0

Download Submit
C:\Windows\rpeeyxtqpffthsxjosxvkk.exe

Filesize
880KB

MD5
9c7571fc9a6ba4d05805af66365f5a83

SHA1
8c48936dbfffe75c3a222bc3f0ce27e9da382f46

SHA256
2ba0434154844e0210a0a95cc01cc298b4feb7d646217900aae1dcc429740f75

SHA512
82e4462e6945c5f571f2ddab486426e27ac43d41706c9427171b364b3c68edb109bab381ca702e2a1fdad13c2b4b7218642a25d20d92641db6c6e4064c53b1c0

Download Submit
C:\Windows\xpysgzpgzjdltyxd.exe

Filesize
880KB

MD5
9c7571fc9a6ba4d05805af66365f5a83

SHA1
8c48936dbfffe75c3a222bc3f0ce27e9da382f46

SHA256
2ba0434154844e0210a0a95cc01cc298b4feb7d646217900aae1dcc429740f75

SHA512
82e4462e6945c5f571f2ddab486426e27ac43d41706c9427171b364b3c68edb109bab381ca702e2a1fdad13c2b4b7218642a25d20d92641db6c6e4064c53b1c0

Download Submit
C:\Windows\xpysgzpgzjdltyxd.exe

Filesize
880KB

MD5
9c7571fc9a6ba4d05805af66365f5a83

SHA1
8c48936dbfffe75c3a222bc3f0ce27e9da382f46

SHA256
2ba0434154844e0210a0a95cc01cc298b4feb7d646217900aae1dcc429740f75

SHA512
82e4462e6945c5f571f2ddab486426e27ac43d41706c9427171b364b3c68edb109bab381ca702e2a1fdad13c2b4b7218642a25d20d92641db6c6e4064c53b1c0

Download Submit
C:\Windows\ytfctpicylitemoxzac.exe

Filesize
880KB

MD5
9c7571fc9a6ba4d05805af66365f5a83

SHA1
8c48936dbfffe75c3a222bc3f0ce27e9da382f46

SHA256
2ba0434154844e0210a0a95cc01cc298b4feb7d646217900aae1dcc429740f75

SHA512
82e4462e6945c5f571f2ddab486426e27ac43d41706c9427171b364b3c68edb109bab381ca702e2a1fdad13c2b4b7218642a25d20d92641db6c6e4064c53b1c0

Download Submit
C:\Windows\ytfctpicylitemoxzac.exe

Filesize
880KB

MD5
9c7571fc9a6ba4d05805af66365f5a83

SHA1
8c48936dbfffe75c3a222bc3f0ce27e9da382f46

SHA256
2ba0434154844e0210a0a95cc01cc298b4feb7d646217900aae1dcc429740f75

SHA512
82e4462e6945c5f571f2ddab486426e27ac43d41706c9427171b364b3c68edb109bab381ca702e2a1fdad13c2b4b7218642a25d20d92641db6c6e4064c53b1c0

Download Submit
memory/3408-138-0x0000000000000000-mapping.dmp

Download
memory/3720-132-0x0000000000000000-mapping.dmp

Download
memory/4512-135-0x0000000000000000-mapping.dmp

Download