Analysis Overview
SHA256
119a065f07370bc3292e01561af3157287eb9262ed3e1c1936843255082ed0ce
Threat Level: Known bad
The file 119a065f07370bc3292e01561af3157287eb9262ed3e1c1936843255082ed0ceN was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 04:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 04:57
Reported
2024-11-09 04:59
Platform
win7-20241010-en
Max time kernel
120s
Max time network
118s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\119a065f07370bc3292e01561af3157287eb9262ed3e1c1936843255082ed0ceN.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\xeuxeez.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\xeuxeez.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\119a065f07370bc3292e01561af3157287eb9262ed3e1c1936843255082ed0ceN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\119a065f07370bc3292e01561af3157287eb9262ed3e1c1936843255082ed0ceN.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /i" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /c" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /G" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /J" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /d" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /s" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /L" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /Z" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /p" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /h" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /d" | C:\Users\Admin\AppData\Local\Temp\119a065f07370bc3292e01561af3157287eb9262ed3e1c1936843255082ed0ceN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /e" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /T" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /E" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /n" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /F" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /V" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /H" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /u" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /j" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /S" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /X" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /R" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /K" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /C" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /U" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /P" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /w" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /b" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /Q" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /z" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /Y" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /N" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /r" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /k" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /g" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /a" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /f" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /y" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /M" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /x" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /o" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /D" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /A" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /t" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /B" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /l" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /m" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /W" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /q" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /v" | C:\Users\Admin\xeuxeez.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeuxeez = "C:\\Users\\Admin\\xeuxeez.exe /O" | C:\Users\Admin\xeuxeez.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\119a065f07370bc3292e01561af3157287eb9262ed3e1c1936843255082ed0ceN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\xeuxeez.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\119a065f07370bc3292e01561af3157287eb9262ed3e1c1936843255082ed0ceN.exe | N/A |
| N/A | N/A | C:\Users\Admin\xeuxeez.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2932 wrote to memory of 2800 | N/A | C:\Users\Admin\AppData\Local\Temp\119a065f07370bc3292e01561af3157287eb9262ed3e1c1936843255082ed0ceN.exe | C:\Users\Admin\xeuxeez.exe |
| PID 2932 wrote to memory of 2800 | N/A | C:\Users\Admin\AppData\Local\Temp\119a065f07370bc3292e01561af3157287eb9262ed3e1c1936843255082ed0ceN.exe | C:\Users\Admin\xeuxeez.exe |
| PID 2932 wrote to memory of 2800 | N/A | C:\Users\Admin\AppData\Local\Temp\119a065f07370bc3292e01561af3157287eb9262ed3e1c1936843255082ed0ceN.exe | C:\Users\Admin\xeuxeez.exe |
| PID 2932 wrote to memory of 2800 | N/A | C:\Users\Admin\AppData\Local\Temp\119a065f07370bc3292e01561af3157287eb9262ed3e1c1936843255082ed0ceN.exe | C:\Users\Admin\xeuxeez.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\119a065f07370bc3292e01561af3157287eb9262ed3e1c1936843255082ed0ceN.exe
"C:\Users\Admin\AppData\Local\Temp\119a065f07370bc3292e01561af3157287eb9262ed3e1c1936843255082ed0ceN.exe"
C:\Users\Admin\xeuxeez.exe
"C:\Users\Admin\xeuxeez.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | ns1.player1532.com | udp |
| US | 104.155.138.21:8000 | ns1.player1532.com | tcp |
Files
C:\Users\Admin\xeuxeez.exe
| Hash | Value |
|---|---|
| MD5 | d25a0ccceea24005ccc01bc0e3225050 |
| SHA1 | 4e144253e9498896df5a721dd83e1c43a3b98799 |
| SHA256 | 10940243feef5e2f46768a734f47b18534e12e35ad2ed2d9d3a6a32cc5d5dccb |
| SHA512 | cb70adc6c2cdd2e43bffbc5b62c94d03a554cf69a5dda793d3e00968865d99e4a256db78d357e7e73ea9c6d336bd6d815c2faa77c459b1b7fcdd805f491a2743 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 04:57
Reported
2024-11-09 04:59
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
102s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\119a065f07370bc3292e01561af3157287eb9262ed3e1c1936843255082ed0ceN.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\cijis.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\119a065f07370bc3292e01561af3157287eb9262ed3e1c1936843255082ed0ceN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\cijis.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /Y" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /d" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /i" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /m" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /y" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /s" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /Z" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /p" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /G" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /h" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /j" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /a" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /U" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /v" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /V" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /A" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /N" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /F" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /W" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /r" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /W" | C:\Users\Admin\AppData\Local\Temp\119a065f07370bc3292e01561af3157287eb9262ed3e1c1936843255082ed0ceN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /Q" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /w" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /T" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /q" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /u" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /o" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /c" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /k" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /t" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /R" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /L" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /b" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /J" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /D" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /O" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /l" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /X" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /K" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /E" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /B" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /e" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /z" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /P" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /n" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /g" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /I" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /f" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /M" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /x" | C:\Users\Admin\cijis.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cijis = "C:\\Users\\Admin\\cijis.exe /S" | C:\Users\Admin\cijis.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\119a065f07370bc3292e01561af3157287eb9262ed3e1c1936843255082ed0ceN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\cijis.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\119a065f07370bc3292e01561af3157287eb9262ed3e1c1936843255082ed0ceN.exe | N/A |
| N/A | N/A | C:\Users\Admin\cijis.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4052 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\119a065f07370bc3292e01561af3157287eb9262ed3e1c1936843255082ed0ceN.exe | C:\Users\Admin\cijis.exe |
| PID 4052 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\119a065f07370bc3292e01561af3157287eb9262ed3e1c1936843255082ed0ceN.exe | C:\Users\Admin\cijis.exe |
| PID 4052 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\119a065f07370bc3292e01561af3157287eb9262ed3e1c1936843255082ed0ceN.exe | C:\Users\Admin\cijis.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\119a065f07370bc3292e01561af3157287eb9262ed3e1c1936843255082ed0ceN.exe
"C:\Users\Admin\AppData\Local\Temp\119a065f07370bc3292e01561af3157287eb9262ed3e1c1936843255082ed0ceN.exe"
C:\Users\Admin\cijis.exe
"C:\Users\Admin\cijis.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ns1.player1532.com | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\cijis.exe
| Hash | Value |
|---|---|
| MD5 | 036a66f8606300665eec82bd344d0cb6 |
| SHA1 | 3c6e19e714b6e97d51008555b6efeda9f8b8114f |
| SHA256 | 514bb06c39acf420ce0a91f62069935be178511dd08dfc41f7153ab124f7016c |
| SHA512 | 41dc8578416bdc059727b4c8fc9404c32048a55ecc247a3c5d82314d451a6e12b84110fa84c095dae25931f293f73bacae07346d353160efd5255ca001840e29 |