Analysis
max time kernel: 150s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20250619-en
resource tags: arch:x64 arch:x86 image:win10v2004-20250619-en locale:en-us os:windows10-2004-x64 system
submitted: 04/07/2025, 12:10
Static task: static1
Behavioral task: behavioral1
Sample: 2025-07-04_e4f2b20c2d84e8ef419ab9ba32fb83f1_elex_stop_yuner.exe
Resource: win10v2004-20250619-en
General
Target: 2025-07-04_e4f2b20c2d84e8ef419ab9ba32fb83f1_elex_stop_yuner.exe
Size: 512KB
MD5: e4f2b20c2d84e8ef419ab9ba32fb83f1
SHA1: 618b1abec54f8caf96a6f0f42ab573503bc53d34
SHA256: 54a6787cd14f35878b8f641433b6afc2f36fe44ce03682c589dc524fbf422748
SHA512: 90e6eed0f99f0e72da4b3de251fe53e382820f687ab511ee799384fcac5643e97446de93b8d1795426a0ac49fc4824bb66cf63ddc1de96fdd46a5b6ddbc45e6d
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj67:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Q
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | zrwfsugrvu.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | zrwfsugrvu.exe
HideFileExt = 1 and ShowSuperHidden = 0 are also the Windows defaults, so on their own they are weak indicators. They matter here because the same process re-asserts them in the same run as the Security Center, policy and file-association changes below, which keeps the dropped *.DOC.exe files listed in Explorer without their .exe suffix.
Windows security bypass (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | zrwfsugrvu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | zrwfsugrvu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | zrwfsugrvu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | zrwfsugrvu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | zrwfsugrvu.exe
The writes land under WOW6432Node because zrwfsugrvu.exe runs as a 32-bit process and the registry redirector maps its HKLM\SOFTWARE writes there; a hunt that only inspects the native HKLM\SOFTWARE\Microsoft\Security Center path will not see them.
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | zrwfsugrvu.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Control Panel\International\Geo\Nation | 2025-07-04_e4f2b20c2d84e8ef419ab9ba32fb83f1_elex_stop_yuner.exe
Executes dropped EXE (5 IoCs)
pid | Process
4216 | zrwfsugrvu.exe
5240 | advbjfyjjgedrdx.exe
2644 | pxypyxpv.exe
3580 | wypvdpnasyjze.exe
4796 | pxypyxpv.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No IoCs are listed for this signature in this run.
Windows security modification (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | zrwfsugrvu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | zrwfsugrvu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | zrwfsugrvu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | zrwfsugrvu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | zrwfsugrvu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | zrwfsugrvu.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zykolegr = "advbjfyjjgedrdx.exe" | advbjfyjjgedrdx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "wypvdpnasyjze.exe" | advbjfyjjgedrdx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jkfsgorx = "zrwfsugrvu.exe" | advbjfyjjgedrdx.exe
The second entry is written to the Run key's (Default) value, and all three hold a bare file name rather than a full path.
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\k: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (21 entries, one per letter) | zrwfsugrvu.exe
File opened (read-only) | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (43 entries across the two pxypyxpv.exe instances; b:, g: and s: once, every other letter twice) | pxypyxpv.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | zrwfsugrvu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | zrwfsugrvu.exe
4294967197 is 0xFFFFFF9D, the value that disabled System File Checker on Windows 2000. Windows Resource Protection on Windows 10 does not honour it, so the write has no effect on this platform, but it remains a high-confidence indicator.
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/3596-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral1/files/0x0007000000024017-9.dat | autoit_exe
behavioral1/files/0x0008000000024010-18.dat | autoit_exe
behavioral1/files/0x0008000000024016-23.dat | autoit_exe
behavioral1/files/0x0007000000024018-30.dat | autoit_exe
behavioral1/files/0x0008000000024037-80.dat | autoit_exe
behavioral1/files/0x0008000000024038-85.dat | autoit_exe
behavioral1/files/0x0004000000021f41-98.dat | autoit_exe
behavioral1/files/0x000700000002405e-118.dat | autoit_exe
behavioral1/files/0x000700000002405e-588.dat | autoit_exe
Drops file in System32 directory (12 IoCs)
description | ioc | Process
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | pxypyxpv.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | pxypyxpv.exe
File created | C:\Windows\SysWOW64\zrwfsugrvu.exe | 2025-07-04_e4f2b20c2d84e8ef419ab9ba32fb83f1_elex_stop_yuner.exe
File created | C:\Windows\SysWOW64\advbjfyjjgedrdx.exe | 2025-07-04_e4f2b20c2d84e8ef419ab9ba32fb83f1_elex_stop_yuner.exe
File opened for modification | C:\Windows\SysWOW64\advbjfyjjgedrdx.exe | 2025-07-04_e4f2b20c2d84e8ef419ab9ba32fb83f1_elex_stop_yuner.exe
File created | C:\Windows\SysWOW64\pxypyxpv.exe | 2025-07-04_e4f2b20c2d84e8ef419ab9ba32fb83f1_elex_stop_yuner.exe
File opened for modification | C:\Windows\SysWOW64\pxypyxpv.exe | 2025-07-04_e4f2b20c2d84e8ef419ab9ba32fb83f1_elex_stop_yuner.exe
File opened for modification | C:\Windows\SysWOW64\wypvdpnasyjze.exe | 2025-07-04_e4f2b20c2d84e8ef419ab9ba32fb83f1_elex_stop_yuner.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | pxypyxpv.exe
File opened for modification | C:\Windows\SysWOW64\zrwfsugrvu.exe | 2025-07-04_e4f2b20c2d84e8ef419ab9ba32fb83f1_elex_stop_yuner.exe
File created | C:\Windows\SysWOW64\wypvdpnasyjze.exe | 2025-07-04_e4f2b20c2d84e8ef419ab9ba32fb83f1_elex_stop_yuner.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | zrwfsugrvu.exe
The sample writes all four of its components into SysWOW64, the 32-bit system directory; msvbvm60.dll, which zrwfsugrvu.exe opens for modification, is the Visual Basic 6 runtime library.
Drops file in Program Files directory (15 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | pxypyxpv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | pxypyxpv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | pxypyxpv.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | pxypyxpv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | pxypyxpv.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | pxypyxpv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | pxypyxpv.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | pxypyxpv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | pxypyxpv.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | pxypyxpv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | pxypyxpv.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | pxypyxpv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | pxypyxpv.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | pxypyxpv.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | pxypyxpv.exe
PROTTPLN.DOC.exe and PROTTPLV.DOC.exe are executables written into Office's 1033 resource directory under document-style names; with HideFileExt = 1 (set above) Explorer lists them as PROTTPLN.DOC and PROTTPLV.DOC.
Drops file in Windows directory (19 IoCs)
description | ioc | Process
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | pxypyxpv.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | pxypyxpv.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | pxypyxpv.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | pxypyxpv.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | pxypyxpv.exe
File opened for modification | C:\Windows\mydoc.rtf | 2025-07-04_e4f2b20c2d84e8ef419ab9ba32fb83f1_elex_stop_yuner.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | pxypyxpv.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | pxypyxpv.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | pxypyxpv.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | pxypyxpv.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | pxypyxpv.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | pxypyxpv.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | pxypyxpv.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | pxypyxpv.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | pxypyxpv.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | pxypyxpv.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | pxypyxpv.exe
pxypyxpv.exe plants MsoIrmProtector.doc.exe in four WinSxS component directories (two builds, amd64 and wow64 each). Separately, the sample writes C:\Windows\mydoc.rtf and launches WINWORD.EXE on it (see the process tree); ~$mydoc.rtf is Word's owner lock file for the open document.
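The three "Drops file" signatures above share one pattern: four bare-named executables in SysWOW64, plus executables given a document name with an .exe suffix (MsoIrmProtector.doc.exe, PROTTPLN.DOC.exe, PROTTPLV.DOC.exe) that Explorer lists without the suffix once HideFileExt = 1. The following is an added example, not part of the report: a Python scanner that hunts a directory tree for both patterns and confirms each hit is a PE image by its MZ header. The tree it scans is constructed inline to mirror the report's drop locations, and the document extensions beyond .doc are the author's generalisation of what the report shows.

```python
import pathlib
import shutil
import tempfile

# Names taken from the report; the document-extension list generalises the ".doc.exe" pattern it shows.
DROPPED_NAMES = {"zrwfsugrvu.exe", "advbjfyjjgedrdx.exe", "pxypyxpv.exe", "wypvdpnasyjze.exe"}
DOC_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".pdf"}

def is_pe(path):
    # Every PE image starts with the DOS "MZ" stub; a renamed document does not.
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"

def why_suspicious(name):
    """Reason a file name matches the report's drop pattern, or None."""
    low = name.lower()
    if low in DROPPED_NAMES:
        return "bare-named binary dropped by the sample"
    stem, _, ext = low.rpartition(".")
    if ext == "exe" and pathlib.PurePath(stem).suffix in DOC_EXTS:
        return f"executable with a document name (listed as {name[:-4]} when HideFileExt = 1)"
    return None

def scan(root):
    """Return sorted (relative path, reason, is_pe) tuples for every suspicious file under root."""
    root = pathlib.Path(root)
    hits = []
    for p in root.rglob("*"):
        if p.is_file():
            reason = why_suspicious(p.name)
            if reason:
                hits.append((p.relative_to(root).as_posix(), reason, is_pe(p)))
    return sorted(hits)

def build_fixture():
    """Constructed tree mirroring the report's drop locations; contents are stand-ins, not the sample."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="yuner_"))
    pe_stub = b"MZ" + b"\x00" * 62
    files = {
        "Windows/SysWOW64/zrwfsugrvu.exe": pe_stub,
        "Windows/SysWOW64/MSDRM/MsoIrmProtector.doc.exe": pe_stub,
        "Program Files/Microsoft Office/root/Office16/1033/PROTTPLN.DOC.exe": pe_stub,
        "Program Files/Microsoft Office/root/Office16/1033/PROTTPLN.nal": b"not a PE",
        "Windows/mydoc.rtf": b"{\\rtf1 stand-in}",
        "Windows/System32/notepad.exe": pe_stub,   # legitimate name: must not be flagged
    }
    for rel, data in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root

if __name__ == "__main__":
    fixture = build_fixture()
    try:
        for rel, reason, pe in scan(fixture):
            print(f"{rel}: {reason} [PE header: {pe}]")
    finally:
        shutil.rmtree(fixture)
```

Point scan() at a mounted image or a live C:\ to use it for real; the MZ check is what separates an actual dropped executable from an unrelated file that merely carries a double extension.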
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). No IoCs are listed for this signature in this run.
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_e4f2b20c2d84e8ef419ab9ba32fb83f1_elex_stop_yuner.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zrwfsugrvu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | advbjfyjjgedrdx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pxypyxpv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wypvdpnasyjze.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pxypyxpv.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
All three reads are by WINWORD.EXE, which the sample launched to open mydoc.rtf, not by the sample or its dropped binaries.
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Again attributed to WINWORD.EXE rather than to the dropped binaries.
Modifies registry class (20 IoCs)
zrwfsugrvu.exe points the .bat, .vbs, .wsh, .wsf, .wsc and .reg extensions at the txtfile ProgID, so a cleanup script or a .reg fix that is double-clicked opens in the text editor instead of running or importing. The sample itself stores opaque hex strings under HKLM\SOFTWARE\Classes\CLV.Classes (Com1 to Com4, StartCom1 and StartCom2).
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB4FAB0FE6BF1E0837A3B4781EB39E2B0FC02884314033DE2CC429D09A2" | 2025-07-04_e4f2b20c2d84e8ef419ab9ba32fb83f1_elex_stop_yuner.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | zrwfsugrvu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | zrwfsugrvu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | zrwfsugrvu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | zrwfsugrvu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | zrwfsugrvu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7806BC5FE1D22DBD20ED0A18B7B9062" | 2025-07-04_e4f2b20c2d84e8ef419ab9ba32fb83f1_elex_stop_yuner.exe
Key created | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000_Classes\Local Settings | 2025-07-04_e4f2b20c2d84e8ef419ab9ba32fb83f1_elex_stop_yuner.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | zrwfsugrvu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32302D7A9D5583596D3F77D570212DDC7CF165DC" | 2025-07-04_e4f2b20c2d84e8ef419ab9ba32fb83f1_elex_stop_yuner.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECBB05B44E738E252BEB9A133EED4B9" | 2025-07-04_e4f2b20c2d84e8ef419ab9ba32fb83f1_elex_stop_yuner.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8FFC8E4F5B8268913CD65C7DE2BD97E631583767366234D791" | 2025-07-04_e4f2b20c2d84e8ef419ab9ba32fb83f1_elex_stop_yuner.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | zrwfsugrvu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | zrwfsugrvu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | zrwfsugrvu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | zrwfsugrvu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | zrwfsugrvu.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 2025-07-04_e4f2b20c2d84e8ef419ab9ba32fb83f1_elex_stop_yuner.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "194AC7781596DAB4B8C87CE1EDE037CB" | 2025-07-04_e4f2b20c2d84e8ef419ab9ba32fb83f1_elex_stop_yuner.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | zrwfsugrvu.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process | count
3584 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | count
3596 | 2025-07-04_e4f2b20c2d84e8ef419ab9ba32fb83f1_elex_stop_yuner.exe | 16
4216 | zrwfsugrvu.exe | 10
2644 | pxypyxpv.exe | 8
5240 | advbjfyjjgedrdx.exe | 12
3580 | wypvdpnasyjze.exe | 12
4796 | pxypyxpv.exe | 6
Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process | count
3596 | 2025-07-04_e4f2b20c2d84e8ef419ab9ba32fb83f1_elex_stop_yuner.exe | 3
4216 | zrwfsugrvu.exe | 3
2644 | pxypyxpv.exe | 3
5240 | advbjfyjjgedrdx.exe | 3
3580 | wypvdpnasyjze.exe | 3
4796 | pxypyxpv.exe | 3
Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process | count
3596 | 2025-07-04_e4f2b20c2d84e8ef419ab9ba32fb83f1_elex_stop_yuner.exe | 3
4216 | zrwfsugrvu.exe | 3
2644 | pxypyxpv.exe | 3
5240 | advbjfyjjgedrdx.exe | 3
3580 | wypvdpnasyjze.exe | 3
4796 | pxypyxpv.exe | 3
Suspicious use of SetWindowsHookEx (17 IoCs)
pid | Process | count
3584 | WINWORD.EXE | 17
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target | count
PID 3596 wrote to memory of 4216 | 3596 | 2025-07-04_e4f2b20c2d84e8ef419ab9ba32fb83f1_elex_stop_yuner.exe | 86 | 3
PID 3596 wrote to memory of 5240 | 3596 | 2025-07-04_e4f2b20c2d84e8ef419ab9ba32fb83f1_elex_stop_yuner.exe | 87 | 3
PID 3596 wrote to memory of 2644 | 3596 | 2025-07-04_e4f2b20c2d84e8ef419ab9ba32fb83f1_elex_stop_yuner.exe | 88 | 3
PID 3596 wrote to memory of 3580 | 3596 | 2025-07-04_e4f2b20c2d84e8ef419ab9ba32fb83f1_elex_stop_yuner.exe | 89 | 3
PID 3596 wrote to memory of 3584 | 3596 | 2025-07-04_e4f2b20c2d84e8ef419ab9ba32fb83f1_elex_stop_yuner.exe | 90 | 2
PID 4216 wrote to memory of 4796 | 4216 | zrwfsugrvu.exe | 92 | 3
Every target is a process that the writer itself spawned (see the process tree), including WINWORD.EXE; the writes coincide with process creation rather than with injection into an unrelated process.
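The registry rows above are the most actionable output of this report. The following is an added example, not part of the report or of the sample's code: a Python script that parses the report's "Set value" rows, normalises the kernel-style registry paths to HKLM/HKCU, confirms each rule against a registry snapshot and emits a reg.exe command that restores the value. The snapshot is constructed for the example, the stock ProgIDs and the one-line explanations are the author's reading rather than sandbox output, and the sandbox SID is dropped so the per-user rules apply to whichever user hive is being checked.

```python
import re
from dataclasses import dataclass

# Rows copied from the report's IoC tables (subset), plus one "Key created" row to show that data-less rows are skipped.
REPORT_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" zrwfsugrvu.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" zrwfsugrvu.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" zrwfsugrvu.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" zrwfsugrvu.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" zrwfsugrvu.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jkfsgorx = "zrwfsugrvu.exe" advbjfyjjgedrdx.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf zrwfsugrvu.exe',
]
ROW_RE = re.compile(r'^Set value \((?P<kind>int|str)\) (?P<path>\\REGISTRY\\.+?) = "(?P<value>[^"]*)" (?P<process>\S+)$')

# Stock ProgIDs for the extensions the sample points at "txtfile" (Windows defaults as known to the author).
DEFAULT_PROGID = {".bat": "batfile", ".vbs": "VBSFile", ".reg": "regfile",
                  ".wsf": "WSFFile", ".wsh": "WSHFile", ".wsc": "scriptletfile"}

@dataclass(frozen=True)
class RegRule:
    hive: str      # "HKLM", or "HKCU" for the sandbox user's hive
    key: str       # subkey below the hive, exactly as the report spells it
    name: str      # value name; "" means the key's (Default) value
    kind: str      # "int" or "str", as typed by the sandbox
    value: str     # data the sample wrote
    process: str   # writing process

def parse_rows(rows):
    rules = []
    for row in rows:
        m = ROW_RE.match(row)           # Key created / Key opened rows carry no data and are skipped
        if not m:
            continue
        path = m["path"]
        if path.upper().startswith("\\REGISTRY\\MACHINE\\"):
            hive, rest = "HKLM", path.split("\\", 3)[3]
        elif path.upper().startswith("\\REGISTRY\\USER\\"):
            hive, rest = "HKCU", path.split("\\", 4)[4]   # drops the sandbox SID; on a live host check every hive under HKU
        else:
            continue
        key, _, name = rest.rpartition("\\")            # trailing "\" in the report means the (Default) value
        rules.append(RegRule(hive, key, name, m["kind"], m["value"], m["process"]))
    return rules

def snap_key(hive, key, name):
    return (hive, key.lower(), name.lower())            # registry paths and names are case-insensitive

def matches(rule, observed):
    want = int(rule.value) if rule.kind == "int" else rule.value.lower()
    return want == (observed if isinstance(observed, int) else str(observed).lower())

def explain(rule):
    """Author's reading of what each write does; not sandbox output."""
    ext = rule.key.rsplit("\\", 1)[-1]
    if rule.name == "" and ext in DEFAULT_PROGID:
        return f"{ext} files open with {rule.value} instead of {DEFAULT_PROGID[ext]}: scripts and .reg fixes no longer run"
    if rule.key.endswith("\\Run"):
        return "autostart entry holding a bare file name"
    if "Security Center" in rule.key:
        return "legacy Security Center override, reached through WOW6432Node by a 32-bit writer"
    if rule.name.startswith("SFC"):
        return "Windows 2000-era SFC switch; ignored by WRP on Windows 10 but a strong IoC"
    if rule.name == "DisableRegistryTools":
        return "blocks regedit for the affected user"
    return "value written by the sample"

def remediation(rule):
    # reg.exe command restoring the value: reset remapped (Default) ProgIDs, delete everything else.
    ext = rule.key.rsplit("\\", 1)[-1]
    target = f'"{rule.hive}\\{rule.key}"'
    if rule.name == "" and ext in DEFAULT_PROGID:
        return f"reg add {target} /ve /d {DEFAULT_PROGID[ext]} /f /reg:64"
    return f'reg delete {target} /v "{rule.name}" /f /reg:64'

def audit(rules, snapshot):
    # Returns (rule, observed, explanation, fix) for every rule the snapshot confirms.
    findings = []
    for r in rules:
        observed = snapshot.get(snap_key(r.hive, r.key, r.name))
        if observed is not None and matches(r, observed):
            findings.append((r, observed, explain(r), remediation(r)))
    return findings

# Constructed snapshot standing in for live registry reads on an infected host.
SAMPLE_SNAPSHOT = {
    snap_key("HKLM", r"SOFTWARE\WOW6432Node\Microsoft\Security Center", "AntiVirusOverride"): 1,
    snap_key("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"): 1,
    snap_key("HKLM", r"SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon", "SFCDisable"): 0xFFFFFF9D,
    snap_key("HKLM", r"SOFTWARE\Classes\.bat", ""): "txtfile",
    snap_key("HKLM", r"SOFTWARE\Classes\.reg", ""): "regfile",     # still stock: must not be reported
    snap_key("HKLM", r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run", "jkfsgorx"): "zrwfsugrvu.exe",
}

if __name__ == "__main__":
    for rule, observed, why, fix in audit(parse_rows(REPORT_ROWS), SAMPLE_SNAPSHOT):
        print(f"{rule.hive}\\{rule.key}\\{rule.name or '(Default)'} = {observed!r}: {why}\n    {fix}")
```

On a Windows host, replace SAMPLE_SNAPSHOT with live reads: winreg.OpenKey(root, key, 0, winreg.KEY_READ | winreg.KEY_WOW64_64KEY) followed by winreg.QueryValueEx(handle, name), opening the 64-bit view so the explicit WOW6432Node path in each rule is not redirected a second time, and repeat the HKCU rules for every hive loaded under HKU. The /reg:64 switch on the generated reg.exe commands serves the same purpose; the HKLM ones need an elevated prompt.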
Processes
C:\Users\Admin\AppData\Local\Temp\2025-07-04_e4f2b20c2d84e8ef419ab9ba32fb83f1_elex_stop_yuner.exe (PID 3596)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_e4f2b20c2d84e8ef419ab9ba32fb83f1_elex_stop_yuner.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\zrwfsugrvu.exe (PID 4216)
    command line: zrwfsugrvu.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\pxypyxpv.exe (PID 4796)
      command line: C:\Windows\system32\pxypyxpv.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\advbjfyjjgedrdx.exe (PID 5240)
    command line: advbjfyjjgedrdx.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\pxypyxpv.exe (PID 2644)
    command line: pxypyxpv.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\wypvdpnasyjze.exe (PID 3580)
    command line: wypvdpnasyjze.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3584)
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
C:\Windows\system32\cmd.exe (PID 1132)
  command line: C:\Windows\system32\cmd.exe /c advbjfyjjgedrdx.exe
C:\Windows\system32\cmd.exe (PID 3972)
  command line: C:\Windows\system32\cmd.exe /c zrwfsugrvu.exe
C:\Windows\system32\cmd.exe (PID 3496)
  command line: C:\Windows\system32\cmd.exe /c wypvdpnasyjze.exe
PID 4796 was requested as C:\Windows\system32\pxypyxpv.exe by the 32-bit zrwfsugrvu.exe; WOW64 file-system redirection resolved that to C:\Windows\SysWOW64\pxypyxpv.exe, which is where the sample dropped it. The three cmd.exe processes run the dropped binaries by bare name and have no recorded parent in this tree.
Network
MITRE ATT&CK Enterprise v16
Persistence
  Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 1
Privilege Escalation
  Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 1
Defense Evasion
  Hide Artifacts (T1564): 2
    Hidden Files and Directories (T1564.001): 2
  Impair Defenses (T1562): 2
    Disable or Modify Tools (T1562.001): 2
  Modify Registry (T1112): 6
Credential Access
  Credentials from Password Stores (T1555): 1
    Credentials from Web Browsers (T1555.003): 1
  Unsecured Credentials (T1552): 1
    Credentials In Files (T1552.001): 1
Downloads
Nine of the files written during the run are 512KB, the same size as the submitted sample, yet each carries a different hash, so a block list built from the sample's own hashes will not match the dropped copies.

Filesize: 512KB
MD5: 87a9c39c2cad3ab22f0b90f621ba117f
SHA1: 960bf6861950ae3d84a46f5adb35ffd44ecee47f
SHA256: f49fcf3c2f247c45e934604792f156d96bbd40fdfeaad0ad5ca62b26fc06e19d
SHA512: a62461d1ccd48f55ac34d747ef7d4f38524f98b9710484c27888a6f112f41f663764f47fb190df0f08ee9e5ea80a3c817b5512c507e48197491b486201cd998c

Filesize: 512KB
MD5: bf3eef4d7de105407b87c7a7ecb4f9ee
SHA1: 73a67d5d7631b61b3a828c565dddf81b18e1ccd6
SHA256: ebff9c09ce4d18fb3aa013f3183d73092600c98a4bce842e4e3e36abc2356e19
SHA512: 7b88bcca01f70fafecac2a4ab6215e78371d433d16115b151684c877913ab506c0bfcdc975a5850da774c96d995dea90bd3d64d66ae4f42bba0971bf7952e92f

Filesize: 245KB
MD5: f883b260a8d67082ea895c14bf56dd56
SHA1: 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256: ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512: d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Filesize: 48B
MD5: dea103b4fc24ce3df9ea6f828dfba54d
SHA1: d86716a534165c234af6f265b9bea0f41008535a
SHA256: 67a453d4eb3a30cbdd441f09685f645c7ed2389ab81a3306dd8592bb5b8a9ef3
SHA512: a8f64f454eba7fa6c4e60de61a39c8ac73423c453c6009323abc331cc17a53b0a67f61fb50d3663d9eacfa7b69e73d4fedb0dee83dbee8fcc06d6afd7e193c42

Filesize: 18KB
MD5: e98b5a0702f1b4beabdf19bb2a03ad58
SHA1: fb0088c1c4883b29031f66e6036b42bf7f08bdf7
SHA256: 13ecaf099001e1eb9d7661db200fe75fa282fca8085e1c88ca84e1e232d911b0
SHA512: 59e88c17f704c44d41df50f05ab52ef1a24ca1c2abef1d96541e2690e4a3eedbca8bca895c7d76768c76399dcb7f9aa2bc01b4f12a36ecd9a3878121ff6bb74a

Filesize: 16B
MD5: d29962abc88624befc0135579ae485ec
SHA1: e40a6458296ec6a2427bcb280572d023a9862b31
SHA256: a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512: 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 24B
MD5: 4fcb2a3ee025e4a10d21e1b154873fe2
SHA1: 57658e2fa594b7d0b99d02e041d0f3418e58856b
SHA256: 90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228
SHA512: 4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 679B
MD5: 9f25e5a5e5f7aed915916464012e259b
SHA1: a82a7816a7548140eebfc2a3969643be1fbd303b
SHA256: 6b251cb2ca19d6ef7e31f9080228cdeb2fe1e3c597da36108ae7b4a74dfc528a
SHA512: c695001e72a2fbe4a83a8fa04efaa7a7af672829af4e6aaec5f527a9362cdefe170a465ec9c3465074858873ed9bb72c272e7c449e5703b0f8beef62b617c145

Filesize: 512KB
MD5: 60ebd55d0ebb38713d9212ca01544b23
SHA1: 2ab5d99029fa52d78117a6cf2a95afcc85ed431a
SHA256: 36be67bbd74ac3cf148cc6d776c1bbe3dfdfc584e40104b3a09b575d3f3a8a8d
SHA512: 7d1cf4275909c4491137706936a0320c4b8039a78d64b82d3ec96b13b7e65f6f7e8280daae2d23eeec3bb6ec0b1481ea191ac0e304b761d0a4baf24c0c65f054

Filesize: 512KB
MD5: 25166a3fb4cdc1e4f9826f60438b52ef
SHA1: 33b73eca3d08d00661e47c2d9367a4a222757a74
SHA256: 7a243e8fdb2aed13629eb9b6cbf9e123584a83dde92e828050dcc621a7e9dfe5
SHA512: 6ba7bdd1861d4cbdfff4d2bd6db9149208731ee7cceb4a015ad428e7e55dcc5097ab2dc566df489aa83d3a30b1d1aa9b313f19d78956d6b5bc4f01239fe89bc0

Filesize: 512KB
MD5: c13bac1b087fab658456b1ff7dd5540f
SHA1: 52cf0af389aa6845d5f615e0cb0c80d4729c5095
SHA256: d477fe329b7f96238b9df8e101ab493bcebc2a31197303e22cf9f1099d577829
SHA512: 6d7a0829c906a0b46371cb254fdc74d1ce898d2e06bb0b18e1561eb0f45bd9949534f343c50ef162690c94eec1f25424cc03b22a37737426a5dfa78c2ff579d8

Filesize: 512KB
MD5: 95bbf8240179fe090a4502665e226b2a
SHA1: 7884d54342c22b0fd6bb82053d4f5741ab79b103
SHA256: c00f67f83167b1be6e872db7aa19d26f93ac1eda58e79b7cfa1007bbe02c550f
SHA512: b5e58f49c2c6e397ebe6d0cbd7b82135a4805e34bb77f1d5540bc3445f9e88e4021b84f3ed28bc133263477d99a0fe39ec69e44a79d23160b1ba797458d1b5a9

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: e00232dd9685fcd0685e63f2f30b56b9
SHA1: c8dedc8ef41294ab68217a79815d5fd2fb9bc83d
SHA256: b35f40a7d6e395bb84f8fa3e487ec7c833badcdc78a3f080255afd9554d5ff12
SHA512: 94ddc2647f335f6e210a3f3ed5b9f5dfc87550ddc3852fb85b6271cde75b13a9b24e5ccdee143321312721450269238e50b6e501f8fc3a128a4f6ba87056b1c5

Filesize: 512KB
MD5: a49b971123c7d7e5fb3a81a676b99954
SHA1: 04bfeca353a6f13b4fe4cd80fdee72fa104d4d96
SHA256: f28cbead27d2ed3c1190d1137e12a22a48894bfbad13275f26bce0f6b11fe350
SHA512: c39c257728d440ac9416fafd172be19617d1a4216b9b539b52cc3cfaf11966602ca76ab1df10ee1bbec6e4ed8ae843318ad71cdb01e977d7e2308547c061834e

Filesize: 512KB
MD5: f0365909ca425d2cf1f21868a55f06af
SHA1: 0107bf117703172e5a955d5930b56bd66c7e0544
SHA256: 45c90907a5a3db230bf007c1dbb6259176f806697a50ba19b9902c612c58cb83
SHA512: a5369828f87ab4355631df08fcad105dc76fe79f45c02c076c6c4a2fa3144249d2777f3f4f5ed0c5c669b6f9cdca3473bce742fd9bb9f04ed43b3c6b7a9c36c0