Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'Windowspiizsj' = '%APPDATA%\.mnngpyrb\iue8emxxn5.exe'
- [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'explorer.exe,%APPDATA%\.mnngpyrb\iue8emxxn5.exe'
Creates or modifies the following files
- <SYSTEM32>\tasks\windowspiizsj_logon
- <SYSTEM32>\tasks\windowspiizsj_check
- %APPDATA%\microsoft\windows\start menu\programs\startup\windowspiizsj.lnk
- <SYSTEM32>\tasks\microsoftedgeupdatetaskmachineua156.4.1762.3{85556f56_0580_4900_ddb7_8b02c3a5b51e}
Sets the following service settings
- [HKLM\SYSTEM\CurrentControlSet\Services\Windowspiizsj] 'Start' = '00000002'
- [HKLM\SYSTEM\CurrentControlSet\Services\Windowspiizsj] 'ImagePath' = '%APPDATA%\.mnngpyrb\iue8emxxn5.exe'
Creates the following services
- 'Windowspiizsj' %APPDATA%\.mnngpyrb\iue8emxxn5.exe
Malicious functions
Injects code into
the following system processes:
- %WINDIR%\syswow64\tracerpt.exe
- %WINDIR%\syswow64\svchost.exe
Modifies file system
Creates the following files
- %TEMP%\093sax7wbrnt\output_86_2026.04.10_18.04.08_setup.exe
- %APPDATA%\.mnngpyrb\iue8emxxn5.exe
- nul
- %WINDIR%\temp\is-j3oifetp59.tmp\iue8emxxn5.tmp
- %TEMP%\is-aixs5bdg38.tmp\iue8emxxn5.tmp
- %WINDIR%\temp\is-kv7gogxa85.tmp\_isetup\_setup64.tmp
- %TEMP%\is-g9bjlx316x.tmp\_isetup\_setup64.tmp
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\explorer\iconcache_idx.db
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\explorer\iconcache_16.db
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\explorer\iconcache_32.db
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\explorer\iconcache_48.db
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\explorer\iconcache_96.db
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\explorer\iconcache_256.db
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\explorer\iconcache_768.db
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\explorer\iconcache_1280.db
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\explorer\iconcache_1920.db
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\explorer\iconcache_2560.db
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\explorer\iconcache_sr.db
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\explorer\iconcache_wide.db
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\explorer\iconcache_exif.db
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\explorer\iconcache_wide_alternate.db
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\explorer\iconcache_custom_stream.db
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\start menu\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\start menu\programs\desktop.ini
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\greencobalt\is-591ugd3k6k.tmp
- %APPDATA%\greencobalt\is-1f9dyee447.tmp
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\greencobalt\is-kpegng3wqq.tmp
- %APPDATA%\greencobalt\is-xp1mfx8jcy.tmp
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\greencobalt\is-21jsrivyb4.tmp
- %APPDATA%\greencobalt\is-l4izj61tli.tmp
- %WINDIR%\syswow64\config\systemprofile\appdata\roaming\greencobalt\is-avbri7lr3s.tmp
- %APPDATA%\greencobalt\is-54ymr8e7vd.tmp
- %WINDIR%\temp\is-kv7gogxa85.tmp\is-y72xqfku00.tmp
- %TEMP%\is-g9bjlx316x.tmp\is-7ti8d5bk2n.tmp
- %WINDIR%\temp\is-kv7gogxa85.tmp\is-656yi21qx5.tmp
- %TEMP%\is-g9bjlx316x.tmp\is-kfi3o7urci.tmp
- %WINDIR%\temp\is-kv7gogxa85.tmp\is-uv8nzzdhes.tmp
- %TEMP%\is-g9bjlx316x.tmp\is-nzb7cl8jka.tmp
- %WINDIR%\temp\is-kv7gogxa85.tmp\is-zkbbutq2ox.tmp
- %TEMP%\is-g9bjlx316x.tmp\is-3ljxlbts15.tmp
- %WINDIR%\temp\is-kv7gogxa85.tmp\is-5h7sl898tg.tmp
- %TEMP%\is-g9bjlx316x.tmp\is-2au8zvqqiy.tmp
- %WINDIR%\temp\is-kv7gogxa85.tmp\is-g70b6obfok.tmp
- %TEMP%\is-g9bjlx316x.tmp\is-4ofyl5jdtb.tmp
- %WINDIR%\temp\is-kv7gogxa85.tmp\is-4qru3rp60m.tmp
- %TEMP%\is-g9bjlx316x.tmp\is-emoanrwn7e.tmp
- %WINDIR%\temp\is-kv7gogxa85.tmp\is-06z5229xly.tmp
- %TEMP%\is-g9bjlx316x.tmp\is-yo9pl7vi8g.tmp
- %WINDIR%\temp\is-kv7gogxa85.tmp\is-tjgfer1bls.tmp
- %TEMP%\is-g9bjlx316x.tmp\is-n009akr3vz.tmp
- %WINDIR%\temp\is-kv7gogxa85.tmp\is-pv4v4f0ktk.tmp
- %TEMP%\is-g9bjlx316x.tmp\is-h6d3d9y41l.tmp
- %TEMP%\dk0zwg5v.vbs
- %HOMEPATH%\7c9f2e84.dat
- %TEMP%\093sax7wbrnt\6套公寓.pptx
- %TEMP%\is-ap9m1r0gjx.tmp\output_86_2026.04.10_18.04.08_setup.tmp
- %TEMP%\is-5bd29w0wme.tmp\_isetup\_setup64.tmp
- %ALLUSERSPROFILE%\displaysessioncontainers.log
- %TEMP%\093sax7wbrnt\~$6套公寓.pptx
- %TEMP%\is-5z0x7oe0w6.tmp\iue8emxxn5.tmp
- %TEMP%\is-8wgfz0cilf.tmp\_isetup\_setup64.tmp
Sets the 'hidden' attribute to the following files
- %APPDATA%\.mnngpyrb\iue8emxxn5.exe
Deletes following files that it created itself
- %WINDIR%\temp\is-kv7gogxa85.tmp\ycylm2uw6p.lgi
- %WINDIR%\temp\is-kv7gogxa85.tmp\8aibbloy18.byv
- %WINDIR%\temp\is-kv7gogxa85.tmp\bbvdntgo3z.cri
- %WINDIR%\temp\is-kv7gogxa85.tmp\6ssserra67.xcd
- %WINDIR%\temp\is-kv7gogxa85.tmp\i0b0ubenyc.pfc
- %WINDIR%\temp\is-kv7gogxa85.tmp\3zrmqrb44s.mbd
- %WINDIR%\temp\is-kv7gogxa85.tmp\jswxlsv756.aek
- %WINDIR%\temp\is-kv7gogxa85.tmp\n5qkqf5os6.fey
- %WINDIR%\temp\is-kv7gogxa85.tmp\360base64.dll
- %WINDIR%\temp\is-kv7gogxa85.tmp\360base.dll
- %WINDIR%\temp\is-kv7gogxa85.tmp\_isetup\_setup64.tmp
- %TEMP%\is-g9bjlx316x.tmp\ycylm2uw6p.lgi
- %TEMP%\is-g9bjlx316x.tmp\8aibbloy18.byv
- %TEMP%\is-g9bjlx316x.tmp\bbvdntgo3z.cri
- %TEMP%\is-g9bjlx316x.tmp\6ssserra67.xcd
- %TEMP%\is-g9bjlx316x.tmp\i0b0ubenyc.pfc
- %TEMP%\is-g9bjlx316x.tmp\3zrmqrb44s.mbd
- %TEMP%\is-g9bjlx316x.tmp\jswxlsv756.aek
- %TEMP%\is-g9bjlx316x.tmp\n5qkqf5os6.fey
- %TEMP%\is-g9bjlx316x.tmp\360base64.dll
- %TEMP%\is-g9bjlx316x.tmp\360base.dll
- %TEMP%\is-g9bjlx316x.tmp\_isetup\_setup64.tmp
- %WINDIR%\temp\is-j3oifetp59.tmp\iue8emxxn5.tmp
- %TEMP%\is-aixs5bdg38.tmp\iue8emxxn5.tmp
- %TEMP%\dk0zwg5v.vbs
Moves the following files
- from %WINDIR%\syswow64\config\systemprofile\appdata\roaming\greencobalt\is-591ugd3k6k.tmp to %WINDIR%\syswow64\config\systemprofile\appdata\roaming\greencobalt\appwiz.cpl
- from %APPDATA%\greencobalt\is-1f9dyee447.tmp to %APPDATA%\greencobalt\appwiz.cpl
- from %WINDIR%\syswow64\config\systemprofile\appdata\roaming\greencobalt\is-kpegng3wqq.tmp to %WINDIR%\syswow64\config\systemprofile\appdata\roaming\greencobalt\fondue.exe
- from %APPDATA%\greencobalt\is-xp1mfx8jcy.tmp to %APPDATA%\greencobalt\fondue.exe
- from %WINDIR%\syswow64\config\systemprofile\appdata\roaming\greencobalt\is-21jsrivyb4.tmp to %WINDIR%\syswow64\config\systemprofile\appdata\roaming\greencobalt\jdvndqvoydutq.nxptqq
- from %APPDATA%\greencobalt\is-l4izj61tli.tmp to %APPDATA%\greencobalt\jdvndqvoydutq.nxptqq
- from %WINDIR%\syswow64\config\systemprofile\appdata\roaming\greencobalt\is-avbri7lr3s.tmp to %WINDIR%\syswow64\config\systemprofile\appdata\roaming\greencobalt\vulkan-1.dll
- from %APPDATA%\greencobalt\is-54ymr8e7vd.tmp to %APPDATA%\greencobalt\vulkan-1.dll
- from %WINDIR%\temp\is-kv7gogxa85.tmp\is-y72xqfku00.tmp to %WINDIR%\temp\is-kv7gogxa85.tmp\ycylm2uw6p.lgi
- from %TEMP%\is-g9bjlx316x.tmp\is-7ti8d5bk2n.tmp to %TEMP%\is-g9bjlx316x.tmp\ycylm2uw6p.lgi
- from %WINDIR%\temp\is-kv7gogxa85.tmp\is-656yi21qx5.tmp to %WINDIR%\temp\is-kv7gogxa85.tmp\8aibbloy18.byv
- from %TEMP%\is-g9bjlx316x.tmp\is-kfi3o7urci.tmp to %TEMP%\is-g9bjlx316x.tmp\8aibbloy18.byv
- from %WINDIR%\temp\is-kv7gogxa85.tmp\is-uv8nzzdhes.tmp to %WINDIR%\temp\is-kv7gogxa85.tmp\bbvdntgo3z.cri
- from %TEMP%\is-g9bjlx316x.tmp\is-nzb7cl8jka.tmp to %TEMP%\is-g9bjlx316x.tmp\bbvdntgo3z.cri
- from %WINDIR%\temp\is-kv7gogxa85.tmp\is-zkbbutq2ox.tmp to %WINDIR%\temp\is-kv7gogxa85.tmp\6ssserra67.xcd
- from %TEMP%\is-g9bjlx316x.tmp\is-3ljxlbts15.tmp to %TEMP%\is-g9bjlx316x.tmp\6ssserra67.xcd
- from %WINDIR%\temp\is-kv7gogxa85.tmp\is-5h7sl898tg.tmp to %WINDIR%\temp\is-kv7gogxa85.tmp\i0b0ubenyc.pfc
- from %TEMP%\is-g9bjlx316x.tmp\is-2au8zvqqiy.tmp to %TEMP%\is-g9bjlx316x.tmp\i0b0ubenyc.pfc
- from %WINDIR%\temp\is-kv7gogxa85.tmp\is-g70b6obfok.tmp to %WINDIR%\temp\is-kv7gogxa85.tmp\3zrmqrb44s.mbd
- from %TEMP%\is-g9bjlx316x.tmp\is-4ofyl5jdtb.tmp to %TEMP%\is-g9bjlx316x.tmp\3zrmqrb44s.mbd
- from %WINDIR%\temp\is-kv7gogxa85.tmp\is-4qru3rp60m.tmp to %WINDIR%\temp\is-kv7gogxa85.tmp\jswxlsv756.aek
- from %TEMP%\is-g9bjlx316x.tmp\is-emoanrwn7e.tmp to %TEMP%\is-g9bjlx316x.tmp\jswxlsv756.aek
- from %WINDIR%\temp\is-kv7gogxa85.tmp\is-06z5229xly.tmp to %WINDIR%\temp\is-kv7gogxa85.tmp\n5qkqf5os6.fey
- from %TEMP%\is-g9bjlx316x.tmp\is-yo9pl7vi8g.tmp to %TEMP%\is-g9bjlx316x.tmp\n5qkqf5os6.fey
- from %WINDIR%\temp\is-kv7gogxa85.tmp\is-tjgfer1bls.tmp to %WINDIR%\temp\is-kv7gogxa85.tmp\360base64.dll
- from %TEMP%\is-g9bjlx316x.tmp\is-n009akr3vz.tmp to %TEMP%\is-g9bjlx316x.tmp\360base64.dll
- from %WINDIR%\temp\is-kv7gogxa85.tmp\is-pv4v4f0ktk.tmp to %WINDIR%\temp\is-kv7gogxa85.tmp\360base.dll
- from %TEMP%\is-g9bjlx316x.tmp\is-h6d3d9y41l.tmp to %TEMP%\is-g9bjlx316x.tmp\360base.dll
Network activity
Connects to
- '19#.#29.116.233':443
- 'localhost':80
TCP
Other
- '19#.#29.116.233':443
Miscellaneous
Creates and executes the following
- '%APPDATA%\.mnngpyrb\iue8emxxn5.exe'
- '%WINDIR%\temp\is-j3oifetp59.tmp\iue8emxxn5.tmp' /SL5="$90038,8107679,836096,%APPDATA%\.mnngpyrb\iue8emxxn5.exe"
- '%TEMP%\is-aixs5bdg38.tmp\iue8emxxn5.tmp' /SL5="$90028,8107679,836096,%APPDATA%\.mnngpyrb\iue8emxxn5.exe"
- '%WINDIR%\syswow64\config\systemprofile\appdata\roaming\greencobalt\fondue.exe' /DoScan
- '%APPDATA%\greencobalt\fondue.exe' /DoScan
- '<SYSTEM32>\cscript.exe' //nologo %TEMP%\dk0zwg5v.vbs
- '%TEMP%\093sax7wbrnt\output_86_2026.04.10_18.04.08_setup.exe'
- '%TEMP%\is-ap9m1r0gjx.tmp\output_86_2026.04.10_18.04.08_setup.tmp' /SL5="$E01D0,8107679,836096,%TEMP%\093sax7wbrnt\output_86_2026.04.10_18.04.08_SETUP.exe"
- '%TEMP%\is-5z0x7oe0w6.tmp\iue8emxxn5.tmp' /SL5="$30344,8107679,836096,%APPDATA%\.mnngpyrb\iue8emxxn5.exe"
Executes the following
- '<SYSTEM32>\schtasks.exe' /create /tn Windowspiizsj_Logon /tr %APPDATA%\.mnngpyrb\iue8emxxn5.exe /sc ONLOGON /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn Windowspiizsj_Check /tr %APPDATA%\.mnngpyrb\iue8emxxn5.exe /sc MINUTE /mo 1 /f
- '<SYSTEM32>\sc.exe' create Windowspiizsj binPath= %APPDATA%\.mnngpyrb\iue8emxxn5.exe start= auto
- '<SYSTEM32>\sc.exe' start Windowspiizsj
- '%WINDIR%\syswow64\regsvr32.exe' /u %APPDATA%\GreenCobalt\APPWIZ.CPL /safeinit
- '<SYSTEM32>\cmd.exe' /c start "" %TEMP%\093sax7wbrnt\6套公寓.pptx
- '%ProgramFiles(x86)%\microsoft office\office16\powerpnt.exe' "%TEMP%\093sax7wbrnt\6套公寓.pptx" /ou ""
- '%WINDIR%\syswow64\tracerpt.exe'
- '%WINDIR%\syswow64\svchost.exe'
- '<SYSTEM32>\schtasks.exe' /create /tn Windowspiizsj_Logon /tr %APPDATA%\.mnngpyrb\iue8emxxn5.exe /sc ONLOGON /rl HIGHEST /f' (with hidden window)
- '<SYSTEM32>\schtasks.exe' /create /tn Windowspiizsj_Check /tr %APPDATA%\.mnngpyrb\iue8emxxn5.exe /sc MINUTE /mo 1 /f' (with hidden window)
- '<SYSTEM32>\sc.exe' create Windowspiizsj binPath= %APPDATA%\.mnngpyrb\iue8emxxn5.exe start= auto' (with hidden window)
- '<SYSTEM32>\sc.exe' start Windowspiizsj' (with hidden window)
- '%WINDIR%\syswow64\config\systemprofile\appdata\roaming\greencobalt\fondue.exe' /DoScan' (with hidden window)
- '%APPDATA%\greencobalt\fondue.exe' /DoScan' (with hidden window)
- '<SYSTEM32>\cscript.exe' //nologo %TEMP%\dk0zwg5v.vbs' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c start "" %TEMP%\093sax7wbrnt\6套公寓.pptx' (with hidden window)
- '%WINDIR%\syswow64\tracerpt.exe' ' (with hidden window)
- '%WINDIR%\syswow64\svchost.exe' ' (with hidden window)