hxxps://www[.]dropbox[.]com/s/zj7cz5633tszjk3/Zafiro%20EA%20MFF%20v1[.]13%20%2B%20Zafiro%20EA%20FTMO%20v1[.]13[.]zip?dl=0

max time kernel
276s
max time network
277s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
08-06-2023 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.dropbox.com/s/zj7cz5633tszjk3/Zafiro%20EA%20MFF%20v1.13%20%2B%20Zafiro%20EA%20FTMO%20v1.13.zip?dl=0

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133306899410693794"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings	chrome.exe

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
3440	NOTEPAD.EXE
524	NOTEPAD.EXE
2704	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4188	chrome.exe
4188	chrome.exe
2580	chrome.exe
2580	chrome.exe
4188	chrome.exe
4188	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
3440	NOTEPAD.EXE
2704	NOTEPAD.EXE

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4188 wrote to memory of 4004	4188	chrome.exe	66
PID 4188 wrote to memory of 4004	4188	chrome.exe	66
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4968	4188	chrome.exe	69
PID 4188 wrote to memory of 4404	4188	chrome.exe	68
PID 4188 wrote to memory of 4404	4188	chrome.exe	68
PID 4188 wrote to memory of 3704	4188	chrome.exe	70
PID 4188 wrote to memory of 3704	4188	chrome.exe	70
PID 4188 wrote to memory of 3704	4188	chrome.exe	70
PID 4188 wrote to memory of 3704	4188	chrome.exe	70
PID 4188 wrote to memory of 3704	4188	chrome.exe	70
PID 4188 wrote to memory of 3704	4188	chrome.exe	70
PID 4188 wrote to memory of 3704	4188	chrome.exe	70
PID 4188 wrote to memory of 3704	4188	chrome.exe	70
PID 4188 wrote to memory of 3704	4188	chrome.exe	70
PID 4188 wrote to memory of 3704	4188	chrome.exe	70
PID 4188 wrote to memory of 3704	4188	chrome.exe	70
PID 4188 wrote to memory of 3704	4188	chrome.exe	70
PID 4188 wrote to memory of 3704	4188	chrome.exe	70
PID 4188 wrote to memory of 3704	4188	chrome.exe	70
PID 4188 wrote to memory of 3704	4188	chrome.exe	70
PID 4188 wrote to memory of 3704	4188	chrome.exe	70
PID 4188 wrote to memory of 3704	4188	chrome.exe	70
PID 4188 wrote to memory of 3704	4188	chrome.exe	70
PID 4188 wrote to memory of 3704	4188	chrome.exe	70
PID 4188 wrote to memory of 3704	4188	chrome.exe	70
PID 4188 wrote to memory of 3704	4188	chrome.exe	70
PID 4188 wrote to memory of 3704	4188	chrome.exe	70

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://www.dropbox.com/s/zj7cz5633tszjk3/Zafiro%20EA%20MFF%20v1.13%20%2B%20Zafiro%20EA%20FTMO%20v1.13.zip?dl=0
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc89b09758,0x7ffc89b09768,0x7ffc89b09778
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1840 --field-trial-handle=1820,i,8318425675120614808,7973205450547688038,131072 /prefetch:8
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1820,i,8318425675120614808,7973205450547688038,131072 /prefetch:2
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1692 --field-trial-handle=1820,i,8318425675120614808,7973205450547688038,131072 /prefetch:8
  2⤵
  PID:3704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2956 --field-trial-handle=1820,i,8318425675120614808,7973205450547688038,131072 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2944 --field-trial-handle=1820,i,8318425675120614808,7973205450547688038,131072 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4352 --field-trial-handle=1820,i,8318425675120614808,7973205450547688038,131072 /prefetch:8
  2⤵
  PID:720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4356 --field-trial-handle=1820,i,8318425675120614808,7973205450547688038,131072 /prefetch:8
  2⤵
  PID:680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5068 --field-trial-handle=1820,i,8318425675120614808,7973205450547688038,131072 /prefetch:1
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5436 --field-trial-handle=1820,i,8318425675120614808,7973205450547688038,131072 /prefetch:1
  2⤵
  PID:32
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5884 --field-trial-handle=1820,i,8318425675120614808,7973205450547688038,131072 /prefetch:8
  2⤵
  PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1404 --field-trial-handle=1820,i,8318425675120614808,7973205450547688038,131072 /prefetch:8
  2⤵
  PID:4356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 --field-trial-handle=1820,i,8318425675120614808,7973205450547688038,131072 /prefetch:8
  2⤵
  PID:3960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6080 --field-trial-handle=1820,i,8318425675120614808,7973205450547688038,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1820,i,8318425675120614808,7973205450547688038,131072 /prefetch:8
  2⤵
  PID:3976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5944 --field-trial-handle=1820,i,8318425675120614808,7973205450547688038,131072 /prefetch:8
  2⤵
  PID:3344

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4484

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4984

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SplitWait.ini
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:3440

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\zalupa.bat"
1⤵
PID:3892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\zalupa.bat" "
1⤵
PID:1520

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\zalupa.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\zalupa.bat" "
1⤵
PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\zalupa.bat" "
1⤵
PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\zalupa.cmd" "
1⤵
PID:2976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\zalupa.cmd" "
1⤵
PID:2096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\zalupa.cmd" "
1⤵
PID:3352

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\zalupa.cmd
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:2704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\zalupa.cmd" "
1⤵
PID:5112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
150dbd11928843ca451b5a05e5913e68

SHA1
90ab35c8e12508300116ed1b6d038506dd54ae61

SHA256
ed771a7a4a705ca1dc2b2cac4313c517e67d27b3bb7902026ed66adb16d0c5d8

SHA512
9f6edb837c104effd88cee42dd39fb311f9ed0e3302209575b27bca9808920322b3531fb242644420af38904d6eedb61859cd6d988a97cac96f6c14bf453c3d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
298cca149e2a1880187818e88a7341f4

SHA1
4ab513548591cae9bda7cf205e6ac1ae34826e53

SHA256
06e349469cd1d8617b094eabd160abbedf98360e4ce0cd75a81c0dabf01b7ae5

SHA512
5ed4730e6161e0e4e4831872ca457bceb3b6fa65ed9983277c4da9699a6c771bff9dc2f1294924b43e83ddf6db84ac42e8c8dd9dbf5555d7ca5533a2282a63a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
366f3a6a857645161995164703c54d62

SHA1
69f2c9033174bddabe8d9152898237b0f1d56ba8

SHA256
5cc3c01aab4b87481d9d91ba4a4ec81132ca556c145c98dae2da144940a8a708

SHA512
3077b063483e46d03179af0f591438e40305a66ae0c70d2ef36e6d101c5920df995696a43160af178bdaadf6f143d8a10f428f09b7592deae9b970e0146d9832

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2f87a9fccf91994613c4a30843129e46

SHA1
144730f3219f3e67dd8c870c53f0dd56e775c91e

SHA256
2c9a8d285cb03af3e28402b2c50d13dbc7960a9929eb4e89c8cdd560d98f92b4

SHA512
bcb7ba67ce0e4c95287ee07119c04111de814dd091851d85c7c3b90ac76e4f70700b4e8e6dd1a6bf58ae4048b2b63fe4ea96a37e14295aead419edef79d638b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
afb01201c847bd208c8b91305b1dde19

SHA1
bb1dafb6b472c3faa28723d0f3cba35600f77a1c

SHA256
d3534640d77790d3de712864ead814bef36900041cd0aa7220fe17fd5c717e95

SHA512
da02041579a1dfc269821a4bcd2c7dd05b585be8f2cbaa62e1cc71f71e4da847f4a3c7a5d423eeae94d66de43d9cf9cd9b577d3630065fcc6c3bbe2bd155a53a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4e46b8e4efa785f14187f3dd4ed6f600

SHA1
997d7e84a93b555398e96996ed8cd7dcb8eb8370

SHA256
28c83ed09716c28618c7267e67482ef19cc977ab457a2e3d80a1d20dcf947745

SHA512
1f47aeeb128285afd7f1fc6cbd4965fcdbb3c16df8b4e7556ad1e9d771c2ee9e1bd6828a9e7ab5f8cd692480cef2d3377e4340a411fde4c00d046161b710a4ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
54586a45868bc997923f934a85f0c6ad

SHA1
10b81e92a06c9bfdfa96b64e642b99dd223b0760

SHA256
643c5b48bc3c03afbb68ff3df65388041704431c89bf37dabb40693fd5a7aaa1

SHA512
e4ae999eaa1ecf047df3e0b0a46d7f22cd6898dc31d399ca938c9ea58571af7024676317ae360455f048b8c41ed37def81aa71b1af88cb8979cf98ac2809ee31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6a6c76680483f11bf94df3ea8beda44d

SHA1
ae21f8146f33340883d5883f72b44eb69dc065be

SHA256
529eb9004a2cf08f4e68609e353b8e872fe6e5f806b7ea396ad79ce48df4d79b

SHA512
3f00dd579a56e59a9b49782c8c85a3e83a20296d7076c2511a84906a625d8d108de5520cfc19f6531981e74ae865d1c06a63c18255f50ecf0f559735f0f5f3f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
aff6561309bb9d25f8f57d55ba53c54e

SHA1
b93103d27e13a729d4d887b943d65d6e480728d1

SHA256
c98214a5e5e3d4f6aae947e43678acd77b87b7777976ae78d9f954e96e3a87a3

SHA512
6e55cde9d1454c92d6f8d59075e047e7565da9c4764fbc1fc4d6290f29cae274e55e9ac3c5e045c77314728dcc90bb621e9c92f9a0b88ab0de8d341f2da788b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2cfffed763a616258869e953f18d0710

SHA1
c87f10474a505717aba8e22db852cb7783b76af3

SHA256
7ec45b5b4fec4ca439790719104b97fdd24552cce698975b1a46edfc05f83ad6

SHA512
1de70c8c5319afdad837d08d7bb8e82551422283b8503838ce4d3c2cb5e165941c17d50a2dfa811b3222f3679a144fca89c4260a9c4466f5a08d1d00a594b643

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
88ae6067c4e00801d2c475280d3d03f6

SHA1
b41c0cbfffb1b4cd835f04befc1ab5f2da1ec959

SHA256
3d144dd1fd6897aa6c9fb20d502ca22f408a8f45ab50735c4617f908af6dd816

SHA512
cc4780176d867b5f998f39ffa30084f889b6b1fcceea9014f0bf375782acd4e02cd663c903f3deae993e2f573fbe032dd16111d5a724b670d609decaef50cb7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
16d80743a9f7fc4f53566b82d5d05b86

SHA1
9796891ead9481f3363c71714dc15165c42e185b

SHA256
3ae5e9b52dcb08dc6955772d09053d3f1b9405fd40c27d783a1a7a3413c314ac

SHA512
b7e33b5f4d567fcf26005678def812c7cbcbdf75748c36648255c05236617098903aa8867258db7d820039ec637ddb3d21b57681bec7196afb8a5790d00ac02a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ed1175d9ba7db203a8bcb2e8b263152d

SHA1
b6f101d94728d3146ca71558047c60e2c4590f0d

SHA256
e3bfde1f4a9fc9cd03a0b9fb8262c1d70a59a1d3f32ca56fc1eba03b242c3fcc

SHA512
e4aabd28ae0351be76bb09068eae0cbd8394299dbe4107e336567bdf73da8ef2c8073df80f18f65275a7cb8514baadcc509c9c3aa28e37969d8eac0204c64aea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
91e90e2cb205be0f564803b820e91b15

SHA1
bdd61f9c3e33eb372528429c7390619bef7e67bf

SHA256
4521e817012f92b7c27a496ebedded458ade2b4f6d3e46abb561cc73eb36666b

SHA512
bcf7121060a283e29693822f214f8b21b5e60a93e1f4182658fcfb0d01efd6f9b1cc537085acd4d070bd72115cfad724e0d96087dd3cd20d18bc533c754d148d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
159KB

MD5
5f93e5f08dfe27419ac00c79629f82b1

SHA1
5a77c9ad30a50717f4c37a09e46ca5f282941fa9

SHA256
0941aa118bae4fdbfe3d1b04c5b6e414052f686b026775485a92bf4a5339fbd7

SHA512
fee5c9726e263f2382c0c7a0e0ffdc9bf2f7f1764435d141725aa69f685d2b89a477dd7b8d538905837151046ab79bf7da003f11ae880a31f697cbcb45c578dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
159KB

MD5
cb38926120484fdc95f3d99aca309db2

SHA1
7e6c1ed0aef12239e545802cac4d793725dc3897

SHA256
d0ecb6dec1870177bed787ac8e7e9d693879015a3dd4d5bfc875437cc99a309d

SHA512
8fa081b0ea18bd656fe8440ed8cefe13448c8707450268d386d13ca0a152663cac270fa515bf03de5db8bae75a52c479cdaf44b25d137f2449fa102e400ab704

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
159KB

MD5
bce885f610eefcd44bdd8a7fb1b53d03

SHA1
84b3ded4d6748fbc168307484b10e31d06afd912

SHA256
9b6c5bd82b7ce2a10e5417432eead5b6a1dce67ed2d51aa44a90366c04b9749c

SHA512
4e5f69632aeb17c525a23103cb32f8976a26ada4f1291f0fadbe9916746fe7929a06a060ff236e5a15ca7f0c2981d6cb0d9c94a745a13e02e24e03be27cfe4cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
72KB

MD5
ae63efb6659d4b6cc49abd9f0485d31a

SHA1
d1ba8c53869bbba6044ced4c6c39b64b73c27bc0

SHA256
d93cb812254212102d15df827bff9376431858c7f5cf258782fa973ba98c15ae

SHA512
58d6ac75ef8116344271a66bf4e8f744c214a1b5df9ff6ed33b8000cc107a29cc83ac056f73b0f94f97bb01fe758674d15242930dd6ba946a50a20f6152569fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Desktop\zalupa.bat

Filesize
302B

MD5
b97ace216a221211d8e65253712a6e67

SHA1
d5f2db44a2ceed1e322703defaa2d4c3651c804a

SHA256
d70bb42f6178df3ecc121a1098f7bc177572b79d51be59a56faceb9298c51ce9

SHA512
d3b7a89a72e7426b879b490ec6ce75c3fbe405ab81eac8109efb412c309a1777147a4b55b86e1b9cf5487f28a2ae96c79a0d69e03525fc41cb2c0098fa2191ab

Download Submit
C:\Users\Admin\Desktop\zalupa.bat

Filesize
162B

MD5
ad1389de3032a30b655126d137de8eb0

SHA1
7373ed163cd3212d18dee7156335662f1a561f90

SHA256
eb05bf18e98c896759b1177e5b4fc2be765f0fadfb81d50fb0615a976ad0861f

SHA512
2e584e09337bf8b0df6102a8948c548780e63ef6d53d330b57cb6910055b03738ab41668cb028e064db838e2ea46abdecda90fa57544e41d5161bd2009239bb4

Download Submit
C:\Users\Admin\Desktop\zalupa.cmd

Filesize
184B

MD5
611ff283faa9527f28bfaac48ef9db20

SHA1
46660aba343c41d31ad8c5f957bddee913b93e9a

SHA256
4e13646477c8097b0928c5db1322117541ba175523eb849abb87ff413d5606df

SHA512
e4076b09d64cdbb2fe0c7ebe1ce30c38627ffc6ddf4b8335193ca354a266719363a26e36f721ef2f639c3ecfb259a58ffdde960f8fa0ca95e0d69997c06024de

Download Submit
C:\Users\Admin\Downloads\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.zip.crdownload

Filesize
7.9MB

MD5
a0638548ba0b039ef86cab79b7d6a925

SHA1
e6b84bc5eaf1e7a505e2bd34536e3cd491422a15

SHA256
a063e4a346ef47f4c739515e005fe1bb2d3f887e093408775f0479c29c5bfbea

SHA512
e863f8b4a20e5cb7f91d33b41ca1356e2fcf3bca50b252a23902a208284b5c5c05e65b7f1977220766ae7440944f908b156f58edf4b6354ebffcb192fbee17e5

Download Submit