bc704212e1f9c40781d39d0a9e2ebc5a261ae228d3b3d8705e170d65b69daba2

Analysis

max time kernel
106s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2023, 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d3f622b8952892016c0b582c33687d8_JC.exe
Size

704KB
MD5

8d3f622b8952892016c0b582c33687d8
SHA1

9d1e76efcb39695a5ee663e69e567848a719176d
SHA256

bc704212e1f9c40781d39d0a9e2ebc5a261ae228d3b3d8705e170d65b69daba2
SHA512

53c7c8b96a3756f0c94558cbf6dc0cf80438f20275a31db349a2bddab660f453c80b767f8d24ef2128bfedc68401c2963dbbade6c45c5bf945bdfa92647d0873
SSDEEP

12288:VXgvmzFHi0mo5aH0qMzd5807FyPJQPDHvd:VXgvOHi0mGaH0qSdPFM4V

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	8d3f622b8952892016c0b582c33687d8_JC.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8d3f622b8952892016c0b582c33687d8_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pnzdjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pnzdjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	pnzdjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	pnzdjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	pnzdjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8d3f622b8952892016c0b582c33687d8_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	8d3f622b8952892016c0b582c33687d8_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8d3f622b8952892016c0b582c33687d8_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	pnzdjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	pnzdjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	pnzdjq.exe

Adds policy Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wdylaqbveeqxfhc = "irodumzvgiwfptqiq.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wdylaqbveeqxfhc = "pbbtniyxlqhtgnnitrdd.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\txpzlygxdajn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erslgcttiogthpqmyxkle.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wdylaqbveeqxfhc = "rbzphaolxapzkpngpl.exe"	pnzdjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	8d3f622b8952892016c0b582c33687d8_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\txpzlygxdajn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erslgcttiogthpqmyxkle.exe"	pnzdjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wdylaqbveeqxfhc = "cnmdwqfdqukvhnmgqny.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\txpzlygxdajn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irodumzvgiwfptqiq.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wdylaqbveeqxfhc = "erslgcttiogthpqmyxkle.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\txpzlygxdajn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnmdwqfdqukvhnmgqny.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\txpzlygxdajn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbbtniyxlqhtgnnitrdd.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wdylaqbveeqxfhc = "rbzphaolxapzkpngpl.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\txpzlygxdajn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbbtniyxlqhtgnnitrdd.exe"	8d3f622b8952892016c0b582c33687d8_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\txpzlygxdajn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbzphaolxapzkpngpl.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wdylaqbveeqxfhc = "irodumzvgiwfptqiq.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wdylaqbveeqxfhc = "irodumzvgiwfptqiq.exe"	8d3f622b8952892016c0b582c33687d8_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\txpzlygxdajn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbzphaolxapzkpngpl.exe"	8d3f622b8952892016c0b582c33687d8_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\txpzlygxdajn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irodumzvgiwfptqiq.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wdylaqbveeqxfhc = "pbbtniyxlqhtgnnitrdd.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\txpzlygxdajn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbbtniyxlqhtgnnitrdd.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\txpzlygxdajn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbzphaolxapzkpngpl.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wdylaqbveeqxfhc = "pbbtniyxlqhtgnnitrdd.exe"	8d3f622b8952892016c0b582c33687d8_JC.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	pnzdjq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	pnzdjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	pnzdjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	pnzdjq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	8d3f622b8952892016c0b582c33687d8_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	8d3f622b8952892016c0b582c33687d8_JC.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	8d3f622b8952892016c0b582c33687d8_JC.exe

Executes dropped EXE 2 IoCs

pid	Process
4628	pnzdjq.exe
3424	pnzdjq.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbzphaolxapzkpngpl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbbtniyxlqhtgnnitrdd.exe ."	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxqbocldkisxd = "irodumzvgiwfptqiq.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bjftjamhrsfnwzvm = "irodumzvgiwfptqiq.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cnmdwqfdqukvhnmgqny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnmdwqfdqukvhnmgqny.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tztftisltsdjqr = "cnmdwqfdqukvhnmgqny.exe ."	pnzdjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\irodumzvgiwfptqiq = "irodumzvgiwfptqiq.exe ."	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbzphaolxapzkpngpl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnmdwqfdqukvhnmgqny.exe ."	pnzdjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tztftisltsdjqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbzphaolxapzkpngpl.exe ."	8d3f622b8952892016c0b582c33687d8_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bjftjamhrsfnwzvm = "cnmdwqfdqukvhnmgqny.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbzphaolxapzkpngpl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erslgcttiogthpqmyxkle.exe ."	8d3f622b8952892016c0b582c33687d8_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxqbocldkisxd = "cnmdwqfdqukvhnmgqny.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxqbocldkisxd = "bjftjamhrsfnwzvm.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxqbocldkisxd = "rbzphaolxapzkpngpl.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxqbocldkisxd = "cnmdwqfdqukvhnmgqny.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sxqbocldkisxd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbbtniyxlqhtgnnitrdd.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bjftjamhrsfnwzvm = "rbzphaolxapzkpngpl.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbzphaolxapzkpngpl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bjftjamhrsfnwzvm.exe ."	pnzdjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tztftisltsdjqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irodumzvgiwfptqiq.exe ."	pnzdjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sxqbocldkisxd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnmdwqfdqukvhnmgqny.exe"	8d3f622b8952892016c0b582c33687d8_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxqbocldkisxd = "pbbtniyxlqhtgnnitrdd.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\irodumzvgiwfptqiq = "erslgcttiogthpqmyxkle.exe ."	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbzphaolxapzkpngpl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbzphaolxapzkpngpl.exe ."	pnzdjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sxqbocldkisxd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irodumzvgiwfptqiq.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sxqbocldkisxd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bjftjamhrsfnwzvm.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sxqbocldkisxd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irodumzvgiwfptqiq.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tztftisltsdjqr = "cnmdwqfdqukvhnmgqny.exe ."	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cnmdwqfdqukvhnmgqny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbzphaolxapzkpngpl.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\irodumzvgiwfptqiq = "cnmdwqfdqukvhnmgqny.exe ."	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxqbocldkisxd = "rbzphaolxapzkpngpl.exe"	8d3f622b8952892016c0b582c33687d8_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tztftisltsdjqr = "irodumzvgiwfptqiq.exe ."	pnzdjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\irodumzvgiwfptqiq = "erslgcttiogthpqmyxkle.exe ."	8d3f622b8952892016c0b582c33687d8_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tztftisltsdjqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erslgcttiogthpqmyxkle.exe ."	8d3f622b8952892016c0b582c33687d8_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tztftisltsdjqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erslgcttiogthpqmyxkle.exe ."	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbzphaolxapzkpngpl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irodumzvgiwfptqiq.exe ."	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cnmdwqfdqukvhnmgqny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbbtniyxlqhtgnnitrdd.exe"	8d3f622b8952892016c0b582c33687d8_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bjftjamhrsfnwzvm = "erslgcttiogthpqmyxkle.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbzphaolxapzkpngpl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erslgcttiogthpqmyxkle.exe ."	pnzdjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sxqbocldkisxd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbzphaolxapzkpngpl.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tztftisltsdjqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erslgcttiogthpqmyxkle.exe ."	pnzdjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\irodumzvgiwfptqiq = "bjftjamhrsfnwzvm.exe ."	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tztftisltsdjqr = "rbzphaolxapzkpngpl.exe ."	pnzdjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tztftisltsdjqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbzphaolxapzkpngpl.exe ."	pnzdjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\irodumzvgiwfptqiq = "rbzphaolxapzkpngpl.exe ."	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cnmdwqfdqukvhnmgqny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erslgcttiogthpqmyxkle.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cnmdwqfdqukvhnmgqny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irodumzvgiwfptqiq.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cnmdwqfdqukvhnmgqny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erslgcttiogthpqmyxkle.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\irodumzvgiwfptqiq = "pbbtniyxlqhtgnnitrdd.exe ."	pnzdjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tztftisltsdjqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnmdwqfdqukvhnmgqny.exe ."	pnzdjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tztftisltsdjqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bjftjamhrsfnwzvm.exe ."	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tztftisltsdjqr = "bjftjamhrsfnwzvm.exe ."	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cnmdwqfdqukvhnmgqny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbzphaolxapzkpngpl.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cnmdwqfdqukvhnmgqny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irodumzvgiwfptqiq.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tztftisltsdjqr = "erslgcttiogthpqmyxkle.exe ."	pnzdjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bjftjamhrsfnwzvm = "irodumzvgiwfptqiq.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\irodumzvgiwfptqiq = "irodumzvgiwfptqiq.exe ."	pnzdjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sxqbocldkisxd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bjftjamhrsfnwzvm.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cnmdwqfdqukvhnmgqny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbbtniyxlqhtgnnitrdd.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tztftisltsdjqr = "pbbtniyxlqhtgnnitrdd.exe ."	pnzdjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bjftjamhrsfnwzvm = "bjftjamhrsfnwzvm.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sxqbocldkisxd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erslgcttiogthpqmyxkle.exe"	pnzdjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tztftisltsdjqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbzphaolxapzkpngpl.exe ."	pnzdjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tztftisltsdjqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbbtniyxlqhtgnnitrdd.exe ."	pnzdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tztftisltsdjqr = "erslgcttiogthpqmyxkle.exe ."	8d3f622b8952892016c0b582c33687d8_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bjftjamhrsfnwzvm = "irodumzvgiwfptqiq.exe"	8d3f622b8952892016c0b582c33687d8_JC.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8d3f622b8952892016c0b582c33687d8_JC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8d3f622b8952892016c0b582c33687d8_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pnzdjq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	pnzdjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pnzdjq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	pnzdjq.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
53	whatismyip.everdot.org
65	whatismyip.everdot.org
70	whatismyip.everdot.org
44	www.showmyipaddress.com
47	whatismyipaddress.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wdylaqbveeqxfhcsyrytgvlwqzzlsacxntmto.qgr	pnzdjq.exe
File opened for modification	C:\Windows\SysWOW64\vrbdhmmvtijfctdidlhrtxcclj.zvs	pnzdjq.exe
File created	C:\Windows\SysWOW64\vrbdhmmvtijfctdidlhrtxcclj.zvs	pnzdjq.exe
File opened for modification	C:\Windows\SysWOW64\wdylaqbveeqxfhcsyrytgvlwqzzlsacxntmto.qgr	pnzdjq.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\vrbdhmmvtijfctdidlhrtxcclj.zvs	pnzdjq.exe
File created	C:\Program Files (x86)\vrbdhmmvtijfctdidlhrtxcclj.zvs	pnzdjq.exe
File opened for modification	C:\Program Files (x86)\wdylaqbveeqxfhcsyrytgvlwqzzlsacxntmto.qgr	pnzdjq.exe
File created	C:\Program Files (x86)\wdylaqbveeqxfhcsyrytgvlwqzzlsacxntmto.qgr	pnzdjq.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\wdylaqbveeqxfhcsyrytgvlwqzzlsacxntmto.qgr	pnzdjq.exe
File opened for modification	C:\Windows\vrbdhmmvtijfctdidlhrtxcclj.zvs	pnzdjq.exe
File created	C:\Windows\vrbdhmmvtijfctdidlhrtxcclj.zvs	pnzdjq.exe
File opened for modification	C:\Windows\wdylaqbveeqxfhcsyrytgvlwqzzlsacxntmto.qgr	pnzdjq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings	8d3f622b8952892016c0b582c33687d8_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings	pnzdjq.exe
Key created	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings	pnzdjq.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3424	pnzdjq.exe
3424	pnzdjq.exe
3424	pnzdjq.exe
3424	pnzdjq.exe
3424	pnzdjq.exe
3424	pnzdjq.exe
3424	pnzdjq.exe
3424	pnzdjq.exe
3424	pnzdjq.exe
3424	pnzdjq.exe
3424	pnzdjq.exe
3424	pnzdjq.exe
3424	pnzdjq.exe
3424	pnzdjq.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3424	pnzdjq.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 4628	2236	8d3f622b8952892016c0b582c33687d8_JC.exe	88
PID 2236 wrote to memory of 4628	2236	8d3f622b8952892016c0b582c33687d8_JC.exe	88
PID 2236 wrote to memory of 4628	2236	8d3f622b8952892016c0b582c33687d8_JC.exe	88
PID 2236 wrote to memory of 3424	2236	8d3f622b8952892016c0b582c33687d8_JC.exe	89
PID 2236 wrote to memory of 3424	2236	8d3f622b8952892016c0b582c33687d8_JC.exe	89
PID 2236 wrote to memory of 3424	2236	8d3f622b8952892016c0b582c33687d8_JC.exe	89

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8d3f622b8952892016c0b582c33687d8_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	8d3f622b8952892016c0b582c33687d8_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	pnzdjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	pnzdjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	pnzdjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	pnzdjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	8d3f622b8952892016c0b582c33687d8_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8d3f622b8952892016c0b582c33687d8_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	pnzdjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pnzdjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	pnzdjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	8d3f622b8952892016c0b582c33687d8_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	pnzdjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	pnzdjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	pnzdjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	pnzdjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	pnzdjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	8d3f622b8952892016c0b582c33687d8_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pnzdjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	pnzdjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	pnzdjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	pnzdjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	8d3f622b8952892016c0b582c33687d8_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	pnzdjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	pnzdjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	pnzdjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	pnzdjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	pnzdjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	pnzdjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	pnzdjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	pnzdjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	8d3f622b8952892016c0b582c33687d8_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	8d3f622b8952892016c0b582c33687d8_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8d3f622b8952892016c0b582c33687d8_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	8d3f622b8952892016c0b582c33687d8_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	pnzdjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	8d3f622b8952892016c0b582c33687d8_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	8d3f622b8952892016c0b582c33687d8_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	pnzdjq.exe

C:\Users\Admin\AppData\Local\Temp\8d3f622b8952892016c0b582c33687d8_JC.exe
"C:\Users\Admin\AppData\Local\Temp\8d3f622b8952892016c0b582c33687d8_JC.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2236
- C:\Users\Admin\AppData\Local\Temp\pnzdjq.exe
  "C:\Users\Admin\AppData\Local\Temp\pnzdjq.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Modifies registry class
  - System policy modification
  PID:4628
- C:\Users\Admin\AppData\Local\Temp\pnzdjq.exe
  "C:\Users\Admin\AppData\Local\Temp\pnzdjq.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:3424

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\vrbdhmmvtijfctdidlhrtxcclj.zvs

Filesize
280B

MD5
5cd55e3bbbcaaf1f7321904348b19d9d

SHA1
c02679dcb48cde86ed3b6e5d183371f845e690bf

SHA256
7e10b17b9cb59cb581bce264b9f97d9cb3ed61d46b05298bf2a3605ab82e91cb

SHA512
97fa13c2f6325836f88ffdc648e9ca07317e29e104ebf0b0a3158ddd385a4287166196dc41610fa60c8ef65b31466f2fa7449108bd0c4c80e86dcf5965251d70

Download Submit
C:\Program Files (x86)\vrbdhmmvtijfctdidlhrtxcclj.zvs

Filesize
280B

MD5
2da65535afc1db291cc12a27484f1f45

SHA1
611a9c6a32f2ebf1a923b6e6ce1aac0df70d4c48

SHA256
371ac592f2ccb5d3ec6972ad5c660ef8d21ec06f3bfb787532c25a48fbc744ca

SHA512
b1e80ff96d1f306ca8065cd1e42aeea4952b2e90f707a1dfa265eb6f09b088575fe91d52f7be111cd8a1f189d3dc1ac057e17c3685e43d235c5efa1998cbc6c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pnzdjq.exe

Filesize
1.3MB

MD5
bbcf4f0c4be88fdcb469ee572015dc3e

SHA1
f79c15e62030eee614e13c1a4d37739d0bc5d9df

SHA256
bc5f64dbbce975204642c5c0ac860b6212686867f0e081ba3f3b48cfb5475597

SHA512
b9a601a55f85f15f863eafe409d05c9aad68c280dac98e5bddfbef8e1e1b02255a2ff591ba0d7386d00b3b87001c6ee0de6dae57232818162f723889fbdd6bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\pnzdjq.exe

Filesize
1.3MB

MD5
bbcf4f0c4be88fdcb469ee572015dc3e

SHA1
f79c15e62030eee614e13c1a4d37739d0bc5d9df

SHA256
bc5f64dbbce975204642c5c0ac860b6212686867f0e081ba3f3b48cfb5475597

SHA512
b9a601a55f85f15f863eafe409d05c9aad68c280dac98e5bddfbef8e1e1b02255a2ff591ba0d7386d00b3b87001c6ee0de6dae57232818162f723889fbdd6bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\pnzdjq.exe

Filesize
1.3MB

MD5
bbcf4f0c4be88fdcb469ee572015dc3e

SHA1
f79c15e62030eee614e13c1a4d37739d0bc5d9df

SHA256
bc5f64dbbce975204642c5c0ac860b6212686867f0e081ba3f3b48cfb5475597

SHA512
b9a601a55f85f15f863eafe409d05c9aad68c280dac98e5bddfbef8e1e1b02255a2ff591ba0d7386d00b3b87001c6ee0de6dae57232818162f723889fbdd6bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\pnzdjq.exe

Filesize
1.3MB

MD5
bbcf4f0c4be88fdcb469ee572015dc3e

SHA1
f79c15e62030eee614e13c1a4d37739d0bc5d9df

SHA256
bc5f64dbbce975204642c5c0ac860b6212686867f0e081ba3f3b48cfb5475597

SHA512
b9a601a55f85f15f863eafe409d05c9aad68c280dac98e5bddfbef8e1e1b02255a2ff591ba0d7386d00b3b87001c6ee0de6dae57232818162f723889fbdd6bce

Download Submit
C:\Users\Admin\AppData\Local\vrbdhmmvtijfctdidlhrtxcclj.zvs

Filesize
280B

MD5
81e128e19c3afc26bc43baf9e5b89e7b

SHA1
d9ab0c53d8f93ac595937d5e8e6f8c23c7c0ead3

SHA256
0ef7e74323074a51510278b24c78e4b2c3175591e0ba7b0266f59cbe31fee57d

SHA512
04c2f8c83ff240afb858974143a2a14df03f5508625035f75363bcebf48734fc6791aba5956dc63409fef81247f9dd3a136fbada4009218f799651b8bfd03461

Download Submit
C:\Users\Admin\AppData\Local\wdylaqbveeqxfhcsyrytgvlwqzzlsacxntmto.qgr

Filesize
4KB

MD5
7437112f20b3a25322ee0b5ded8cb853

SHA1
06396afb82df8319f2c6fcebfedbec476a3cde00

SHA256
8fa70e4bf4d4be3c031073790a9f39e93503faa178893e11176a1d3952f805a3

SHA512
8e57466809b34abf5d5355480302705e6eb27db82e7af6dc39d24e5af49c098c8c4604dba26cc3fa441a53e35144f8444ecb29d31f1fe7af8e83d35aec0725c8

Download Submit