21c5b96d93c19d6d1717f1ff1080a09cf7f42d9615796fc4270ebc0ea436c4df

Analysis

max time kernel
202s
max time network
215s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 14:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

02a4f14d6664a7dcca9e7917d7c0fb72.exe
Size

484KB
MD5

02a4f14d6664a7dcca9e7917d7c0fb72
SHA1

2ca2c9ce27844e032c23d0199dd3cd19af56620e
SHA256

21c5b96d93c19d6d1717f1ff1080a09cf7f42d9615796fc4270ebc0ea436c4df
SHA512

5bf95fd34d565690916d996688c876bb3d7f9243c582686ab8b2aed0d9b67ec60a379dfaee0b65f4cb60be8d8272590241936d4580cfe4423ca0e170fa56bdcc
SSDEEP

6144:u1QMivgpQ25+yApTCg3cz6ufWeLuIrybTQg9o214QTB2I/51pftDKHpDbU69SWvh:OQMiG+2gef5x/xQTB2OfDKC7WgcOc

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	flvoztxypvf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	zcftx.exe

UAC bypass 3 TTPs 16 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	flvoztxypvf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	flvoztxypvf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	flvoztxypvf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	flvoztxypvf.exe

Adds policy Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xchxdjn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mcstkbqfepylccuvgo.exe"	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdsfgwfovf = "jbaxiibulfqfyauxkufx.exe"	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdsfgwfovf = "crnhpmcsgxfrhgxxh.exe"	zcftx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	flvoztxypvf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xchxdjn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wkyxmbobyhozomcb.exe"	flvoztxypvf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wemfoxelcf = "kcuxqjarsfqfyauxkugy.exe"	flvoztxypvf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xchxdjn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kcuxqjarsfqfyauxkugy.exe"	flvoztxypvf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdsfgwfovf = "wnlhrqiaqjthzatvhqa.exe"	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xchxdjn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xofhzrhxxjthzatvhqb.exe"	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xchxdjn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kcuxqjarsfqfyauxkugy.exe"	zcftx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wemfoxelcf = "dshhxnbpnxfrhgxxh.exe"	flvoztxypvf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wemfoxelcf = "kcuxqjarsfqfyauxkugy.exe"	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xchxdjn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kcuxqjarsfqfyauxkugy.exe"	zcftx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wbnxvio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jbaxiibulfqfyauxkufx.exe"	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xchxdjn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dshhxnbpnxfrhgxxh.exe"	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xchxdjn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dshhxnbpnxfrhgxxh.exe"	flvoztxypvf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xchxdjn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wkyxmbobyhozomcb.exe"	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wemfoxelcf = "xofhzrhxxjthzatvhqb.exe"	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wbnxvio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crnhpmcsgxfrhgxxh.exe"	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wemfoxelcf = "wkyxmbobyhozomcb.exe"	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wemfoxelcf = "zslpjdvnpdpfzcxbpangz.exe"	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wemfoxelcf = "wkyxmbobyhozomcb.exe"	flvoztxypvf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wemfoxelcf = "wkyxmbobyhozomcb.exe"	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xchxdjn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xofhzrhxxjthzatvhqb.exe"	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wbnxvio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wnlhrqiaqjthzatvhqa.exe"	zcftx.exe

Disables RegEdit via registry modification 8 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zcftx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zcftx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zcftx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	flvoztxypvf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	flvoztxypvf.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	02a4f14d6664a7dcca9e7917d7c0fb72.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	flvoztxypvf.exe

Executes dropped EXE 15 IoCs

pid	Process
636	flvoztxypvf.exe
576	zcftx.exe
2804	zcftx.exe
4544	zcftx.exe
3276	zcftx.exe
3016	zcftx.exe
3848	zcftx.exe
2220	zcftx.exe
4612	zcftx.exe
3564	zcftx.exe
2064	zcftx.exe
4236	zcftx.exe
3772	zcftx.exe
3920	zcftx.exe
2784	zcftx.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oyidozirkpsz = "mcstkbqfepylccuvgo.exe ."	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cjxjjygou = "crnhpmcsgxfrhgxxh.exe ."	zcftx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oyidozirkpsz = "zslpjdvnpdpfzcxbpangz.exe ."	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyjfrdnxrxbjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zslpjdvnpdpfzcxbpangz.exe ."	zcftx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dkrjrzflb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kcuxqjarsfqfyauxkugy.exe ."	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msypwdin = "kcuxqjarsfqfyauxkugy.exe"	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyjfrdnxrxbjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mcstkbqfepylccuvgo.exe ."	flvoztxypvf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oamjwjufahmvie = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zslpjdvnpdpfzcxbpangz.exe"	zcftx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rajdnxfnfjl = "zslpjdvnpdpfzcxbpangz.exe"	zcftx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dkrjrzflb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mcstkbqfepylccuvgo.exe ."	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyjfrdnxrxbjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dshhxnbpnxfrhgxxh.exe ."	flvoztxypvf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oamjwjufahmvie = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dshhxnbpnxfrhgxxh.exe"	flvoztxypvf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msypwdin = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xofhzrhxxjthzatvhqb.exe"	flvoztxypvf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dkrjrzflb = "xofhzrhxxjthzatvhqb.exe ."	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msypwdin = "xofhzrhxxjthzatvhqb.exe"	flvoztxypvf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cjxjjygou = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbytcarixpylccuvgo.exe ."	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lrepocjq = "lbytcarixpylccuvgo.exe"	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msypwdin = "kcuxqjarsfqfyauxkugy.exe"	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dkrjrzflb = "dshhxnbpnxfrhgxxh.exe ."	flvoztxypvf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msypwdin = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kcuxqjarsfqfyauxkugy.exe"	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cjxjjygou = "lbytcarixpylccuvgo.exe ."	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oamjwjufahmvie = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xofhzrhxxjthzatvhqb.exe"	flvoztxypvf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nzsjoivithmvie = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crnhpmcsgxfrhgxxh.exe"	zcftx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nxodgyjudpsz = "jbaxiibulfqfyauxkufx.exe ."	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oamjwjufahmvie = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mcstkbqfepylccuvgo.exe"	flvoztxypvf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msypwdin = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kcuxqjarsfqfyauxkugy.exe"	flvoztxypvf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msypwdin = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kcuxqjarsfqfyauxkugy.exe"	zcftx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msypwdin = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wkyxmbobyhozomcb.exe"	zcftx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dkrjrzflb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dshhxnbpnxfrhgxxh.exe ."	flvoztxypvf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mxpfjcoakxbjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wnlhrqiaqjthzatvhqa.exe ."	zcftx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oyidozirkpsz = "zslpjdvnpdpfzcxbpangz.exe ."	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dkrjrzflb = "zslpjdvnpdpfzcxbpangz.exe ."	zcftx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msypwdin = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wkyxmbobyhozomcb.exe"	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msypwdin = "wkyxmbobyhozomcb.exe"	flvoztxypvf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oamjwjufahmvie = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wkyxmbobyhozomcb.exe"	zcftx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cjxjjygou = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wnlhrqiaqjthzatvhqa.exe ."	zcftx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rajdnxfnfjl = "xofhzrhxxjthzatvhqb.exe"	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oamjwjufahmvie = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dshhxnbpnxfrhgxxh.exe"	zcftx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dkrjrzflb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kcuxqjarsfqfyauxkugy.exe ."	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oamjwjufahmvie = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mcstkbqfepylccuvgo.exe"	zcftx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msypwdin = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mcstkbqfepylccuvgo.exe"	flvoztxypvf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rajdnxfnfjl = "kcuxqjarsfqfyauxkugy.exe"	flvoztxypvf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lrepocjq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crnhpmcsgxfrhgxxh.exe"	zcftx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rajdnxfnfjl = "mcstkbqfepylccuvgo.exe"	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mxpfjcoakxbjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yrrpbcwqidpfzcxbpamff.exe ."	zcftx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lrepocjq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vjexeaperhozomcb.exe"	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oamjwjufahmvie = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kcuxqjarsfqfyauxkugy.exe"	flvoztxypvf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qzpdfwgqyjl = "wnlhrqiaqjthzatvhqa.exe"	zcftx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oyidozirkpsz = "mcstkbqfepylccuvgo.exe ."	zcftx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nxodgyjudpsz = "lbytcarixpylccuvgo.exe ."	zcftx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nxodgyjudpsz = "yrrpbcwqidpfzcxbpamff.exe ."	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msypwdin = "dshhxnbpnxfrhgxxh.exe"	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msypwdin = "mcstkbqfepylccuvgo.exe"	flvoztxypvf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyjfrdnxrxbjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xofhzrhxxjthzatvhqb.exe ."	flvoztxypvf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyjfrdnxrxbjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kcuxqjarsfqfyauxkugy.exe ."	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyjfrdnxrxbjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kcuxqjarsfqfyauxkugy.exe ."	zcftx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dkrjrzflb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wkyxmbobyhozomcb.exe ."	zcftx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dkrjrzflb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mcstkbqfepylccuvgo.exe ."	flvoztxypvf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nxodgyjudpsz = "wnlhrqiaqjthzatvhqa.exe ."	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dkrjrzflb = "dshhxnbpnxfrhgxxh.exe ."	zcftx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cjxjjygou = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crnhpmcsgxfrhgxxh.exe ."	zcftx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dkrjrzflb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wkyxmbobyhozomcb.exe ."	flvoztxypvf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oyidozirkpsz = "dshhxnbpnxfrhgxxh.exe ."	zcftx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oamjwjufahmvie = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xofhzrhxxjthzatvhqb.exe"	zcftx.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zcftx.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	flvoztxypvf.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	flvoztxypvf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zcftx.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zcftx.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	zcftx.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
119	whatismyip.everdot.org
105	whatismyip.everdot.org
106	whatismyipaddress.com
109	www.showmyipaddress.com

Drops file in System32 directory 46 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\qkejezslodqhcgchwiwqkp.exe	zcftx.exe
File created	C:\Windows\SysWOW64\kcuxqjarsfqfyauxkugy.exe	flvoztxypvf.exe
File created	C:\Windows\SysWOW64\zslpjdvnpdpfzcxbpangz.exe	flvoztxypvf.exe
File created	C:\Windows\SysWOW64\dshhxnbpnxfrhgxxh.exe	zcftx.exe
File opened for modification	C:\Windows\SysWOW64\kcuxqjarsfqfyauxkugy.exe	zcftx.exe
File created	C:\Windows\SysWOW64\mcstkbqfepylccuvgo.exe	zcftx.exe
File opened for modification	C:\Windows\SysWOW64\qkejezslodqhcgchwiwqkp.exe	zcftx.exe
File opened for modification	C:\Windows\SysWOW64\xofhzrhxxjthzatvhqb.exe	zcftx.exe
File opened for modification	C:\Windows\SysWOW64\dshhxnbpnxfrhgxxh.exe	flvoztxypvf.exe
File opened for modification	C:\Windows\SysWOW64\xofhzrhxxjthzatvhqb.exe	flvoztxypvf.exe
File opened for modification	C:\Windows\SysWOW64\qkejezslodqhcgchwiwqkp.exe	flvoztxypvf.exe
File created	C:\Windows\SysWOW64\qkejezslodqhcgchwiwqkp.exe	flvoztxypvf.exe
File opened for modification	C:\Windows\SysWOW64\wkyxmbobyhozomcb.exe	zcftx.exe
File created	C:\Windows\SysWOW64\xofhzrhxxjthzatvhqb.exe	zcftx.exe
File opened for modification	C:\Windows\SysWOW64\wkyxmbobyhozomcb.exe	zcftx.exe
File created	C:\Windows\SysWOW64\dshhxnbpnxfrhgxxh.exe	zcftx.exe
File created	C:\Windows\SysWOW64\kcuxqjarsfqfyauxkugy.exe	zcftx.exe
File created	C:\Windows\SysWOW64\zslpjdvnpdpfzcxbpangz.exe	zcftx.exe
File opened for modification	C:\Windows\SysWOW64\mcstkbqfepylccuvgo.exe	flvoztxypvf.exe
File created	C:\Windows\SysWOW64\wkyxmbobyhozomcb.exe	zcftx.exe
File opened for modification	C:\Windows\SysWOW64\mcstkbqfepylccuvgo.exe	zcftx.exe
File created	C:\Windows\SysWOW64\kcuxqjarsfqfyauxkugy.exe	zcftx.exe
File opened for modification	C:\Windows\SysWOW64\mcstkbqfepylccuvgo.exe	zcftx.exe
File created	C:\Windows\SysWOW64\mcstkbqfepylccuvgo.exe	zcftx.exe
File opened for modification	C:\Windows\SysWOW64\qkejezslodqhcgchwiwqkp.exe	zcftx.exe
File created	C:\Windows\SysWOW64\qkejezslodqhcgchwiwqkp.exe	zcftx.exe
File opened for modification	C:\Windows\SysWOW64\nyjfrdnxrxbjvqdzfinyjfrdnxrxbjvqdzf.nyj	zcftx.exe
File created	C:\Windows\SysWOW64\nyjfrdnxrxbjvqdzfinyjfrdnxrxbjvqdzf.nyj	zcftx.exe
File created	C:\Windows\SysWOW64\wkyxmbobyhozomcb.exe	flvoztxypvf.exe
File created	C:\Windows\SysWOW64\dshhxnbpnxfrhgxxh.exe	flvoztxypvf.exe
File created	C:\Windows\SysWOW64\xofhzrhxxjthzatvhqb.exe	flvoztxypvf.exe
File opened for modification	C:\Windows\SysWOW64\kcuxqjarsfqfyauxkugy.exe	flvoztxypvf.exe
File opened for modification	C:\Windows\SysWOW64\eeepqrqpytmjkuwhcuooozab.zid	zcftx.exe
File created	C:\Windows\SysWOW64\eeepqrqpytmjkuwhcuooozab.zid	zcftx.exe
File opened for modification	C:\Windows\SysWOW64\dshhxnbpnxfrhgxxh.exe	zcftx.exe
File opened for modification	C:\Windows\SysWOW64\zslpjdvnpdpfzcxbpangz.exe	zcftx.exe
File opened for modification	C:\Windows\SysWOW64\wkyxmbobyhozomcb.exe	flvoztxypvf.exe
File created	C:\Windows\SysWOW64\mcstkbqfepylccuvgo.exe	flvoztxypvf.exe
File created	C:\Windows\SysWOW64\wkyxmbobyhozomcb.exe	zcftx.exe
File opened for modification	C:\Windows\SysWOW64\dshhxnbpnxfrhgxxh.exe	zcftx.exe
File opened for modification	C:\Windows\SysWOW64\zslpjdvnpdpfzcxbpangz.exe	zcftx.exe
File created	C:\Windows\SysWOW64\zslpjdvnpdpfzcxbpangz.exe	zcftx.exe
File opened for modification	C:\Windows\SysWOW64\zslpjdvnpdpfzcxbpangz.exe	flvoztxypvf.exe
File opened for modification	C:\Windows\SysWOW64\xofhzrhxxjthzatvhqb.exe	zcftx.exe
File created	C:\Windows\SysWOW64\xofhzrhxxjthzatvhqb.exe	zcftx.exe
File opened for modification	C:\Windows\SysWOW64\kcuxqjarsfqfyauxkugy.exe	zcftx.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\nyjfrdnxrxbjvqdzfinyjfrdnxrxbjvqdzf.nyj	zcftx.exe
File opened for modification	C:\Program Files (x86)\eeepqrqpytmjkuwhcuooozab.zid	zcftx.exe
File created	C:\Program Files (x86)\eeepqrqpytmjkuwhcuooozab.zid	zcftx.exe
File opened for modification	C:\Program Files (x86)\nyjfrdnxrxbjvqdzfinyjfrdnxrxbjvqdzf.nyj	zcftx.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dshhxnbpnxfrhgxxh.exe	zcftx.exe
File opened for modification	C:\Windows\dshhxnbpnxfrhgxxh.exe	zcftx.exe
File opened for modification	C:\Windows\eeepqrqpytmjkuwhcuooozab.zid	zcftx.exe
File opened for modification	C:\Windows\nyjfrdnxrxbjvqdzfinyjfrdnxrxbjvqdzf.nyj	zcftx.exe
File opened for modification	C:\Windows\xofhzrhxxjthzatvhqb.exe	zcftx.exe
File opened for modification	C:\Windows\mcstkbqfepylccuvgo.exe	flvoztxypvf.exe
File created	C:\Windows\xofhzrhxxjthzatvhqb.exe	flvoztxypvf.exe
File created	C:\Windows\zslpjdvnpdpfzcxbpangz.exe	flvoztxypvf.exe
File opened for modification	C:\Windows\wkyxmbobyhozomcb.exe	zcftx.exe
File opened for modification	C:\Windows\mcstkbqfepylccuvgo.exe	zcftx.exe
File opened for modification	C:\Windows\xofhzrhxxjthzatvhqb.exe	zcftx.exe
File opened for modification	C:\Windows\qkejezslodqhcgchwiwqkp.exe	zcftx.exe
File opened for modification	C:\Windows\kcuxqjarsfqfyauxkugy.exe	zcftx.exe
File opened for modification	C:\Windows\kcuxqjarsfqfyauxkugy.exe	zcftx.exe
File created	C:\Windows\mcstkbqfepylccuvgo.exe	flvoztxypvf.exe
File opened for modification	C:\Windows\zslpjdvnpdpfzcxbpangz.exe	zcftx.exe
File opened for modification	C:\Windows\qkejezslodqhcgchwiwqkp.exe	zcftx.exe
File created	C:\Windows\eeepqrqpytmjkuwhcuooozab.zid	zcftx.exe
File created	C:\Windows\nyjfrdnxrxbjvqdzfinyjfrdnxrxbjvqdzf.nyj	zcftx.exe
File opened for modification	C:\Windows\kcuxqjarsfqfyauxkugy.exe	flvoztxypvf.exe
File created	C:\Windows\kcuxqjarsfqfyauxkugy.exe	flvoztxypvf.exe
File created	C:\Windows\qkejezslodqhcgchwiwqkp.exe	flvoztxypvf.exe
File opened for modification	C:\Windows\wkyxmbobyhozomcb.exe	flvoztxypvf.exe
File opened for modification	C:\Windows\dshhxnbpnxfrhgxxh.exe	flvoztxypvf.exe
File created	C:\Windows\dshhxnbpnxfrhgxxh.exe	flvoztxypvf.exe
File opened for modification	C:\Windows\zslpjdvnpdpfzcxbpangz.exe	flvoztxypvf.exe
File opened for modification	C:\Windows\zslpjdvnpdpfzcxbpangz.exe	zcftx.exe
File opened for modification	C:\Windows\mcstkbqfepylccuvgo.exe	zcftx.exe
File created	C:\Windows\wkyxmbobyhozomcb.exe	flvoztxypvf.exe
File opened for modification	C:\Windows\xofhzrhxxjthzatvhqb.exe	flvoztxypvf.exe
File opened for modification	C:\Windows\qkejezslodqhcgchwiwqkp.exe	flvoztxypvf.exe
File opened for modification	C:\Windows\wkyxmbobyhozomcb.exe	zcftx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe
552	02a4f14d6664a7dcca9e7917d7c0fb72.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3920	zcftx.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 636	552	02a4f14d6664a7dcca9e7917d7c0fb72.exe	92
PID 552 wrote to memory of 636	552	02a4f14d6664a7dcca9e7917d7c0fb72.exe	92
PID 552 wrote to memory of 636	552	02a4f14d6664a7dcca9e7917d7c0fb72.exe	92
PID 636 wrote to memory of 576	636	flvoztxypvf.exe	94
PID 636 wrote to memory of 576	636	flvoztxypvf.exe	94
PID 636 wrote to memory of 576	636	flvoztxypvf.exe	94
PID 636 wrote to memory of 2804	636	flvoztxypvf.exe	95
PID 636 wrote to memory of 2804	636	flvoztxypvf.exe	95
PID 636 wrote to memory of 2804	636	flvoztxypvf.exe	95
PID 636 wrote to memory of 4544	636	flvoztxypvf.exe	96
PID 636 wrote to memory of 4544	636	flvoztxypvf.exe	96
PID 636 wrote to memory of 4544	636	flvoztxypvf.exe	96
PID 636 wrote to memory of 3276	636	flvoztxypvf.exe	97
PID 636 wrote to memory of 3276	636	flvoztxypvf.exe	97
PID 636 wrote to memory of 3276	636	flvoztxypvf.exe	97
PID 636 wrote to memory of 3016	636	flvoztxypvf.exe	98
PID 636 wrote to memory of 3016	636	flvoztxypvf.exe	98
PID 636 wrote to memory of 3016	636	flvoztxypvf.exe	98
PID 636 wrote to memory of 3848	636	flvoztxypvf.exe	99
PID 636 wrote to memory of 3848	636	flvoztxypvf.exe	99
PID 636 wrote to memory of 3848	636	flvoztxypvf.exe	99
PID 636 wrote to memory of 2220	636	flvoztxypvf.exe	100
PID 636 wrote to memory of 2220	636	flvoztxypvf.exe	100
PID 636 wrote to memory of 2220	636	flvoztxypvf.exe	100
PID 636 wrote to memory of 4612	636	flvoztxypvf.exe	101
PID 636 wrote to memory of 4612	636	flvoztxypvf.exe	101
PID 636 wrote to memory of 4612	636	flvoztxypvf.exe	101
PID 636 wrote to memory of 3564	636	flvoztxypvf.exe	102
PID 636 wrote to memory of 3564	636	flvoztxypvf.exe	102
PID 636 wrote to memory of 3564	636	flvoztxypvf.exe	102
PID 636 wrote to memory of 2064	636	flvoztxypvf.exe	103
PID 636 wrote to memory of 2064	636	flvoztxypvf.exe	103
PID 636 wrote to memory of 2064	636	flvoztxypvf.exe	103
PID 636 wrote to memory of 4236	636	flvoztxypvf.exe	104
PID 636 wrote to memory of 4236	636	flvoztxypvf.exe	104
PID 636 wrote to memory of 4236	636	flvoztxypvf.exe	104
PID 636 wrote to memory of 3772	636	flvoztxypvf.exe	105
PID 636 wrote to memory of 3772	636	flvoztxypvf.exe	105
PID 636 wrote to memory of 3772	636	flvoztxypvf.exe	105
PID 636 wrote to memory of 3920	636	flvoztxypvf.exe	106
PID 636 wrote to memory of 3920	636	flvoztxypvf.exe	106
PID 636 wrote to memory of 3920	636	flvoztxypvf.exe	106
PID 636 wrote to memory of 2784	636	flvoztxypvf.exe	107
PID 636 wrote to memory of 2784	636	flvoztxypvf.exe	107
PID 636 wrote to memory of 2784	636	flvoztxypvf.exe	107

System policy modification 1 TTPs 52 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	flvoztxypvf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	flvoztxypvf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	zcftx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	flvoztxypvf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	zcftx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	flvoztxypvf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	flvoztxypvf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	zcftx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	flvoztxypvf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	flvoztxypvf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	flvoztxypvf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	flvoztxypvf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	flvoztxypvf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	flvoztxypvf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	zcftx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	flvoztxypvf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	zcftx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	flvoztxypvf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	zcftx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	zcftx.exe

C:\Users\Admin\AppData\Local\Temp\02a4f14d6664a7dcca9e7917d7c0fb72.exe
"C:\Users\Admin\AppData\Local\Temp\02a4f14d6664a7dcca9e7917d7c0fb72.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:552
- C:\Users\Admin\AppData\Local\Temp\flvoztxypvf.exe
  "C:\Users\Admin\AppData\Local\Temp\flvoztxypvf.exe" "c:\users\admin\appdata\local\temp\02a4f14d6664a7dcca9e7917d7c0fb72.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:636
- - C:\Users\Admin\AppData\Local\Temp\zcftx.exe
    "C:\Users\Admin\AppData\Local\Temp\zcftx.exe" "-C:\Users\Admin\AppData\Local\Temp\wkyxmbobyhozomcb.exe"
    3⤵
    - Executes dropped EXE
    PID:576
- - C:\Users\Admin\AppData\Local\Temp\zcftx.exe
    "C:\Users\Admin\AppData\Local\Temp\zcftx.exe" "-C:\Users\Admin\AppData\Local\Temp\wkyxmbobyhozomcb.exe"
    3⤵
    - Executes dropped EXE
    PID:2804
- - C:\Users\Admin\AppData\Local\Temp\zcftx.exe
    "C:\Users\Admin\AppData\Local\Temp\zcftx.exe" "-C:\Users\Admin\AppData\Local\Temp\wkyxmbobyhozomcb.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - System policy modification
    PID:4544
- - C:\Users\Admin\AppData\Local\Temp\zcftx.exe
    "C:\Users\Admin\AppData\Local\Temp\zcftx.exe" "-C:\Users\Admin\AppData\Local\Temp\wkyxmbobyhozomcb.exe"
    3⤵
    - Executes dropped EXE
    PID:3276
- - C:\Users\Admin\AppData\Local\Temp\zcftx.exe
    "C:\Users\Admin\AppData\Local\Temp\zcftx.exe" "-C:\Users\Admin\AppData\Local\Temp\wkyxmbobyhozomcb.exe"
    3⤵
    - Executes dropped EXE
    PID:3016
- - C:\Users\Admin\AppData\Local\Temp\zcftx.exe
    "C:\Users\Admin\AppData\Local\Temp\zcftx.exe" "-C:\Users\Admin\AppData\Local\Temp\wkyxmbobyhozomcb.exe"
    3⤵
    - Executes dropped EXE
    PID:3848
- - C:\Users\Admin\AppData\Local\Temp\zcftx.exe
    "C:\Users\Admin\AppData\Local\Temp\zcftx.exe" "-C:\Users\Admin\AppData\Local\Temp\wkyxmbobyhozomcb.exe"
    3⤵
    - Executes dropped EXE
    PID:2220
- - C:\Users\Admin\AppData\Local\Temp\zcftx.exe
    "C:\Users\Admin\AppData\Local\Temp\zcftx.exe" "-C:\Users\Admin\AppData\Local\Temp\wkyxmbobyhozomcb.exe"
    3⤵
    - Executes dropped EXE
    PID:4612
- - C:\Users\Admin\AppData\Local\Temp\zcftx.exe
    "C:\Users\Admin\AppData\Local\Temp\zcftx.exe" "-C:\Users\Admin\AppData\Local\Temp\wkyxmbobyhozomcb.exe"
    3⤵
    - Executes dropped EXE
    PID:3564
- - C:\Users\Admin\AppData\Local\Temp\zcftx.exe
    "C:\Users\Admin\AppData\Local\Temp\zcftx.exe" "-C:\Users\Admin\AppData\Local\Temp\wkyxmbobyhozomcb.exe"
    3⤵
    - Executes dropped EXE
    PID:2064
- - C:\Users\Admin\AppData\Local\Temp\zcftx.exe
    "C:\Users\Admin\AppData\Local\Temp\zcftx.exe" "-C:\Users\Admin\AppData\Local\Temp\wkyxmbobyhozomcb.exe"
    3⤵
    - Executes dropped EXE
    PID:4236
- - C:\Users\Admin\AppData\Local\Temp\zcftx.exe
    "C:\Users\Admin\AppData\Local\Temp\zcftx.exe" "-C:\Users\Admin\AppData\Local\Temp\wkyxmbobyhozomcb.exe"
    3⤵
    - Executes dropped EXE
    PID:3772
- - C:\Users\Admin\AppData\Local\Temp\zcftx.exe
    "C:\Users\Admin\AppData\Local\Temp\zcftx.exe" "-C:\Users\Admin\AppData\Local\Temp\wkyxmbobyhozomcb.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:3920
- - C:\Users\Admin\AppData\Local\Temp\zcftx.exe
    "C:\Users\Admin\AppData\Local\Temp\zcftx.exe" "-C:\Users\Admin\AppData\Local\Temp\wkyxmbobyhozomcb.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\flvoztxypvf.exe

Filesize
320KB

MD5
304415df6ad55a90301aa8158e5e3582

SHA1
cc20ee7d5e8607f4fa0633093083ec0a68dcf3cd

SHA256
34a5f9e2b494b086abad2721019be271fa43350c9146f000e50fe554f170743d

SHA512
4ef2a9a8a3b36ba8c40a0bda9de415c76f985da34475f9110f7fe7b70a8e235d66ec6e15f76b45c5f75f5594fe05051d8112745e5031a18c817bd5d86212c687

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcftx.exe

Filesize
270KB

MD5
bc1ce06cd0c96a8e3ed21bb10757952b

SHA1
0c4f1d094258512d8db50136b73899c1d8166548

SHA256
cc3be7361e88df32c39259d687323ae0de366ec7c9e353ee8c2ab594515f1954

SHA512
9436512d3dd3a801b0ce44dcdd74ffa8b7db2be2257df5835c28a299d678ad426040dc6dd4998513bd575153bd57acdc3f635f3300699b3b1493b6b322d0f52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcftx.exe

Filesize
704KB

MD5
69c23a7201a4020614539cde1eaafdb7

SHA1
4467710ff5954047593a36f690020aebbbb4d185

SHA256
2f1635375bfe188c9f0edd2040e2b17f96d86a2272c872a61481c602f39b8a73

SHA512
c32b67ac71535d9a898aa8700d7ffaedc89fcd1dd4ace38850ccaa357d796ffbcebf018debca881e53d3d86070b31b0ed8f4fd2d02d4e69e4e9f7b63ef2cd3de

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcftx.exe

Filesize
408KB

MD5
bbfe07f5627e354349db4349fb4b9744

SHA1
8e4ba6aaacc5cecade1e13d8293df59251cbe36f

SHA256
69a3d62f4b473f23245ac6c5163f350a60599e31d80405b728e74304d872c94c

SHA512
56aad8974543016c2a713794eb28cd0ee7056f47562c0edbab0ffbc09829fb32bb4ebe909a7ad7bfd08b74ecf6a361cd409852c6b207967f2ff9ecb70ac1a14b

Download Submit
C:\Users\Admin\AppData\Local\eeepqrqpytmjkuwhcuooozab.zid

Filesize
260B

MD5
32f52b7dfec149ea5e34088915f1ca5e

SHA1
7f619b5a88d0087486a5609d9c95ba60665da2ab

SHA256
a297a64e8f49b310683f4ca50abd178a6ffb4024196a62681f7fcebb52c5a24b

SHA512
7ab074257b8220236ea513484e37db64560d4c454d018a15d97e7bf193d15089e51b7435bfbe2843cb80e76aece1c2ef1b89c31a03df23487246989cbefc775d

Download Submit
C:\Users\Admin\AppData\Local\nyjfrdnxrxbjvqdzfinyjfrdnxrxbjvqdzf.nyj

Filesize
3KB

MD5
3c5046f7e66c0a36e7a29ae6f5ffa5b4

SHA1
8452e8cb1ec02bf5165e8190cae58b369adfd69a

SHA256
550089ffea62c628e3d6be5c97f441570ae2f37dd97c191fc3bd4297aad1ba9a

SHA512
ab720e692dc803e62162afe92b4c1847a32a4a6c06840e13728ad7d24f627902f805a3bd130679554fc13eb367600cdacaa3ca346194551ec76acfd424c75b7a

Download Submit
C:\Windows\SysWOW64\mcstkbqfepylccuvgo.exe

Filesize
177KB

MD5
cc1fbd183cf380ad8ccffe09dbd19f50

SHA1
6bcedacf607e06ff82c6364051b21e8f9d079068

SHA256
886daa801e5613ac336733bd5ee24c550adee489da1f9de06dbce888dd68a4d4

SHA512
89301f2529bcf67ce610ce7a523f4914575d5ba891f90743a74a5bb923d17c4a24a5acd342140dbbaef621066bb4b273d633443f493ef2795c5bdad4dba49d8d

Download Submit
C:\Windows\SysWOW64\qkejezslodqhcgchwiwqkp.exe

Filesize
448KB

MD5
ceb79efe01066b47a88bec6b910d8bd0

SHA1
58598ea5eeb5342a75cf57767859086033668a73

SHA256
3fa92bd916971ff49d03784ddda19e232ceec30e529386af16e9baf0e8e6b65a

SHA512
dccdb988eb011bd78d7900540f963cb161f05e645f20e44747083c5ccb0630f5682bc484eb3f0b61068d4af9914ff82c6ec2e8f16b950d017237b6dd51d87f24

Download Submit
C:\Windows\SysWOW64\wkyxmbobyhozomcb.exe

Filesize
484KB

MD5
02a4f14d6664a7dcca9e7917d7c0fb72

SHA1
2ca2c9ce27844e032c23d0199dd3cd19af56620e

SHA256
21c5b96d93c19d6d1717f1ff1080a09cf7f42d9615796fc4270ebc0ea436c4df

SHA512
5bf95fd34d565690916d996688c876bb3d7f9243c582686ab8b2aed0d9b67ec60a379dfaee0b65f4cb60be8d8272590241936d4580cfe4423ca0e170fa56bdcc

Download Submit