ctblocker | 4a0b83817f7e10ccaf4f73a8317c132fef767f646b5669e28d509c935910ef79

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-05-2024 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fattura 00384788-0849838.pdf.exe
Size

867KB
MD5

921023d253b6dfac1eaabe38f3b36a45
SHA1

82ae601f2eb5202a5314feffb2a9bd07c5f33327
SHA256

a2deb60615b3bd20beeb9253547a41c0a970139bfb59d9f88854b8b61880ead1
SHA512

86229692b51a24e3f29aec482f6aca2109cf98031011a5bc71b756ee1417fe0200c179bde3adfd9dd72dcb5edd553abb98a5c6845b1c42d3e7672038fb7bc115
SSDEEP

24576:+XH+j3CgxpmJI+QhQ3r+HVqQUEHpGzOUPZ:Jj3CgxpNhN16EHpCx

Score

10^/10

ctblocker ransomware

Malware Config

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ppxpdxm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation	ppxpdxm.exe

Executes dropped EXE 4 IoCs

Processes:

ppxpdxm.exeppxpdxm.exeppxpdxm.exeppxpdxm.exe

pid process

2596 ppxpdxm.exe
2208 ppxpdxm.exe
1004 ppxpdxm.exe
2184 ppxpdxm.exe
Loads dropped DLL 6 IoCs

Processes:

Fattura 00384788-0849838.pdf.exeppxpdxm.exeppxpdxm.exe

pid process

2020 Fattura 00384788-0849838.pdf.exe
2020 Fattura 00384788-0849838.pdf.exe
2596 ppxpdxm.exe
2596 ppxpdxm.exe
1004 ppxpdxm.exe
1004 ppxpdxm.exe

pid	process
2596	ppxpdxm.exe
2208	ppxpdxm.exe
1004	ppxpdxm.exe
2184	ppxpdxm.exe

pid	process
2020	Fattura 00384788-0849838.pdf.exe
2020	Fattura 00384788-0849838.pdf.exe
2596	ppxpdxm.exe
2596	ppxpdxm.exe
1004	ppxpdxm.exe
1004	ppxpdxm.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

svchost.exe

description ioc process

File opened (read-only) \??\F: svchost.exe

description	ioc	process
File opened (read-only)	\??\F:	svchost.exe

Drops file in System32 directory 64 IoCs

Processes:

ppxpdxm.exeppxpdxm.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\variablelist.max.termlength.xml	ppxpdxm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\pcdrsound.p5m	ppxpdxm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\README_kn_IN.txt	ppxpdxm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\use.id.as.filename.xml	ppxpdxm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\P_AutoAlign_Interactive_87x38.png	ppxpdxm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\refentry.separator.xml	ppxpdxm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\BMY brown 2.ADO	ppxpdxm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\zy______.pfm	ppxpdxm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\root.properties.xml	ppxpdxm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\tweakBIOSDriversFirmwareUpdate_ru.p5p	ppxpdxm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\pass.png	ppxpdxm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\f20.png	ppxpdxm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\green 3405 bl 4.ADO	ppxpdxm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\zy______.pfm	ppxpdxm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\xslthl-config.xml	ppxpdxm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\25.svg	ppxpdxm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\refentry.generate.name.xml	ppxpdxm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\LoadLayers.exv	ppxpdxm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\README-en	ppxpdxm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\PSNormalMap.hlsl	ppxpdxm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\f20.png	ppxpdxm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\manifest.xml	ppxpdxm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Bosun.mNa	ppxpdxm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\use.role.as.xrefstyle.xml	ppxpdxm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\PSNormalMap.hlsl	ppxpdxm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\setup.iss	ppxpdxm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\tweakBIOSDriversFirmwareUpdate_ru.p5p	ppxpdxm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\inventory_3.png	ppxpdxm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\brzphon.env	ppxpdxm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\variablelist.max.termlength.xml	ppxpdxm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\xslthl-config.xml	ppxpdxm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\qanda.title.level3.properties.xml	ppxpdxm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\slvphon.env	ppxpdxm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\ExampleXML2PDF.java	ppxpdxm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\ExampleXML2PDF.java	ppxpdxm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\49-sansserif.conf	ppxpdxm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\default_hash.js	ppxpdxm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\page.width.xml	ppxpdxm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\README-en	ppxpdxm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\setup.iss	ppxpdxm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\South_Georgia	ppxpdxm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\cations	ppxpdxm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Ext-RKSJ-V	ppxpdxm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\SequenceFrequency.mm	ppxpdxm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Warm Gray 11 bl 3.ADO	ppxpdxm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\NsResize.dll	ppxpdxm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\refentry.source.name.profile.enabled.xml	ppxpdxm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Sydney	ppxpdxm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\qanda.title.level2.properties.xml	ppxpdxm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\refentry.separator.xml	ppxpdxm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\multiframe.xml	ppxpdxm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\refentry.generate.name.xml	ppxpdxm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\16ps.png	ppxpdxm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\cations	ppxpdxm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Sydney	ppxpdxm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\use.role.as.xrefstyle.xml	ppxpdxm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Windows.act	ppxpdxm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Windows.act	ppxpdxm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\zy______.pfm	ppxpdxm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Kiev	ppxpdxm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\inventory_3.png	ppxpdxm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\g2_Letter 8.5 x 11 in 300 dpi.IMZ	ppxpdxm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\DuelOmmatidium.Jsg	ppxpdxm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\green 349 bl 1.ADO	ppxpdxm.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-qxlongg.bmp"	Explorer.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

Fattura 00384788-0849838.pdf.exeppxpdxm.exeppxpdxm.exe

description	pid	process	target process
PID 2020 set thread context of 2412	2020	Fattura 00384788-0849838.pdf.exe	Fattura 00384788-0849838.pdf.exe
PID 2596 set thread context of 2208	2596	ppxpdxm.exe	ppxpdxm.exe
PID 1004 set thread context of 2184	1004	ppxpdxm.exe	ppxpdxm.exe

Drops file in Program Files directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-qxlongg.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-qxlongg.bmp	svchost.exe

Drops file in Windows directory 3 IoCs

Processes:

Fattura 00384788-0849838.pdf.exeppxpdxm.exeppxpdxm.exe

description	ioc	process
File opened for modification	C:\Windows\	Fattura 00384788-0849838.pdf.exe
File opened for modification	C:\Windows\	ppxpdxm.exe
File opened for modification	C:\Windows\	ppxpdxm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ppxpdxm.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\ppxpdxm.exe	nsis_installer_2

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1688 vssadmin.exe

pid	process
1688	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

ppxpdxm.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ppxpdxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ppxpdxm.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	ppxpdxm.exe

Modifies data under HKEY_USERS 23 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d1ace37e-d0c4-11ee-a9c1-5a791e92bc44}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{f88b09c4-d104-11ee-9a53-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{f88b09c4-d104-11ee-9a53-806e6f6e6963}\MaxCapacity = "14116"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d1ace37e-d0c4-11ee-a9c1-5a791e92bc44}\MaxCapacity = "2047"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{f88b09c4-d104-11ee-9a53-806e6f6e6963}	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d1ace37e-d0c4-11ee-a9c1-5a791e92bc44}\NukeOnDelete = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00660038003800620030003900630034002d0064003100300034002d0031003100650065002d0039006100350033002d003800300036006500360066003600650036003900360033007d00000030002c007b00640031006100630065003300370065002d0064003000630034002d0031003100650065002d0061003900630031002d003500610037003900310065003900320062006300340034007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Fattura 00384788-0849838.pdf.exeppxpdxm.exe

pid process

2412 Fattura 00384788-0849838.pdf.exe
2208 ppxpdxm.exe
2208 ppxpdxm.exe
2208 ppxpdxm.exe
2208 ppxpdxm.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

ppxpdxm.exeExplorer.EXE

description pid process

Token: SeDebugPrivilege 2208 ppxpdxm.exe
Token: SeDebugPrivilege 2208 ppxpdxm.exe
Token: SeShutdownPrivilege 1176 Explorer.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

ppxpdxm.exe

pid process

2184 ppxpdxm.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

ppxpdxm.exe

pid process

2184 ppxpdxm.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ppxpdxm.exe

pid process

2184 ppxpdxm.exe
2184 ppxpdxm.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

1176 Explorer.EXE

pid	process
2412	Fattura 00384788-0849838.pdf.exe
2208	ppxpdxm.exe
2208	ppxpdxm.exe
2208	ppxpdxm.exe
2208	ppxpdxm.exe

description	pid	process
Token: SeDebugPrivilege	2208	ppxpdxm.exe
Token: SeDebugPrivilege	2208	ppxpdxm.exe
Token: SeShutdownPrivilege	1176	Explorer.EXE

pid	process
2184	ppxpdxm.exe

pid	process
2184	ppxpdxm.exe

pid	process
2184	ppxpdxm.exe
2184	ppxpdxm.exe

pid	process
1176	Explorer.EXE

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

Fattura 00384788-0849838.pdf.exetaskeng.exeppxpdxm.exeppxpdxm.exesvchost.exeppxpdxm.exe

description	pid	process	target process
PID 2020 wrote to memory of 2412	2020	Fattura 00384788-0849838.pdf.exe	Fattura 00384788-0849838.pdf.exe
PID 2020 wrote to memory of 2412	2020	Fattura 00384788-0849838.pdf.exe	Fattura 00384788-0849838.pdf.exe
PID 2020 wrote to memory of 2412	2020	Fattura 00384788-0849838.pdf.exe	Fattura 00384788-0849838.pdf.exe
PID 2020 wrote to memory of 2412	2020	Fattura 00384788-0849838.pdf.exe	Fattura 00384788-0849838.pdf.exe
PID 2020 wrote to memory of 2412	2020	Fattura 00384788-0849838.pdf.exe	Fattura 00384788-0849838.pdf.exe
PID 2020 wrote to memory of 2412	2020	Fattura 00384788-0849838.pdf.exe	Fattura 00384788-0849838.pdf.exe
PID 2020 wrote to memory of 2412	2020	Fattura 00384788-0849838.pdf.exe	Fattura 00384788-0849838.pdf.exe
PID 1784 wrote to memory of 2596	1784	taskeng.exe	ppxpdxm.exe
PID 1784 wrote to memory of 2596	1784	taskeng.exe	ppxpdxm.exe
PID 1784 wrote to memory of 2596	1784	taskeng.exe	ppxpdxm.exe
PID 1784 wrote to memory of 2596	1784	taskeng.exe	ppxpdxm.exe
PID 2596 wrote to memory of 2208	2596	ppxpdxm.exe	ppxpdxm.exe
PID 2596 wrote to memory of 2208	2596	ppxpdxm.exe	ppxpdxm.exe
PID 2596 wrote to memory of 2208	2596	ppxpdxm.exe	ppxpdxm.exe
PID 2596 wrote to memory of 2208	2596	ppxpdxm.exe	ppxpdxm.exe
PID 2596 wrote to memory of 2208	2596	ppxpdxm.exe	ppxpdxm.exe
PID 2596 wrote to memory of 2208	2596	ppxpdxm.exe	ppxpdxm.exe
PID 2596 wrote to memory of 2208	2596	ppxpdxm.exe	ppxpdxm.exe
PID 2208 wrote to memory of 608	2208	ppxpdxm.exe	svchost.exe
PID 608 wrote to memory of 2972	608	svchost.exe	DllHost.exe
PID 608 wrote to memory of 2972	608	svchost.exe	DllHost.exe
PID 608 wrote to memory of 2972	608	svchost.exe	DllHost.exe
PID 608 wrote to memory of 472	608	svchost.exe	wmiprvse.exe
PID 608 wrote to memory of 472	608	svchost.exe	wmiprvse.exe
PID 608 wrote to memory of 472	608	svchost.exe	wmiprvse.exe
PID 2208 wrote to memory of 1176	2208	ppxpdxm.exe	Explorer.EXE
PID 2208 wrote to memory of 1688	2208	ppxpdxm.exe	vssadmin.exe
PID 2208 wrote to memory of 1688	2208	ppxpdxm.exe	vssadmin.exe
PID 2208 wrote to memory of 1688	2208	ppxpdxm.exe	vssadmin.exe
PID 2208 wrote to memory of 1688	2208	ppxpdxm.exe	vssadmin.exe
PID 2208 wrote to memory of 1004	2208	ppxpdxm.exe	ppxpdxm.exe
PID 2208 wrote to memory of 1004	2208	ppxpdxm.exe	ppxpdxm.exe
PID 2208 wrote to memory of 1004	2208	ppxpdxm.exe	ppxpdxm.exe
PID 2208 wrote to memory of 1004	2208	ppxpdxm.exe	ppxpdxm.exe
PID 1004 wrote to memory of 2184	1004	ppxpdxm.exe	ppxpdxm.exe
PID 1004 wrote to memory of 2184	1004	ppxpdxm.exe	ppxpdxm.exe
PID 1004 wrote to memory of 2184	1004	ppxpdxm.exe	ppxpdxm.exe
PID 1004 wrote to memory of 2184	1004	ppxpdxm.exe	ppxpdxm.exe
PID 1004 wrote to memory of 2184	1004	ppxpdxm.exe	ppxpdxm.exe
PID 1004 wrote to memory of 2184	1004	ppxpdxm.exe	ppxpdxm.exe
PID 1004 wrote to memory of 2184	1004	ppxpdxm.exe	ppxpdxm.exe
PID 608 wrote to memory of 2900	608	svchost.exe	DllHost.exe
PID 608 wrote to memory of 2900	608	svchost.exe	DllHost.exe
PID 608 wrote to memory of 2900	608	svchost.exe	DllHost.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:608

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
PID:2972

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
2⤵
PID:472

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:2900

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:1176

C:\Users\Admin\AppData\Local\Temp\Fattura 00384788-0849838.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Fattura 00384788-0849838.pdf.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\Fattura 00384788-0849838.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Fattura 00384788-0849838.pdf.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2412

C:\Windows\system32\taskeng.exe
taskeng.exe {776AD8FF-DEAB-4B13-958F-817EB82DEDAE} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1784

C:\Users\Admin\AppData\Local\Temp\ppxpdxm.exe
C:\Users\Admin\AppData\Local\Temp\ppxpdxm.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2596

C:\Users\Admin\AppData\Local\Temp\ppxpdxm.exe
C:\Users\Admin\AppData\Local\Temp\ppxpdxm.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows all
4⤵
- Interacts with shadow copies
PID:1688

C:\Users\Admin\AppData\Local\Temp\ppxpdxm.exe
"C:\Users\Admin\AppData\Local\Temp\ppxpdxm.exe" -u
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1004

C:\Users\Admin\AppData\Local\Temp\ppxpdxm.exe
"C:\Users\Admin\AppData\Local\Temp\ppxpdxm.exe" -u
5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2184

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\pefdnyl
Filesize
654B

MD5
31dc0ff3e3f7909cfcf25afcf20ce787

SHA1
2f8e669e74577dd45e5028e51189619bd4975a2a

SHA256
9cd3ac21515593daf155040e2303bfb5890e7bd78b539ea477831ff5c0f6a007

SHA512
74b4cc20ed522f76b8e376e6b27549939b9b27d991873ced26dfbfb777dc916898fccdfcf69c40472894941c3081532d9037897202f4ec2dd4919765c4e21759

Download Submit
C:\ProgramData\Package Cache\pefdnyl
Filesize
654B

MD5
3109d651d57f2515f494ef25f2eef6db

SHA1
42c0ae2733bbad426e8349da5df66641c602719e

SHA256
dc49554b635f445a70e03c976b9366191e4cf74c68bbed5aaf5f32bf5ccdfc96

SHA512
4305b732cb40852edd06dd2ad1d0bf6c566a934f8a3f3994e783590895c19a5548623ee8fdf91e8a02e7f87f8e265ff4feb8ad5756f10fbbff7cee8a81846047

Download Submit
C:\ProgramData\Package Cache\pefdnyl
Filesize
654B

MD5
0315182698ceacd43da360e26bbb0b2c

SHA1
162512d08613ea1496d405455d7595c1f92dec10

SHA256
e9d8e03050661c7c700c3b85f0ff25226666eb6558aefefbad43e123a7a42034

SHA512
badbc514645ed9687f1bf0e534e62612e0024cabad31f85201daf2cc6cf2eb3e6b1d21429c20ad9c37e00833c37e24d15b41f9752c1f54c5cfc6b23e9f9e8a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\ppxpdxm.exe
Filesize
867KB

MD5
921023d253b6dfac1eaabe38f3b36a45

SHA1
82ae601f2eb5202a5314feffb2a9bd07c5f33327

SHA256
a2deb60615b3bd20beeb9253547a41c0a970139bfb59d9f88854b8b61880ead1

SHA512
86229692b51a24e3f29aec482f6aca2109cf98031011a5bc71b756ee1417fe0200c179bde3adfd9dd72dcb5edd553abb98a5c6845b1c42d3e7672038fb7bc115

Download Submit
C:\Users\Admin\AppData\Roaming\LICENSE_en_US.TXT
Filesize
2KB

MD5
00d7ffb88aeb3f3fa5ae3178591139ef

SHA1
b5edc99a205912d98207c1314d696dfe48192118

SHA256
f8dfac00ca2636f16dbb824c1626a607308bb582356fb736d1ee3f5f2656d861

SHA512
03e9df7a1cd6b214b03830b184bf0e7c0abb48da36a184402f2bb3590991bb027cff95cc8751d83cb5c7f7fcddc6969e746056a307d30cfc9fe937010f9a4fa7

Download Submit
C:\Users\Admin\AppData\Roaming\README_kn_IN.TXT
Filesize
409B

MD5
ade6c65fd0eeb73a60e279fdc7da023b

SHA1
4af90b3176b51d1e70e5561e27a2a2fd2277edcb

SHA256
56c2ecc106829db1020d48fe49a4802a4ee24875a8a873fff86ff0c413a3e226

SHA512
6bce13814640b256b83fa54b9d8df0e34076734baaa090b9aa433eefff87324b6782dd36567ea1c231480714c15df30dafb0cc665ea8194c1ada2f956ec0b83e

Download Submit
C:\Users\Admin\AppData\Roaming\default_hash.JS
Filesize
136B

MD5
06a09bda9d5dd7dba611b2dd460d545e

SHA1
73946d0150e298464b8a55a107bb22be6368029c

SHA256
c062646586359c92950920a9e5a51bcec73afeb863dc01337a88adadc789f05e

SHA512
b104418ebc3eabf7a3d4aae3a23bdeea63d0118f56397e3763318397baa0b59ed5756a354a922c2c6206636ab761197e379e6fa5b4aa7cf2a60c24416a2ad459

Download Submit
C:\Users\Admin\AppData\Roaming\setup.ISS
Filesize
241B

MD5
698f513c0c9d50ac789cfbe4bde1b467

SHA1
122acd3c51b72fc2bf4dc556cac09f9e6c6445fa

SHA256
f19b204261a5524ed3f5204fbd01d91f06fe1b2181b2fa2c2c7629ccb4e54b16

SHA512
c2b5ef941d332d2faa780d044ee5fee6f59d7852e5b0a5974fa47c9b9f03c2b3d867423004eae788ac765f30dbe65bc3b71cd9b679b1ff5dee78eb8fc82f41fc

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\16ps.png
Filesize
1KB

MD5
a1cbc0cf66e527e6f190fba76eb62c9c

SHA1
e58ae1da042d694e54c73c06e2c638cb80b08c35

SHA256
1db3153d2c1b66a5aa3c5c8ee0a2f0d8adf71990ffd2da63ce9c7c2908458927

SHA512
526a17742a1bea14e3da20ad077af8c47df9b6c05e081068b86a834b30d990fc904daf9fbad34ffc6804caee544c141ff39fa01efe5fb0c26d8ca586439405c9

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\25.svg
Filesize
1KB

MD5
81608b503510aaff28c4fc9af1a34aef

SHA1
ccaa75d99467f04f48a7ccb3e4a228039782ff1b

SHA256
c5bec41cf09f196558dd562dc223fade4c6de35cb01846dc7decb7a9db4e13df

SHA512
4ea78e56e017ec2a0be2e10e5401c54a27813c55c17eb888e9283e7b95160d45a82562aa1353dba3058a751febcb4f5e1fe6132cd50b2609d25c53cf236b831d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\49-sansserif.conf
Filesize
545B

MD5
22278b0b48e5864d9c7fcbc178da0db3

SHA1
fe066f8153c5e679ef711500bb213f691fe4b373

SHA256
ac32c6de350ff1c7945c31bf55eb89aa00c2198f65c92f89479f552dbce82090

SHA512
137d5fa18c5dc87701d35c53979a7e8c9993bfa0a50a2e6fdec3138d9e17f66255317191ceb918be1fb64354fd101a01c6864b8507d0291c6bd2508c752f69e2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\BMY brown 2.ADO
Filesize
524B

MD5
8d63f0f3af0cd205c4051221f3fbbe3e

SHA1
e214a245412a2db759ce11457de927a81252463c

SHA256
3b5723d413242c064941312f3e94c1910d1f7bacd8ebf9fe79350312b26869db

SHA512
1deda57d4cb87a8893bd7604847b4cf9be2f17facab5e906f29d1764afa0b51469d5859bd11c1ec498fd578c8a6b8104721bf07d148f12b80cf709581e24d3a4

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Bosun.mNa
Filesize
654KB

MD5
baa090e806e9638e901fdcfbcbe80578

SHA1
4fa41a30bb7afc2a2426a462d6c5949e9d7c6d84

SHA256
28143daded82e3ff63a4817c41673edd0b238df525f318522d3fcff17a11c556

SHA512
e0555c92f8be5aaee2aba54d48d0a07f90921206c80b523a48afc701d7f72eba3a171b0b445e4f45d6a25ad3166100f8845904c75e927a20b30d1f01df74c078

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\DuelOmmatidium.Jsg
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\ExampleXML2PDF.java
Filesize
3KB

MD5
1797b7c85905a97136e81974112b69bd

SHA1
16697c2197f56a56039b0cdb6be541e6f8862193

SHA256
89e2920f8db4cca778fdfb791679dc41384d23ca1f259864a7e44c6344111f11

SHA512
b69bf8a847d6db98c4b9e9eea31729b02b48f846523e55e712104dc83663d523b2ca4be0975487e7c1e9075721d3c41f5677eb3ec1285a95271a2135be67c52e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\GMT+8
Filesize
27B

MD5
f49040ffcebf951b752c194a42ed775e

SHA1
4632642740c1db115843409f0bc32b9ca8d834d7

SHA256
7422b2a82603f03d711b7ac7a9bebe5d1e4d9307cd283ce3d2714af46362f934

SHA512
f7be16b8418f2d57132ccd6b65f40296c80aa2d34634dee839eb2b50c45cb511db1135f8816956bfa90f4f0ca298909adf70787cd8c9e30c894e836f32ef5ed6

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\LoadLayers.exv
Filesize
2KB

MD5
d90c5a1ad9ce483d781210199d7a7f88

SHA1
950f223cc9240a0a5b4957bb04b485165bd5b524

SHA256
8bdc2217774cd4020407a6aef6133418d60eae8c6d490ba5be7b7de408f38b01

SHA512
9783099e6f854584d8f36456f5221eead8a878b40fc116f09a470deb6034402807b12e91de9e84bcdd59ed89b3b91602095746d8ba3463b2657160f214a5c1cb

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\PSNormalMap.hlsl
Filesize
2KB

MD5
e62e9a173e8f4a91f5633201152b0f80

SHA1
2adea4522e411a71a2fd279d4ac96cb79e509fbf

SHA256
10e37b82c1d586bec4904f08bf0cb4da91cbb11dc32b0f3db2cb37a82bcde228

SHA512
6e3f6373e1e6c6245909daedb43e204be4226624e9a621a816b6c2f49f35c25eea5d3caf24c54deaf0e527911be2ea8cc8650eb01a4d0d2103f885bf92fe15f9

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\P_AutoAlign_Interactive_87x38.png
Filesize
3KB

MD5
295fcfb5c30022f388804aeed50a3c41

SHA1
96c2f1b925aa12224c97edc4c9ffdd9f9759d8ed

SHA256
4cfc1dcf51bc4604d352adc3ee0aa9fde3525ef3ad70ca98f0d0afead72a7ed3

SHA512
4a14fdd9fa9e6444e88bdf4475ecffc13691fed5c60594c2c4d2a9d4f9b241d27e4cda05395a80943b10bd9007953316ca7cd0a47f4ccda0cef83a7b7ecd46ae

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\SequenceFrequency.mm
Filesize
2KB

MD5
1e585d1f86a617d79a06e55e047e992f

SHA1
6b72de0a0bd112e9d38812b7b66f9c34a446038e

SHA256
c64eece461357e0478ddb1e600b6ffbd9cb298d041324c6a2b090663785ac461

SHA512
0da54ee1980c2b09ebfa6e097e334d7cd8eeaf2668e0c7cb9db361c0d934ae89a3757f96a2fb1082be17b36ef8928cf0fdaf677e7809b2725ee4abd519262669

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\South_Georgia
Filesize
27B

MD5
e256eccde666f27e69199b07497437b2

SHA1
b2912c99ee4dff27ab1e3e897a31fc8f0cfcf5d7

SHA256
9e971632a3e9860a15af04efec3a9d5af9e7220cd4a731c3d9262d00670496a5

SHA512
460a225678c59a0259edef0c2868a45140ce139a394a00f07245cc1c542b4a74ff6fe36248f2fccc91a30d0a1d59d4ebcc497d6d3c31afad39934463f0496ee4

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Sydney
Filesize
1KB

MD5
59ed5f6750d92fa1622ff114c38e7bd6

SHA1
cf0e688d677fed17411f24dc26069e087dac8722

SHA256
2240e44b8c1b3518ee8e6df2cc3a8b358c5f49fdbc361bfb47ded8dbcc689c98

SHA512
60b667cf14478f0fe091f72533d9537e2d06ece221130048c3631b1af17db6d691c31ebbde8ae0769685cfbb46b9cc8c6c7e0467ce5b0996ef6d0520f0fba442

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Warm Gray 11 bl 3.ADO
Filesize
524B

MD5
3cfe31d5eaedf4bd40092fc02106d6a4

SHA1
cb60aab5f4e05ad35e2e26d963b84f5bfb0bfe9a

SHA256
ddfc65799a5e931f389bd3bf730d9ffe83dd16c30dd361e80731601ede0a7124

SHA512
8ddec8cf122a55313beaf421c93cea287b1556760944a348b4dad799a5a400e095c54c59e13ea0f603fb5f524f74a0382b462327b4bdc8f73d000ddd1ebbed88

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Windows.act
Filesize
768B

MD5
bdf11c39dd33b0f1ae86357ceae6843a

SHA1
6cc6e8a3ccd4eb8e204caff9fe66f7515b315b51

SHA256
a15e9392b2f59d20b29227282ab7c50ccd4623d5492a832b888ee23003de75cc

SHA512
e2d51666e13f76a44d630531b838724f758d426f0d102a2ef193760b8e4bbd0869e1cebd4f09171011754418f20047bfa10d30fac38cb454abd10fcee33f1655

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\brzphon.env
Filesize
3KB

MD5
383a7041d62a079cabc6804322663f6d

SHA1
3706a41e90691c138cac3a67e4d47af3757e89cf

SHA256
e88f27a4940ed4a45f1ad1482329537e352abbce2b7451ac41952d39ca3ef1c9

SHA512
21c73ba72f4102598be883ccf7a064c2057e4953e075d8b9007ad59a934ff8692a2efe915963458231a33657614432494cefd3b9e6026bbf14880ad737b277da

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\f20.png
Filesize
1KB

MD5
72f5b12d2ab2a90bdde706421d348a2b

SHA1
29047ae77e8311fd9f248e314eedfed463af68a4

SHA256
2c6380476304086e7fe8ef898df2895056970b178cb29d50ebfa8e1039f4eb5b

SHA512
07f286c7c238f1468eef39810d6b4fe435240845f94f57a8008d0d1c041dfa3b688c810208e0cdf6e80a28c227abdbe09b8d5f4df10d4f3afbad3e903f63957c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\g1_1366 x 768 px 72 ppi.IMZ
Filesize
46B

MD5
e04a78e9692c944ac6b5b9435ac2d4b4

SHA1
666cad58284692a169d436eb7b639f2cb4cfa881

SHA256
52c130792c694a3ceacc73a1e3ab9ee5cfd41bdb06823823a94be762ef802ac1

SHA512
3093d25f6956c1acdaa55be7c8b2d53e056b4c73cb80c399d6287a896dcdb7cfe0056d79c93a710f1092cf4209c963cfb721b04825de1326ab135b834ea37bd1

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\g2_Letter 8.5 x 11 in 300 dpi.IMZ
Filesize
46B

MD5
633d34ead61d11ef8028e7ae3f22f062

SHA1
964f641288254491cf203ad9966e145ae04750af

SHA256
2798675ce2702d03c99a831e3794f40d08271ccf74856383c41601aa0dd6f502

SHA512
65dfbd479b5eb7294899d503440997172e0fc00754e12caf56a26cbd58fa5502351abd8a1970ac132ad3ca55982dec3a231acfd0031232246386dc484c8e5956

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\green 3405 bl 4.ADO
Filesize
524B

MD5
8c4915fd9ae4038a89aae7907e27b841

SHA1
632b6276161799556d88b863768ed6b68a9b6237

SHA256
ac62d53f68d8bd4ad1d69af7b1a642d3ea73533d6200ad1d0cb8df40f6f77bd3

SHA512
7f350656e0fb91a7b02a33a67771778e48ad973c3911b1a0454f538adfbff8db80feaec5c5a16ed32bc49ce4c55ae58bba0381741c686795942efe0f1e0bef41

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\green 349 bl 1.ADO
Filesize
524B

MD5
1289782651c9af159c54bd25c344a26e

SHA1
5ff702833f8e0b9b2bc066d7de9e9d3885984135

SHA256
82020a2103aa444d0b44638ee2666fa3f077af7b5dda85433607d871d103fc39

SHA512
afe7c5e2df5643fec0c486c7efd9b8a440d2ac9631b70369e35b14561995ca91151c1859ef2d49e20621652cf38f024ea94898ff4c2b258380f5a92613a3df51

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\htmlhelp.title.xml
Filesize
937B

MD5
eb3cf4a16f7d5ba110213a4fc8eaec2c

SHA1
e5561a60f4aa14a92730d10245cd625063320814

SHA256
56f0bd0419454ac218d7dfee67ebd9abf96495d95785ea1dd0d925a847c6134f

SHA512
e151c83bcd4dbbd5b122974d34cc004e74812d5590047da1bea15f0960b4695839e25196ace36d4b3bb86b8b53250c76858c025b78bc54f03601e7638873d682

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\htmlhelp.use.hhk.xml
Filesize
1KB

MD5
212c601ec04c872a7ad691a619057e59

SHA1
9ca49b45817d6aec0ae19497dc926411ca478b36

SHA256
8f38b404a14d0d0c4420f8af95cc70466495c0ce867da0408261fc266bc7e0d0

SHA512
f94887811478f3d04f16d94b5cb319eee4ec483059d1c9f4859feab59846b6e61a5c9c49514517985825b48b321a75390af2b81946ac87b5638998ceb3fcc056

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\inventory_3.png
Filesize
1KB

MD5
fc85c26ecd9249354441417f6da6f14f

SHA1
68e1f48294fa1502ee8c41577f1b845cf73497f8

SHA256
4a2755378a7f529311806b2fec26ab149f01221dcc3ae61460b43825323e8587

SHA512
ec344fb2cb47b0a178d5541b0c9bf429cec197624a101275496415f6a1e780b3af0993134829bd0b9929bc9dbf8f17b169078aac071f9d73235f7ea4fc2f6b33

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\manifest.xml
Filesize
988B

MD5
c3ad825146db97ed0361f03bfdc013b6

SHA1
586ace1f37272a909445e845c0199125da64e63c

SHA256
20f49e604c474b22df60237e9ca35ff4841f3da254df1c8063b1608a890d7dc5

SHA512
e793e583fddc448c228634524f3fe64808a3cc1e9f7dd9343f20a0a16ed96bb82aadaf22d81ec30aa55c744487e89208231123607d590d6157e741fa44e272f0

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\page.width.xml
Filesize
1KB

MD5
3e9c5adb1a6888e7aaafa813ff3f7f6c

SHA1
7a7e3ef15f9318513d8b61d8a8d7d2951b4b326f

SHA256
a5d7e99658f9ee81da1a1c6386c1a9df1a2b5a73fa0eac3490e4b2d07a38857f

SHA512
8c9cf78b9e44cc2bb26c498c648c7b0c679b5ccffa9a53d28b8b45782a47dd44a8832c72d984e29b6380808fbb70b4b7a796f43e30cb4881cfdf4669ff0d8ec1

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\pass.png
Filesize
4KB

MD5
e98c394bbb167dadfaf5730434311db8

SHA1
da8700c14557e046efc3ccb1149d097b8328719e

SHA256
987e1548b25af83905ba12a5b8ccf4be56d667c00c3847b9f44706007841da7d

SHA512
53ce8f76e96351c9388d6dc11acb9717ca80d243068026c03d0b09b7998d897d26594a3d537f55881189dc2838ba04da5cbb0c9132d9ad7992652ace77c71370

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\qanda.title.level2.properties.xml
Filesize
1KB

MD5
85a98e83294c06904bdc35807eb37683

SHA1
c4718cf1ad269584a7a763454d16df99747c11c5

SHA256
8f79032a7554d1042b03749dc6cf949b1a5d5ee6794bb9131e0bd345faf42e2f

SHA512
9a7f961576767fa352a29e77fc6ded87b6c7590827359f6832c4924340cbf50ba47e0bcbb73cbdee5d4f68e62c82d6ba86adeada3fec7a3687f27283eb3f77ab

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\qanda.title.level3.properties.xml
Filesize
1KB

MD5
bd1bc2932a54fb5d0af6ed6ed5ada5f8

SHA1
015a657ccdb4d729a09ed13030119e31d8ef6bd3

SHA256
eae13222d4ec9dee48885b2d5f317fcb035eb1b7bc4657e8accd1b6c311f7287

SHA512
d37c5f1ac80e5aa34100ad3c0f497562eecee7c1edadf683f847d060a8e7bde10fbd59d5eea639a71fe30d316a378777882b3d0520d45f705badc0f4acf50c2c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\refentry.separator.xml
Filesize
942B

MD5
fc55c7ac5eeff5aac35ecc99076da2b5

SHA1
1da605bdc22ab617f30ccd94f10edef3dddb2167

SHA256
efd53017d472ec0550417fbba9f2b714d1a8e8c53da0e842d5b0f9ce000d2f45

SHA512
39495fcec1e1c5b35b2f1c9bd040fa14202257192c148bd6042def426c7e3468536d02b21df5d1fe3c96cae1c6da2844e24198afd1d1e38a61cb04da2bcdbb6e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\root.properties.xml
Filesize
1KB

MD5
214e467af3f5fcbd989673843b9839ec

SHA1
1c508212bdaa4afcbdf8eced6c94e79043505263

SHA256
8f630944991fa6f5ef473fb922bf8478f454da639a339aca464aec744953ec2f

SHA512
dcf7369f9be7bd58bfd2bf71796dc3609d7f58a7507e5f6c7a1b14b2ddba1478eba0b6da4307ffdf9f8b72e72bf20ca40c1cf5a591a9946a3b002ee7090af57c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\slvphon.env
Filesize
4KB

MD5
41558725fcbbc23f7cd079e3b4bc0a0e

SHA1
555d832850d1f1133b8591131ac360ce684d07fc

SHA256
1440cdcb9bf73c19e4187b049a8bba9f6c399babe029215e373b0c96fcab2ee2

SHA512
ff638f21b614a8769aead543b5e48c965f4b6bd00326968d0afa30d7316c609faf19bcfa6fa97619e4bf0ac0b5cec61e2f0f715b32f6f628278297cccad9204c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\tweakBIOSDriversFirmwareUpdate_ru.p5p
Filesize
963B

MD5
53a00965d8a59418bc5ec45a6019fc12

SHA1
b172477f9b3b6dc9c65608f772ffc3c4686191f0

SHA256
15c3586e2ab722251f06d00574e168f44c39f72b061e61a3e0185bc7663739d6

SHA512
c1aa559cb25c35f0f33ae0cf4575bf0b2d83c2b3d217be81a5ba5ea4f8df587e109abef0c6ff596a9a6741d2f7fe076a2e36e68c8ab1f8aed13f37e85ed6c461

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\use.id.as.filename.xml
Filesize
992B

MD5
e7fdc5c71842ad912db2da98240ce82e

SHA1
5e603c31454c65c6652baf31dcb0a1cc2f8aba30

SHA256
d47d6b8a47a45b84474c4fa42448d16bf3eae5a212795aedc56e69e0d48ce09d

SHA512
ed281a69b7a8e77c97f101f3788cf0bc209d31e1390b8657f72bd72308df8fdf831204646f525381d57d2f2ce2b2bf3426c9b8af633215f59600b708961e498a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\use.role.as.xrefstyle.xml
Filesize
3KB

MD5
61336616978042341efe07fef41cc82d

SHA1
14fb4628037d8aee65aaf4d2d4be5366bc1afdc5

SHA256
b8b1a7636310b25663d2aa408f39135e4de44be018c80b9261152c6319afd262

SHA512
df0109613d1ddbe0497d60298c9465638ccdcc2eb64bfe89b701d1e36106b5d674796fa52e925d1bb37700c7f0cb5e0b44598d1b50e5fc9a2fc0046b0daf623b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\xslthl-config.xml
Filesize
1KB

MD5
c64c7a25b6c62422f6b4653f4f6174c2

SHA1
787cb46096be939b0c913564590ad9da38c502d4

SHA256
2839673abc0eac4ebd829d6db25ca91f7d86244abced98f72acc2e1e7618a354

SHA512
f7bff4b9aab4c282f59168081d8d64bb5d08773190229deb316994b1a76939d05cbce893c8ea7fc6fb7c7863271d38f1b529e9e958038d796e77262acbea6c7d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\zy______.pfm
Filesize
684B

MD5
7d3be2ec810fa01a9ea7d2a26551cff7

SHA1
7962465ce36a83666fe7a3edcb31e125ed597e93

SHA256
1a5660f3f8bb9d18fd6a710d70af26cf1e167fe040d7daf3ce41e527236e1fec

SHA512
cd4ba616364f37aa8294c9a2a6b64ed3cf0b011cfcffa9056295b5fc23348c2b3cfa96a25954c6dc472053daa1f9f4b08176a515c95abab6ffd7077deb8d7959

Download Submit
\Users\Admin\AppData\Local\Temp\nsy1F83.tmp\System.dll
Filesize
11KB

MD5
883eff06ac96966270731e4e22817e11

SHA1
523c87c98236cbc04430e87ec19b977595092ac8

SHA256
44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

SHA512
60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

Download Submit
\Users\Admin\AppData\Roaming\NsResize.dll
Filesize
60KB

MD5
9c655b0c142db0494026c1ebb1b3923f

SHA1
2dbebe42968e78200688e40ab5b8d25bf8e0b4df

SHA256
ef2d114896f07fc20aed5c3045754de0103813aa31bedb188262cec6fb3263dd

SHA512
51d7efab18f6909daf61534befa2e20eec437c24114f7c21b383004806d4b8869dc12395a972965c89dbeb66fe0282833207b5aa93ec7f085ca7054d0a0d9f1d

Download Submit
memory/608-162-0x0000000000160000-0x00000000001D7000-memory.dmp

Filesize
476KB

Download
memory/608-176-0x0000000000160000-0x00000000001D7000-memory.dmp

Filesize
476KB

Download
memory/608-170-0x0000000000160000-0x00000000001D7000-memory.dmp

Filesize
476KB

Download
memory/608-161-0x0000000000160000-0x00000000001D7000-memory.dmp

Filesize
476KB

Download
memory/608-172-0x0000000000160000-0x00000000001D7000-memory.dmp

Filesize
476KB

Download
memory/608-165-0x0000000000160000-0x00000000001D7000-memory.dmp

Filesize
476KB

Download
memory/608-168-0x0000000000160000-0x00000000001D7000-memory.dmp

Filesize
476KB

Download
memory/608-1406-0x0000000000160000-0x00000000001D7000-memory.dmp

Filesize
476KB

Download
memory/608-164-0x0000000000160000-0x00000000001D7000-memory.dmp

Filesize
476KB

Download
memory/1004-1541-0x00000000004F0000-0x0000000000500000-memory.dmp

Filesize
64KB

Download
memory/2020-62-0x0000000000530000-0x0000000000540000-memory.dmp

Filesize
64KB

Download
memory/2184-1553-0x0000000000950000-0x0000000000B9B000-memory.dmp

Filesize
2.3MB

Download
memory/2184-1554-0x0000000000950000-0x0000000000B9B000-memory.dmp

Filesize
2.3MB

Download
memory/2208-149-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2208-1418-0x00000000008C0000-0x0000000000B0B000-memory.dmp

Filesize
2.3MB

Download
memory/2208-1429-0x00000000008C0000-0x0000000000B0B000-memory.dmp

Filesize
2.3MB

Download
memory/2208-158-0x00000000008C0000-0x0000000000B0B000-memory.dmp

Filesize
2.3MB

Download
memory/2412-75-0x0000000000400000-0x00000000004A4600-memory.dmp

Filesize
657KB

Download
memory/2412-65-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2412-71-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2412-69-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2412-67-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2412-74-0x00000000006F0000-0x000000000090A000-memory.dmp

Filesize
2.1MB

Download
memory/2412-73-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2412-76-0x0000000000910000-0x0000000000B5B000-memory.dmp

Filesize
2.3MB

Download
memory/2596-142-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads