floxif | 4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc

Analysis

max time kernel
149s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-12-2024 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc.exe
Size

124KB
MD5

06ceb19dea361d4012aa159f6374436c
SHA1

3e35ad7f8af396838bb3612b4f2dda01565c4cad
SHA256

4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc
SHA512

4f48555d9c55a34ff97779bf9602f6b655e5799eb22234e99921b2d2043defcd8c6f9ea1bfe9e541fecd5908ae7961a3eed31c7a7c19dfa4f3a766d0798e447b
SSDEEP

1536:gdd/uHw79MOQ3Ss7TN2s+zheW6BVrqzCJ3bdDY+W14N4NmzWlIA7hKRQw:yugQ33l2lQBV+UdE+rECWp7hKP

Score

10^/10

floxif backdoor discovery evasion persistence trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	ppsap.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ppsap.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc.exe

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x000700000001211a-1.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000700000001211a-1.dat	acprotect

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\????.lnk	4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\????.lnk	ppsap.exe

Executes dropped EXE 64 IoCs

pid	Process
2088	ppsap.exe
3056	ppsap.exe
2672	ppsap.exe
2332	ppsap.exe
2724	ppsap.exe
2800	ppsap.exe
2644	ppsap.exe
2476	ppsap.exe
2556	ppsap.exe
3020	ppsap.exe
2960	ppsap.exe
1192	ppsap.exe
276	ppsap.exe
392	ppsap.exe
1576	ppsap.exe
264	ppsap.exe
836	ppsap.exe
1252	ppsap.exe
2696	ppsap.exe
2776	ppsap.exe
2932	ppsap.exe
2968	ppsap.exe
1492	ppsap.exe
444	ppsap.exe
2132	ppsap.exe
2516	ppsap.exe
940	ppsap.exe
1924	ppsap.exe
544	ppsap.exe
2992	ppsap.exe
1868	ppsap.exe
2040	ppsap.exe
1324	ppsap.exe
840	ppsap.exe
2820	ppsap.exe
1652	ppsap.exe
2204	ppsap.exe
1976	ppsap.exe
856	ppsap.exe
948	ppsap.exe
2352	ppsap.exe
2864	ppsap.exe
864	ppsap.exe
1720	ppsap.exe
1584	ppsap.exe
1592	ppsap.exe
2560	ppsap.exe
2840	ppsap.exe
2196	ppsap.exe
2328	ppsap.exe
1616	ppsap.exe
796	ppsap.exe
1784	ppsap.exe
1356	ppsap.exe
264	ppsap.exe
2548	ppsap.exe
620	ppsap.exe
980	ppsap.exe
2804	ppsap.exe
2540	ppsap.exe
2972	ppsap.exe
2796	ppsap.exe
2924	ppsap.exe
1784	ppsap.exe

Loads dropped DLL 64 IoCs

pid	Process
2912	4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc.exe
2912	4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc.exe
2912	4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe
2088	ppsap.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PPS Accelerator = "C:\\Windows\\system32\\ppsap.exe"	4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PPS Accelerator = "C:\\Windows\\system32\\ppsap.exe"	ppsap.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ppsap.exe	4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc.exe
File opened for modification	C:\Windows\SysWOW64\ppsap.exe	4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001211a-1.dat	upx
behavioral1/memory/2912-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2912-23-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 701a9de5a858db01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F66C5AF1-C49B-11EF-923A-F2DF7204BD4F} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004fd55b5da64cc444bda650c5fe5dccad00000000020000000000106600000001000020000000840af89ba47770c237f262de1ed11e7bf241ccdf8b00c52bdded77bc3d10cbcd000000000e8000000002000020000000da3285c8a5eb2c420e0f1507e76a30bf40198509669fb12e79ebffafdf6ed130200000003c812c0e7c531eb5a343578d3c021f3b4f2fb048d5e8189438f880195750fc11400000007e1b877df00519eebc44a75f4af962cff06cbebf6fbb65e344c48c7130d9c3e012f4d40cc4566a3d2d9de0287c6ea70076da74f1d0ef06b02035adadbb7dfa0e	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441497827"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004fd55b5da64cc444bda650c5fe5dccad00000000020000000000106600000001000020000000c9f6662b228e381d4a466f980e32a668d4904a64b1fb6e631221528cb81ccdfd000000000e80000000020000200000001863498a60eb28b32d0ae4461ad43429ce947152198d30480ae651c3989d06a590000000b32a6e5cbfe4a60f30724a01a21e704679e39bb5647624c077e76318e483fe7a5489a0c72cb465768d2c2edbdd116e45f3769627d7410dc33d1fe2d5d1ef9c00f9a2ceec70bbbfa84842004ce7cb143c178d4098ac08164e29b818624735ef1fc3b3e29f2447b8bf42115ef070f1229a6a6dd2375646c11eca49c51fd6e60c04b0fdeed28013e8ed0615f4803f0373b840000000b48a053a92a022dd34594d09426c520bd78554a8ac2e99a0208d86cd9220e1e7fca9e722353ea248ca016a1128a7f66c9e90b9d42643099266b1617bcbe5ff6c	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2912	4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2276	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2912	4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc.exe
2088	ppsap.exe
2276	IEXPLORE.EXE
2276	IEXPLORE.EXE
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
3056	ppsap.exe
2672	ppsap.exe
2332	ppsap.exe
2724	ppsap.exe
2800	ppsap.exe
2644	ppsap.exe
2476	ppsap.exe
2556	ppsap.exe
3020	ppsap.exe
2960	ppsap.exe
1192	ppsap.exe
276	ppsap.exe
392	ppsap.exe
1576	ppsap.exe
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
264	ppsap.exe
836	ppsap.exe
1252	ppsap.exe
2696	ppsap.exe
2776	ppsap.exe
2932	ppsap.exe
2968	ppsap.exe
1492	ppsap.exe
444	ppsap.exe
2132	ppsap.exe
2516	ppsap.exe
940	ppsap.exe
1924	ppsap.exe
544	ppsap.exe
2992	ppsap.exe
1868	ppsap.exe
2040	ppsap.exe
1324	ppsap.exe
840	ppsap.exe
2820	ppsap.exe
1652	ppsap.exe
2204	ppsap.exe
1976	ppsap.exe
856	ppsap.exe
948	ppsap.exe
2352	ppsap.exe
2864	ppsap.exe
864	ppsap.exe
1720	ppsap.exe
1584	ppsap.exe
1592	ppsap.exe
2560	ppsap.exe
2840	ppsap.exe
2196	ppsap.exe
2328	ppsap.exe
1616	ppsap.exe
796	ppsap.exe
1784	ppsap.exe
1356	ppsap.exe
264	ppsap.exe
2548	ppsap.exe
620	ppsap.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2088	2912	4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc.exe	28
PID 2912 wrote to memory of 2088	2912	4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc.exe	28
PID 2912 wrote to memory of 2088	2912	4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc.exe	28
PID 2912 wrote to memory of 2088	2912	4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc.exe	28
PID 2088 wrote to memory of 2276	2088	ppsap.exe	29
PID 2088 wrote to memory of 2276	2088	ppsap.exe	29
PID 2088 wrote to memory of 2276	2088	ppsap.exe	29
PID 2088 wrote to memory of 2276	2088	ppsap.exe	29
PID 2276 wrote to memory of 2192	2276	IEXPLORE.EXE	30
PID 2276 wrote to memory of 2192	2276	IEXPLORE.EXE	30
PID 2276 wrote to memory of 2192	2276	IEXPLORE.EXE	30
PID 2276 wrote to memory of 2192	2276	IEXPLORE.EXE	30
PID 2088 wrote to memory of 3056	2088	ppsap.exe	31
PID 2088 wrote to memory of 3056	2088	ppsap.exe	31
PID 2088 wrote to memory of 3056	2088	ppsap.exe	31
PID 2088 wrote to memory of 3056	2088	ppsap.exe	31
PID 2088 wrote to memory of 2672	2088	ppsap.exe	32
PID 2088 wrote to memory of 2672	2088	ppsap.exe	32
PID 2088 wrote to memory of 2672	2088	ppsap.exe	32
PID 2088 wrote to memory of 2672	2088	ppsap.exe	32
PID 2088 wrote to memory of 2332	2088	ppsap.exe	34
PID 2088 wrote to memory of 2332	2088	ppsap.exe	34
PID 2088 wrote to memory of 2332	2088	ppsap.exe	34
PID 2088 wrote to memory of 2332	2088	ppsap.exe	34
PID 2088 wrote to memory of 2724	2088	ppsap.exe	35
PID 2088 wrote to memory of 2724	2088	ppsap.exe	35
PID 2088 wrote to memory of 2724	2088	ppsap.exe	35
PID 2088 wrote to memory of 2724	2088	ppsap.exe	35
PID 2088 wrote to memory of 2800	2088	ppsap.exe	36
PID 2088 wrote to memory of 2800	2088	ppsap.exe	36
PID 2088 wrote to memory of 2800	2088	ppsap.exe	36
PID 2088 wrote to memory of 2800	2088	ppsap.exe	36
PID 2088 wrote to memory of 2644	2088	ppsap.exe	37
PID 2088 wrote to memory of 2644	2088	ppsap.exe	37
PID 2088 wrote to memory of 2644	2088	ppsap.exe	37
PID 2088 wrote to memory of 2644	2088	ppsap.exe	37
PID 2088 wrote to memory of 2476	2088	ppsap.exe	38
PID 2088 wrote to memory of 2476	2088	ppsap.exe	38
PID 2088 wrote to memory of 2476	2088	ppsap.exe	38
PID 2088 wrote to memory of 2476	2088	ppsap.exe	38
PID 2088 wrote to memory of 2556	2088	ppsap.exe	39
PID 2088 wrote to memory of 2556	2088	ppsap.exe	39
PID 2088 wrote to memory of 2556	2088	ppsap.exe	39
PID 2088 wrote to memory of 2556	2088	ppsap.exe	39
PID 2088 wrote to memory of 3020	2088	ppsap.exe	40
PID 2088 wrote to memory of 3020	2088	ppsap.exe	40
PID 2088 wrote to memory of 3020	2088	ppsap.exe	40
PID 2088 wrote to memory of 3020	2088	ppsap.exe	40
PID 2088 wrote to memory of 2960	2088	ppsap.exe	41
PID 2088 wrote to memory of 2960	2088	ppsap.exe	41
PID 2088 wrote to memory of 2960	2088	ppsap.exe	41
PID 2088 wrote to memory of 2960	2088	ppsap.exe	41
PID 2088 wrote to memory of 1192	2088	ppsap.exe	44
PID 2088 wrote to memory of 1192	2088	ppsap.exe	44
PID 2088 wrote to memory of 1192	2088	ppsap.exe	44
PID 2088 wrote to memory of 1192	2088	ppsap.exe	44
PID 2088 wrote to memory of 276	2088	ppsap.exe	45
PID 2088 wrote to memory of 276	2088	ppsap.exe	45
PID 2088 wrote to memory of 276	2088	ppsap.exe	45
PID 2088 wrote to memory of 276	2088	ppsap.exe	45
PID 2088 wrote to memory of 392	2088	ppsap.exe	46
PID 2088 wrote to memory of 392	2088	ppsap.exe	46
PID 2088 wrote to memory of 392	2088	ppsap.exe	46
PID 2088 wrote to memory of 392	2088	ppsap.exe	46

C:\Users\Admin\AppData\Local\Temp\4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc.exe
"C:\Users\Admin\AppData\Local\Temp\4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\SysWOW64\ppsap.exe
  C:\Windows\system32\ppsap.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://shop58477515.taobao.com/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2276 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2192
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3056
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2672
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2332
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2724
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2800
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2644
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2476
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2556
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3020
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2960
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1192
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:276
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:392
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1576
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:264
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:836
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1252
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2696
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2776
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2932
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2968
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1492
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:444
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2132
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2516
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:940
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1924
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:544
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2992
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1868
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2040
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1324
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:840
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2820
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1652
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2204
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1976
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:856
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:948
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2352
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2864
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:864
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1720
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1584
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1592
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2560
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2840
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2196
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2328
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1616
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:796
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1784
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1356
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:264
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2548
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:620
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    PID:980
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2804
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    PID:2540
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2972
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    PID:2796
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    PID:2924
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1784
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:3008
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1300
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1724
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2152
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:2504
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2120
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2532
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:2480
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2616
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2948
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2528
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2956
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1916
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2256
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:1288
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1616
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:796
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1332
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:264
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2792
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2940
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2740
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2980
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:1856
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1600
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:444
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:988
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:544
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:900
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:684
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:1888
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:780
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:1380
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1756
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1656
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2316
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2888
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2216
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2104
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3012
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2252
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2212
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2564
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2304
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b680002ac73cd57ead260b4d637dc96

SHA1
820a212a00c4382db70163904a3dc600ce7edfb8

SHA256
075389b5a26829b5d14c55625b3eec82a99c1c0bba238f8615e5e6536629e0d9

SHA512
a151cafdf43a4b961a8fc38624c0a2f840f0bbd81a747e234ff534132c5c4593e1bac6e8d2cd355eb0497c81dfa7a5052deba0489d109a7de821611f322d63d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ea8d226d8f0808dc8f505cf27f8a641

SHA1
7fc49b4bb5585c80ccc857d3e64855f90b7cdfb9

SHA256
33d836334154a76336850bae3c2c6a217379e7fbaf12be9d31669bdf80b57397

SHA512
194950d09cb1460a6ab798e02680f7fdbbea8686f1092858f294ac3f82da95209751308d27a5625ff35d4d3eea1c2b17ac74675761dc680d99dacfff07259945

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5606ebc3ab3be947a9956d1912ec1482

SHA1
d78420810fd8d643a7c686a32fa006673c055554

SHA256
f68dd8644e10d84968b377d56c08414fef4642d329b3560323a9908731ac9349

SHA512
6686aea4559c39c671c01b30176d37d3800173b41ecfef78f3e76f7af12a6d1cafc681b697889ca1b4a8a541b30757f83a54a44e46ecbe946fed0b1076ad41ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03c4f5c8a193c30847c1d77d734968f2

SHA1
fbc50b2303c5ca80638cdcac3d4a04dbd28b11c4

SHA256
fa7117b849d5cf6c543bda0cb8703a2416ee810e060db372463d0a3edc5ba414

SHA512
c304cf0d0f79af5b0cc4bae64fb9c650185c2bd2587766d6b50fb712b7876e8b3a2023f280fd3a805f5c58d6436df0370d59e7b35b963cdc9dd4af3db845d960

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dfe3c7dedffdb3e8e57672a6ffecfdbb

SHA1
1eb92de2da8c389f496b6c75b3f9f7d748c1645b

SHA256
2f67f6624000378c27f8314f8cb35189d401f3d51adcaace0b70db869015a67a

SHA512
d98fe337b5912685e123be3920a2c83c27205bc10c0c29cfd55170edaa7a0dbe0a39d37a5dbaf29ab750599b95ca03028922f8d7b3a6104f3bebdd76b24d8938

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0091fdc1cebe58e8e69ffa7e05146e74

SHA1
bc07ff79812a54ed2eda187ae30879f0cd4b7907

SHA256
f1e95c81b2676cef4a209a5c0a86b4ab04fa9e6dbe0a751161209846d00034e4

SHA512
fdef89e780480c50ed5627fa529976a7921ad5c5dc8d548bd9f69b117564e6a2608d0144fc6ba1e19a98ee695cbef775df766fc40a28b05f19c72af66c590c9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb0dc069d9bbc723561e54795f94ae8f

SHA1
62474b675ee07e230869da50b3bdec88e1eac50f

SHA256
58bdf9e8b57611ece1aece083f74d6586f751def3bcfe540b016a78f67113a4c

SHA512
f102d2a381c3e59d88953521d697d69dab1b1984b09b373377acd3c7fc5c5845ab36711c1cf9bd9e07b9e689a5f512803a891cc661c10fc022ef97468ad1e415

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f15b1db11ed55d2305f69463f10089b0

SHA1
0dabcb445bfa5cad7b39557ff4fadb4a528cf96f

SHA256
7b15d42848960d76cbb3a6b85bfb65d825312f8ec608bd24967ad09b22ffcb57

SHA512
28e78ab25c0d9196fe5a885a4add7aabe671670ba654938c52fc9bb927a5ee3b52d60b1cfec4276db2d2efc974d4c4acf6833d8a47d694c23c45104077177de2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5cbb8debaf88bd793d2915f96832d78d

SHA1
f4b98c1829959acd9c4009571ee686ccd19fee0c

SHA256
306b1b162ef1c0ad8c634394be53dc7e817f0aa932d6bb80be9f68a66425bbec

SHA512
757a35f460322a563598e8ff77375aae2e0f3e94571a464f6b329528c576ba46d70462e6212619ccb1bd8c572a12adab238ad74ae7f5fbfd7cbffa24ced82082

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87393d1f76dd152eab9bb870947e8e61

SHA1
75ddaef2bc9962adfd8da89cc2072d4e2a79a7ab

SHA256
b57a1475010a80a5ce08cf052c02f78780237126702eb416862de02e1cea70e0

SHA512
457eb7ac05544ff3e56c305723912506bb2f9d4a4b79c16debdaadd15291d2eda8e9211a86df7c7f504aca26dd7ed3e684b1d1f51d85f354d4930a074e9171c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
555dbf5fbc8e5830852b6245732a4419

SHA1
0b6d7747a4203c9f689a1c8be7836b64d0d797e7

SHA256
8da356632a0372340c07d832a14deae1994aa9e5c425ee7c315279108a4f9dba

SHA512
ea3e3245b8d0b0c69b0744bd45e8ad605028c93e551e0ee68543e5888ec2e8fde23890610ae55db9f786ead358e2926bc4a4b256cc2724adc75bfc99d90fef17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04b4656cef70b14a11273a8c3b8d8f4f

SHA1
94729460f85fddfd849ccc47640988ed89a5c906

SHA256
40441dce7a412e8c500b10bc9fe21b492edaa37812bce5d441220655a7c34123

SHA512
4a04f26e44caf617db17eddc452840c51d3d951de8f2b6cecb02df650c5b73ab10b4c73e6d4db5f8d3d68ad62523a6210eb34ffa56cf70e0d2555099c09d9a5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3618884d9a74c54be7b361da10411b3d

SHA1
79723868622f5ce281ed34049a512efaa6921492

SHA256
670d96e9ad49b76503658e1cb5e094cb49146cb22a55ae985e02f2978f4bb699

SHA512
bf00af807879e64c6f87c38d6e2b6c934dc06badaa316f915eec2c1d9083ace63d85f3bb36ac46ee210fc429f0db9f830362b9c647d1427f4704e809e4c8af3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61ccadfa26c4f063fb50e11f9d76d75c

SHA1
d395fde5aff5a3748ebd35fe2a6b9b7e20b4f93a

SHA256
d7d5ffe087613b04da456b995a8dde466b2dbc39b0789e631129f63365c00f83

SHA512
61fa917ec7f9631ce7c01fc68cb11152072fe83d172d2aa64b564a88f58e417b242c0d374f7e2375b9572261c2a800407e03a515a659552712c5eee491643b0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
516b76e01047467b35373c2fba3d945f

SHA1
e696a5255308ad88c6d091858aa4ffffd39a34b7

SHA256
0fb40e7e278a9a99fd082e9d84e9e2592d1ebe54ea0e6605a612a4f0bb2e7fb8

SHA512
d5a6ed912499363ed186c5579565eb1e3a504fcb9199c8d75b3d83b36d338cf6bd7f542c9638fc700902b8cbb2231ca46bef2a599e94edf455a4090e0003437a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26c1cb9c6fe2b046784fae1f713e77e9

SHA1
8e3c7397b077c7bf76dda119aada082276d83787

SHA256
01f8e6b2916601414b517d2c8a43d34c2f9aed553dcb22f2403f02239bcf0eb0

SHA512
0b7f41ffea236fcfbce018d9ba5cc288ea37c87f850bb0fd67550e11238b1d1d66b8ae799df4b22bd3d65ee10a6884d4a86ec8e6465033eddedd7315d9b7bb3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
547a537e33da7a78ac8f7920cfe91189

SHA1
17c01b240194f1471cfb7c78ea9997789cdf124e

SHA256
7894ea348dd345bcf2d2490295e890eaccd4fcb69412e27b0f017296abf0c9a7

SHA512
2f7166f242c76e87602cc46c6761601d7a37af723f940b0ecf54f90f8c84391229035f132b1b61a02bd61be4fdbebc2671c7b2b403ca6beddf7a4163c575acaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9a2403b77378756f52db2f135ded71a0

SHA1
598ad0f566e2ec6a4b6f98b7afb96cea316532d1

SHA256
3cb0aa32c6b6d1d929174030e981b94f9c26dbefc9fb5309e818d3f5893d64c6

SHA512
14b16eddc1ecfabb380296d41715c966ab87ac2c9f0d711066eb9c09c7e2fbd9cea3a7254f85abcea9ff476b546c238f7893c10765ad991ed712c596b069cf5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
666321ff752eb263650aa485c321907d

SHA1
d3625309379da63f005d091f62f3755a4aeab0f5

SHA256
85dc9ff9b7b8af610ed10c57a5b251c5d7c23bd2d9259820cc43f9ed2bfcd657

SHA512
09f9f1572eeee434e40411ba0b98f181b7f1d1d08f49cc6b8ba08de9cc1ecdf11c4b952348eec95451e4b3173d2142f8d828f1fe123228409ca5929306ba0c05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c92716765135c16830fa2834848eb1b

SHA1
842afef4e70187c4d8aae2dfbca426d4ee2fb4fb

SHA256
7a1276ea3fc506eb009c7fded049727a34b35be5f1d151e1926097dfd4135a96

SHA512
8cdd83ef23f035430904de05f1009c2d382c52b548b34791429c1441ba8dd5ebf02d36bd3e93686efb0fee4af8d249a61244a58d5d3172f5f4d114e7100137c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a2e7ed8634413d6902f2733d4769935

SHA1
9c68db9f4e50c0bf2f023db5c03fe2ecce93fe6c

SHA256
4f64e105d902577edabc0b65874549696ca4ae68c73d22c45f47cdf677b58283

SHA512
5dbb84321f4f00737b2ca8edfdc03d4c70f4d3a54e13c25c3c52334e7146ce07ec24f9bae24d2d942eae25860a134da343ef087c7d945d4411d19a7b6b9021b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab648E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6500.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\ppsap.exe

Filesize
48KB

MD5
3737ba529e30d839994b9c5ed8d12f74

SHA1
74aeb4d74ef1c4470cbdf2737d796e7dd4a5ba2f

SHA256
c2bbe83bd4544f9bdec1180ab56f9e0280d5e07ff24bc7aac7990f1053c1cf46

SHA512
8bb4e15f0e0512a964f3c71e1373a30ee8d0fffed58161d4cfe8d1c757eae2fcd51e6d697018d88e0829ed205ad28417aafa9585594fa58e92246139f5a8dcd1

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
memory/2912-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2912-7-0x0000000000403000-0x0000000000407000-memory.dmp

Filesize
16KB

Download
memory/2912-23-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads