netsupport | hxxps://bazaar[.]abuse[.]ch/download/b2cc5cd7b2821ccfa288acd115b555298c1db1f166035be82a2b6f912ce6cfd0/

Analysis

max time kernel
257s
max time network
252s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2023, 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bazaar.abuse.ch/download/b2cc5cd7b2821ccfa288acd115b555298c1db1f166035be82a2b6f912ce6cfd0/

Score

10^/10

netsupport rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Executes dropped EXE 5 IoCs

pid	Process
3648	client32.exe
4072	putty.exe
6024	remcmdstub.exe
5036	client32.exe
3348	client32.exe

Loads dropped DLL 5 IoCs

pid	Process
3348	client32.exe
3348	client32.exe
3348	client32.exe
3348	client32.exe
3348	client32.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\7zE4D5E850B\desktop.ini	7zFM.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\7zE4D5E850B\desktop.ini	7zFM.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\b2cc5cd7b2821ccfa288acd115b555298c1db1f166035be82a2b6f912ce6cfd0.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
5588	7zFM.exe
5588	7zFM.exe
5588	7zFM.exe
5588	7zFM.exe
5588	7zFM.exe
5588	7zFM.exe
5588	7zFM.exe
5588	7zFM.exe
5588	7zFM.exe
5588	7zFM.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5588	7zFM.exe
4220	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	4340	firefox.exe
Token: SeDebugPrivilege	4340	firefox.exe
Token: SeDebugPrivilege	4340	firefox.exe
Token: SeRestorePrivilege	948	7zG.exe
Token: 35	948	7zG.exe
Token: SeSecurityPrivilege	948	7zG.exe
Token: SeSecurityPrivilege	948	7zG.exe
Token: SeRestorePrivilege	5588	7zFM.exe
Token: 35	5588	7zFM.exe
Token: SeSecurityPrivilege	5588	7zFM.exe
Token: SeSecurityPrivilege	5588	7zFM.exe
Token: SeSecurityPrivilege	5588	7zFM.exe
Token: SeSecurityPrivilege	5588	7zFM.exe
Token: SeSecurityPrivilege	5588	7zFM.exe
Token: SeSecurityPrivilege	3348	client32.exe
Token: SeDebugPrivilege	4220	taskmgr.exe
Token: SeSystemProfilePrivilege	4220	taskmgr.exe
Token: SeCreateGlobalPrivilege	4220	taskmgr.exe
Token: 33	4220	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4220	taskmgr.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
948	7zG.exe
5588	7zFM.exe
5588	7zFM.exe
5588	7zFM.exe
5588	7zFM.exe
5588	7zFM.exe
5588	7zFM.exe
5588	7zFM.exe
5588	7zFM.exe
3348	client32.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe

Suspicious use of SendNotifyMessage 46 IoCs

pid	Process
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe
4220	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 4340	4368	firefox.exe	87
PID 4368 wrote to memory of 4340	4368	firefox.exe	87
PID 4368 wrote to memory of 4340	4368	firefox.exe	87
PID 4368 wrote to memory of 4340	4368	firefox.exe	87
PID 4368 wrote to memory of 4340	4368	firefox.exe	87
PID 4368 wrote to memory of 4340	4368	firefox.exe	87
PID 4368 wrote to memory of 4340	4368	firefox.exe	87
PID 4368 wrote to memory of 4340	4368	firefox.exe	87
PID 4368 wrote to memory of 4340	4368	firefox.exe	87
PID 4368 wrote to memory of 4340	4368	firefox.exe	87
PID 4368 wrote to memory of 4340	4368	firefox.exe	87
PID 4340 wrote to memory of 4060	4340	firefox.exe	88
PID 4340 wrote to memory of 4060	4340	firefox.exe	88
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 4716	4340	firefox.exe	89
PID 4340 wrote to memory of 3976	4340	firefox.exe	90
PID 4340 wrote to memory of 3976	4340	firefox.exe	90
PID 4340 wrote to memory of 3976	4340	firefox.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://bazaar.abuse.ch/download/b2cc5cd7b2821ccfa288acd115b555298c1db1f166035be82a2b6f912ce6cfd0/"
1⤵
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://bazaar.abuse.ch/download/b2cc5cd7b2821ccfa288acd115b555298c1db1f166035be82a2b6f912ce6cfd0/
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4340.0.1714117110\1612672245" -parentBuildID 20221007134813 -prefsHandle 1856 -prefMapHandle 1848 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ce5aee4-eef5-46ef-8149-d2bb60b745cf} 4340 "\\.\pipe\gecko-crash-server-pipe.4340" 1948 1f1dc0d8858 gpu
    3⤵
    PID:4060
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4340.1.825566345\462777936" -parentBuildID 20221007134813 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {177edf20-7d61-4948-9801-59ea8f451a13} 4340 "\\.\pipe\gecko-crash-server-pipe.4340" 2368 1f1dc00c658 socket
    3⤵
    - Checks processor information in registry
    PID:4716
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4340.2.1768097090\2043252934" -childID 1 -isForBrowser -prefsHandle 3028 -prefMapHandle 3048 -prefsLen 21857 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24eb17f0-ceda-46ca-94aa-fbed1b997f2d} 4340 "\\.\pipe\gecko-crash-server-pipe.4340" 3020 1f1e01f3a58 tab
    3⤵
    PID:3976
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4340.3.1091952124\453341608" -childID 2 -isForBrowser -prefsHandle 3988 -prefMapHandle 3940 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ce0c4c8-9bae-47c3-b47d-726a9c3250d1} 4340 "\\.\pipe\gecko-crash-server-pipe.4340" 4000 1f1cf833e58 tab
    3⤵
    PID:2728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4340.6.2088404579\486505814" -childID 5 -isForBrowser -prefsHandle 5100 -prefMapHandle 5104 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e78dfac-eae7-42c9-8cc4-fe00766b5ce3} 4340 "\\.\pipe\gecko-crash-server-pipe.4340" 5088 1f1e255e158 tab
    3⤵
    PID:1680
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4340.5.1707095381\1363477305" -childID 4 -isForBrowser -prefsHandle 4916 -prefMapHandle 4920 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5406144-b7a2-4824-b992-4f9ed0b41530} 4340 "\\.\pipe\gecko-crash-server-pipe.4340" 4908 1f1e255f658 tab
    3⤵
    PID:2756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4340.4.552061175\369371114" -childID 3 -isForBrowser -prefsHandle 4856 -prefMapHandle 4860 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdcd3065-dc3f-4ce2-843f-ef66fca6ffce} 4340 "\\.\pipe\gecko-crash-server-pipe.4340" 4704 1f1e255de58 tab
    3⤵
    PID:1760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4340.7.850933626\1251983949" -childID 6 -isForBrowser -prefsHandle 5580 -prefMapHandle 5636 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {84981a89-7120-4bab-83ad-03c28368e238} 4340 "\\.\pipe\gecko-crash-server-pipe.4340" 5648 1f1e2ae2058 tab
    3⤵
    PID:4928

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2716

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\b2cc5cd7b2821ccfa288acd115b555298c1db1f166035be82a2b6f912ce6cfd0\" -spe -an -ai#7zMap23012:190:7zEvent29602
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:948

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\b2cc5cd7b2821ccfa288acd115b555298c1db1f166035be82a2b6f912ce6cfd0\b2cc5cd7b2821ccfa288acd115b555298c1db1f166035be82a2b6f912ce6cfd0.zip"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5588
- C:\Users\Admin\AppData\Local\Temp\7zO4D511BE9\client32.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4D511BE9\client32.exe"
  2⤵
  - Executes dropped EXE
  PID:3648
- C:\Users\Admin\AppData\Local\Temp\7zO4D542F89\putty.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4D542F89\putty.exe"
  2⤵
  - Executes dropped EXE
  PID:4072
- C:\Users\Admin\AppData\Local\Temp\7zO4D5F04A9\remcmdstub.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4D5F04A9\remcmdstub.exe"
  2⤵
  - Executes dropped EXE
  PID:6024
- C:\Users\Admin\AppData\Local\Temp\7zO4D56235A\client32.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4D56235A\client32.exe"
  2⤵
  - Executes dropped EXE
  PID:5036

C:\Users\Admin\Desktop\mnbkjh\client32.exe
"C:\Users\Admin\Desktop\mnbkjh\client32.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3348

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\t9nv4f6k.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
ac8609b499814c241b784d3401c54d01

SHA1
1ac9bcc532211835e466dfa34633ce58562c4e98

SHA256
43d93d376ceab8281821ef7ceb82771eeb2053f0076ffe1ca11c84e149fc9dac

SHA512
e1fc7c2014de548c4e06ae739c08177240998431cafb25265a581cb26e35b6bdff939c03629598c225e470f39455f5ac2a6ceda84dbf356e6c41dcf3947d43a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4D511BE9\client32.exe

Filesize
99KB

MD5
f70b67c2b3204b7ddd8b755799cccff0

SHA1
a42e55e328d62d11e687c167bb7049d46f0f9b26

SHA256
213af995d4142854b81af3cf73dee7ffe9d8ad6e84fda6386029101dbf3df897

SHA512
54fcba8a063bfbaae4c3a39624bf3407db6af5699ab8686f936ab03c5864df7a44d089066fa2d4aedf5ad50d6b04624966a5111bf57bec1dda74a571f1dd7c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4D511BE9\client32.exe

Filesize
99KB

MD5
f70b67c2b3204b7ddd8b755799cccff0

SHA1
a42e55e328d62d11e687c167bb7049d46f0f9b26

SHA256
213af995d4142854b81af3cf73dee7ffe9d8ad6e84fda6386029101dbf3df897

SHA512
54fcba8a063bfbaae4c3a39624bf3407db6af5699ab8686f936ab03c5864df7a44d089066fa2d4aedf5ad50d6b04624966a5111bf57bec1dda74a571f1dd7c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4D511BE9\client32.exe

Filesize
99KB

MD5
f70b67c2b3204b7ddd8b755799cccff0

SHA1
a42e55e328d62d11e687c167bb7049d46f0f9b26

SHA256
213af995d4142854b81af3cf73dee7ffe9d8ad6e84fda6386029101dbf3df897

SHA512
54fcba8a063bfbaae4c3a39624bf3407db6af5699ab8686f936ab03c5864df7a44d089066fa2d4aedf5ad50d6b04624966a5111bf57bec1dda74a571f1dd7c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4D542F89\putty.exe

Filesize
1.6MB

MD5
f838fdafd0881cf1e6040a07d78e840d

SHA1
2a35456b2f67bd12905378beb6eaf373f6a0d0d1

SHA256
fc6f9dbdf4b9f8dd1f5f3a74cb6e55119d3fe2c9db52436e10ba07842e6c3d7c

SHA512
5c0389eb79e5c2638c0d770cde1a5c56a237aa596503966d4f226a99f94531af501f8bf4efa00722e12998f73271e50d8c187f8e984125affe40b1ab231503b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4D542F89\putty.exe

Filesize
1.6MB

MD5
f838fdafd0881cf1e6040a07d78e840d

SHA1
2a35456b2f67bd12905378beb6eaf373f6a0d0d1

SHA256
fc6f9dbdf4b9f8dd1f5f3a74cb6e55119d3fe2c9db52436e10ba07842e6c3d7c

SHA512
5c0389eb79e5c2638c0d770cde1a5c56a237aa596503966d4f226a99f94531af501f8bf4efa00722e12998f73271e50d8c187f8e984125affe40b1ab231503b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4D542F89\putty.exe

Filesize
1.6MB

MD5
f838fdafd0881cf1e6040a07d78e840d

SHA1
2a35456b2f67bd12905378beb6eaf373f6a0d0d1

SHA256
fc6f9dbdf4b9f8dd1f5f3a74cb6e55119d3fe2c9db52436e10ba07842e6c3d7c

SHA512
5c0389eb79e5c2638c0d770cde1a5c56a237aa596503966d4f226a99f94531af501f8bf4efa00722e12998f73271e50d8c187f8e984125affe40b1ab231503b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4D56235A\client32.exe

Filesize
99KB

MD5
f70b67c2b3204b7ddd8b755799cccff0

SHA1
a42e55e328d62d11e687c167bb7049d46f0f9b26

SHA256
213af995d4142854b81af3cf73dee7ffe9d8ad6e84fda6386029101dbf3df897

SHA512
54fcba8a063bfbaae4c3a39624bf3407db6af5699ab8686f936ab03c5864df7a44d089066fa2d4aedf5ad50d6b04624966a5111bf57bec1dda74a571f1dd7c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4D56235A\client32.exe

Filesize
99KB

MD5
f70b67c2b3204b7ddd8b755799cccff0

SHA1
a42e55e328d62d11e687c167bb7049d46f0f9b26

SHA256
213af995d4142854b81af3cf73dee7ffe9d8ad6e84fda6386029101dbf3df897

SHA512
54fcba8a063bfbaae4c3a39624bf3407db6af5699ab8686f936ab03c5864df7a44d089066fa2d4aedf5ad50d6b04624966a5111bf57bec1dda74a571f1dd7c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4D5F04A9\remcmdstub.exe

Filesize
62KB

MD5
6fca49b85aa38ee016e39e14b9f9d6d9

SHA1
b0d689c70e91d5600ccc2a4e533ff89bf4ca388b

SHA256
fedd609a16c717db9bea3072bed41e79b564c4bc97f959208bfa52fb3c9fa814

SHA512
f9c90029ff3dea84df853db63dace97d1c835a8cf7b6a6227a5b6db4abe25e9912dfed6967a88a128d11ab584663e099bf80c50dd879242432312961c0cfe622

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4D5F04A9\remcmdstub.exe

Filesize
62KB

MD5
6fca49b85aa38ee016e39e14b9f9d6d9

SHA1
b0d689c70e91d5600ccc2a4e533ff89bf4ca388b

SHA256
fedd609a16c717db9bea3072bed41e79b564c4bc97f959208bfa52fb3c9fa814

SHA512
f9c90029ff3dea84df853db63dace97d1c835a8cf7b6a6227a5b6db4abe25e9912dfed6967a88a128d11ab584663e099bf80c50dd879242432312961c0cfe622

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4D5F04A9\remcmdstub.exe

Filesize
62KB

MD5
6fca49b85aa38ee016e39e14b9f9d6d9

SHA1
b0d689c70e91d5600ccc2a4e533ff89bf4ca388b

SHA256
fedd609a16c717db9bea3072bed41e79b564c4bc97f959208bfa52fb3c9fa814

SHA512
f9c90029ff3dea84df853db63dace97d1c835a8cf7b6a6227a5b6db4abe25e9912dfed6967a88a128d11ab584663e099bf80c50dd879242432312961c0cfe622

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t9nv4f6k.default-release\prefs-1.js

Filesize
7KB

MD5
29014a329a3c93bde69945f9fbdf17e7

SHA1
81a40b60c23c25fdfa150c0185b1430ee11f6266

SHA256
3deca851956348bc3752def71896fbabfb0e1261dc9463f5699727171a2fe43f

SHA512
051d4b9cada20a460bfc5f85af35a6f0c66b78137d133d4f6dcd885f158066a4c3aea6eb914b4b7458bb1baf68cd52a8a66cf9f1ad8309c2e5b855c899cd079b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t9nv4f6k.default-release\prefs-1.js

Filesize
6KB

MD5
d1e7f3e4d4482e9a95b8dcd1b8b99bb8

SHA1
2bb0424bac9bd2156493a6053aafee44de9ca581

SHA256
d9582be713e5003a80ed86d26c8e760424413990ebd1bc65f591f3175018c835

SHA512
2c1556a9ca7d8492e589589564c953652b033ad612eec2f69fc7a2d83681731df8058b7ee6eb0533918ad89492503127ab6c192d351990b7308019f11cdffff5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t9nv4f6k.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
ccd647fbfbeb486b12d4c1236623584e

SHA1
6688eef75fa48590c48c4b104bbc80cdbbe67e27

SHA256
15e973562fcb5a0f7f6a7461b58cb24ef717a471c13eec5394203a8a9083249b

SHA512
7cf1434c47e6a1e5027397c9ed9db09b6479fbf10996efdafbb1682a79cc623a90d635b30284ceb50be75ddfff00f4c69d2b5a1d4bff69d3207462a17b0c6b78

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t9nv4f6k.default-release\sessionstore.jsonlz4

Filesize
4KB

MD5
3e0df8e1d130f4d40aec9d1ef133e954

SHA1
53f62d81c6038c305b9ddb6d6fd0aeb1e1feffc5

SHA256
28c89a1e437c25198875acdaa00fb4dea5b0b9a57d70592e18d7a4be11bfbdde

SHA512
6b0c7a081908d6961692775225a6fc3759928dd72acc1640f686eca534335552cf726433629495d103e1b7011bb8866bd34cf279b2da574a3c88b64b8908c0f1

Download Submit
C:\Users\Admin\Desktop\mnbkjh\HTCTL32.DLL

Filesize
320KB

MD5
c94005d2dcd2a54e40510344e0bb9435

SHA1
55b4a1620c5d0113811242c20bd9870a1e31d542

SHA256
3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

SHA512
2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

Download Submit
C:\Users\Admin\Desktop\mnbkjh\HTCTL32.DLL

Filesize
320KB

MD5
c94005d2dcd2a54e40510344e0bb9435

SHA1
55b4a1620c5d0113811242c20bd9870a1e31d542

SHA256
3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

SHA512
2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

Download Submit
C:\Users\Admin\Desktop\mnbkjh\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\Desktop\mnbkjh\NSM.LIC

Filesize
258B

MD5
1b41e64c60ca9dfadeb063cd822ab089

SHA1
abfcd51bb120a7eae5bbd9a99624e4abe0c9139d

SHA256
f4e2f28169e0c88b2551b6f1d63f8ba513feb15beacc43a82f626b93d673f56d

SHA512
c97e0eabea62302a4cfef974ac309f3498505dd055ba74133ee2462e215b3ebc5c647e11bcbac1246b9f750b5d09240ca08a6b617a7007f2fa955f6b6dd7fee4

Download Submit
C:\Users\Admin\Desktop\mnbkjh\PCICHEK.DLL

Filesize
18KB

MD5
104b30fef04433a2d2fd1d5f99f179fe

SHA1
ecb08e224a2f2772d1e53675bedc4b2c50485a41

SHA256
956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

SHA512
5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

Download Submit
C:\Users\Admin\Desktop\mnbkjh\PCICL32.DLL

Filesize
3.6MB

MD5
d3d39180e85700f72aaae25e40c125ff

SHA1
f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

SHA256
38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

SHA512
471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

Download Submit
C:\Users\Admin\Desktop\mnbkjh\PCICL32.dll

Filesize
3.6MB

MD5
d3d39180e85700f72aaae25e40c125ff

SHA1
f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

SHA256
38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

SHA512
471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

Download Submit
C:\Users\Admin\Desktop\mnbkjh\client32.exe

Filesize
99KB

MD5
f70b67c2b3204b7ddd8b755799cccff0

SHA1
a42e55e328d62d11e687c167bb7049d46f0f9b26

SHA256
213af995d4142854b81af3cf73dee7ffe9d8ad6e84fda6386029101dbf3df897

SHA512
54fcba8a063bfbaae4c3a39624bf3407db6af5699ab8686f936ab03c5864df7a44d089066fa2d4aedf5ad50d6b04624966a5111bf57bec1dda74a571f1dd7c63

Download Submit
C:\Users\Admin\Desktop\mnbkjh\client32.exe

Filesize
99KB

MD5
f70b67c2b3204b7ddd8b755799cccff0

SHA1
a42e55e328d62d11e687c167bb7049d46f0f9b26

SHA256
213af995d4142854b81af3cf73dee7ffe9d8ad6e84fda6386029101dbf3df897

SHA512
54fcba8a063bfbaae4c3a39624bf3407db6af5699ab8686f936ab03c5864df7a44d089066fa2d4aedf5ad50d6b04624966a5111bf57bec1dda74a571f1dd7c63

Download Submit
C:\Users\Admin\Desktop\mnbkjh\client32.ini

Filesize
700B

MD5
fcc3490a584b5971e791fb4bef6840f7

SHA1
f1c733f894d2fb83766353667cf988051663bada

SHA256
13690a8e5683889c42b4dd66537d3d56af16c5cc25da3bff3b9b68046c6be8be

SHA512
4472dd4d49a84474b35e297e82ad1cf6686a22d387a571733a92a58ff05492b04e73d0a6f361ad5e679b4fecb07a603514e9e26f788999073ef20539ed343c9c

Download Submit
C:\Users\Admin\Desktop\mnbkjh\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\Desktop\mnbkjh\pcicapi.dll

Filesize
32KB

MD5
34dfb87e4200d852d1fb45dc48f93cfc

SHA1
35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

SHA256
2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

SHA512
f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

Download Submit
C:\Users\Admin\Desktop\mnbkjh\pcicapi.dll

Filesize
32KB

MD5
34dfb87e4200d852d1fb45dc48f93cfc

SHA1
35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

SHA256
2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

SHA512
f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

Download Submit
C:\Users\Admin\Desktop\mnbkjh\pcichek.dll

Filesize
18KB

MD5
104b30fef04433a2d2fd1d5f99f179fe

SHA1
ecb08e224a2f2772d1e53675bedc4b2c50485a41

SHA256
956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

SHA512
5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

Download Submit
C:\Users\Admin\Downloads\b2cc5cd7b2821ccfa288acd115b555298c1db1f166035be82a2b6f912ce6cfd0.yLl4Fcn3.zip.part

Filesize
1.5MB

MD5
6a6f93ee62268ad5c65d534d183a1e9f

SHA1
160fc501ead7c6698876a91dc8880efd4cef5de3

SHA256
1d8740624b70039aa2ab8d24f48334e05e71925407b65942a75bf8fb5e076003

SHA512
9b625b78dd0f69d3ddb252d8e0b9f725980c9303bd8811ebc1e9cd0d5dd3bd0ad9e8ca89861047d76e8be1968943c2073ba26d19a8f3314fe22e3552a3e901e0

Download Submit
C:\Users\Admin\Downloads\b2cc5cd7b2821ccfa288acd115b555298c1db1f166035be82a2b6f912ce6cfd0.zip

Filesize
3.3MB

MD5
2d805fe85f740a8bfebd26f589dcdce1

SHA1
fae2e5f7474894b3bc4a6730bddda6ef398900d3

SHA256
34568b35b7fbbfad03eb84e0ae65a47e73a472214642b83923e5affbf0ecc6dc

SHA512
487e0e8ae497d9ee7068c02902fed431968a1a3e2fe36f1d5330c9002d8c77289acadfbda58169a1f260050d4d2ce1045dba77565124d041a230df3f2f006131

Download Submit
C:\Users\Admin\Downloads\b2cc5cd7b2821ccfa288acd115b555298c1db1f166035be82a2b6f912ce6cfd0\b2cc5cd7b2821ccfa288acd115b555298c1db1f166035be82a2b6f912ce6cfd0.zip

Filesize
3.3MB

MD5
fdf446153144c6759df52fd96fc08f4d

SHA1
19d02f38e5905aaaae39bdcc987ef27196c8f2fe

SHA256
b2cc5cd7b2821ccfa288acd115b555298c1db1f166035be82a2b6f912ce6cfd0

SHA512
eaae16933af8b9540d2b1841ede554b30b066b6aeff78275b5ce96a702fc677a63d5a372ed6dc693edd65e2e7306e8b6d753df316b1cc4023e0b3b4d200c9e9f

Download Submit
memory/4220-369-0x000001D03F560000-0x000001D03F561000-memory.dmp

Filesize
4KB

Download
memory/4220-368-0x000001D03F560000-0x000001D03F561000-memory.dmp

Filesize
4KB

Download
memory/4220-370-0x000001D03F560000-0x000001D03F561000-memory.dmp

Filesize
4KB

Download
memory/4220-374-0x000001D03F560000-0x000001D03F561000-memory.dmp

Filesize
4KB

Download
memory/4220-376-0x000001D03F560000-0x000001D03F561000-memory.dmp

Filesize
4KB

Download
memory/4220-375-0x000001D03F560000-0x000001D03F561000-memory.dmp

Filesize
4KB

Download
memory/4220-377-0x000001D03F560000-0x000001D03F561000-memory.dmp

Filesize
4KB

Download
memory/4220-378-0x000001D03F560000-0x000001D03F561000-memory.dmp

Filesize
4KB

Download
memory/4220-380-0x000001D03F560000-0x000001D03F561000-memory.dmp

Filesize
4KB

Download
memory/4220-379-0x000001D03F560000-0x000001D03F561000-memory.dmp

Filesize
4KB

Download