netsupport | f59c840544616b64fec28c914cb8e8132ad54980e80070f649a38b6bd387d6b9

Analysis

max time kernel
147s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
13/12/2023, 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f59c840544616b64fec28c914cb8e8132ad54980e80070f649a38b6bd387d6b9.exe
Size

2.2MB
MD5

e0513cff99bb7b3acd1412295e499bc2
SHA1

96bb297d825579606cd690ad6ffc39b7e4c8a73a
SHA256

f59c840544616b64fec28c914cb8e8132ad54980e80070f649a38b6bd387d6b9
SHA512

36eb32c855b77853fa71d49df643e85b967af0e596a9b2c30bb09e57e36452f9c3f0ddc221f70c04440f5e46e03b8cdf6468d74a72b3aff52efddcdd2287be61
SSDEEP

49152:pveOOVj3gu9SdZ/ufvr7TE22qqpE+OVbbk+LUqxNoWeJbxBEmVXH:pto3bEd9ufD+B0Y+IrzbLPZH

Score

10^/10

netsupport rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation	f59c840544616b64fec28c914cb8e8132ad54980e80070f649a38b6bd387d6b9.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\leadchapter.lnk	f59c840544616b64fec28c914cb8e8132ad54980e80070f649a38b6bd387d6b9.exe

Executes dropped EXE 1 IoCs

pid	Process
4312	dwemr.exe

Loads dropped DLL 6 IoCs

pid	Process
4312	dwemr.exe
4312	dwemr.exe
4312	dwemr.exe
4312	dwemr.exe
4312	dwemr.exe
4312	dwemr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings	f59c840544616b64fec28c914cb8e8132ad54980e80070f649a38b6bd387d6b9.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1196	AcroRd32.exe
1196	AcroRd32.exe
1196	AcroRd32.exe
1196	AcroRd32.exe
1196	AcroRd32.exe
1196	AcroRd32.exe
1196	AcroRd32.exe
1196	AcroRd32.exe
1196	AcroRd32.exe
1196	AcroRd32.exe
1196	AcroRd32.exe
1196	AcroRd32.exe
1196	AcroRd32.exe
1196	AcroRd32.exe
1196	AcroRd32.exe
1196	AcroRd32.exe
1196	AcroRd32.exe
1196	AcroRd32.exe
1196	AcroRd32.exe
1196	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4312	dwemr.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4312	dwemr.exe
1196	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1196	AcroRd32.exe
1196	AcroRd32.exe
1196	AcroRd32.exe
1196	AcroRd32.exe
1196	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 1196	920	f59c840544616b64fec28c914cb8e8132ad54980e80070f649a38b6bd387d6b9.exe	88
PID 920 wrote to memory of 1196	920	f59c840544616b64fec28c914cb8e8132ad54980e80070f649a38b6bd387d6b9.exe	88
PID 920 wrote to memory of 1196	920	f59c840544616b64fec28c914cb8e8132ad54980e80070f649a38b6bd387d6b9.exe	88
PID 920 wrote to memory of 4312	920	f59c840544616b64fec28c914cb8e8132ad54980e80070f649a38b6bd387d6b9.exe	91
PID 920 wrote to memory of 4312	920	f59c840544616b64fec28c914cb8e8132ad54980e80070f649a38b6bd387d6b9.exe	91
PID 920 wrote to memory of 4312	920	f59c840544616b64fec28c914cb8e8132ad54980e80070f649a38b6bd387d6b9.exe	91
PID 1196 wrote to memory of 3628	1196	AcroRd32.exe	99
PID 1196 wrote to memory of 3628	1196	AcroRd32.exe	99
PID 1196 wrote to memory of 3628	1196	AcroRd32.exe	99
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 2876	3628	RdrCEF.exe	101
PID 3628 wrote to memory of 4300	3628	RdrCEF.exe	102
PID 3628 wrote to memory of 4300	3628	RdrCEF.exe	102
PID 3628 wrote to memory of 4300	3628	RdrCEF.exe	102
PID 3628 wrote to memory of 4300	3628	RdrCEF.exe	102
PID 3628 wrote to memory of 4300	3628	RdrCEF.exe	102
PID 3628 wrote to memory of 4300	3628	RdrCEF.exe	102
PID 3628 wrote to memory of 4300	3628	RdrCEF.exe	102
PID 3628 wrote to memory of 4300	3628	RdrCEF.exe	102
PID 3628 wrote to memory of 4300	3628	RdrCEF.exe	102
PID 3628 wrote to memory of 4300	3628	RdrCEF.exe	102
PID 3628 wrote to memory of 4300	3628	RdrCEF.exe	102
PID 3628 wrote to memory of 4300	3628	RdrCEF.exe	102
PID 3628 wrote to memory of 4300	3628	RdrCEF.exe	102
PID 3628 wrote to memory of 4300	3628	RdrCEF.exe	102

C:\Users\Admin\AppData\Local\Temp\f59c840544616b64fec28c914cb8e8132ad54980e80070f649a38b6bd387d6b9.exe
"C:\Users\Admin\AppData\Local\Temp\f59c840544616b64fec28c914cb8e8132ad54980e80070f649a38b6bd387d6b9.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:920
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\leadchapter\Rescind.pdf"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3628
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E7D0A085C065EF0D82FC7566062A48E1 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:2876
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=FB86E113BEF10C3EFD5D9E2EC2C40B3F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=FB86E113BEF10C3EFD5D9E2EC2C40B3F --renderer-client-id=2 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:4300
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=59CAE098970FA1E9D5A2B8369A6A8D83 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=59CAE098970FA1E9D5A2B8369A6A8D83 --renderer-client-id=4 --mojo-platform-channel-handle=2056 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:2512
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BD5C18ABBAA0EF939BB28F6E66751B0A --mojo-platform-channel-handle=2460 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4452
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4E6E8D8D7B17CCFE17A57C8D748B5F82 --mojo-platform-channel-handle=2676 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4304
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D0FC1FBA0A7AD9EF327FBB66F276E489 --mojo-platform-channel-handle=2536 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4160
- C:\Users\Admin\AppData\Roaming\leadchapter\dwemr.exe
  "C:\Users\Admin\AppData\Roaming\leadchapter\dwemr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
34c7dbd92195fcd04fcff4fa7d6213ed

SHA1
a501910b7f2abfc1240ea12c5a60b19b7a5eb1e3

SHA256
096e160a406d90b94beb07f2d4e579e21b8c7897944fcea2795acdd00e093bcf

SHA512
eaf4503f22518286c11de2570055cf5af746159b79c3ef28328d74cce5ac217eea92453a573341a7fb0af48da3b06e809ba592d94fe6182e52079bf9e5efc8d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\Roaming\leadchapter\HTCTL32.DLL

Filesize
320KB

MD5
2d3b207c8a48148296156e5725426c7f

SHA1
ad464eb7cf5c19c8a443ab5b590440b32dbc618f

SHA256
edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

SHA512
55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Download Submit
C:\Users\Admin\AppData\Roaming\leadchapter\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\leadchapter\NSM.LIC

Filesize
257B

MD5
7067af414215ee4c50bfcd3ea43c84f0

SHA1
c331d410672477844a4ca87f43a14e643c863af9

SHA256
2050cc232710a2ea6a207bc78d1eac66a4042f2ee701cdfeee5de3ddcdc31d12

SHA512
17b888087192bcea9f56128d0950423b1807e294d1c4f953d1bf0f5bd08e5f8e35afeee584ebf9233bfc44e0723db3661911415798159ac118c8a42aaf0b902f

Download Submit
C:\Users\Admin\AppData\Roaming\leadchapter\PCICL32.dll

Filesize
3.6MB

MD5
00587238d16012152c2e951a087f2cc9

SHA1
c4e27a43075ce993ff6bb033360af386b2fc58ff

SHA256
63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8

SHA512
637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226

Download Submit
C:\Users\Admin\AppData\Roaming\leadchapter\Rescind.pdf

Filesize
93KB

MD5
da6fc66a193755e2cd0771174070b8b5

SHA1
b9908eecd22588c453c4c7ca549c4f73ce28c30a

SHA256
85ddead45cc88880287fec39bde87106b91a1339d3635b0f20e72eec29d70573

SHA512
978d0201049909b727b722bf20585756c14c411bfba29c4da2789bda53b276b67bb80d2d75d624d2e2c28ce58c90bc109fa86b30710ee8c6f53790f1301f4e29

Download Submit
C:\Users\Admin\AppData\Roaming\leadchapter\client32.ini

Filesize
664B

MD5
10ce8cdbd256efe0f7da6b3e843066b7

SHA1
4f25814cd655a7aeeb8f28414cf2fd918b2cd5b7

SHA256
4897c9d486367c98f54f93ebf1e38d871fdeab84f7935450da91f10837142a9a

SHA512
f734059b69c7592be86a3d1a87d2f1c6c8efc8037020bf66abb3a0161a2316d28f3f7380b6f95bbd17842b700a2d37184032fb17cf18dc00ff9585dbd14e994d

Download Submit
C:\Users\Admin\AppData\Roaming\leadchapter\dwemr.exe

Filesize
103KB

MD5
8d9709ff7d9c83bd376e01912c734f0a

SHA1
e3c92713ce1d7eaa5e2b1fabeb06cdc0bb499294

SHA256
49a568f8ac11173e3a0d76cff6bc1d4b9bdf2c35c6d8570177422f142dcfdbe3

SHA512
042ad89ed2e15671f5df67766d11e1fa7ada8241d4513e7c8f0d77b983505d63ebfb39fefa590a2712b77d7024c04445390a8bf4999648f83dbab6b0f04eb2ee

Download Submit
C:\Users\Admin\AppData\Roaming\leadchapter\pcicapi.dll

Filesize
32KB

MD5
dcde2248d19c778a41aa165866dd52d0

SHA1
7ec84be84fe23f0b0093b647538737e1f19ebb03

SHA256
9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

SHA512
c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

Download Submit
C:\Users\Admin\AppData\Roaming\leadchapter\pcichek.dll

Filesize
18KB

MD5
a0b9388c5f18e27266a31f8c5765b263

SHA1
906f7e94f841d464d4da144f7c858fa2160e36db

SHA256
313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

SHA512
6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

Download Submit