netsupport | f59c840544616b64fec28c914cb8e8132ad54980e80070f649a38b6bd387d6b9

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
13/12/2023, 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14122023_0029_deb00a386b6e38.exe
Size

2.2MB
MD5

e0513cff99bb7b3acd1412295e499bc2
SHA1

96bb297d825579606cd690ad6ffc39b7e4c8a73a
SHA256

f59c840544616b64fec28c914cb8e8132ad54980e80070f649a38b6bd387d6b9
SHA512

36eb32c855b77853fa71d49df643e85b967af0e596a9b2c30bb09e57e36452f9c3f0ddc221f70c04440f5e46e03b8cdf6468d74a72b3aff52efddcdd2287be61
SSDEEP

49152:pveOOVj3gu9SdZ/ufvr7TE22qqpE+OVbbk+LUqxNoWeJbxBEmVXH:pto3bEd9ufD+B0Y+IrzbLPZH

Score

10^/10

netsupport rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\Control Panel\International\Geo\Nation	14122023_0029_deb00a386b6e38.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\leadchapter.lnk	14122023_0029_deb00a386b6e38.exe

Executes dropped EXE 1 IoCs

pid	Process
3596	dwemr.exe

Loads dropped DLL 6 IoCs

pid	Process
3596	dwemr.exe
3596	dwemr.exe
3596	dwemr.exe
3596	dwemr.exe
3596	dwemr.exe
3596	dwemr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings	14122023_0029_deb00a386b6e38.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3596	dwemr.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3596	dwemr.exe
1776	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1776	AcroRd32.exe
1776	AcroRd32.exe
1776	AcroRd32.exe
1776	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 1776	4900	14122023_0029_deb00a386b6e38.exe	89
PID 4900 wrote to memory of 1776	4900	14122023_0029_deb00a386b6e38.exe	89
PID 4900 wrote to memory of 1776	4900	14122023_0029_deb00a386b6e38.exe	89
PID 4900 wrote to memory of 3596	4900	14122023_0029_deb00a386b6e38.exe	91
PID 4900 wrote to memory of 3596	4900	14122023_0029_deb00a386b6e38.exe	91
PID 4900 wrote to memory of 3596	4900	14122023_0029_deb00a386b6e38.exe	91
PID 1776 wrote to memory of 1440	1776	AcroRd32.exe	101
PID 1776 wrote to memory of 1440	1776	AcroRd32.exe	101
PID 1776 wrote to memory of 1440	1776	AcroRd32.exe	101
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 860	1440	RdrCEF.exe	103
PID 1440 wrote to memory of 916	1440	RdrCEF.exe	104
PID 1440 wrote to memory of 916	1440	RdrCEF.exe	104
PID 1440 wrote to memory of 916	1440	RdrCEF.exe	104
PID 1440 wrote to memory of 916	1440	RdrCEF.exe	104
PID 1440 wrote to memory of 916	1440	RdrCEF.exe	104
PID 1440 wrote to memory of 916	1440	RdrCEF.exe	104
PID 1440 wrote to memory of 916	1440	RdrCEF.exe	104
PID 1440 wrote to memory of 916	1440	RdrCEF.exe	104
PID 1440 wrote to memory of 916	1440	RdrCEF.exe	104
PID 1440 wrote to memory of 916	1440	RdrCEF.exe	104
PID 1440 wrote to memory of 916	1440	RdrCEF.exe	104
PID 1440 wrote to memory of 916	1440	RdrCEF.exe	104
PID 1440 wrote to memory of 916	1440	RdrCEF.exe	104
PID 1440 wrote to memory of 916	1440	RdrCEF.exe	104

C:\Users\Admin\AppData\Local\Temp\14122023_0029_deb00a386b6e38.exe
"C:\Users\Admin\AppData\Local\Temp\14122023_0029_deb00a386b6e38.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\leadchapter\Rescind.pdf"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=333AA4F0F85C77F01DF7133448170A6F --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:860
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3982EE028E57AD9FC42C35AA378DEAA0 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3982EE028E57AD9FC42C35AA378DEAA0 --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:916
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A308FD47DE07A3E61287D9566B50DBBF --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A308FD47DE07A3E61287D9566B50DBBF --renderer-client-id=4 --mojo-platform-channel-handle=2292 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:4576
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=951594AACAF60FF66C4F57789B58CDCA --mojo-platform-channel-handle=2680 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:548
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=97BFE529C947A1DC3F1305A7C2D01BA6 --mojo-platform-channel-handle=2844 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:2280
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FB6C2A62E3FD898E467A5403515EBA74 --mojo-platform-channel-handle=1992 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:1668
- C:\Users\Admin\AppData\Roaming\leadchapter\dwemr.exe
  "C:\Users\Admin\AppData\Roaming\leadchapter\dwemr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
ea0db8ca0a7cf93435b75fc241493f91

SHA1
f488651c92d4283f5b8098d45dbd5ed08150cf60

SHA256
da6c18960e33590e952ba85ddb68b5311da55bf6409e838f077160fb98c3663d

SHA512
c6cbdf6583635eb3cf13444a015e31458bd3aeab8f06ad9fbbd5b78faa8dd15fdc1be9c656d6b4db6a6447038655378df3759a3756bc340e598a772e8411df84

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
4d76047f467f3ee4d5e53ac941636a95

SHA1
0426b9a9918274a7bc3e2240dd5d371e1eca5e42

SHA256
b957c97d4ba57a337c5d1bd64a1927504d3b4b259e6d7f5821fa3a4872aea86e

SHA512
692433ddc764daad794f1124aca33e866865d9cbf62c5afea50a5f2227f93f13ae3744807f840f81ee0ba093d443407d72631a28c797499118970f8cbbfe14e5

Download Submit
C:\Users\Admin\AppData\Roaming\leadchapter\HTCTL32.DLL

Filesize
320KB

MD5
2d3b207c8a48148296156e5725426c7f

SHA1
ad464eb7cf5c19c8a443ab5b590440b32dbc618f

SHA256
edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

SHA512
55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Download Submit
C:\Users\Admin\AppData\Roaming\leadchapter\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\leadchapter\NSM.LIC

Filesize
257B

MD5
7067af414215ee4c50bfcd3ea43c84f0

SHA1
c331d410672477844a4ca87f43a14e643c863af9

SHA256
2050cc232710a2ea6a207bc78d1eac66a4042f2ee701cdfeee5de3ddcdc31d12

SHA512
17b888087192bcea9f56128d0950423b1807e294d1c4f953d1bf0f5bd08e5f8e35afeee584ebf9233bfc44e0723db3661911415798159ac118c8a42aaf0b902f

Download Submit
C:\Users\Admin\AppData\Roaming\leadchapter\PCICHEK.DLL

Filesize
18KB

MD5
a0b9388c5f18e27266a31f8c5765b263

SHA1
906f7e94f841d464d4da144f7c858fa2160e36db

SHA256
313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

SHA512
6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

Download Submit
C:\Users\Admin\AppData\Roaming\leadchapter\PCICL32.dll

Filesize
3.6MB

MD5
00587238d16012152c2e951a087f2cc9

SHA1
c4e27a43075ce993ff6bb033360af386b2fc58ff

SHA256
63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8

SHA512
637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226

Download Submit
C:\Users\Admin\AppData\Roaming\leadchapter\Rescind.pdf

Filesize
93KB

MD5
da6fc66a193755e2cd0771174070b8b5

SHA1
b9908eecd22588c453c4c7ca549c4f73ce28c30a

SHA256
85ddead45cc88880287fec39bde87106b91a1339d3635b0f20e72eec29d70573

SHA512
978d0201049909b727b722bf20585756c14c411bfba29c4da2789bda53b276b67bb80d2d75d624d2e2c28ce58c90bc109fa86b30710ee8c6f53790f1301f4e29

Download Submit
C:\Users\Admin\AppData\Roaming\leadchapter\client32.ini

Filesize
664B

MD5
10ce8cdbd256efe0f7da6b3e843066b7

SHA1
4f25814cd655a7aeeb8f28414cf2fd918b2cd5b7

SHA256
4897c9d486367c98f54f93ebf1e38d871fdeab84f7935450da91f10837142a9a

SHA512
f734059b69c7592be86a3d1a87d2f1c6c8efc8037020bf66abb3a0161a2316d28f3f7380b6f95bbd17842b700a2d37184032fb17cf18dc00ff9585dbd14e994d

Download Submit
C:\Users\Admin\AppData\Roaming\leadchapter\dwemr.exe

Filesize
103KB

MD5
8d9709ff7d9c83bd376e01912c734f0a

SHA1
e3c92713ce1d7eaa5e2b1fabeb06cdc0bb499294

SHA256
49a568f8ac11173e3a0d76cff6bc1d4b9bdf2c35c6d8570177422f142dcfdbe3

SHA512
042ad89ed2e15671f5df67766d11e1fa7ada8241d4513e7c8f0d77b983505d63ebfb39fefa590a2712b77d7024c04445390a8bf4999648f83dbab6b0f04eb2ee

Download Submit
C:\Users\Admin\AppData\Roaming\leadchapter\pcicapi.dll

Filesize
32KB

MD5
dcde2248d19c778a41aa165866dd52d0

SHA1
7ec84be84fe23f0b0093b647538737e1f19ebb03

SHA256
9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

SHA512
c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

Download Submit
memory/1776-88-0x00000000080D0000-0x00000000080F1000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads