netsupport | f491d8b510ee283d24d40aa5233743d8cf834a164d0f681af8870dd1f35b734c

Analysis

max time kernel
1175s
max time network
1199s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
29-04-2024 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WqZxLxZrOrnMWYaBaBKdLenVTu.ps1
Size

5KB
MD5

9e627a249d5f4f80c19ff51169a7db10
SHA1

2f8ee955a8765d25170ef3a0c36356d0dbe42c85
SHA256

f491d8b510ee283d24d40aa5233743d8cf834a164d0f681af8870dd1f35b734c
SHA512

02dd75ce82af639aff79e29fe7f3581b668a337eadea9bf2f00a35740c23d1e509a714ab5e1ddcfbe8598022ed69eac56db181cfd5bcb555fb08253b4159305f
SSDEEP

96:nGzO1DZtqKMPfas4g54jP5fPceEn6dYPJ/P8eEHPyUXPceEn6dYPJ/P8eEHPyb:nT1DDGPfBXOjP5fkpnxPJ/EpHPyUXkpB

Score

10^/10

netsupport rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Blocklisted process makes network request 2 IoCs

flow	pid	Process
12	1740	powershell.exe
37	1740	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2684	client32.exe
1884	remcmdstub.exe

Loads dropped DLL 5 IoCs

pid	Process
2684	client32.exe
2684	client32.exe
2684	client32.exe
2684	client32.exe
2684	client32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4768	powershell.exe
4768	powershell.exe
1740	powershell.exe
1740	powershell.exe
3344	msedge.exe
3344	msedge.exe
4776	msedge.exe
4776	msedge.exe
3432	msedge.exe
3432	msedge.exe
1232	identity_helper.exe
1232	identity_helper.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4768	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeIncreaseQuotaPrivilege	1740	powershell.exe
Token: SeSecurityPrivilege	1740	powershell.exe
Token: SeTakeOwnershipPrivilege	1740	powershell.exe
Token: SeLoadDriverPrivilege	1740	powershell.exe
Token: SeSystemProfilePrivilege	1740	powershell.exe
Token: SeSystemtimePrivilege	1740	powershell.exe
Token: SeProfSingleProcessPrivilege	1740	powershell.exe
Token: SeIncBasePriorityPrivilege	1740	powershell.exe
Token: SeCreatePagefilePrivilege	1740	powershell.exe
Token: SeBackupPrivilege	1740	powershell.exe
Token: SeRestorePrivilege	1740	powershell.exe
Token: SeShutdownPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeSystemEnvironmentPrivilege	1740	powershell.exe
Token: SeRemoteShutdownPrivilege	1740	powershell.exe
Token: SeUndockPrivilege	1740	powershell.exe
Token: SeManageVolumePrivilege	1740	powershell.exe
Token: 33	1740	powershell.exe
Token: 34	1740	powershell.exe
Token: 35	1740	powershell.exe
Token: 36	1740	powershell.exe
Token: SeIncreaseQuotaPrivilege	1740	powershell.exe
Token: SeSecurityPrivilege	1740	powershell.exe
Token: SeTakeOwnershipPrivilege	1740	powershell.exe
Token: SeLoadDriverPrivilege	1740	powershell.exe
Token: SeSystemProfilePrivilege	1740	powershell.exe
Token: SeSystemtimePrivilege	1740	powershell.exe
Token: SeProfSingleProcessPrivilege	1740	powershell.exe
Token: SeIncBasePriorityPrivilege	1740	powershell.exe
Token: SeCreatePagefilePrivilege	1740	powershell.exe
Token: SeBackupPrivilege	1740	powershell.exe
Token: SeRestorePrivilege	1740	powershell.exe
Token: SeShutdownPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeSystemEnvironmentPrivilege	1740	powershell.exe
Token: SeRemoteShutdownPrivilege	1740	powershell.exe
Token: SeUndockPrivilege	1740	powershell.exe
Token: SeManageVolumePrivilege	1740	powershell.exe
Token: 33	1740	powershell.exe
Token: 34	1740	powershell.exe
Token: 35	1740	powershell.exe
Token: 36	1740	powershell.exe
Token: SeSecurityPrivilege	2684	client32.exe
Token: SeIncreaseQuotaPrivilege	3428	WMIC.exe
Token: SeSecurityPrivilege	3428	WMIC.exe
Token: SeTakeOwnershipPrivilege	3428	WMIC.exe
Token: SeLoadDriverPrivilege	3428	WMIC.exe
Token: SeSystemProfilePrivilege	3428	WMIC.exe
Token: SeSystemtimePrivilege	3428	WMIC.exe
Token: SeProfSingleProcessPrivilege	3428	WMIC.exe
Token: SeIncBasePriorityPrivilege	3428	WMIC.exe
Token: SeCreatePagefilePrivilege	3428	WMIC.exe
Token: SeBackupPrivilege	3428	WMIC.exe
Token: SeRestorePrivilege	3428	WMIC.exe
Token: SeShutdownPrivilege	3428	WMIC.exe
Token: SeDebugPrivilege	3428	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3428	WMIC.exe
Token: SeRemoteShutdownPrivilege	3428	WMIC.exe
Token: SeUndockPrivilege	3428	WMIC.exe
Token: SeManageVolumePrivilege	3428	WMIC.exe
Token: 33	3428	WMIC.exe
Token: 34	3428	WMIC.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
2684	client32.exe
2684	client32.exe
2684	client32.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
2684	client32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 1740	4768	powershell.exe	82
PID 4768 wrote to memory of 1740	4768	powershell.exe	82
PID 4768 wrote to memory of 4776	4768	powershell.exe	84
PID 4768 wrote to memory of 4776	4768	powershell.exe	84
PID 4776 wrote to memory of 4388	4776	msedge.exe	85
PID 4776 wrote to memory of 4388	4776	msedge.exe	85
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3632	4776	msedge.exe	86
PID 4776 wrote to memory of 3344	4776	msedge.exe	87
PID 4776 wrote to memory of 3344	4776	msedge.exe	87
PID 4776 wrote to memory of 2532	4776	msedge.exe	88
PID 4776 wrote to memory of 2532	4776	msedge.exe	88
PID 4776 wrote to memory of 2532	4776	msedge.exe	88
PID 4776 wrote to memory of 2532	4776	msedge.exe	88
PID 4776 wrote to memory of 2532	4776	msedge.exe	88
PID 4776 wrote to memory of 2532	4776	msedge.exe	88
PID 4776 wrote to memory of 2532	4776	msedge.exe	88
PID 4776 wrote to memory of 2532	4776	msedge.exe	88
PID 4776 wrote to memory of 2532	4776	msedge.exe	88
PID 4776 wrote to memory of 2532	4776	msedge.exe	88
PID 4776 wrote to memory of 2532	4776	msedge.exe	88
PID 4776 wrote to memory of 2532	4776	msedge.exe	88
PID 4776 wrote to memory of 2532	4776	msedge.exe	88
PID 4776 wrote to memory of 2532	4776	msedge.exe	88
PID 4776 wrote to memory of 2532	4776	msedge.exe	88
PID 4776 wrote to memory of 2532	4776	msedge.exe	88

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\WqZxLxZrOrnMWYaBaBKdLenVTu.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- - C:\ProgramData\netsupport\client\client32.exe
    "C:\ProgramData\netsupport\client\client32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2684
  - - C:\ProgramData\netsupport\client\remcmdstub.exe
      remcmdstub.exe 2484 2496 2472 2468 %COMSPEC%
      4⤵
      Executes dropped EXE
      PID:1884
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe
        5⤵
        
        PID:1828
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get domain
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.wsj.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffee7503cb8,0x7ffee7503cc8,0x7ffee7503cd8
    3⤵
    PID:4388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1724,7162223203879645897,15992662777514812340,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
    3⤵
    PID:3632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1724,7162223203879645897,15992662777514812340,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3344
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1724,7162223203879645897,15992662777514812340,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:8
    3⤵
    PID:2532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,7162223203879645897,15992662777514812340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
    3⤵
    PID:3556
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,7162223203879645897,15992662777514812340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
    3⤵
    PID:1792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,7162223203879645897,15992662777514812340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
    3⤵
    PID:3436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,7162223203879645897,15992662777514812340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2896 /prefetch:1
    3⤵
    PID:4064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1724,7162223203879645897,15992662777514812340,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4116 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,7162223203879645897,15992662777514812340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1660 /prefetch:1
    3⤵
    PID:2004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,7162223203879645897,15992662777514812340,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
    3⤵
    PID:3888
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,7162223203879645897,15992662777514812340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2464 /prefetch:1
    3⤵
    PID:3124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,7162223203879645897,15992662777514812340,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3780 /prefetch:1
    3⤵
    PID:3608
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1724,7162223203879645897,15992662777514812340,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6796 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1724,7162223203879645897,15992662777514812340,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4880 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2304

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\netsupport\client\HTCTL32.DLL

Filesize
320KB

MD5
2d3b207c8a48148296156e5725426c7f

SHA1
ad464eb7cf5c19c8a443ab5b590440b32dbc618f

SHA256
edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

SHA512
55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Download Submit
C:\ProgramData\netsupport\client\NSM.LIC

Filesize
259B

MD5
1dc87146379e5e3f85fd23b25889ae2a

SHA1
b750c56c757ad430c9421803649acf9acd15a860

SHA256
f7d80e323e7d0ed1e3ddd9b5df08af23dcecb47a3e289314134d4b76b3adcaf2

SHA512
7861abe50eefdf4452e4baacc4b788895610196b387b70ddeab7bc70735391ed0a015f47eada94a368b82f8e5cedb5a2096e624f4a881ff067937ad159e3562c

Download Submit
C:\ProgramData\netsupport\client\PCICHEK.DLL

Filesize
18KB

MD5
a0b9388c5f18e27266a31f8c5765b263

SHA1
906f7e94f841d464d4da144f7c858fa2160e36db

SHA256
313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

SHA512
6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

Download Submit
C:\ProgramData\netsupport\client\PCICL32.dll

Filesize
3.5MB

MD5
ad51946b1659ed61b76ff4e599e36683

SHA1
dfe2439424886e8acf9fa3ffde6caaf7bfdd583e

SHA256
07a191254362664b3993479a277199f7ea5ee723b6c25803914eedb50250acf4

SHA512
6c30e7793f69508f6d9aa6edcec6930ba361628ef597e32c218e15d80586f5a86d89fcbee63a35eab7b1e0ae26277512f4c1a03df7912f9b7ff9a9a858cf3962

Download Submit
C:\ProgramData\netsupport\client\client32.exe

Filesize
54KB

MD5
9497aece91e1ccc495ca26ae284600b9

SHA1
a005d8ce0c1ea8901c1b4ea86c40f4925bd2c6da

SHA256
1b63f83f06dbd9125a6983a36e0dbd64026bb4f535e97c5df67c1563d91eff89

SHA512
4c892e5029a707bcf73b85ac110d8078cb273632b68637e9b296a7474ab0202320ff24cf6206de04af08abf087654b0d80cbecfae824c06616c47ce93f0929c9

Download Submit
C:\ProgramData\netsupport\client\client32.ini

Filesize
631B

MD5
adffa0c2fedb1506087178c51efbd377

SHA1
a3218fa2fbefaa5447b970481a575fcdea0bd2f7

SHA256
6b115c0c710bb0dfb234d297b0e8a862d8aff972ce9915b3fdfbc4d12a698d6f

SHA512
2284360ed332d66856c8a78698d1a4ad4d9919f3d1e08e5c6a648391c529ebef66b1af081ec88efbe9bcd68375b2243d76bf5532cda5f831642fef4b1ca57f07

Download Submit
C:\ProgramData\netsupport\client\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\ProgramData\netsupport\client\pcicapi.dll

Filesize
32KB

MD5
dcde2248d19c778a41aa165866dd52d0

SHA1
7ec84be84fe23f0b0093b647538737e1f19ebb03

SHA256
9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

SHA512
c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

Download Submit
C:\ProgramData\netsupport\client\remcmdstub.exe

Filesize
61KB

MD5
35da3b727567fab0c7c8426f1261c7f5

SHA1
b71557d67bcd427ef928efce7b6a6529226415e6

SHA256
89027f1449be9ba1e56dd82d13a947cb3ca319adfe9782f4874fbdc26dc59d09

SHA512
14edadceeceb95f5c21fd3a0a349dd2a312d1965268610d6a6067049f34e3577fc96f6ba37b1d6ab8ce21444208c462fa97fab24bbcd77059bc819e12c5efc5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b5710c39b3d1cd6dd0e5d30fbe1146d6

SHA1
bf018f8a3e87605bfeca89d5a71776bfc8de0b47

SHA256
770d04df1484883a18accb258ecfa407d328c32c0ccbd8866c1203c5dfb4981f

SHA512
0f868e4ce284984662d8f0ff6e76f1a53e074a7223122a75efa7bb90d0204bc59bee4b36c215d219a03707c642e13f5efce0c3c57f46659a0cb1e7fd2f4d3cf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8d5e555f6429eb64461265a024abf016

SHA1
05a5dca6408d473d82fe45ebc8e4843653ad55af

SHA256
0344fd65882ba51695a10e1312e65f08d58afca83771c9d545e181829d6b5ed1

SHA512
be5edfdcda1ba0db9fbab48ee1b643f1b03821e24048892d18033094fec14171035179e987a08dd91a1c25d91d9256837a4105f6765afd225a868f3e95050b8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
748KB

MD5
28284f5c0a5840364e38eefb6b26e92d

SHA1
088d1145f3ceebf44e48ee1fd116b6ddcb7d4358

SHA256
67f35132b6297242d673f04cde046216c3702b22dceeaed17037083681a5e3be

SHA512
8a8f4bfd0cccd5fa5c85a06166de4b66dc3c4a3e609a327a579f7abe8eef1c3671e64b6f4aa0eb98ec96c47fb42f90eeda65ab00b16f935d730cb4491b032a91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
fdb9eba5f903ef1f7b4be563df05bbf1

SHA1
520b90871cb9e2948996c21594ccf7f81d46dfa7

SHA256
2ec964baea6a6089d36c9d84b0bccb79adddade5ae2f338f86039d41aa68f936

SHA512
9442275196ac86e089d2f19c110473bebf9769d74803c8acfd53819b8db85d8669900d4198e8263bd87aca0668bfcaf73ae7b604b16139954726fe88b9fdf6b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
e3695970230546eebdfd0f237541861e

SHA1
eecdb323be8b6eeac6b3bb09394a94e93880a7ae

SHA256
f07b6886042490bff66466644e2ca0ed486f586272e979d84892a6e9305c5f76

SHA512
d48bbc37b93b9a14abbd6af9aa9063306a4e2491b3f2314ae8875809db2e706e6a2cb47e673a0cb31fcee59dcc85b82c8e978cd84f9f9dc8462632ff2a940500

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
116B

MD5
a4241c693fbb0890faa305764d6cf50d

SHA1
e856d3421567a3cfd8d790825d6952ba524fe463

SHA256
197eaf026300dfbba19cdaa31982c92741d973f655d875b6362246d6f89d07df

SHA512
7e9cdeb74e86bbb4afcf620a148f82a03f38d3a0d370ea37143e7cffce45109b5bb7638aaa77c97505d046a8ac4ec6f9e4dd630c54ffb44b57296d066d308bd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
75fac07195bc4a759c76e37067c2493c

SHA1
009b50b0b9e3edd2a4e89f5a7239efb8a6f47c0f

SHA256
838f374e34677e6cc23b98d5b78c63a5f424b982db1f97310dcd4232d1cee5ef

SHA512
1f0e77da781f2a8d4a65dcabf3378196c31f61c42b002fa525fbb8940035a3ea1eb77ef8b77138d561f7142316cbb79d6af3085711b1f10e7a928e254ba5ffc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7a3821c1f420f8dd48bb0a561a81ae16

SHA1
322cc1f30d09dd37c51ae50a7af49d1f6a99c37e

SHA256
f562d0befb5eb7ac29f0eeb8278435ed4682a38515d7ce78ec6ef530d6fcc00f

SHA512
e040590bcc1eecb5733c0ff58a8688f7c9e5c78c5eeb91472d5173ba797d6f6739e84b4c0e1fced7dab964e0ec4c615c93f1d34629ef2c72579edd5ba01dec06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
db758c0339ea9f7586486261054468ee

SHA1
a2f261c94aa61043b091c7505c22c41841db4de8

SHA256
aca90c8c800013c0c54e1507cea5134dc003d4417dfda1032801a99aabc45632

SHA512
eeaad124409918a0bbd5c9067d0e7c8d5b51463aef670306c7f8d077ef306863060720c9264b56a82aa198226e256d98234f02e1864fa7664355962c23c7e692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6b67aac0db558b0f8e74e889cb4ae116

SHA1
09ba3a252d5fd4276e1a93f4cecb0c590fe598ce

SHA256
b4d66f65e3dabc547caf06985d1270d4527aa3e11949cd5c77e25672c041a176

SHA512
172118b86ceb1df2aacefc409bf605642caed9d34a274b8676e681d0da858c5220c633ea3dee03e9d315227079859529550d5f1bcc0ca68c53aa1363bbe9400d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e66d41984253accfb725414aec84972e

SHA1
dc06ce89dfb86bd90fb9ea2001771c5a98c7feeb

SHA256
31043658cee839fb19ab1755e3f57bf0b40fadecd7cdff91a21234103f991907

SHA512
49de9df396b32bb12406ee9fb7ce14e3122f577a691e1d49f5efc12f541cccd145c3e8458b56ad3fdf2ffd9e65b68080e9a5c82a1a56960faacc5c799a3ce80a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
d8579e2a4a9e2f19ade2e9421ed3bc66

SHA1
9c7850d085a9dc972a5654d16daf4b1f18ff2594

SHA256
6f051f1e6f8320a9d9423c9b52dae51d14f28739466bc3a7a3b9d22538c7f3f5

SHA512
5f7b0db0df07ab4596ae4c1e9c0f2f2e63eaef0245f726f4a9dc2d670759efa173606bfff6eddc5222f5b7564f2895b90651e9f86e15fd661e95a3488a6cabdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nmtl01s5.mxm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1740-15-0x00007FFEF3B80000-0x00007FFEF4642000-memory.dmp

Filesize
10.8MB

Download
memory/1740-138-0x000002C1FD9C0000-0x000002C1FD9CA000-memory.dmp

Filesize
40KB

Download
memory/1740-56-0x000002C1FD9F0000-0x000002C1FDA14000-memory.dmp

Filesize
144KB

Download
memory/1740-137-0x000002C1FD9E0000-0x000002C1FD9F2000-memory.dmp

Filesize
72KB

Download
memory/1740-55-0x000002C1FD9F0000-0x000002C1FDA1A000-memory.dmp

Filesize
168KB

Download
memory/1740-122-0x00007FFEF3B80000-0x00007FFEF4642000-memory.dmp

Filesize
10.8MB

Download
memory/1740-124-0x000002C1FD3C0000-0x000002C1FD3D0000-memory.dmp

Filesize
64KB

Download
memory/1740-123-0x000002C1FD3C0000-0x000002C1FD3D0000-memory.dmp

Filesize
64KB

Download
memory/1740-182-0x00007FFEF3B80000-0x00007FFEF4642000-memory.dmp

Filesize
10.8MB

Download
memory/1740-25-0x000002C1FD3C0000-0x000002C1FD3D0000-memory.dmp

Filesize
64KB

Download
memory/1740-24-0x000002C1FD3C0000-0x000002C1FD3D0000-memory.dmp

Filesize
64KB

Download
memory/1740-26-0x000002C1FD3C0000-0x000002C1FD3D0000-memory.dmp

Filesize
64KB

Download
memory/1740-125-0x000002C1FD3C0000-0x000002C1FD3D0000-memory.dmp

Filesize
64KB

Download
memory/4768-8-0x00000156FB200000-0x00000156FB222000-memory.dmp

Filesize
136KB

Download
memory/4768-104-0x00000156FAB90000-0x00000156FABA0000-memory.dmp

Filesize
64KB

Download
memory/4768-92-0x00007FFEF3B80000-0x00007FFEF4642000-memory.dmp

Filesize
10.8MB

Download
memory/4768-99-0x00000156FAB90000-0x00000156FABA0000-memory.dmp

Filesize
64KB

Download
memory/4768-183-0x00007FFEF3B80000-0x00007FFEF4642000-memory.dmp

Filesize
10.8MB

Download
memory/4768-112-0x00000156FAB90000-0x00000156FABA0000-memory.dmp

Filesize
64KB

Download
memory/4768-14-0x00000156FBA00000-0x00000156FBC0A000-memory.dmp

Filesize
2.0MB

Download
memory/4768-13-0x00000156FB670000-0x00000156FB7E6000-memory.dmp

Filesize
1.5MB

Download
memory/4768-12-0x00000156FAB90000-0x00000156FABA0000-memory.dmp

Filesize
64KB

Download
memory/4768-11-0x00000156FAB90000-0x00000156FABA0000-memory.dmp

Filesize
64KB

Download
memory/4768-10-0x00000156FAB90000-0x00000156FABA0000-memory.dmp

Filesize
64KB

Download
memory/4768-9-0x00007FFEF3B80000-0x00007FFEF4642000-memory.dmp

Filesize
10.8MB

Download