netsupport | 08d4a681aadff5681947514509c1f2af10ff8161950df2ae7f8ee214213edc17

Analysis

max time kernel
1164s
max time network
1207s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2024 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

update_17_06_2024_5767063.appx
Size

5.7MB
MD5

8ccf6e48807afdf1ae0304fddaa232c8
SHA1

8f9f24a7856de7845f8bd3a389182fd3847f1298
SHA256

08d4a681aadff5681947514509c1f2af10ff8161950df2ae7f8ee214213edc17
SHA512

b416abb388f20242de28e152c27c709bc64e1c81b781e8dc3159c75006249131461048a6cb6c22e8fb7b604927180445db7b07a3bfc2ff9a50ec1fa017c2d7e3
SSDEEP

98304:1prM2Fn76yeCJMAeAbIqwRhDKb9h6R4I7Ow6EQJ2wfWpQ8kjHcgWLSzYr0:7PF+yeCiANILRhDKBhEJ7RRQJ2wfKsHl

Score

10^/10

netsupport execution rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Executes dropped EXE 1 IoCs

pid	Process
3120	client32.exe

Loads dropped DLL 5 IoCs

pid	Process
3120	client32.exe
3120	client32.exe
3120	client32.exe
3120	client32.exe
3120	client32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2036	Powershell.exe
4968	powershell.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

pid	Process
4696	7za.exe
896	7za.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4484	powershell.exe
4484	powershell.exe
2036	Powershell.exe
2036	Powershell.exe
4968	powershell.exe
4968	powershell.exe
3744	msedge.exe
3744	msedge.exe
3960	msedge.exe
3960	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	2036	Powershell.exe
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeRestorePrivilege	4696	7za.exe
Token: 35	4696	7za.exe
Token: SeSecurityPrivilege	4696	7za.exe
Token: SeSecurityPrivilege	4696	7za.exe
Token: SeRestorePrivilege	896	7za.exe
Token: 35	896	7za.exe
Token: SeSecurityPrivilege	896	7za.exe
Token: SeSecurityPrivilege	896	7za.exe
Token: SeSecurityPrivilege	3120	client32.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3120	client32.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3552 wrote to memory of 2036	3552	PsfLauncher64.exe	84
PID 3552 wrote to memory of 2036	3552	PsfLauncher64.exe	84
PID 3552 wrote to memory of 2036	3552	PsfLauncher64.exe	84
PID 3552 wrote to memory of 1196	3552	PsfLauncher64.exe	85
PID 3552 wrote to memory of 1196	3552	PsfLauncher64.exe	85
PID 3552 wrote to memory of 1196	3552	PsfLauncher64.exe	85
PID 3552 wrote to memory of 1196	3552	PsfLauncher64.exe	85
PID 3552 wrote to memory of 1196	3552	PsfLauncher64.exe	85
PID 3552 wrote to memory of 1196	3552	PsfLauncher64.exe	85
PID 3552 wrote to memory of 1196	3552	PsfLauncher64.exe	85
PID 3552 wrote to memory of 1196	3552	PsfLauncher64.exe	85
PID 3552 wrote to memory of 1196	3552	PsfLauncher64.exe	85
PID 3552 wrote to memory of 1196	3552	PsfLauncher64.exe	85
PID 3552 wrote to memory of 1196	3552	PsfLauncher64.exe	85
PID 3552 wrote to memory of 1196	3552	PsfLauncher64.exe	85
PID 2036 wrote to memory of 4968	2036	Powershell.exe	95
PID 2036 wrote to memory of 4968	2036	Powershell.exe	95
PID 2036 wrote to memory of 4968	2036	Powershell.exe	95
PID 4968 wrote to memory of 3960	4968	powershell.exe	96
PID 4968 wrote to memory of 3960	4968	powershell.exe	96
PID 4968 wrote to memory of 3960	4968	powershell.exe	96
PID 4968 wrote to memory of 1144	4968	powershell.exe	97
PID 4968 wrote to memory of 1144	4968	powershell.exe	97
PID 4968 wrote to memory of 1144	4968	powershell.exe	97
PID 3960 wrote to memory of 2100	3960	msedge.exe	98
PID 3960 wrote to memory of 2100	3960	msedge.exe	98
PID 3960 wrote to memory of 2100	3960	msedge.exe	98
PID 1144 wrote to memory of 4696	1144	cmd.exe	99
PID 1144 wrote to memory of 4696	1144	cmd.exe	99
PID 1144 wrote to memory of 4696	1144	cmd.exe	99
PID 1144 wrote to memory of 4696	1144	cmd.exe	99
PID 1144 wrote to memory of 4696	1144	cmd.exe	99
PID 4968 wrote to memory of 2864	4968	powershell.exe	100
PID 4968 wrote to memory of 2864	4968	powershell.exe	100
PID 4968 wrote to memory of 2864	4968	powershell.exe	100
PID 2864 wrote to memory of 896	2864	cmd.exe	101
PID 2864 wrote to memory of 896	2864	cmd.exe	101
PID 2864 wrote to memory of 896	2864	cmd.exe	101
PID 2864 wrote to memory of 896	2864	cmd.exe	101
PID 2864 wrote to memory of 896	2864	cmd.exe	101
PID 3960 wrote to memory of 1272	3960	msedge.exe	103
PID 3960 wrote to memory of 1272	3960	msedge.exe	103
PID 3960 wrote to memory of 1272	3960	msedge.exe	103
PID 3960 wrote to memory of 1272	3960	msedge.exe	103
PID 3960 wrote to memory of 1272	3960	msedge.exe	103
PID 3960 wrote to memory of 1272	3960	msedge.exe	103
PID 3960 wrote to memory of 1272	3960	msedge.exe	103
PID 3960 wrote to memory of 1272	3960	msedge.exe	103
PID 3960 wrote to memory of 1272	3960	msedge.exe	103
PID 3960 wrote to memory of 1272	3960	msedge.exe	103
PID 3960 wrote to memory of 1272	3960	msedge.exe	103
PID 3960 wrote to memory of 1272	3960	msedge.exe	103
PID 3960 wrote to memory of 1272	3960	msedge.exe	103
PID 3960 wrote to memory of 1272	3960	msedge.exe	103
PID 3960 wrote to memory of 1272	3960	msedge.exe	103
PID 3960 wrote to memory of 1272	3960	msedge.exe	103
PID 3960 wrote to memory of 1272	3960	msedge.exe	103
PID 3960 wrote to memory of 1272	3960	msedge.exe	103
PID 3960 wrote to memory of 1272	3960	msedge.exe	103
PID 3960 wrote to memory of 1272	3960	msedge.exe	103
PID 3960 wrote to memory of 1272	3960	msedge.exe	103
PID 3960 wrote to memory of 1272	3960	msedge.exe	103
PID 3960 wrote to memory of 1272	3960	msedge.exe	103
PID 3960 wrote to memory of 1272	3960	msedge.exe	103

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start shell:AppsFolder\GoogleChrome_bkv38496wzae2!NOTEPAD
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\Program Files\WindowsApps\GoogleChrome_4.12.107.0_x64__bkv38496wzae2\PsfLauncher64.exe
"C:\Program Files\WindowsApps\GoogleChrome_4.12.107.0_x64__bkv38496wzae2\PsfLauncher64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3552
- C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
  Powershell.exe -ExecutionPolicy RemoteSigned -file "C:\Program Files\WindowsApps\GoogleChrome_4.12.107.0_x64__bkv38496wzae2\StartingScriptWrapper.ps1" "Powershell.exe -ExecutionPolicy RemoteSigned -file '.\fix.ps1'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -file .\fix.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4968
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/intl/en_en/chrome/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3960
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe266646f8,0x7ffe26664708,0x7ffe26664718
        5⤵
        
        PID:2100
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,7216248162391458682,3180600633232912253,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
        5⤵
        
        PID:1272
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,7216248162391458682,3180600633232912253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3744
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,7216248162391458682,3180600633232912253,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
        5⤵
        
        PID:1376
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7216248162391458682,3180600633232912253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
        5⤵
        
        PID:2288
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7216248162391458682,3180600633232912253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
        5⤵
        
        PID:3224
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7216248162391458682,3180600633232912253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4464 /prefetch:1
        5⤵
        
        PID:3668
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7216248162391458682,3180600633232912253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
        5⤵
        
        PID:4824
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7216248162391458682,3180600633232912253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
        5⤵
        
        PID:2764
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7216248162391458682,3180600633232912253,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
        5⤵
        
        PID:1628
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7216248162391458682,3180600633232912253,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4412 /prefetch:1
        5⤵
        
        PID:4032
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7216248162391458682,3180600633232912253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4388 /prefetch:1
        5⤵
        
        PID:3068
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7216248162391458682,3180600633232912253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2652 /prefetch:1
        5⤵
        
        PID:1508
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7216248162391458682,3180600633232912253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1696 /prefetch:1
        5⤵
        
        PID:552
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,7216248162391458682,3180600633232912253,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6136 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4004
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7216248162391458682,3180600633232912253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
        5⤵
        
        PID:1944
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7216248162391458682,3180600633232912253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1084 /prefetch:1
        5⤵
        
        PID:5004
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "VFS\ProgramFilesX64\7z2404-extra\7za.exe e VFS\ProgramFilesX64\client2.7z -oC:\Users\Public\Music\Client -p9503789Zz"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1144
    - - C:\Program Files\WindowsApps\GoogleChrome_4.12.107.0_x64__bkv38496wzae2\VFS\ProgramFilesX64\7z2404-extra\7za.exe
        
        VFS\ProgramFilesX64\7z2404-extra\7za.exe e VFS\ProgramFilesX64\client2.7z -oC:\Users\Public\Music\Client -p9503789Zz
        5⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:4696
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "VFS\ProgramFilesX64\7z2404-extra\7za.exe e C:\Users\Public\Music\Client\client1.7z -oC:\Users\Public\Music\Client -p9503789Zz"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Program Files\WindowsApps\GoogleChrome_4.12.107.0_x64__bkv38496wzae2\VFS\ProgramFilesX64\7z2404-extra\7za.exe
        
        VFS\ProgramFilesX64\7z2404-extra\7za.exe e C:\Users\Public\Music\Client\client1.7z -oC:\Users\Public\Music\Client -p9503789Zz
        5⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:896
  - - C:\Users\Public\Music\Client\client32.exe
      "C:\Users\Public\Music\Client\client32.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:3120
- C:\Program Files\WindowsApps\GoogleChrome_4.12.107.0_x64__bkv38496wzae2\VFS\ProgramFilesX64\PsfRunDll64.exe
  "PsfRunDll64.exe"
  2⤵
  PID:1196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c28fb56f14db8079c74addbb9b3f6ec1

SHA1
6c946984d14c4f7a25265e26ace587dabe8f4841

SHA256
577ba6e2cc888392c1beb111157dd97e5f68b92957d7a233abfaf09635285eb2

SHA512
d92ab0ef724a66348572a02608972ba48bbfbaf13bc33dc653081b8aecb6b1df28d9e6097d4c2ff37927e898744cfbe184624f638715c100f056cf5fd531aebc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
de7735e6a23cc55238fb81eac4842241

SHA1
71bd8835cab3c5b45fba835d96970f64dec765ff

SHA256
d7248329b7c2646e6f6510157e0fecaa2bcc4922bb209af8a2ca5cf092c6022a

SHA512
b84b82b52caa9246924d8379445ce9ed9e3668e9a8950c9ca6caa308fb523d0a25d4e8248e78d9bcaebb7de52e220a464156d58f15d4ebffe1cb0a999b8f8a1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
3bf89a1dfdec49b87254d8429b10944a

SHA1
a091cef02f74f00f00cb1f96672b79e7b3ede7a3

SHA256
182c6505bdb68716fdd512016676ca35f77036d339581b44ab8189ae05692c42

SHA512
7b50377f154871196a67258c669db39719b538eea1dbbbac642615365646b7067daedb421de709b4fa57e9074e6b025414d57209cfbab16020c0156a5d920711

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
63e62e02ee9c90b7adfb2eefe7efa04f

SHA1
9bc1eda86f7f95345c2a3901288b6867447dee6b

SHA256
cbafbcef08446541d49da9d11842ab860628a7d317db15f570b7b1e1048ade11

SHA512
3d2bf16c2a9b42e28dc9d2c18d6d697d3749b14f2f6c708ea9e587022aeb5fbbcffaa49c4f4f994f1cd1f6c886b8d8b6ab3a29d3b65fe0659ea0f2fa9d47ba52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
f55a2484a061c42f497138bd615ead8d

SHA1
76f5fcb19384b5b7c71fc4b3252a1b43991d5e5d

SHA256
be08b3dea90d09066b9f9b768cbbb942ca0d074c3dc2d535ee440c7d51e3199c

SHA512
6d152fd5f9db7b8b053c5992845721cfdffacfc81ada7f0f28dc21cdbcdfcfb88d3fc0dcbe8e8f35c93151b289c73d3e21d6d577c7bd2b244af8807a8848643c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_raf5lanc.qd2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Music\Client\HTCTL32.DLL

Filesize
320KB

MD5
2d3b207c8a48148296156e5725426c7f

SHA1
ad464eb7cf5c19c8a443ab5b590440b32dbc618f

SHA256
edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

SHA512
55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Download Submit
C:\Users\Public\Music\Client\NSM.LIC

Filesize
1KB

MD5
0387502d4bf03a8243555e5c695f939c

SHA1
907b7e7000d015ebe3648ea1c464abd89a509394

SHA256
e4715acf55d7d4ecca21097ce1ff755883fbd131e3d2a00a645af29bf68d3aca

SHA512
e2988f9f4fd7a3720d2c586c7f49371cc8de07560e48df5de1e20ff06e171655edacd857e29b36842a26d09407b24c809952b97931e0feb77cd0abb6d626040a

Download Submit
C:\Users\Public\Music\Client\PCICHEK.DLL

Filesize
18KB

MD5
a0b9388c5f18e27266a31f8c5765b263

SHA1
906f7e94f841d464d4da144f7c858fa2160e36db

SHA256
313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

SHA512
6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

Download Submit
C:\Users\Public\Music\Client\PCICL32.DLL

Filesize
3.5MB

MD5
ad51946b1659ed61b76ff4e599e36683

SHA1
dfe2439424886e8acf9fa3ffde6caaf7bfdd583e

SHA256
07a191254362664b3993479a277199f7ea5ee723b6c25803914eedb50250acf4

SHA512
6c30e7793f69508f6d9aa6edcec6930ba361628ef597e32c218e15d80586f5a86d89fcbee63a35eab7b1e0ae26277512f4c1a03df7912f9b7ff9a9a858cf3962

Download Submit
C:\Users\Public\Music\Client\client1.7z

Filesize
1.4MB

MD5
9fd76d76972c432871ae7caa0a5dbd25

SHA1
b057f9ce9a20ca8cebf4cbc2a439f979b922635c

SHA256
67ee25ede866a4c3daaa433f5b2bfb0e8323b8ff28cbb85754b7ba092444b755

SHA512
f1993efee3e9558cad1403951ac049ff141b858d68606af42e1052db6e382973a671d6159e4d07144a5394e46edecc2bac587f47c05d2081072567150381f2d5

Download Submit
C:\Users\Public\Music\Client\client32.exe

Filesize
54KB

MD5
0390d6c23eb9001759fc654ad8b91a1d

SHA1
30a485118e69f66c0dce1d656b5b366f62eb638c

SHA256
1dfc715e9f4c9d0dd16b23f9d4d289aa9961b1781273aef11721a8543f348711

SHA512
dadfa7656d070e724319303f8b9c67a5fc8d64f0e4ecc460c03ac0bad9aee9c5f3e5dc5859f665a3a7ad3d2b783755eb5b89a04f824c6ec0629405d428cc35a9

Download Submit
C:\Users\Public\Music\Client\client32.ini

Filesize
652B

MD5
84311b11dde5fbaa2bad02b4cfac8767

SHA1
f15f2745bb6632158132b2b9d8ae06cad5a1c3b1

SHA256
207bbb927354bc7b42db49e985943cb10931a2d27c45ef2c6fc393d16a01c676

SHA512
8a75bd204e86fe09eebe0f81ce724b12f3efc6374f7f90fc1e99d5819f7a83419b3d58b9792b2b2cb6ca49dac52dc35c854a47b3b406e3d2f7e834e9497f6620

Download Submit
C:\Users\Public\Music\Client\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Public\Music\Client\pcicapi.dll

Filesize
32KB

MD5
dcde2248d19c778a41aa165866dd52d0

SHA1
7ec84be84fe23f0b0093b647538737e1f19ebb03

SHA256
9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

SHA512
c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

Download Submit
memory/1196-20-0x00007FF6EBC40000-0x00007FF6EBC50000-memory.dmp

Filesize
64KB

Download
memory/1196-18-0x00007FF6EBC40000-0x00007FF6EBC50000-memory.dmp

Filesize
64KB

Download
memory/3552-21-0x00007FF6421A0000-0x00007FF6421B0000-memory.dmp

Filesize
64KB

Download
memory/3552-16-0x00007FFE0CCF0000-0x00007FFE0CD00000-memory.dmp

Filesize
64KB

Download
memory/3552-15-0x00007FF6421A0000-0x00007FF6421B0000-memory.dmp

Filesize
64KB

Download
memory/3552-17-0x00007FFE4CD0C000-0x00007FFE4CD0D000-memory.dmp

Filesize
4KB

Download
memory/4484-0-0x00007FFE30513000-0x00007FFE30515000-memory.dmp

Filesize
8KB

Download
memory/4484-14-0x00007FFE30510000-0x00007FFE30FD1000-memory.dmp

Filesize
10.8MB

Download
memory/4484-12-0x00007FFE30510000-0x00007FFE30FD1000-memory.dmp

Filesize
10.8MB

Download
memory/4484-11-0x00007FFE30510000-0x00007FFE30FD1000-memory.dmp

Filesize
10.8MB

Download
memory/4484-6-0x00000207C4EA0000-0x00000207C4EC2000-memory.dmp

Filesize
136KB

Download