netsupport | 68672e134eeb33ed9beede872a000843694e382697abf3309cafa6367b6c7154

Analysis

max time kernel
145s
max time network
112s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
19-09-2024 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea34bd669623b802574b8da23549a66227b7aea5480e80289ec8b2ff6dc5cd7e.exe
Size

6.2MB
MD5

f30257ceae9a67d36a4e62f20ca7da00
SHA1

e3ca7a72b61fac410b406163ecc299b89f01224a
SHA256

ea34bd669623b802574b8da23549a66227b7aea5480e80289ec8b2ff6dc5cd7e
SHA512

f301745a2474911510066eb58178a804c1aedff3f40102b1ecd6078dd87ee59f12dd6217c23481c1ef78ab625079e1a733ae70d7de470a321802a5f0afcf378b
SSDEEP

98304:Cwi471aEj6tOKNnwp2QNNVNDP+f4GXpcNB6wijexMRq:I4AErp2oWj5fjexb

Score

10^/10

netsupport discovery evasion execution persistence rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TSConverter.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1604	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2556	TSConverter.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Wine	TSConverter.exe

Loads dropped DLL 64 IoCs

pid	Process
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe
2556	TSConverter.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Advanced OBackup Controller = "C:\\Users\\Admin\\AppData\\Local\\Programs\\TS Recovery Module\\TSConverter.exe"	TSConverter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea34bd669623b802574b8da23549a66227b7aea5480e80289ec8b2ff6dc5cd7e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TSConverter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\WOW6432Node\CLSID\{A7D1D0BE-40CB-497e-81E5-5D732FCB1B7D}	TSConverter.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2556	TSConverter.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2556	TSConverter.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2556	TSConverter.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2556	TSConverter.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2556	TSConverter.exe
2556	TSConverter.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 2556	2052	ea34bd669623b802574b8da23549a66227b7aea5480e80289ec8b2ff6dc5cd7e.exe	79
PID 2052 wrote to memory of 2556	2052	ea34bd669623b802574b8da23549a66227b7aea5480e80289ec8b2ff6dc5cd7e.exe	79
PID 2052 wrote to memory of 2556	2052	ea34bd669623b802574b8da23549a66227b7aea5480e80289ec8b2ff6dc5cd7e.exe	79
PID 2556 wrote to memory of 4516	2556	TSConverter.exe	80
PID 2556 wrote to memory of 4516	2556	TSConverter.exe	80
PID 2556 wrote to memory of 4516	2556	TSConverter.exe	80
PID 4516 wrote to memory of 1604	4516	cmd.exe	82
PID 4516 wrote to memory of 1604	4516	cmd.exe	82
PID 4516 wrote to memory of 1604	4516	cmd.exe	82

C:\Users\Admin\AppData\Local\Temp\ea34bd669623b802574b8da23549a66227b7aea5480e80289ec8b2ff6dc5cd7e.exe
"C:\Users\Admin\AppData\Local\Temp\ea34bd669623b802574b8da23549a66227b7aea5480e80289ec8b2ff6dc5cd7e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\TSConverter.exe
  "C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\TSConverter.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\TSConverter.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4516
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\TSConverter.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\AsMediaInput.dll

Filesize
445KB

MD5
51cebffde43c239da5e69b0e64954522

SHA1
a2f4bc0f6a7b49ea3902d654a953b3cc2239e6c1

SHA256
ceaa4c00412760b2f15c241f2d7b57bc4744c15d3d1157d9d2a9693d2ee84318

SHA512
e0d641e7ad666115f50dff0a304b8f3fa03f2d86f64ad38159c86bd3724682d12b3f5cdbe06ddebefa00e6d3abc5a4a0519170b6029c959ed93a8255935f7ae6

Download Submit
C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\AsPlayer.dll

Filesize
213KB

MD5
8b0f978c7615eab0fc9b0bb6d60b3edc

SHA1
5f6116f0fdf43f40933e909597d1d263cb0da348

SHA256
c10eba110d341c2d3a52bbca670d47d2a8a586b0ac09150b7b639e22885e79be

SHA512
2756c2f509680a5e0e8316dcfe201a74ba61efedb9e15aba790edc1fa792cb133e3b8197112b625a623c6bbc59953808953c2b2e55e22f673a3aef8b8fe0b308

Download Submit
C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\CommonCtrls.dll

Filesize
111KB

MD5
75a2af2dea3da4e77bfe3939ce779fa8

SHA1
4cd02b95ca14d23947f578de1473b939117f4303

SHA256
9e2d384fb2b7c0d044400729f1f7b85284f62497b2db619059fc16aa76077027

SHA512
a74be65b74822fa3baad9d424b81ea164f1bad39ed15695ee8b90b352b3cbe8e264391f004622af45294abdda045df97835dbfafe67ae831954896944f2e116d

Download Submit
C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\DownloadManager.dll

Filesize
63KB

MD5
494aca51661c838a2e6b6035aa3dc8e3

SHA1
0456add0c5a4617bf6a0a8973fc4faadeb399021

SHA256
79fc5eed59b3ce4d97490074c0d189aeb721fa5e84c503371f4b665de7fab609

SHA512
1818f1be75eedd7cc9782454313c2b23bd8d9c76cc954af7ce1a96ce0688632a3ba933a5da85e54efc7d0d900b884d32b122b6215ecef5a423cffdadd644cebf

Download Submit
C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\FfProfile.dll

Filesize
334KB

MD5
7a99eacb3808e194ec874c66fc86a603

SHA1
7383c7cf256a461f2747ce9f72dfb172904a8090

SHA256
dcad80572bc2336cddd99d9abc432d241554dd0b694b36f5031be5a993232b88

SHA512
273b977cc56c01149f13592c31f6b6595825cce41ef5bcc501aec6d8758bc446294d961ca24ac6a2a61c2c43490f8348dfd6c6ae5c166a236b634d501ea3a3f2

Download Submit
C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\FfVideoEditor.dll

Filesize
1.0MB

MD5
97638522de02899961efa883e48af48a

SHA1
7921f7c4b0a4fdf8d78a66d3ab0bbd445f59ea9f

SHA256
db00ca4f3b8e9b127b28921d88ed5efcaec342bef510367556fc15c81e6f99e2

SHA512
a7d5c538a157a145110708a3d374ff11d64b781942b3a87891cdfd834baff04ccb29da4705ac79f741f1c29041703f4568d57a5161025457d93f66f2059b4740

Download Submit
C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\FfmpegWrapper.dll

Filesize
242KB

MD5
362be76a3f8c15111aaeb3e2316a2ade

SHA1
b544dd53e8a16e7d257ed8c9070af57647c395a5

SHA256
76ecf30a1a83d49fb710f4b808884a285f82e9242a81228beeb767848d6ead44

SHA512
eab608c54b2ea32a0fa197157ab65e79beb2a6e030c018db13b6e2a0f338ad26842a9ea2258e5f43387a8c9e5fbf2f1e54fb7ab15b1d82d23362382a4555f7e2

Download Submit
C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\Framework.dll

Filesize
1013KB

MD5
d224e12162e977ede4fe2d07380c5b22

SHA1
3b8ae72d45c544efe4dda03c5aa6443eda4e1279

SHA256
fdef4926120a2f5bf25256c7a0300e203e476e60a29c333e73b2dba515465035

SHA512
6c103264bbd597000201654843857d48408c6e36350b779fc283774e4b38d0e04ae1b62ac95bb3154ea7c7371c03302beedbfcfb3fc37f55ad7cabe8aec19cca

Download Submit
C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\MSVCP120.dll

Filesize
444KB

MD5
a883c95684eff25e71c3b644912c73a5

SHA1
3f541023690680d002a22f64153ea4e000e5561b

SHA256
d672fb07a05fb53cc821da0fde823fdfd46071854fe8c6c5ea83d7450b978ecb

SHA512
5a47c138d50690828303b1a01b28e6ef67cfe48215d16ed8a70f2bc8dbb4a73a42c37d02ccae416dc5bd12b7ed14ff692369bc294259b46dbf02dc1073f0cb52

Download Submit
C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\MSVCR120.dll

Filesize
948KB

MD5
2fb20c782c237f8b23df112326048479

SHA1
b2d5a8b5c0fd735038267914b5080aab57b78243

SHA256
e0305aa54823e6f39d847f8b651b7bd08c085f1dbbcb5c3c1ce1942c0fa1e9fa

SHA512
4c1a67da2a56bc910436f9e339203d939f0bf854b589e26d3f4086277f2bec3dfce8b1f60193418c2544ef0c55713c90f6997df2bfb43f1429f3d00ba46b39b0

Download Submit
C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\Qt5Core.dll

Filesize
4.5MB

MD5
678c947dec2979c843f8cdd24796ef46

SHA1
f5f8f41e6480f9b42344241b76e8e384adb6b9a0

SHA256
0b407af1ed1a77ffd7503ed396a1091e41e0ae6865204d3e38dc6af147a1dbf2

SHA512
e34583d7cfe5b555d59218b019469171c02e2a193e74f9cb587a24e0abd82969102bdf0c4a06929f1c13602d613b43f653b58c233e7edbd5d1d4c5db2a707055

Download Submit
C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\Qt5Gui.dll

Filesize
4.8MB

MD5
6d77fd2afc773f604380e34172f313d6

SHA1
8c938f8000e262746eae7ef9fbb813eb2302e674

SHA256
f719214250d7b36bfddfd78b2d094500f025a8d50d0e297d9c29927e65a4aeca

SHA512
8ae8153d5d69ab9596f9ca572f75d817cc9a7b2005915b438e4448114d05ffa4b6ac0426ecfd6cdbbda26461a766a1ca58b0cd7f8d0ef09c5d3a91c19547fed1

Download Submit
C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\Qt5Network.dll

Filesize
844KB

MD5
11a576944c9aaadcd9deb12dfc173bd7

SHA1
ac08ddd705859529241310abfea6280f5554306b

SHA256
fce717eecf407cafdf6a30f33246e3244a568ef06d9077823695d014c79f910c

SHA512
5fde256826f8e5a4020817c2b2b6fcd969cdd6055b002e103c73c5248c56fcd7a0909339eb60e2b9ccf2bbdc45883887361bbe63631e879e9c08fc13df3774e0

Download Submit
C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\Qt5Sql.dll

Filesize
160KB

MD5
3a7a38f0c80f7e609adb774a3d74f509

SHA1
cacc5ce6b9b3ba06ed12a832fbfbafec60e655aa

SHA256
887ebfd1b365a043a435d6e23649b5f0d4fcdc6b143be31228f7eb8146f509c7

SHA512
1af7fbbbf020eab7c5e91394c95899cdaeea40aaefa265f58bc1c26091bcbd6ef4a308dcdd077e69dbb111b3aecc7c042fec201ba47891d6824f15ff9701723d

Download Submit
C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\Qt5Widgets.dll

Filesize
4.3MB

MD5
26110086dd51fe3b5c864e0e3578aefc

SHA1
3be4e4f87f5dfdb58e0cfd9b7745de3e48d45df4

SHA256
64d2a7dae905617df9833118247c10de51352aa48dd9c72ae5c223f3ed54b4b4

SHA512
a852e740d7a0cf41bc6329a259c3a2ced80f9d3654b3e23bc5b9c0eb93552a26850d7ebcc824c7648550d1b5d7bdc6c8809d0bbb1c68a4856669fadf5e48aceb

Download Submit
C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\Qt5Xml.dll

Filesize
158KB

MD5
dfc32358acf8e8a7e6f13c271554fa06

SHA1
d3c3208af1f5783ee788738460dcf3a234e4b010

SHA256
ec05c9858e097bb423e7ad0af2b5c4fd3424ba470e76334f451b2300ca3ec944

SHA512
4f5021d899d05741f4eef57fbebe6476a10ab899891620b1bc832b2af29caece8664637a3899b679bed6a45edaaf8cd4b95fc53379f18352890c7b992a510349

Download Submit
C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\SDL.dll

Filesize
1.3MB

MD5
5a6f456d255b03be9343edffe8c520bf

SHA1
db1f3c9997a54997053f76c5f46a437915ce30ab

SHA256
df5100c87689e2dee348c7f3976a8e0c22c6b0a2ae08771d2ea636f9233982c7

SHA512
2452f5e12be7c8eca332a49dfd1363b921892486a70d387cf01e7f94679b2eaa9501019e081ac76c92bf77afd9511a59a8be1d810d030f63eb720e7ed6b4032f

Download Submit
C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\TSConverter.exe

Filesize
184KB

MD5
f6f5488c05f0c4a347d927bd10f6b36e

SHA1
b889342b7d64d53dc08773c3653ea494f1eca08b

SHA256
9f30e1d9f9f18f57b06a447f825e7483dc1ccdec7ae4440e50afd00b9e820be9

SHA512
f4d41b1323916e95b9e76ce220e66710f380d5806f4d47f9a4fab2e94f78980106c88955ea8ce1a713a43e95ae4aca5fda792ce91931d733049a610e4a65f945

Download Submit
C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\Utility.dll

Filesize
22KB

MD5
e77e9d216b52bbdcad73fe47bfb5debe

SHA1
8e522595424733a275aa7af7600175b200fee462

SHA256
0be323496abfd4b8a246c44d1c6a790ea9866a114445a87fff7c2610a0808a08

SHA512
f7fe76d23c4a79b23db50ba9739c5427c879d64d19c4f94ce5a28243c4726f20d6cf6757949e2dcb0720018614b488c07406d3ca745a870b70f87ca221a08436

Download Submit
C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\VCReport.dll

Filesize
29KB

MD5
effab3ddc3d33491f066903c4c95d361

SHA1
9be3bf66f3b8990fa919b5459b564a34ab81aaeb

SHA256
fddaecd2bd619e12fc2916e196592488090d558a9668429f570582b0ea557028

SHA512
8a569acd8fa384e1b529b7d63041d247e88cc15ef0477b457a7ed6d43a21b13e814193085224f67233c554b9d5e8aa598504fc3d3c1dd9650e69784d20d4d993

Download Submit
C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\avcodec-56.dll

Filesize
19.0MB

MD5
d252bad2bb26a0b1b7cb46ac36394a65

SHA1
4185c56dd7408df6ad1a10cd94905af1c06a3ecc

SHA256
484cf9310f35f79f83ba5327e20909420d0cea286ed0ea8fa5755bd5f2b00ce3

SHA512
66e8eb94097932460f4df82d56ea00807b89e0ea78806d5618daa2a3521b5a343162b42ea68cf491114708d86aab018a0df4486793c31fee7e150a97c8a7ea20

Download Submit
C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\avfilter-5.dll

Filesize
1.2MB

MD5
4dc29ce2b9ee297a6a1f4f8ac04b8acb

SHA1
57253632652dd8f04a8726d7fc5bc0dab515392a

SHA256
a2c74d26143fa42ff496776959ed6ee1eba5bd64f97089fcff674a11a51a6d67

SHA512
afb1f72451e0d19001be410b84c0437cd3aec6b1524895661e07f41ecca9fb763bf3c677538b416a36fd57bf779f49a824c6a7d0a9540f5a0a38b40e6a786a4d

Download Submit
C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\avformat-56.dll

Filesize
2.1MB

MD5
ddfa82dd7995a1f1d1989da271d2d4ef

SHA1
061fa31f10508a7039b36670da160f168ba3b26d

SHA256
b06d887d7d545c308ae5ab1b2927c780d25adbb9865f14b6a61a0227e498a0e7

SHA512
22caaeb378d19703d0098ca61e6843b507a8762884212326946a9839c91ff6624a4399b93a8062e7b4f76fb94ba1af52f4304f0469300fea4ca719372368abc6

Download Submit
C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\avutil-54.dll

Filesize
410KB

MD5
9c200ca1d22c6b82a172e715cc82d526

SHA1
9aa93fb66d6d4c06595c24348748d70c3211843a

SHA256
ca176820ec3ff40076f1c4977c81d2ef7e3165a6674187e4175f34fb3926c77c

SHA512
a30f4ff1f71db7c21c4a6a1ab7c956c98d82ceb02ca93639649678aa24f3ad08641ac30a0f7c19d3e9d8c38857bf368002ca78e4fb7ceb26db21d23a9cdfba45

Download Submit
C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\glew32.dll

Filesize
323KB

MD5
9533a084af09bc8d4943c833a5be8edb

SHA1
c4fd1398e98a925dffd92c562722d5d4b63c8d64

SHA256
935d588e8fe3a3db351463bcfabba7a50b7e7d2f5e4186494d754b61d949f3d2

SHA512
824b11de7d0ca9069b2d81d64dabf50d10b47ce96868602551f671f2e74235d9fae3e129fcca124e36cd797b332c3487bccca4ecffa91fbbd3da59fd02f185be

Download Submit
C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\libcrypto-1_1.dll

Filesize
3.1MB

MD5
fcf37fe41a8f0466c54cb9c01bdb441b

SHA1
174ff3d88656d993fe29cf6da61b8412ef7d7841

SHA256
e452d65faa47a924c141346dc3c38bdd281e9c77cb183dff4d20d6d08b039897

SHA512
59c58793fbf63ad7db2223c7a1d4e43b4a0fe3a2356227ffa1b57186c2308387df77d4ea819937759671bc2e9586a31d5fe78119451be64bdb1eceb972ec8327

Download Submit
C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\libcurl.dll

Filesize
300KB

MD5
c58ceaff039ac8d0633b8e74e285fcb1

SHA1
eb1f91176b8d39a75688ddec31c0a04d459da0fd

SHA256
8e063579a9d83e81820d1328af4d9b6457386bd161466fd02826e2032282efeb

SHA512
607836e3444836633436043c12ec0b19ef5b434e5aff017e6878c4fe4c9c835c346d3b2e7cded7844d152cda51d2981d82ca0ecc73b37c4a8bb9fb5b175ae95a

Download Submit
C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\libssl-1_1.dll

Filesize
922KB

MD5
ae5d185887069aac46b8aa8918f88c77

SHA1
ebcd4352d71f7ef4b8dad26be6d25cdf4b651f61

SHA256
a937155612c6bf6257da4c4f835e68b02359540577db3f37729e1e2871f89ec1

SHA512
5941e24085d70c6de29c0c345d7f5d8a683993f1ca218ae1655c14509a1968dc240c9dec611341ae37eceb410ade009bf6520f247eb753b4aba0886d9f2f8078

Download Submit
C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\main.dll

Filesize
673KB

MD5
ff3f9fcb6dac5ed607008a117dfcbcb5

SHA1
d53a919936575147681e6d86808e04346fd67a95

SHA256
1f01405fcd4c108862159469da98010346db94de971053132a515252caa95a4d

SHA512
ad30496099ca5901e327beb3b1ffa493c9ee8210c559285b344bd506f4624aca3ec4193de36f4da45246be1917d388698574a6fc0baa9d38e374cf89a6dc5177

Download Submit
C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\nsm.lic

Filesize
261B

MD5
886e4bb84e1ecc4a04ae599d76fcce1d

SHA1
3f0493bb2088af50bcc8223462db0b207354e946

SHA256
5eeb014e3b390e0c85ce72988d422dcd9de1520566b11755c70bdd9bb7376060

SHA512
f4db9038a113c4b1e2462b3e0becef2500c9532a79c8187f51d011d690bc68c6d1a99585e43136cb082bd6a232136546db50265f226ff19e67d8430306a8761f

Download Submit
C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\pcichek.dll

Filesize
14KB

MD5
3aabcd7c81425b3b9327a2bf643251c6

SHA1
ea841199baa7307280fc9e4688ac75e5624f2181

SHA256
0cff893b1e7716d09fb74b7a0313b78a09f3f48c586d31fc5f830bd72ce8331f

SHA512
97605b07be34948541462000345f1e8f9a9134d139448d4f331cefeeca6dad51c025fcab09d182b86e5a4a8e2f9412b3745ec86b514b0523497c821cb6b8c592

Download Submit
C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\platforms\qwindows.dll

Filesize
997KB

MD5
382166cd2b5ceeba4237104f9b0c0e14

SHA1
d5fbfe37c92f8016334faceb2e2e219871b4d431

SHA256
c24bb651c1ab40f3afe045ce15b613f8b481795957b77387f9ce3bad1e4377b9

SHA512
b60e1ea7b397a9d2fc2123cdb815c58c2573dfacb4386ec213fce3052e94cc63871c63b959ef6168ae9ad7e10bd21987fff5a4008e01ee00e8466c3e9acf8ce0

Download Submit
C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\swresample-1.dll

Filesize
122KB

MD5
666213dc161525ade471727fc902b874

SHA1
6b3c36b8fac94465baecb1027a6107d8dad2f47d

SHA256
1a2204993d2dcc6e344b6822c634ba901f07296839c5704bec0a0541beec0529

SHA512
cd442bbbe82ba756ce5c8dedcd7e562b6275b89aeda537bee6578a8dcd89068d91ebaf1aa7429fdd9d50d2d802b1ad4d8e3d3f352af6b4f9ad405ac4e3a84010

Download Submit
C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\swscale-3.dll

Filesize
512KB

MD5
14aab81288f2fc4b1f9281581d4e279a

SHA1
bac25da329cff0c4a07fa566dc685d91a31580ef

SHA256
8306bfa4407a9efb05391024fcd0d1986c43c39d06577c8361b5f3b8b48ae5f9

SHA512
52e6561fd4612acd4c5b6117dfbe047527dca5163ba2ef089a735324f79f9bcdc0cd7568979104b16ab55fe9115b145a0258ccda32df4d61bb9368346f01362d

Download Submit
C:\Users\Admin\AppData\Local\Programs\TS Recovery Module\sync.1.1.dll

Filesize
3.5MB

MD5
a287be4e1ed7034fa4504d25d3fdfa6b

SHA1
083934f2ee7504ad34d295528d9df8a04acc93df

SHA256
84527db776684dc49ee0e309ba47ee369511fd26a076c8d1509d686f50cbb0af

SHA512
8c0d50473f8004319cb0865501adcccb0a326a533041a8a9d2b3f78bc1613b565800b478c874f38d196e483615dee565187db185e294f88e39df6870ee53f28f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q5u50a3u.c5l.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1l0.0

Filesize
16KB

MD5
fc7260eeaf3874843f87130518d48da0

SHA1
1bb708030e39b73ff7f516791071f3da34c473a3

SHA256
d364158e5f7bd80e92e34667f88f29ebf12791ad6ffc6412e83b0018907011a6

SHA512
caf98f15b3dac4c3e0da9c1d7014de89edf958e83659c05b207a1e34f1f355d83e0aa1096a3cc10f5fb7839e01a1d929b69299139c1606359bc12b6772cf281d

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1z0.0

Filesize
16KB

MD5
b5af7f4c1a0c3a69a0fd3585125d75c0

SHA1
80e361f887714490d99c8814e6071214731098f9

SHA256
750a1e476dd59ee4cd3fc7e745c3de81bb50f291a4a25005c5ce76c0dd66f9ab

SHA512
19144a3f2ec86fe9cc30c045bfad2529e75dd27a02c76b79a7e09ac7ce20ef49fe3fe2a006ebda7f14e66f6bb6051a87e1ba459fcccdd2619e8bc56d1043ef00

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1z0.1

Filesize
16KB

MD5
f1c0ac9897b63ea3aabae76cb2fb1567

SHA1
cb5d1ba4cfea2513d04df9e71114723762f69a2b

SHA256
9f8b8937e46ddeeb094cd8bf2b3fc59927bb34a5f8f7c9d7f4d6676b01df3f23

SHA512
7e10add21959f408658f81c0b1f303845cb67a2f1256de20c2b43e2ffb32ae2fce181d014e10c0eca0e58842904376c2affac2a683449b600447f14a85f29aa3

Download Submit
memory/1604-708-0x0000000007DA0000-0x0000000007DA8000-memory.dmp

Filesize
32KB

Download
memory/1604-672-0x0000000003280000-0x00000000032B6000-memory.dmp

Filesize
216KB

Download
memory/1604-673-0x0000000005B20000-0x000000000614A000-memory.dmp

Filesize
6.2MB

Download
memory/1604-674-0x0000000005970000-0x0000000005992000-memory.dmp

Filesize
136KB

Download
memory/1604-675-0x0000000006150000-0x00000000061B6000-memory.dmp

Filesize
408KB

Download
memory/1604-676-0x00000000061C0000-0x0000000006226000-memory.dmp

Filesize
408KB

Download
memory/1604-685-0x0000000006250000-0x00000000065A7000-memory.dmp

Filesize
3.3MB

Download
memory/1604-686-0x0000000006700000-0x000000000671E000-memory.dmp

Filesize
120KB

Download
memory/1604-687-0x0000000006730000-0x000000000677C000-memory.dmp

Filesize
304KB

Download
memory/1604-698-0x00000000076E0000-0x00000000076FE000-memory.dmp

Filesize
120KB

Download
memory/1604-699-0x00000000079A0000-0x0000000007A44000-memory.dmp

Filesize
656KB

Download
memory/1604-689-0x000000006AB00000-0x000000006AB4C000-memory.dmp

Filesize
304KB

Download
memory/1604-688-0x0000000006CD0000-0x0000000006D04000-memory.dmp

Filesize
208KB

Download
memory/1604-700-0x00000000080D0000-0x000000000874A000-memory.dmp

Filesize
6.5MB

Download
memory/1604-701-0x0000000007A70000-0x0000000007A8A000-memory.dmp

Filesize
104KB

Download
memory/1604-702-0x0000000007AE0000-0x0000000007AEA000-memory.dmp

Filesize
40KB

Download
memory/1604-703-0x0000000007CE0000-0x0000000007D76000-memory.dmp

Filesize
600KB

Download
memory/1604-704-0x0000000007C70000-0x0000000007C81000-memory.dmp

Filesize
68KB

Download
memory/1604-705-0x0000000007CA0000-0x0000000007CAE000-memory.dmp

Filesize
56KB

Download
memory/1604-706-0x0000000007CB0000-0x0000000007CC5000-memory.dmp

Filesize
84KB

Download
memory/1604-707-0x0000000007DB0000-0x0000000007DCA000-memory.dmp

Filesize
104KB

Download
memory/2556-238-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-219-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-205-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-202-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-200-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-199-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-210-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-480-0x0000000070330000-0x0000000070774000-memory.dmp

Filesize
4.3MB

Download
memory/2556-198-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-197-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-222-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-196-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-195-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-194-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-193-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-192-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-191-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-190-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-189-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-187-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-186-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-203-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-204-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-206-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-207-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-209-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-212-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-211-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-213-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-214-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-215-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-217-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-218-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-208-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-221-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-223-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-224-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-225-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-226-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-227-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-510-0x0000000070330000-0x0000000070774000-memory.dmp

Filesize
4.3MB

Download
memory/2556-228-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-229-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-231-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-232-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-233-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-234-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-235-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-236-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-237-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-239-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-240-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-241-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-242-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-243-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-245-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-246-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-247-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-248-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-249-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-244-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-230-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-220-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-216-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-201-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download
memory/2556-188-0x0000000072B90000-0x0000000072D87000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads