netsupport | hxxps://www[.]4sync[.]com/web/directDownload/S06W9sUX/Xnj9cMHB[.]8fe7375c02815b856cddb787ae1c67e1

Resubmissions

19-02-2025 12:03

250219-n782rs1jan 8

Analysis

max time kernel
105s
max time network
102s
platform
windows11-21h2_x64
resource
win11-20250218-en
resource tags

arch:x64arch:x86image:win11-20250218-enlocale:en-usos:windows11-21h2-x64system
submitted
19-02-2025 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.4sync.com/web/directDownload/S06W9sUX/Xnj9cMHB.8fe7375c02815b856cddb787ae1c67e1

Score

10^/10

netsupport discovery execution persistence rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Netsupport family
netsupport

Blocklisted process makes network request 2 IoCs

flow	pid	Process
33	2416	WScript.exe
34	2416	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
1080	client32.exe

Loads dropped DLL 6 IoCs

pid	Process
1080	client32.exe
1080	client32.exe
1080	client32.exe
1080	client32.exe
1080	client32.exe
1080	client32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\ProgramData\\lomnodj\\client32.exe"	WScript.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133844404237075501"	chrome.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings	7zFM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\7zO8521BF79\scan_doc_000_501.js:Zone.Identifier	7zFM.exe
File opened for modification	C:\Users\Admin\Downloads\scan_doc_000_501.rar:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2220	chrome.exe
2220	chrome.exe
4696	7zFM.exe
4696	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4696	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2220	chrome.exe
2220	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeRestorePrivilege	4696	7zFM.exe
Token: 35	4696	7zFM.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
4696	7zFM.exe
4696	7zFM.exe
1080	client32.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 1680	2220	chrome.exe	88
PID 2220 wrote to memory of 1680	2220	chrome.exe	88
PID 2220 wrote to memory of 4672	2220	chrome.exe	89
PID 2220 wrote to memory of 4672	2220	chrome.exe	89
PID 2220 wrote to memory of 4672	2220	chrome.exe	89
PID 2220 wrote to memory of 4672	2220	chrome.exe	89
PID 2220 wrote to memory of 4672	2220	chrome.exe	89
PID 2220 wrote to memory of 4672	2220	chrome.exe	89
PID 2220 wrote to memory of 4672	2220	chrome.exe	89
PID 2220 wrote to memory of 4672	2220	chrome.exe	89
PID 2220 wrote to memory of 4672	2220	chrome.exe	89
PID 2220 wrote to memory of 4672	2220	chrome.exe	89
PID 2220 wrote to memory of 4672	2220	chrome.exe	89
PID 2220 wrote to memory of 4672	2220	chrome.exe	89
PID 2220 wrote to memory of 4672	2220	chrome.exe	89
PID 2220 wrote to memory of 4672	2220	chrome.exe	89
PID 2220 wrote to memory of 4672	2220	chrome.exe	89
PID 2220 wrote to memory of 4672	2220	chrome.exe	89
PID 2220 wrote to memory of 4672	2220	chrome.exe	89
PID 2220 wrote to memory of 4672	2220	chrome.exe	89
PID 2220 wrote to memory of 4672	2220	chrome.exe	89
PID 2220 wrote to memory of 4672	2220	chrome.exe	89
PID 2220 wrote to memory of 4672	2220	chrome.exe	89
PID 2220 wrote to memory of 4672	2220	chrome.exe	89
PID 2220 wrote to memory of 4672	2220	chrome.exe	89
PID 2220 wrote to memory of 4672	2220	chrome.exe	89
PID 2220 wrote to memory of 4672	2220	chrome.exe	89
PID 2220 wrote to memory of 4672	2220	chrome.exe	89
PID 2220 wrote to memory of 4672	2220	chrome.exe	89
PID 2220 wrote to memory of 4672	2220	chrome.exe	89
PID 2220 wrote to memory of 4672	2220	chrome.exe	89
PID 2220 wrote to memory of 4672	2220	chrome.exe	89
PID 2220 wrote to memory of 3888	2220	chrome.exe	90
PID 2220 wrote to memory of 3888	2220	chrome.exe	90
PID 2220 wrote to memory of 2840	2220	chrome.exe	91
PID 2220 wrote to memory of 2840	2220	chrome.exe	91
PID 2220 wrote to memory of 2840	2220	chrome.exe	91
PID 2220 wrote to memory of 2840	2220	chrome.exe	91
PID 2220 wrote to memory of 2840	2220	chrome.exe	91
PID 2220 wrote to memory of 2840	2220	chrome.exe	91
PID 2220 wrote to memory of 2840	2220	chrome.exe	91
PID 2220 wrote to memory of 2840	2220	chrome.exe	91
PID 2220 wrote to memory of 2840	2220	chrome.exe	91
PID 2220 wrote to memory of 2840	2220	chrome.exe	91
PID 2220 wrote to memory of 2840	2220	chrome.exe	91
PID 2220 wrote to memory of 2840	2220	chrome.exe	91
PID 2220 wrote to memory of 2840	2220	chrome.exe	91
PID 2220 wrote to memory of 2840	2220	chrome.exe	91
PID 2220 wrote to memory of 2840	2220	chrome.exe	91
PID 2220 wrote to memory of 2840	2220	chrome.exe	91
PID 2220 wrote to memory of 2840	2220	chrome.exe	91
PID 2220 wrote to memory of 2840	2220	chrome.exe	91
PID 2220 wrote to memory of 2840	2220	chrome.exe	91
PID 2220 wrote to memory of 2840	2220	chrome.exe	91
PID 2220 wrote to memory of 2840	2220	chrome.exe	91
PID 2220 wrote to memory of 2840	2220	chrome.exe	91
PID 2220 wrote to memory of 2840	2220	chrome.exe	91
PID 2220 wrote to memory of 2840	2220	chrome.exe	91
PID 2220 wrote to memory of 2840	2220	chrome.exe	91
PID 2220 wrote to memory of 2840	2220	chrome.exe	91
PID 2220 wrote to memory of 2840	2220	chrome.exe	91
PID 2220 wrote to memory of 2840	2220	chrome.exe	91
PID 2220 wrote to memory of 2840	2220	chrome.exe	91
PID 2220 wrote to memory of 2840	2220	chrome.exe	91

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.4sync.com/web/directDownload/S06W9sUX/Xnj9cMHB.8fe7375c02815b856cddb787ae1c67e1
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc4d84cc40,0x7ffc4d84cc4c,0x7ffc4d84cc58
  2⤵
  PID:1680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1964,i,9324968682746439188,10187435095179241667,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=1960 /prefetch:2
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1728,i,9324968682746439188,10187435095179241667,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=1880 /prefetch:3
  2⤵
  PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1992,i,9324968682746439188,10187435095179241667,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=2552 /prefetch:8
  2⤵
  PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,9324968682746439188,10187435095179241667,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=3104 /prefetch:1
  2⤵
  PID:748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,9324968682746439188,10187435095179241667,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:3224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4692,i,9324968682746439188,10187435095179241667,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4700 /prefetch:8
  2⤵
  PID:2016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4700,i,9324968682746439188,10187435095179241667,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4880 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4668

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=4632,i,8472368907592355691,7708928369085365785,262144 --variations-seed-version --mojo-platform-channel-handle=4088 /prefetch:14
1⤵
PID:864

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4696
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7zO8521BF79\scan_doc_000_501.js"
  2⤵
  - Blocklisted process makes network request
  - Adds Run key to start application
  PID:2416
- - C:\ProgramData\lomnodj\client32.exe
    "C:\ProgramData\lomnodj\client32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:1080

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2012

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=5152,i,8472368907592355691,7708928369085365785,262144 --variations-seed-version --mojo-platform-channel-handle=4580 /prefetch:14
1⤵
PID:3916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:5412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\lomnodj.zip

Filesize
2.5MB

MD5
0b3ae8e77296377d45d8cfef9e6472da

SHA1
60e3e53d445ff65fc2d2a7b0564fbace4442db76

SHA256
4eef722c0579731531122938e35ff52a380bf03199bfdfe9dca82b68b5316d96

SHA512
84683fb11060121293adfae7a4d4b12815b0b704e8bc9cc4f4e0c97e153b66ebbe45bc4d8e641d95e1d2309b55b6cd0e07cb46a84b71ad16fc7e9d3502162614

Download Submit
C:\ProgramData\lomnodj\HTCTL32.DLL

Filesize
306KB

MD5
3eed18b47412d3f91a394ae880b56ed2

SHA1
1b521a3ed4a577a33cce78eee627ae02445694ab

SHA256
13a17f2ad9288aac8941d895251604beb9524fa3c65c781197841ee15480a13f

SHA512
835f35af4fd241caa8b6a639626b8762db8525ccceb43afe8fffc24dffad76ca10852a5a8e9fc114bfbf7d1dc1950130a67037fc09b63a74374517a1f5448990

Download Submit
C:\ProgramData\lomnodj\NSM.LIC

Filesize
262B

MD5
b9956282a0fed076ed083892e498ac69

SHA1
d14a665438385203283030a189ff6c5e7c4bf518

SHA256
fcc6afd664a8045bd61c398be3c37a97536a199a48d277e11977f93868ae1acc

SHA512
7daa09113c0e8a36c91cc6d657c65851a20dff6b60ac3d2f40c5737c12c1613c553955f84d131ba2139959973fef9fc616ca5e968cb16c25acf2d4739eed87eb

Download Submit
C:\ProgramData\lomnodj\PCICHEK.DLL

Filesize
27KB

MD5
e311935a26ee920d5b7176cfa469253c

SHA1
eda6c815a02c4c91c9aacd819dc06e32ececf8f0

SHA256
0038ab626624fa2df9f65dd5e310b1206a9cd4d8ab7e65fb091cc25f13ebd34e

SHA512
48164e8841cfc91f4cbf4d3291d4f359518d081d9079a7995378f970e4085b534f4bafc15b83f4824cc79b5a1e54457b879963589b1acbcfe727a03eb3dffd1c

Download Submit
C:\ProgramData\lomnodj\PCICL32.DLL

Filesize
3.3MB

MD5
77b3988cbae5a2550caec42cc5e8ec35

SHA1
5fa1eeb60e881bfd82eb7c3d9e911587982aaa38

SHA256
650382fe6596c8dc0c1739713c2076d4ddff32d5c177210b1241550bb8148cfd

SHA512
480f3abef7b799bd604ba9825e2b8cf681e7850373761c579ef181607980d5159c225fb486996e3088f39662f873743d25b52368045d3ae5bd8d45e44d1e8bec

Download Submit
C:\ProgramData\lomnodj\client32.exe

Filesize
117KB

MD5
1c19c2e97c5e6b30de69ee684e6e5589

SHA1
5734ef7f9e4dba0639c98881e00f03eea35a62ee

SHA256
312a0e4db34a40cb95ba1fac8bf87deb45d0c5f048d38ac65eb060273b07df67

SHA512
ab7240b81be04f1bced47701a5791bbeedcba6037ee936327478c304aa1ce5ae75856ca7f568f909f847e27db2a6b9c08db7cc1057a18fab14a39a5854f15cba

Download Submit
C:\ProgramData\lomnodj\client32.ini

Filesize
732B

MD5
d77c51ea81963ee93a78aa91112c656a

SHA1
a0becd865a1f98a652d51ff01c69f5da4772da69

SHA256
8fd748ce5016fc856e0ff3a582d05be78c8695a32467699f52a83fbf8e9a0428

SHA512
0467d084f2f25a07532399c0a0b8803fd55d32ec662ad72c97805817676ccb4ef936e290aca032741ff73ce8f40a1217bc70e32042649dfba7159c1515f99302

Download Submit
C:\ProgramData\lomnodj\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\ProgramData\lomnodj\pcicapi.dll

Filesize
44KB

MD5
9daa86d91a18131d5caf49d14fb8b6f2

SHA1
6b2f7ceb6157909e114a2b05a48a1a2606b5caf1

SHA256
1716640cce74322f7ee3e3e02b75cd53b91686f66e389d606dab01bd9f88c557

SHA512
9a98e0d9e2dda8aefa54bddb3c7b71501d638dff68863939de6caa117b0e7bf15e581a75419ef8a0da3f1c56a19f1b0f4c86d65f8581773ab88ff5764b9bb3aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
7dc27899fb317cdd697a9031169fd7c4

SHA1
0f68fbbdc287e0b3c484ab4f9285e547c5523c12

SHA256
988d10873016629921abf4a48c0e26dd43442da5be979121b8b30b7b1fa9eec0

SHA512
0d85423350063f76ec1440a1ed514784c5c76cb5f52377fe75c115740dec95ae378b32d99cd25723e1bba1c8334a46edf2ddf89158ce2662499eb28e74ee626d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
0216e8bcf4365d1c9c5a08d2dfe1cb39

SHA1
e7f0ea02f6be8d75488c968e023d5e99b584d7e9

SHA256
94681d37764adf2760e91a11ea5223869d8b397af60f5031ff60fb59bc76ec81

SHA512
83e1bfdfcd91185f3319423c8f64854f249e02d4e220b28ea03565a1c2a2339eda62683252519dc3fae8e4cbb9abe94ca199865aae424cb5ff772f0ae1cb7af6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
cd020301b7e1ce6690823f3de73ba9fc

SHA1
66d05c56b3841ad16244b26d6eb6e59696b9b4eb

SHA256
5784990b214655e8116b19417d7424f7d24f282716942d59631fd9f4534f31f0

SHA512
429b10c0db352567d9af60e7c40231bfa98454f27993678a803367aa40bc44fd9f38d8fd2c3bb8ff423476b1a168345981ea171ec516369e8a7e3008e7fd380f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f0c0752f19496b0812fd05ee24f7b4c4

SHA1
266fcd1bf8acb0d9582b436299525387f0e48349

SHA256
e8d6889a759aee77de49c4aaae88af80f4aad0f0660635634f3ca389a445c4d6

SHA512
bd0b9137a50482def71a2cc630ceb74f1e2a40c1aa139a2207f79e0796648100eeb628147ae35fcd610096921e1b78499e33bcf9dbbc624a4402736c4779ad57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
41df6146c280810f0b511088fc23da4d

SHA1
4e7fa1337500667e0a01b508b1673ac69ea1b995

SHA256
1e6b34a1aaa19d7c4e0872f8233839f0cd8e347ba048d9595477cbe2c950fb80

SHA512
fabd6b5fb1b6886828d503677c1440a9b971c56703af9ac78fa317c1ef63bafcda73b20c9485235984901757cea1b10a690d3371e0d2fb745ea5e1f358112d78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
534d1f4935e52f896b290dbcdbc2f377

SHA1
65acdb38abe021a59d665b8a199e2a2cbcb1c6a1

SHA256
5f7ce128a137c68372edaf2418e228f65915560a4177bf1eb4c7ba43d1895590

SHA512
8cc7b9ffd2432efc2514db7021d35ee467240cf979f77967160288f16ac35d95e9d689332f586e85ba6342a3e90d41aaa522de0ab5377488fe9f7e9da14aa123

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f1b0cf90bdaaee76641b060de5123372

SHA1
7b25d359ac81bb2922501b9261fb9d88ef0cc3c4

SHA256
ea81105c5465cc4e2dfedbfcd34c6ff062670f02adf24c0303355467e430a835

SHA512
93afcf8b1b9b365d8163379fed743f54334cddb18d802518f574b9b204a4353f77cffc72280687e23050add5fda984ca4bfec08e42f819dd03bc110a4e9abf19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
cc81a8e1506f99d3da3cb210b533b40c

SHA1
8725e7a5f253549e0be51a60259f3987cccfb440

SHA256
b11596f322a1ced1c3361aa219a5c6428e735fd66c83a6539abd16bcf804960f

SHA512
d0553b248d94a273a78533050f9f218aade6d530d846195100faca500314f36d0d087dd1d39197e3b10bdc1b1cf1232737667a73f5d74e1ca1d8ea34781bbcbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
0e6588383fe5a505c0b6f63c3f7b53e4

SHA1
595a3647d3ae1c456d4c343ee029cb85db87acec

SHA256
ec3b80360dd60a8dca260ef4f02404af4793a07a118b84cdb2e0fd99347e1eae

SHA512
ca8bd4712012812a3ebcefea94ca6cd1d124e4323a21948f8341f79da74da837a529786e1c9254fd19820e316c4aac80e5f8c7f345f64a4dfbdecff63868f1b4

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\2066f12c-b882-42d1-adbf-3b04c3919a86.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8521BF79\scan_doc_000_501.js

Filesize
369KB

MD5
5c6dea7996a810c5f72ad3b44e2c71e9

SHA1
1a1b3912fe0f1ff5816e6ea6c25897e371f77abe

SHA256
14d96afb5efb95afdb6a577c61674092c6221f5551d0febbbaf412a48e8e6894

SHA512
493d344ad29e85cded2f72bf806a745f094118a81c38ace659ee50c8376bcb6bf38766fadf480da7c839542cc8df9415873f67252f1124a0c68ba3fb1e217da8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8521BF79\scan_doc_000_501.js:Zone.Identifier

Filesize
218B

MD5
4714a6bda7bf306c4ab96a01d7d8a3ba

SHA1
64de6c6fd825930e45c13e080c426576524699c8

SHA256
bffbff389b39ca63e8883bcaf9a4555448f2ba08e7761e7d8c821c9f16cd114d

SHA512
5b1ee6d43f5e882ca4853d337d05bf8f0b858fe397b1a86207247cfb42f0245840f1eafc40e2cfcb0979be2b1caef13c84e8f540083b0a90a8637e7e04408926

Download Submit
C:\Users\Admin\Downloads\scan_doc_000_501.rar.crdownload

Filesize
152KB

MD5
1822c0f3bb4e718e9a05e4d7f79f7993

SHA1
d89f23f5522804e780a8f54ea92e1d7e64c09813

SHA256
1dae991043442a0cc66f6e13c96b2a81ac737b0533d4e6843fcc4411ad492858

SHA512
d9cc34ee73a0840c2ef37e6e1d9849aee491ce47c47ecc7713f93fb786e75c6b9ea4817dbefa63d6936380bd948a52cfc85e0b2862febbcbf1d5a09a40cf9757

Download Submit