netsupport | 9a4e39fcb4033a9c849890085b67faea7265eaf56744e77aa8180b1834b7e14a

Analysis

max time kernel
1165s
max time network
1206s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OwJViJVcVDtGwyBrPZixBrwr.ps1
Size

5KB
MD5

48ec3b15711ce5f49ee79e8cbf8c0f1f
SHA1

9d263753c22d21681fbde1bda539beee56ded769
SHA256

9a4e39fcb4033a9c849890085b67faea7265eaf56744e77aa8180b1834b7e14a
SHA512

61f7696e8c0dcf59e354fcbbdaa0aa0845a2b2d02d3762a7410a83cb211db87d571dea95308db54aaf060189627dbe4785ee951a28a7ba152e973555424d808e
SSDEEP

96:0NNYJo13C6KjlHHCiGqPaHPgfnRk+qPIKsO1ezfgmwqPoase1ejvysKEO1ezfgmX:8Oo1NKjNwqPaHPgfnR7qPIKsO1dbqPoX

Score

10^/10

netsupport rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Blocklisted process makes network request 1 IoCs

flow	pid	Process
65	636	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
5944	client32.exe
4768	remcmdstub.exe

Loads dropped DLL 6 IoCs

pid	Process
5944	client32.exe
5944	client32.exe
5944	client32.exe
5944	client32.exe
5944	client32.exe
5944	client32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4916	powershell.exe
4916	powershell.exe
636	powershell.exe
636	powershell.exe
3920	msedge.exe
3920	msedge.exe
2768	msedge.exe
2768	msedge.exe
4384	identity_helper.exe
4384	identity_helper.exe
5540	msedge.exe
5540	msedge.exe
5540	msedge.exe
5540	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeDebugPrivilege	636	powershell.exe
Token: SeIncreaseQuotaPrivilege	636	powershell.exe
Token: SeSecurityPrivilege	636	powershell.exe
Token: SeTakeOwnershipPrivilege	636	powershell.exe
Token: SeLoadDriverPrivilege	636	powershell.exe
Token: SeSystemProfilePrivilege	636	powershell.exe
Token: SeSystemtimePrivilege	636	powershell.exe
Token: SeProfSingleProcessPrivilege	636	powershell.exe
Token: SeIncBasePriorityPrivilege	636	powershell.exe
Token: SeCreatePagefilePrivilege	636	powershell.exe
Token: SeBackupPrivilege	636	powershell.exe
Token: SeRestorePrivilege	636	powershell.exe
Token: SeShutdownPrivilege	636	powershell.exe
Token: SeDebugPrivilege	636	powershell.exe
Token: SeSystemEnvironmentPrivilege	636	powershell.exe
Token: SeRemoteShutdownPrivilege	636	powershell.exe
Token: SeUndockPrivilege	636	powershell.exe
Token: SeManageVolumePrivilege	636	powershell.exe
Token: 33	636	powershell.exe
Token: 34	636	powershell.exe
Token: 35	636	powershell.exe
Token: 36	636	powershell.exe
Token: SeIncreaseQuotaPrivilege	636	powershell.exe
Token: SeSecurityPrivilege	636	powershell.exe
Token: SeTakeOwnershipPrivilege	636	powershell.exe
Token: SeLoadDriverPrivilege	636	powershell.exe
Token: SeSystemProfilePrivilege	636	powershell.exe
Token: SeSystemtimePrivilege	636	powershell.exe
Token: SeProfSingleProcessPrivilege	636	powershell.exe
Token: SeIncBasePriorityPrivilege	636	powershell.exe
Token: SeCreatePagefilePrivilege	636	powershell.exe
Token: SeBackupPrivilege	636	powershell.exe
Token: SeRestorePrivilege	636	powershell.exe
Token: SeShutdownPrivilege	636	powershell.exe
Token: SeDebugPrivilege	636	powershell.exe
Token: SeSystemEnvironmentPrivilege	636	powershell.exe
Token: SeRemoteShutdownPrivilege	636	powershell.exe
Token: SeUndockPrivilege	636	powershell.exe
Token: SeManageVolumePrivilege	636	powershell.exe
Token: 33	636	powershell.exe
Token: 34	636	powershell.exe
Token: 35	636	powershell.exe
Token: 36	636	powershell.exe
Token: SeSecurityPrivilege	5944	client32.exe
Token: SeIncreaseQuotaPrivilege	2480	WMIC.exe
Token: SeSecurityPrivilege	2480	WMIC.exe
Token: SeTakeOwnershipPrivilege	2480	WMIC.exe
Token: SeLoadDriverPrivilege	2480	WMIC.exe
Token: SeSystemProfilePrivilege	2480	WMIC.exe
Token: SeSystemtimePrivilege	2480	WMIC.exe
Token: SeProfSingleProcessPrivilege	2480	WMIC.exe
Token: SeIncBasePriorityPrivilege	2480	WMIC.exe
Token: SeCreatePagefilePrivilege	2480	WMIC.exe
Token: SeBackupPrivilege	2480	WMIC.exe
Token: SeRestorePrivilege	2480	WMIC.exe
Token: SeShutdownPrivilege	2480	WMIC.exe
Token: SeDebugPrivilege	2480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2480	WMIC.exe
Token: SeRemoteShutdownPrivilege	2480	WMIC.exe
Token: SeUndockPrivilege	2480	WMIC.exe
Token: SeManageVolumePrivilege	2480	WMIC.exe
Token: 33	2480	WMIC.exe
Token: 34	2480	WMIC.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
5944	client32.exe
5944	client32.exe
5944	client32.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
5944	client32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 636	4916	powershell.exe	89
PID 4916 wrote to memory of 636	4916	powershell.exe	89
PID 4916 wrote to memory of 2768	4916	powershell.exe	91
PID 4916 wrote to memory of 2768	4916	powershell.exe	91
PID 2768 wrote to memory of 3004	2768	msedge.exe	92
PID 2768 wrote to memory of 3004	2768	msedge.exe	92
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 4988	2768	msedge.exe	93
PID 2768 wrote to memory of 3920	2768	msedge.exe	94
PID 2768 wrote to memory of 3920	2768	msedge.exe	94
PID 2768 wrote to memory of 2988	2768	msedge.exe	95
PID 2768 wrote to memory of 2988	2768	msedge.exe	95
PID 2768 wrote to memory of 2988	2768	msedge.exe	95
PID 2768 wrote to memory of 2988	2768	msedge.exe	95
PID 2768 wrote to memory of 2988	2768	msedge.exe	95
PID 2768 wrote to memory of 2988	2768	msedge.exe	95
PID 2768 wrote to memory of 2988	2768	msedge.exe	95
PID 2768 wrote to memory of 2988	2768	msedge.exe	95
PID 2768 wrote to memory of 2988	2768	msedge.exe	95
PID 2768 wrote to memory of 2988	2768	msedge.exe	95
PID 2768 wrote to memory of 2988	2768	msedge.exe	95
PID 2768 wrote to memory of 2988	2768	msedge.exe	95
PID 2768 wrote to memory of 2988	2768	msedge.exe	95
PID 2768 wrote to memory of 2988	2768	msedge.exe	95
PID 2768 wrote to memory of 2988	2768	msedge.exe	95
PID 2768 wrote to memory of 2988	2768	msedge.exe	95

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\OwJViJVcVDtGwyBrPZixBrwr.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:636
- - C:\ProgramData\netsupport\client\client32.exe
    "C:\ProgramData\netsupport\client\client32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5944
  - - C:\ProgramData\netsupport\client\remcmdstub.exe
      remcmdstub.exe 2392 2240 2380 2412 %COMSPEC%
      4⤵
      Executes dropped EXE
      PID:4768
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe
        5⤵
        
        PID:5220
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get domain
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.concur.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff97a2546f8,0x7ff97a254708,0x7ff97a254718
    3⤵
    PID:3004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,8606396548936479559,7442556963467513194,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
    3⤵
    PID:4988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,8606396548936479559,7442556963467513194,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,8606396548936479559,7442556963467513194,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2964 /prefetch:8
    3⤵
    PID:2988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8606396548936479559,7442556963467513194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
    3⤵
    PID:4748
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8606396548936479559,7442556963467513194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
    3⤵
    PID:1936
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,8606396548936479559,7442556963467513194,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
    3⤵
    PID:2880
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,8606396548936479559,7442556963467513194,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4384
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8606396548936479559,7442556963467513194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
    3⤵
    PID:5108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8606396548936479559,7442556963467513194,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
    3⤵
    PID:804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8606396548936479559,7442556963467513194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
    3⤵
    PID:5340
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8606396548936479559,7442556963467513194,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
    3⤵
    PID:5348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,8606396548936479559,7442556963467513194,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3440 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1740

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\netsupport\client\HTCTL32.DLL

Filesize
320KB

MD5
2d3b207c8a48148296156e5725426c7f

SHA1
ad464eb7cf5c19c8a443ab5b590440b32dbc618f

SHA256
edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

SHA512
55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Download Submit
C:\ProgramData\netsupport\client\NSM.LIC

Filesize
259B

MD5
1dc87146379e5e3f85fd23b25889ae2a

SHA1
b750c56c757ad430c9421803649acf9acd15a860

SHA256
f7d80e323e7d0ed1e3ddd9b5df08af23dcecb47a3e289314134d4b76b3adcaf2

SHA512
7861abe50eefdf4452e4baacc4b788895610196b387b70ddeab7bc70735391ed0a015f47eada94a368b82f8e5cedb5a2096e624f4a881ff067937ad159e3562c

Download Submit
C:\ProgramData\netsupport\client\PCICHEK.DLL

Filesize
18KB

MD5
a0b9388c5f18e27266a31f8c5765b263

SHA1
906f7e94f841d464d4da144f7c858fa2160e36db

SHA256
313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

SHA512
6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

Download Submit
C:\ProgramData\netsupport\client\PCICL32.dll

Filesize
3.5MB

MD5
ad51946b1659ed61b76ff4e599e36683

SHA1
dfe2439424886e8acf9fa3ffde6caaf7bfdd583e

SHA256
07a191254362664b3993479a277199f7ea5ee723b6c25803914eedb50250acf4

SHA512
6c30e7793f69508f6d9aa6edcec6930ba361628ef597e32c218e15d80586f5a86d89fcbee63a35eab7b1e0ae26277512f4c1a03df7912f9b7ff9a9a858cf3962

Download Submit
C:\ProgramData\netsupport\client\client32.exe

Filesize
54KB

MD5
9497aece91e1ccc495ca26ae284600b9

SHA1
a005d8ce0c1ea8901c1b4ea86c40f4925bd2c6da

SHA256
1b63f83f06dbd9125a6983a36e0dbd64026bb4f535e97c5df67c1563d91eff89

SHA512
4c892e5029a707bcf73b85ac110d8078cb273632b68637e9b296a7474ab0202320ff24cf6206de04af08abf087654b0d80cbecfae824c06616c47ce93f0929c9

Download Submit
C:\ProgramData\netsupport\client\client32.ini

Filesize
631B

MD5
adffa0c2fedb1506087178c51efbd377

SHA1
a3218fa2fbefaa5447b970481a575fcdea0bd2f7

SHA256
6b115c0c710bb0dfb234d297b0e8a862d8aff972ce9915b3fdfbc4d12a698d6f

SHA512
2284360ed332d66856c8a78698d1a4ad4d9919f3d1e08e5c6a648391c529ebef66b1af081ec88efbe9bcd68375b2243d76bf5532cda5f831642fef4b1ca57f07

Download Submit
C:\ProgramData\netsupport\client\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\ProgramData\netsupport\client\pcicapi.dll

Filesize
32KB

MD5
dcde2248d19c778a41aa165866dd52d0

SHA1
7ec84be84fe23f0b0093b647538737e1f19ebb03

SHA256
9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

SHA512
c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

Download Submit
C:\ProgramData\netsupport\client\remcmdstub.exe

Filesize
61KB

MD5
35da3b727567fab0c7c8426f1261c7f5

SHA1
b71557d67bcd427ef928efce7b6a6529226415e6

SHA256
89027f1449be9ba1e56dd82d13a947cb3ca319adfe9782f4874fbdc26dc59d09

SHA512
14edadceeceb95f5c21fd3a0a349dd2a312d1965268610d6a6067049f34e3577fc96f6ba37b1d6ab8ce21444208c462fa97fab24bbcd77059bc819e12c5efc5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
3c2f35ce0b0d24ced30b17df8d7366e6

SHA1
f311be2905479cd6ad131965fb4a4c5db9e60f97

SHA256
d02e591ea559f2d80e4f381437d1489f9025a54caa1388a1599c8cc90d7869eb

SHA512
180849b3b26871d2fd746777b57a654af545afb669842e436e4c376a26a006483311a5335a84ebc8d0c27b5921dd5bb88d1aea9a19e24bb37c4adee8d13082d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
48cff1baabb24706967de3b0d6869906

SHA1
b0cd54f587cd4c88e60556347930cb76991e6734

SHA256
f6b5fbc610a71b3914753feb2bd4475a7c77d0d785cc36255bf93b3fe3ccb775

SHA512
fd0c848f3f9de81aca81af999262f96ea4c1cd1d1f32d304f56c7382f3b1bb604e5fbe9f209ad6e4b38988d92357ef82e9668806d0727f2856c7dc1f07aae2b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7b56675b54840d86d49bde5a1ff8af6a

SHA1
fe70a1b85f88d60f3ba9fc7bb5f81fc41e150811

SHA256
86af7213f410df65d0937f4331f783160f30eaeb088e28a9eef461713b9a3929

SHA512
11fc61b83365391efee8084de5c2af7e064f0182b943a0db08d95a0f450d3877bde5b5e6a6b9f008e58b709bb1a34f7b50085c41927f091df1eea78f039402e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
73c5cc6ae8a651248a938b8fd8b73e19

SHA1
ab6aed08e338f2aee407c49ff33f3e9ce521b1eb

SHA256
e708abeb9c51198b1a14d9196899223b3d13569b7e66fec6eb964eada87b1929

SHA512
43584cfb38359bfcb508271a5eaf67ec826d8806bbeb8ba2cc7af9f563994d3f947ab78777a9a5dd4fe608d6e40292bbb678982a00ef47d58c1318c9effcb1b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ccd362e6b9b4d34d92a2b8dbdefbc425

SHA1
33725d48c16c9f008271992954efacb20f200962

SHA256
9ba170a62e0bbc86881e580ecb397481980a25505dc013e46e13a249093a9295

SHA512
4accdef7b5e8f69fa6eb061613207b5d37fb9699a504e637cc6d2e54b42fe55960c80bddff1639bb4b7b4b5c88d6a9d70d1e44573a0575c2b8cde2bd2d343358

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8a40c31ba0281ddb27c217da5820432a

SHA1
13ca597a7e9798e87ef43f2675f685efcd5b8584

SHA256
4b511c8d8d6cd394ced64fc6970c581f3b6a0395a3eb8a99f8292c4d0a50e34d

SHA512
cb67fb8166c4396d837566b4f440a24fb6cf68f24838876b33afdfc2d3ce317becc26204ac3df014193498db9619f09a7a248a9bd331aace199dbcf833f3a719

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m5hlrmit.vt2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/636-16-0x00000137BD330000-0x00000137BD340000-memory.dmp

Filesize
64KB

Download
memory/636-15-0x00007FF984110000-0x00007FF984BD1000-memory.dmp

Filesize
10.8MB

Download
memory/636-99-0x00000137BE200000-0x00000137BE20A000-memory.dmp

Filesize
40KB

Download
memory/636-92-0x00000137BD330000-0x00000137BD340000-memory.dmp

Filesize
64KB

Download
memory/636-91-0x00000137BE220000-0x00000137BE244000-memory.dmp

Filesize
144KB

Download
memory/636-98-0x00000137BE210000-0x00000137BE222000-memory.dmp

Filesize
72KB

Download
memory/636-90-0x00000137BE220000-0x00000137BE24A000-memory.dmp

Filesize
168KB

Download
memory/636-166-0x00007FF984110000-0x00007FF984BD1000-memory.dmp

Filesize
10.8MB

Download
memory/636-17-0x00000137BD330000-0x00000137BD340000-memory.dmp

Filesize
64KB

Download
memory/4916-143-0x00007FF984110000-0x00007FF984BD1000-memory.dmp

Filesize
10.8MB

Download
memory/4916-14-0x000001912CBD0000-0x000001912CDDA000-memory.dmp

Filesize
2.0MB

Download
memory/4916-89-0x000001912B9F0000-0x000001912BA00000-memory.dmp

Filesize
64KB

Download
memory/4916-165-0x00007FF984110000-0x00007FF984BD1000-memory.dmp

Filesize
10.8MB

Download
memory/4916-13-0x000001912C840000-0x000001912C9B6000-memory.dmp

Filesize
1.5MB

Download
memory/4916-12-0x000001912B9F0000-0x000001912BA00000-memory.dmp

Filesize
64KB

Download
memory/4916-11-0x000001912B9F0000-0x000001912BA00000-memory.dmp

Filesize
64KB

Download
memory/4916-10-0x00007FF984110000-0x00007FF984BD1000-memory.dmp

Filesize
10.8MB

Download
memory/4916-5-0x000001912B9A0000-0x000001912B9C2000-memory.dmp

Filesize
136KB

Download