netsupport | 50a5e6a357c841e6c2058ee658c70756da4b803f2a4f6d2cf96ab882a03a5294

Analysis

max time kernel
448s
max time network
500s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
29-04-2024 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wsj.appx
Size

1.0MB
MD5

71335ecc86d6504b5f6456999539a951
SHA1

757086717d21c9b6d5c20a497493dcd25c63e63f
SHA256

50a5e6a357c841e6c2058ee658c70756da4b803f2a4f6d2cf96ab882a03a5294
SHA512

23043daebeda61b4702b5e8a0d938bf74d3f61dab34452df964943d64f8a7161ded89455ef348af0ab48660644df854b9132b8d0eef97453cdfd02fc1d48db6d
SSDEEP

24576:GEnGpZC0OG9vMc/FkyOgnoQce6XBdi+J72ihgnW:G/pkRG99/FkyFKeiB8+J71mW

Score

10^/10

netsupport rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Blocklisted process makes network request 2 IoCs

flow	pid	Process
29	3864	powershell.exe
30	3864	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2760	client32.exe

Loads dropped DLL 5 IoCs

pid	Process
2760	client32.exe
2760	client32.exe
2760	client32.exe
2760	client32.exe
2760	client32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
280	powershell.exe
280	powershell.exe
2704	Powershell.exe
2704	Powershell.exe
4968	powershell.exe
4968	powershell.exe
3864	powershell.exe
3864	powershell.exe
648	msedge.exe
648	msedge.exe
2556	msedge.exe
2556	msedge.exe
1840	msedge.exe
1840	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	280	powershell.exe
Token: SeDebugPrivilege	2704	Powershell.exe
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeDebugPrivilege	3864	powershell.exe
Token: SeIncreaseQuotaPrivilege	3864	powershell.exe
Token: SeSecurityPrivilege	3864	powershell.exe
Token: SeTakeOwnershipPrivilege	3864	powershell.exe
Token: SeLoadDriverPrivilege	3864	powershell.exe
Token: SeSystemProfilePrivilege	3864	powershell.exe
Token: SeSystemtimePrivilege	3864	powershell.exe
Token: SeProfSingleProcessPrivilege	3864	powershell.exe
Token: SeIncBasePriorityPrivilege	3864	powershell.exe
Token: SeCreatePagefilePrivilege	3864	powershell.exe
Token: SeBackupPrivilege	3864	powershell.exe
Token: SeRestorePrivilege	3864	powershell.exe
Token: SeShutdownPrivilege	3864	powershell.exe
Token: SeDebugPrivilege	3864	powershell.exe
Token: SeSystemEnvironmentPrivilege	3864	powershell.exe
Token: SeRemoteShutdownPrivilege	3864	powershell.exe
Token: SeUndockPrivilege	3864	powershell.exe
Token: SeManageVolumePrivilege	3864	powershell.exe
Token: 33	3864	powershell.exe
Token: 34	3864	powershell.exe
Token: 35	3864	powershell.exe
Token: 36	3864	powershell.exe
Token: SeIncreaseQuotaPrivilege	3864	powershell.exe
Token: SeSecurityPrivilege	3864	powershell.exe
Token: SeTakeOwnershipPrivilege	3864	powershell.exe
Token: SeLoadDriverPrivilege	3864	powershell.exe
Token: SeSystemProfilePrivilege	3864	powershell.exe
Token: SeSystemtimePrivilege	3864	powershell.exe
Token: SeProfSingleProcessPrivilege	3864	powershell.exe
Token: SeIncBasePriorityPrivilege	3864	powershell.exe
Token: SeCreatePagefilePrivilege	3864	powershell.exe
Token: SeBackupPrivilege	3864	powershell.exe
Token: SeRestorePrivilege	3864	powershell.exe
Token: SeShutdownPrivilege	3864	powershell.exe
Token: SeDebugPrivilege	3864	powershell.exe
Token: SeSystemEnvironmentPrivilege	3864	powershell.exe
Token: SeRemoteShutdownPrivilege	3864	powershell.exe
Token: SeUndockPrivilege	3864	powershell.exe
Token: SeManageVolumePrivilege	3864	powershell.exe
Token: 33	3864	powershell.exe
Token: 34	3864	powershell.exe
Token: 35	3864	powershell.exe
Token: 36	3864	powershell.exe
Token: SeSecurityPrivilege	2760	client32.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2760	client32.exe
2556	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 3320	2192	PsfLauncher64.exe	83
PID 2192 wrote to memory of 3320	2192	PsfLauncher64.exe	83
PID 2192 wrote to memory of 3320	2192	PsfLauncher64.exe	83
PID 2192 wrote to memory of 3320	2192	PsfLauncher64.exe	83
PID 2192 wrote to memory of 3320	2192	PsfLauncher64.exe	83
PID 2192 wrote to memory of 3320	2192	PsfLauncher64.exe	83
PID 2192 wrote to memory of 3320	2192	PsfLauncher64.exe	83
PID 2192 wrote to memory of 3320	2192	PsfLauncher64.exe	83
PID 2192 wrote to memory of 3320	2192	PsfLauncher64.exe	83
PID 2192 wrote to memory of 3320	2192	PsfLauncher64.exe	83
PID 2192 wrote to memory of 3320	2192	PsfLauncher64.exe	83
PID 2192 wrote to memory of 3320	2192	PsfLauncher64.exe	83
PID 2192 wrote to memory of 2704	2192	PsfLauncher64.exe	84
PID 2192 wrote to memory of 2704	2192	PsfLauncher64.exe	84
PID 2192 wrote to memory of 2704	2192	PsfLauncher64.exe	84
PID 2704 wrote to memory of 4968	2704	Powershell.exe	86
PID 2704 wrote to memory of 4968	2704	Powershell.exe	86
PID 2704 wrote to memory of 4968	2704	Powershell.exe	86
PID 4968 wrote to memory of 3864	4968	powershell.exe	87
PID 4968 wrote to memory of 3864	4968	powershell.exe	87
PID 4968 wrote to memory of 3864	4968	powershell.exe	87
PID 4968 wrote to memory of 2556	4968	powershell.exe	89
PID 4968 wrote to memory of 2556	4968	powershell.exe	89
PID 4968 wrote to memory of 2556	4968	powershell.exe	89
PID 2556 wrote to memory of 1560	2556	msedge.exe	90
PID 2556 wrote to memory of 1560	2556	msedge.exe	90
PID 2556 wrote to memory of 1560	2556	msedge.exe	90
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91
PID 2556 wrote to memory of 2268	2556	msedge.exe	91

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start shell:AppsFolder\WSJ_v3spfewvfazpe!NOTEPAD
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:280

C:\Program Files\WindowsApps\WSJ_4.12.80.0_x64__v3spfewvfazpe\PsfLauncher64.exe
"C:\Program Files\WindowsApps\WSJ_4.12.80.0_x64__v3spfewvfazpe\PsfLauncher64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Program Files\WindowsApps\WSJ_4.12.80.0_x64__v3spfewvfazpe\VFS\ProgramFilesX64\PsfRunDll64.exe
  "PsfRunDll64.exe"
  2⤵
  PID:3320
- C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
  Powershell.exe -ExecutionPolicy RemoteSigned -file "C:\Program Files\WindowsApps\WSJ_4.12.80.0_x64__v3spfewvfazpe\StartingScriptWrapper.ps1" "Powershell.exe -ExecutionPolicy RemoteSigned -file '.\WqZxLxZrOrnMWYaBaBKdLenVTu.ps1'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -file .\WqZxLxZrOrnMWYaBaBKdLenVTu.ps1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3864
    - - C:\ProgramData\netsupport\client\client32.exe
        
        "C:\ProgramData\netsupport\client\client32.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:2760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.wsj.com/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe4d3f3cb8,0x7ffe4d3f3cc8,0x7ffe4d3f3cd8
        5⤵
        
        PID:1560
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1816,15417195059902650857,9405368764259924630,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
        5⤵
        
        PID:2268
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1816,15417195059902650857,9405368764259924630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:648
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1816,15417195059902650857,9405368764259924630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
        5⤵
        
        PID:1416
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,15417195059902650857,9405368764259924630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
        5⤵
        
        PID:3460
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,15417195059902650857,9405368764259924630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
        5⤵
        
        PID:2300
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,15417195059902650857,9405368764259924630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
        5⤵
        
        PID:2160
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,15417195059902650857,9405368764259924630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
        5⤵
        
        PID:2636
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,15417195059902650857,9405368764259924630,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
        5⤵
        
        PID:3452
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,15417195059902650857,9405368764259924630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
        5⤵
        
        PID:3520
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,15417195059902650857,9405368764259924630,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
        5⤵
        
        PID:2176
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1816,15417195059902650857,9405368764259924630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1840
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1816,15417195059902650857,9405368764259924630,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5772 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4264

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\netsupport\client\HTCTL32.DLL

Filesize
320KB

MD5
2d3b207c8a48148296156e5725426c7f

SHA1
ad464eb7cf5c19c8a443ab5b590440b32dbc618f

SHA256
edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

SHA512
55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Download Submit
C:\ProgramData\netsupport\client\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\ProgramData\netsupport\client\NSM.LIC

Filesize
259B

MD5
1dc87146379e5e3f85fd23b25889ae2a

SHA1
b750c56c757ad430c9421803649acf9acd15a860

SHA256
f7d80e323e7d0ed1e3ddd9b5df08af23dcecb47a3e289314134d4b76b3adcaf2

SHA512
7861abe50eefdf4452e4baacc4b788895610196b387b70ddeab7bc70735391ed0a015f47eada94a368b82f8e5cedb5a2096e624f4a881ff067937ad159e3562c

Download Submit
C:\ProgramData\netsupport\client\PCICHEK.DLL

Filesize
18KB

MD5
a0b9388c5f18e27266a31f8c5765b263

SHA1
906f7e94f841d464d4da144f7c858fa2160e36db

SHA256
313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

SHA512
6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

Download Submit
C:\ProgramData\netsupport\client\PCICL32.dll

Filesize
3.5MB

MD5
ad51946b1659ed61b76ff4e599e36683

SHA1
dfe2439424886e8acf9fa3ffde6caaf7bfdd583e

SHA256
07a191254362664b3993479a277199f7ea5ee723b6c25803914eedb50250acf4

SHA512
6c30e7793f69508f6d9aa6edcec6930ba361628ef597e32c218e15d80586f5a86d89fcbee63a35eab7b1e0ae26277512f4c1a03df7912f9b7ff9a9a858cf3962

Download Submit
C:\ProgramData\netsupport\client\client32.exe

Filesize
54KB

MD5
9497aece91e1ccc495ca26ae284600b9

SHA1
a005d8ce0c1ea8901c1b4ea86c40f4925bd2c6da

SHA256
1b63f83f06dbd9125a6983a36e0dbd64026bb4f535e97c5df67c1563d91eff89

SHA512
4c892e5029a707bcf73b85ac110d8078cb273632b68637e9b296a7474ab0202320ff24cf6206de04af08abf087654b0d80cbecfae824c06616c47ce93f0929c9

Download Submit
C:\ProgramData\netsupport\client\client32.ini

Filesize
672B

MD5
b195a5ef0d805dd2acfb38e5df63b63f

SHA1
311e0113acba508a1ed3c64d42fd7a0f0e3af7ce

SHA256
2ac94a594e8583574f9a16dca49b68947e5caeac3afc6b35f59f5b8a2a819d94

SHA512
dc797da376790054c6c0de33b1bcefc4e1e3db8ff87026974f2ea4dfc555d10ff588031b86580d309d77fe9001e7d5c17955f83aab40d221da42cb7c3ccc5be6

Download Submit
C:\ProgramData\netsupport\client\pcicapi.dll

Filesize
32KB

MD5
dcde2248d19c778a41aa165866dd52d0

SHA1
7ec84be84fe23f0b0093b647538737e1f19ebb03

SHA256
9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

SHA512
c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7915c5c12c884cc2fa03af40f3d2e49d

SHA1
d48085f85761cde9c287b0b70a918c7ce8008629

SHA256
e79d4b86d8cabd981d719da7f55e0540831df7fa0f8df5b19c0671137406c3da

SHA512
4c71eb6836546d4cfdb39cd84b6c44687b2c2dee31e2e658d12f809225cbd495f20ce69030bff1d80468605a3523d23b6dea166975cedae25b02a75479c3f217

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9faad3e004614b187287bed750e56acc

SHA1
eeea3627a208df5a8cf627b0d39561167d272ac5

SHA256
64a60300c46447926ce44b48ce179d01eff3dba906b83b17e48db0c738ca38a9

SHA512
a7470fe359229c2932aa39417e1cd0dc47f351963cbb39f4026f3a2954e05e3238f3605e13c870c9fe24ae56a0d07e1a6943df0e891bdcd46fd9ae4b7a48ab90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
6058061e747929eff4c11afa0be15102

SHA1
0b572b3fd45f9c9b030489c434d509aed28d5dad

SHA256
bf6b28f4bc67639f6ec0c7a13ba39c95ba2696484a092366a4d5b6cb4216ed54

SHA512
48f0bbfe05f764df5863c430dcb8b26dd8d55c779b684b3b7598d9704c420b227dc53b78517c9796c236aa2bd7f6389bc98bde24844a3d65647bc951f2137ca7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
431B

MD5
c1b777b2a65c6d5311365a3f95ee4698

SHA1
f02c6ff928ae5e8b1a1615a5eb101d88a1374e17

SHA256
fe0f31b37dbbd456b74643e8702156360482be9df8012d6f5a2a9e9a197d78d6

SHA512
622a40711b284338d85f463b41b31b0338ecb2944c46279fb66a5f4b32c8b6ff14769e0ca9a23d4762d3f263909354b7827ee3b0c4bb5c11953bc2fcf916131e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2c517a64a2f6b4f5eaede29b7db8b1a1

SHA1
64cb3597510b08854bb57fa240cd7bd178bc25b5

SHA256
dbc48301e9aa409a7c94350c9e911f31632f3913759d7fb2534d605379ad6fe4

SHA512
b5ebad1bfd9c9e7b60d6a7dc7b199cbd9738f31d9d2b430cdfdfa12bcf8ccc864e0167eae0f23313b12f250194f2258402de16b62c953c3ac5157240bded4432

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3a7dc85c0789ad664901c49d122ab99f

SHA1
1f81bffecac39c0bddbe12b66abe59ea83f3f9ce

SHA256
13871b5d8636e3794092e5edcc2c93309297c0f54d24fd84c4fe51260f2e06d9

SHA512
34e0ffd77d71205989a333e1d3d996f13d797fe2209af393b55aa43835ec37d0bfe030856b1810f1b8f44194b7a33ed1d0c761363a2914683959675845be06b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
316286d001d31f9f5b7e0aa8efed16a4

SHA1
1c4d95a318607a90fab1493abab9bb82324a1fca

SHA256
08883a2975f9829953b7a0ea2d5d54d4206002253a421577e3214f5686e4975c

SHA512
54a5618d208758f4d2fb9d4e1b40076457a9d93c6c0c4b87050e6d5d13a0d610503aebc4ab71481e1152f1b06d13ab5e78036467d8d049f0015ee4f5ece14bee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
870b908695e21c1006f929e8940809bf

SHA1
c15578c93687dd1935d3509f5bd0dbf08edfae88

SHA256
e0f0d7fb39b932cb3f596b21b4f9fbec7d42026d2d118fb1d0211ee834bd03d6

SHA512
b4e632a2a796c5d9f05f29c7b4581799d3592cb1a7a319664f3babb7c37608e77b44020e331f22d689f5c05e9b3c5c6104dc61c29e1dcf16417bdc0f40aaaaa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
49b610ffcf59b489e90cf2a37d34b400

SHA1
17d276454056338a0ba03994a13339ca0de2fd53

SHA256
0d49b0e5cb355f1cf340513b66bd2058615f0d457b72f2a448d0b69181d9eb97

SHA512
967a9ee393cda880345ae514eb5643758b42646fc53693f69361f5869b34c8301caeb77c878bc12b465c55a6eecd6071946409a0f11df286c7f3f6b34db338c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
271a2877f40dff12f5df1b85f8844e85

SHA1
abdbff01e4aa13bf4e449d050fcd90251f37fb2b

SHA256
3ebd5b937294eeca66abfba6396e7698aade7f1fba82f86adfea497984a80725

SHA512
5d1697852cfd252e38868586d2cb97e94d507ed30b44407308f46df8d217077d4396db0ae719a509b383499f46d67506fe3b65ca384eb6b23a409d6e16336ba7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
34b159616f80c1d5893cf406775bad4e

SHA1
dff5f71c17b07b8549b36e1c768db925205e1b4f

SHA256
120aeb6d51d942abd453d508b7bfd606aff0c798e588ca2e18b23d5a993820ad

SHA512
3694b353483d4297944cf8d0ecfba7ed832d94dc25dd7012c7d6b4415b5bfcc90d72b468f3cf3a038f3936d5b56ee14622677eb069a3a29933cb18ee447bb82b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5iem0woo.qad.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/280-10-0x000001211CBB0000-0x000001211CBC0000-memory.dmp

Filesize
64KB

Download
memory/280-14-0x00007FFE565D0000-0x00007FFE57092000-memory.dmp

Filesize
10.8MB

Download
memory/280-8-0x0000012136AA0000-0x0000012136AC2000-memory.dmp

Filesize
136KB

Download
memory/280-9-0x00007FFE565D0000-0x00007FFE57092000-memory.dmp

Filesize
10.8MB

Download
memory/280-12-0x000001211CBB0000-0x000001211CBC0000-memory.dmp

Filesize
64KB

Download
memory/280-11-0x000001211CBB0000-0x000001211CBC0000-memory.dmp

Filesize
64KB

Download
memory/2192-15-0x00007FF7B7AD0000-0x00007FF7B7AE0000-memory.dmp

Filesize
64KB

Download
memory/2192-16-0x00007FFE36D90000-0x00007FFE36DA0000-memory.dmp

Filesize
64KB

Download
memory/2192-17-0x00007FFE76D90000-0x00007FFE76E4D000-memory.dmp

Filesize
756KB

Download
memory/2192-22-0x00007FFE76D90000-0x00007FFE76E4D000-memory.dmp

Filesize
756KB

Download
memory/2192-21-0x00007FF7B7AD0000-0x00007FF7B7AE0000-memory.dmp

Filesize
64KB

Download
memory/3320-18-0x00007FF7598F0000-0x00007FF759900000-memory.dmp

Filesize
64KB

Download
memory/3320-20-0x00007FF7598F0000-0x00007FF759900000-memory.dmp

Filesize
64KB

Download
memory/3864-93-0x0000021DBB150000-0x0000021DBB15A000-memory.dmp

Filesize
40KB

Download
memory/3864-88-0x0000021DBB180000-0x0000021DBB1A4000-memory.dmp

Filesize
144KB

Download
memory/3864-87-0x0000021DBB180000-0x0000021DBB1AA000-memory.dmp

Filesize
168KB

Download
memory/3864-92-0x0000021DBB170000-0x0000021DBB182000-memory.dmp

Filesize
72KB

Download
memory/4968-41-0x000001E2FFD10000-0x000001E2FFF1A000-memory.dmp

Filesize
2.0MB

Download
memory/4968-40-0x000001E2FF980000-0x000001E2FFAF6000-memory.dmp

Filesize
1.5MB

Download