netsupport | hxxp://workable[.]uk[.]com

Resubmissions

30-04-2024 20:59

240430-zspv5aff61 6

30-04-2024 20:58

240430-zskleahd78 1

30-04-2024 20:50

240430-zm2bzahd23 1

30-04-2024 20:47

240430-zlb1pafe5v 10

Analysis

max time kernel
119s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30-04-2024 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://workable.uk.com

Score

10^/10

netsupport rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://workable.com/

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Blocklisted process makes network request 1 IoCs

flow	pid	Process
205	5624	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3832	client32.exe

Loads dropped DLL 5 IoCs

pid	Process
3832	client32.exe
3832	client32.exe
3832	client32.exe
3832	client32.exe
3832	client32.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
63	api.ipify.org
64	api.ipify.org
65	api.ipify.org
62	api.ipify.org

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Workable_4.12.7.msix:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5752	notepad.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
5252	powershell.exe
5252	powershell.exe
5252	powershell.exe
5152	powershell.exe
5152	powershell.exe
5152	powershell.exe
5624	powershell.exe
5624	powershell.exe
5624	powershell.exe
5868	msedge.exe
5868	msedge.exe
5672	msedge.exe
5672	msedge.exe
4152	identity_helper.exe
4152	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	firefox.exe
Token: SeDebugPrivilege	2756	firefox.exe
Token: SeDebugPrivilege	2756	firefox.exe
Token: SeRestorePrivilege	5068	7zG.exe
Token: 35	5068	7zG.exe
Token: SeSecurityPrivilege	5068	7zG.exe
Token: SeSecurityPrivilege	5068	7zG.exe
Token: SeDebugPrivilege	5252	powershell.exe
Token: SeDebugPrivilege	5152	powershell.exe
Token: SeDebugPrivilege	5624	powershell.exe
Token: SeIncreaseQuotaPrivilege	5624	powershell.exe
Token: SeSecurityPrivilege	5624	powershell.exe
Token: SeTakeOwnershipPrivilege	5624	powershell.exe
Token: SeLoadDriverPrivilege	5624	powershell.exe
Token: SeSystemProfilePrivilege	5624	powershell.exe
Token: SeSystemtimePrivilege	5624	powershell.exe
Token: SeProfSingleProcessPrivilege	5624	powershell.exe
Token: SeIncBasePriorityPrivilege	5624	powershell.exe
Token: SeCreatePagefilePrivilege	5624	powershell.exe
Token: SeBackupPrivilege	5624	powershell.exe
Token: SeRestorePrivilege	5624	powershell.exe
Token: SeShutdownPrivilege	5624	powershell.exe
Token: SeDebugPrivilege	5624	powershell.exe
Token: SeSystemEnvironmentPrivilege	5624	powershell.exe
Token: SeRemoteShutdownPrivilege	5624	powershell.exe
Token: SeUndockPrivilege	5624	powershell.exe
Token: SeManageVolumePrivilege	5624	powershell.exe
Token: 33	5624	powershell.exe
Token: 34	5624	powershell.exe
Token: 35	5624	powershell.exe
Token: 36	5624	powershell.exe
Token: SeIncreaseQuotaPrivilege	5624	powershell.exe
Token: SeSecurityPrivilege	5624	powershell.exe
Token: SeTakeOwnershipPrivilege	5624	powershell.exe
Token: SeLoadDriverPrivilege	5624	powershell.exe
Token: SeSystemProfilePrivilege	5624	powershell.exe
Token: SeSystemtimePrivilege	5624	powershell.exe
Token: SeProfSingleProcessPrivilege	5624	powershell.exe
Token: SeIncBasePriorityPrivilege	5624	powershell.exe
Token: SeCreatePagefilePrivilege	5624	powershell.exe
Token: SeBackupPrivilege	5624	powershell.exe
Token: SeRestorePrivilege	5624	powershell.exe
Token: SeShutdownPrivilege	5624	powershell.exe
Token: SeDebugPrivilege	5624	powershell.exe
Token: SeSystemEnvironmentPrivilege	5624	powershell.exe
Token: SeRemoteShutdownPrivilege	5624	powershell.exe
Token: SeUndockPrivilege	5624	powershell.exe
Token: SeManageVolumePrivilege	5624	powershell.exe
Token: 33	5624	powershell.exe
Token: 34	5624	powershell.exe
Token: 35	5624	powershell.exe
Token: 36	5624	powershell.exe
Token: SeSecurityPrivilege	3832	client32.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
5068	7zG.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
3832	client32.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
2756	firefox.exe
5656	OpenWith.exe
5792	OpenWith.exe
5792	OpenWith.exe
5792	OpenWith.exe
5792	OpenWith.exe
5792	OpenWith.exe
5792	OpenWith.exe
5792	OpenWith.exe
5792	OpenWith.exe
5792	OpenWith.exe
5792	OpenWith.exe
5792	OpenWith.exe
5792	OpenWith.exe
5792	OpenWith.exe
5792	OpenWith.exe
5792	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 2756	2592	firefox.exe	85
PID 2592 wrote to memory of 2756	2592	firefox.exe	85
PID 2592 wrote to memory of 2756	2592	firefox.exe	85
PID 2592 wrote to memory of 2756	2592	firefox.exe	85
PID 2592 wrote to memory of 2756	2592	firefox.exe	85
PID 2592 wrote to memory of 2756	2592	firefox.exe	85
PID 2592 wrote to memory of 2756	2592	firefox.exe	85
PID 2592 wrote to memory of 2756	2592	firefox.exe	85
PID 2592 wrote to memory of 2756	2592	firefox.exe	85
PID 2592 wrote to memory of 2756	2592	firefox.exe	85
PID 2592 wrote to memory of 2756	2592	firefox.exe	85
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 3468	2756	firefox.exe	86
PID 2756 wrote to memory of 2284	2756	firefox.exe	87
PID 2756 wrote to memory of 2284	2756	firefox.exe	87
PID 2756 wrote to memory of 2284	2756	firefox.exe	87
PID 2756 wrote to memory of 2284	2756	firefox.exe	87
PID 2756 wrote to memory of 2284	2756	firefox.exe	87
PID 2756 wrote to memory of 2284	2756	firefox.exe	87
PID 2756 wrote to memory of 2284	2756	firefox.exe	87
PID 2756 wrote to memory of 2284	2756	firefox.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://workable.uk.com"
1⤵
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://workable.uk.com
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1956 -prefMapHandle 1948 -prefsLen 25457 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {367d7681-b466-49ef-adff-fa52f4daff8b} 2756 "\\.\pipe\gecko-crash-server-pipe.2756" gpu
    3⤵
    PID:3468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 26377 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9924947-04d9-4fae-ae9f-43a56c72fcc5} 2756 "\\.\pipe\gecko-crash-server-pipe.2756" socket
    3⤵
    PID:2284
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3428 -childID 1 -isForBrowser -prefsHandle 3508 -prefMapHandle 3244 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d086c102-1ed0-43e3-94e9-fe669d821c55} 2756 "\\.\pipe\gecko-crash-server-pipe.2756" tab
    3⤵
    PID:720
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3656 -childID 2 -isForBrowser -prefsHandle 3500 -prefMapHandle 2812 -prefsLen 30867 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1fbc0d2-45d8-4981-8545-5b5330192618} 2756 "\\.\pipe\gecko-crash-server-pipe.2756" tab
    3⤵
    PID:1136
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4876 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4612 -prefMapHandle 4744 -prefsLen 30867 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37b6c017-caea-4b09-8b53-0693b5997906} 2756 "\\.\pipe\gecko-crash-server-pipe.2756" utility
    3⤵
    - Checks processor information in registry
    PID:2400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5220 -childID 3 -isForBrowser -prefsHandle 5208 -prefMapHandle 5212 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0eb401ff-cccd-4dd8-8f3b-06aaab7c8f47} 2756 "\\.\pipe\gecko-crash-server-pipe.2756" tab
    3⤵
    PID:1232
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5132 -childID 4 -isForBrowser -prefsHandle 5476 -prefMapHandle 3172 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c6ccec7-256e-483e-bc7f-d1a03d334872} 2756 "\\.\pipe\gecko-crash-server-pipe.2756" tab
    3⤵
    PID:5112
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5696 -childID 5 -isForBrowser -prefsHandle 5688 -prefMapHandle 5684 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e18510a-53a0-415b-b12e-6b60ba5232c7} 2756 "\\.\pipe\gecko-crash-server-pipe.2756" tab
    3⤵
    PID:4392
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5840 -childID 6 -isForBrowser -prefsHandle 5580 -prefMapHandle 5584 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ba69075-fc9c-499b-bfd8-36b0cc73541e} 2756 "\\.\pipe\gecko-crash-server-pipe.2756" tab
    3⤵
    PID:1284

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4788

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap1459:94:7zEvent18725
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5068

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5656

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" "C:\Users\Admin\Downloads\AHCHICSvjmApRFFQmAQXRyNbw.ps1"
1⤵
- Opens file in notepad (likely ransom note)
PID:5752

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\Admin\Downloads\StartingScriptWrapper.ps1'"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\Admin\Downloads\AHCHICSvjmApRFFQmAQXRyNbw.ps1'"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5624
- - C:\ProgramData\netsupport\client\client32.exe
    "C:\ProgramData\netsupport\client\client32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://workable.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcc78a46f8,0x7ffcc78a4708,0x7ffcc78a4718
    3⤵
    PID:5680
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,4843168485661824169,3109470385990965060,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
    3⤵
    PID:5848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,4843168485661824169,3109470385990965060,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5868
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,4843168485661824169,3109470385990965060,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
    3⤵
    PID:5844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4843168485661824169,3109470385990965060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
    3⤵
    PID:6092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4843168485661824169,3109470385990965060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
    3⤵
    PID:6060
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,4843168485661824169,3109470385990965060,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
    3⤵
    PID:5212
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,4843168485661824169,3109470385990965060,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4152
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4843168485661824169,3109470385990965060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
    3⤵
    PID:5216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4843168485661824169,3109470385990965060,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
    3⤵
    PID:4980
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4843168485661824169,3109470385990965060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
    3⤵
    PID:5700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4843168485661824169,3109470385990965060,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
    3⤵
    PID:3176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\netsupport\client\HTCTL32.DLL

Filesize
320KB

MD5
2d3b207c8a48148296156e5725426c7f

SHA1
ad464eb7cf5c19c8a443ab5b590440b32dbc618f

SHA256
edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

SHA512
55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Download Submit
C:\ProgramData\netsupport\client\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\ProgramData\netsupport\client\NSM.LIC

Filesize
259B

MD5
1dc87146379e5e3f85fd23b25889ae2a

SHA1
b750c56c757ad430c9421803649acf9acd15a860

SHA256
f7d80e323e7d0ed1e3ddd9b5df08af23dcecb47a3e289314134d4b76b3adcaf2

SHA512
7861abe50eefdf4452e4baacc4b788895610196b387b70ddeab7bc70735391ed0a015f47eada94a368b82f8e5cedb5a2096e624f4a881ff067937ad159e3562c

Download Submit
C:\ProgramData\netsupport\client\PCICHEK.DLL

Filesize
18KB

MD5
a0b9388c5f18e27266a31f8c5765b263

SHA1
906f7e94f841d464d4da144f7c858fa2160e36db

SHA256
313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

SHA512
6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

Download Submit
C:\ProgramData\netsupport\client\PCICL32.dll

Filesize
3.5MB

MD5
ad51946b1659ed61b76ff4e599e36683

SHA1
dfe2439424886e8acf9fa3ffde6caaf7bfdd583e

SHA256
07a191254362664b3993479a277199f7ea5ee723b6c25803914eedb50250acf4

SHA512
6c30e7793f69508f6d9aa6edcec6930ba361628ef597e32c218e15d80586f5a86d89fcbee63a35eab7b1e0ae26277512f4c1a03df7912f9b7ff9a9a858cf3962

Download Submit
C:\ProgramData\netsupport\client\client32.exe

Filesize
54KB

MD5
9497aece91e1ccc495ca26ae284600b9

SHA1
a005d8ce0c1ea8901c1b4ea86c40f4925bd2c6da

SHA256
1b63f83f06dbd9125a6983a36e0dbd64026bb4f535e97c5df67c1563d91eff89

SHA512
4c892e5029a707bcf73b85ac110d8078cb273632b68637e9b296a7474ab0202320ff24cf6206de04af08abf087654b0d80cbecfae824c06616c47ce93f0929c9

Download Submit
C:\ProgramData\netsupport\client\client32.ini

Filesize
672B

MD5
b195a5ef0d805dd2acfb38e5df63b63f

SHA1
311e0113acba508a1ed3c64d42fd7a0f0e3af7ce

SHA256
2ac94a594e8583574f9a16dca49b68947e5caeac3afc6b35f59f5b8a2a819d94

SHA512
dc797da376790054c6c0de33b1bcefc4e1e3db8ff87026974f2ea4dfc555d10ff588031b86580d309d77fe9001e7d5c17955f83aab40d221da42cb7c3ccc5be6

Download Submit
C:\ProgramData\netsupport\client\pcicapi.dll

Filesize
32KB

MD5
dcde2248d19c778a41aa165866dd52d0

SHA1
7ec84be84fe23f0b0093b647538737e1f19ebb03

SHA256
9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

SHA512
c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
919c29d42fb6034fee2f5de14d573c63

SHA1
24a2e1042347b3853344157239bde3ed699047a8

SHA256
17cd6de97a0c020cb4935739cfef4ec4e074e8d127ac4c531b6dc496580c8141

SHA512
bb7eadd087bbcec8b1b8a49b102b454333f2f9708d36b6ffc3c82fdc52e46873398d967238c3bfe9ac6caef45b017a5fe3938ebf5f3053e4ef9be7b2752b563d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b2290ca03b4ca5fe52d82550c7e7d69

SHA1
20583a7851a906444204ce8ba4fa51153e6cd494

SHA256
f9ff4871fc5317299de907489d466e630be63d698c8f7cb77cc81faddbecc6d2

SHA512
704ec8122cc1c263dff67ddbb5c20ee0db8a438674d716bc3be5b266ee5629a219b0049d721f9eb2dd8f2d8fda0163659eaa4d3e1f0a6e9072a8ffb92bb2b25d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
8e778643667baa40d7bf2431c4df57f4

SHA1
c5b5a603dea9e14274ef2fde586c9a3cc222907b

SHA256
df37ba7adfdce24ceeab19875f621c52d18e8b2643013c92ccf06c09277c37ef

SHA512
8c0e9a93f9091653dfb1ff2653805a2cb35c0473c93ce6d444ab5a7c46987979823fae74f7f9db55e76a391aa55de61d77a81d426667265eb0ec023e6528460b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
26a826ed64cecba7e2147a001931709e

SHA1
f9f15c0fae81ed56038c08f18bd3c0094a340979

SHA256
ab33866089b9ba23e4338df4e14139517042213b4f7d9c52e13cc9a961d1aa34

SHA512
a27afe49fd11fc54c79e5c034743945adf3df14c2cac235aa0e7182068abd4c40286e2ce174375aef2a757249e3db359cb0683432fe96a4b364304143b19411a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a5be581e5bedbd70d360b1972cae2179

SHA1
09f74c01f263f9131ba4c33404e2cc10dc7c9ece

SHA256
cf44ac0c9104741f00e7faf87cba400685073edc933565494a8e71926081a402

SHA512
31e36f3a6e49ec6aca2e42233a7fff089265091ee96636a001cc9a28737128567923bdba25fb5fc88e00ff3a2c211dbb9d3030945cd3a7900d315540e880c072

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\d0cc6879accaf5d633798a2a0cd4388c21d41ab3\e2f32d32-043e-4dbb-bd29-0e1568f43831\index-dir\the-real-index

Filesize
72B

MD5
7dfdea1f103d8e5df6809037427bfa7c

SHA1
22da537482a0a8108980427cc617e1ae0e9d1ed8

SHA256
c2219f5ec260111a03e2c76dc490f8656b919b9874d32833014902661a4cba76

SHA512
0fe75d912adcfe6d954c25405de6723093275d6eaec7eef8fe4c4261612a91d722b5f7b28693c1be45aa801b82eb5955fa9d74092208aceefce59d71016baba9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\d0cc6879accaf5d633798a2a0cd4388c21d41ab3\e2f32d32-043e-4dbb-bd29-0e1568f43831\index-dir\the-real-index~RFe58d0d8.TMP

Filesize
48B

MD5
634b8fd20cb478a0760976523b29357e

SHA1
6c0e25328e74bc2c3e460532be094bdc81d1ddff

SHA256
6c97d88b15bb3edb5432bad60e573f760a26301a486a0fa34f0b8bbed908010d

SHA512
b8f517e2996574274b6f0ccc0a5b4314bf7c10a96e2389688e70f2c96b83656ebf9c1ff0c3e3921c5cdb10c559bb7265fe5c6a2bb269b9546a46c35d17e2eb8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\d0cc6879accaf5d633798a2a0cd4388c21d41ab3\index.txt

Filesize
91B

MD5
a76f76b175c7e65eea063a3b9638b6cf

SHA1
162d6a421b8de24b1542d304fe027641c61d4611

SHA256
dda391a53d40ed049f76e7cf7071a5682dd8f9bb79562b80e71275f3fa9685fc

SHA512
e43824b21a68d0e54be0cc7e4e2a27861e65c17fd0db89c0df45f49681cf3d1c51e1b9754a0834e261031e515a1f681e4efcb075a4fa3c0ca8b29a02b73286ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\d0cc6879accaf5d633798a2a0cd4388c21d41ab3\index.txt

Filesize
86B

MD5
6822b1fff440da1d19530fc6446a663f

SHA1
79d3e60fe5217a0b2c31d66f1fce29f19f701554

SHA256
c50319a7018daf3c52c16881bbf5cd042eba32ebdc1d094e54098f1330ec90d8

SHA512
7284696d2a1bee330cee99072f92357d2eaa9fddb74d236e49999d11322da3220795cfac6534883c1c9578041625bb6cfa907f4f8f2169a0af85387d79e22705

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
48B

MD5
1c94913877c0e7e56138b3634c613f32

SHA1
e24170eaca96ae022b5e435a1e9e9156e87a9178

SHA256
500f401cf8521f06068f28f710ba687518953972c836b7d30e473791c38238c4

SHA512
effc69e6caca6970912a1f0d31b289ada2d516216a5d03de8bb40647a508516b39a79ae0a32c9934579a502d3e488a93a07580c3693648f80a83c33d751005c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58d6e3.TMP

Filesize
48B

MD5
5ec8d0abf2385cc7d989c2c5e8e22f2f

SHA1
7bbbea5c3596ee9e160be62bab7a3ee02d6452e3

SHA256
6068437f6d57873486c72502835a6b2c95f081009685848ab37bebb959ad203b

SHA512
2a454263c1c64a474deb0c29452178c9604f1e187822b76946de405b2189401726a7f559a98b3274e08123ea44fc636d6089768d93ae929f422f0a405c225027

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
59c50fa2a4b591db4c7a6eea7ec67445

SHA1
40426ad9ed679f16285c75b5167b7bba8c41b772

SHA256
b30f6ab0c487ceaf54e161d3f9bec35eef0826d73e687740bf08e0fd77142ed4

SHA512
8340da1a83e5717233b9c81dc2ce657f6721b6da3018ffe1ab604d198d4126c500cf768d0e0a1ae7d272333e83ad46644c7843f4aec6a3efe17c73ce6e58a60a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58d26e.TMP

Filesize
3KB

MD5
1094a4021313a47fabcb023986b1cbe0

SHA1
873d7fef16a714e4a26382e56b44ac106c0da253

SHA256
8f55efa6c0fc1d99bb08a66799eba8e1f17c594cd0433b01eee24e9792177d3d

SHA512
9cedb84dd4693a7341fca815716d8c174d1fdefa1e364d9a4ee271e5cbc6bf2da2e394b7374ad608e6c6cca879c0205960071cfed4de3e9e9c90b6855f244bdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c82eaa48121b909e90052518e8268c4d

SHA1
ab230f500325588436ef54e1b738712ca66d5de6

SHA256
b8e9159f921422294b366692203604dfb793fb8241a170ed63a15ef0c3f5160e

SHA512
dcef2ddbf38ced99f2897a828d3cb2c333ce937c50b9641fdb20badd0c42a85d4324bab4e3508cb67b5f3639fe6c5e2d2fb51256a957f13d634ea6829aaee937

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eaae514x.ys1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
90397e1ab8457d3059a84741f4a4eda7

SHA1
eaf202bf8628cef7fbcf748a39e2f2afeb9865cc

SHA256
6b6a7e542c3a7ff73da56d712e171ebd93b9ce4b0bb7e34df4c9e7a35abdd486

SHA512
2de3287b83d3d5f9865733a16cc8016e5a5f2f100e1360e8f06b77e368c29663f22fdd394ba7a079226cbd0dc6f45a9ad2882f75fd5bec026b74dae8c7b0935e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
4855287cbe61b113ad6349638db5891e

SHA1
3301e9f487a4e2663161983e55234b37d668b424

SHA256
336c83212e4d172877d1b922de6dbbe0f7bcb240dfb1de3d3adc69cf3fe5163f

SHA512
73fd1e18da54f7d61f8355e17ef0b8b32f6035138a3b4091e00e68176756bff6d9d86698f12fbbce5610903fd2125277a767789cf1f1a0760692cca8d265f25d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\AlternateServices.bin

Filesize
7KB

MD5
be7b66feee3bc83c9fbb7976050c3f71

SHA1
9b0d375c67c6915bc43d7cdf5992628a9d507e3c

SHA256
64444bed973da06fc38796f21de3e91012f02a7777275300ab7d3418c629b4ba

SHA512
2c6c178b8ae9b82284f2afd0dde71d36393759f8bc260b366893dc71bf8eff95692f37280e710d6045693fe060b0a95d20e0874282779929c19e88ea1e7491b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
644b0fb6657b936034ed132f99193b55

SHA1
e54077062bd9ba4bfdb14977eb7172428c0a2988

SHA256
964f29db41feb22f82b7c5dbaca63f6deac28045b6aef96c5f4999df9bb4a994

SHA512
4a816f6714cfb474c6047ab69181d0d85f632ec9ca02cb0aca2ef02cc3fcb611f566b50b751088b9b69c09786cf60ce9478671d5e42b37ba64755cb8855cedad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\datareporting\glean\pending_pings\1f53097a-3c34-48e9-888a-2fcb8c251527

Filesize
25KB

MD5
79ff74aa7432d9fe9989d548f0855162

SHA1
efe10adb28f8d54f5b2ae12bc28a335a0c1c7fff

SHA256
c196a9952430989e02f2e08eab97d8f5d464203aa2bf635c0ac85418dbae93fc

SHA512
1a76fa1bf80418d610129f66f7e850ec3a059473f71f540212e79589724d9ae34cefc27e7c637c4d51a51d493eee0c1a12d2af8a95cfed2428019216660d548f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\datareporting\glean\pending_pings\545cff19-fb36-42c3-acb6-fae482655bfd

Filesize
982B

MD5
e2ab8eb81316b7f559dfd64923de1d12

SHA1
160fb54127e08fadf5ecf44d6ce756d46208dec5

SHA256
bd1c4acc5b5a4289ed58087df8d249a124bb434b34b821280977b911d625d9ed

SHA512
6753d109e81e9c96a1fd33253ebcc65c3834afbff72313037784bdcba64dbbf591cce134a1b2e2301dd81d088a6f689c6c0788dd211dce2f5d918524ee588eab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\datareporting\glean\pending_pings\fde61e4a-a16d-407c-aef8-f82abd5479c7

Filesize
671B

MD5
ecf835c3c22a702460a1c5ede5f620e1

SHA1
d40cc71cf4dd1fd64cb49b1a8fa97e6ff7a15778

SHA256
a0d364a7ef27c804ccccf1caee51bcabad0217485aa8e0b6661d8321515583c3

SHA512
1353ac73c49c86b495e93fab4086f3327f182d84ba7f3ca5a01220ed4dff2afe60c0eeed42144b56c4e92778d2c412fd2d3c15c364d511bceea2209896b49acf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\prefs-1.js

Filesize
9KB

MD5
b88ba32f08d3a479851c22301762c58d

SHA1
3f24d19d25a729ebdb406fc4b550e248a3a2dcfa

SHA256
81b0b39edb0f9ff6ae12108668eb678d394379033765c6515bc65549047d9c05

SHA512
3cdf1b6188c852fb1a3851086c9b2519f223727368c135842bb2a19aa44c4de7fe4bc2febe404d56128ab958de7f93320170d9c26ab138f132beea6581c88f98

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\prefs.js

Filesize
8KB

MD5
6d60f1ce1bcdc84c79fbf1a6bb4134b7

SHA1
8fe6619b046458acc5e76a587ef017fddce9e390

SHA256
33f0e7949326948a1505755b32f4573ed9a95a308957db7e1a77989debe8f0d6

SHA512
c43e3c6bd6f6f2ee2315db3b15c6f1414ebbd4556ee027921b8229eddbe47fa2361cda990615612a6646a4f0350078560ed94503ffe4b71e385599c9e8a9698e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\prefs.js

Filesize
8KB

MD5
2bf57d0b537b284cf227b248318eb489

SHA1
f2f144e39aeb4c7abca1fe946544e93f6c2a1190

SHA256
1afe3650b39e2ef25a3f5f7b13c450f4a87bd4d4bc7481b0140b869b163326fc

SHA512
65e812ff28514ba54d80e8e9f18b8111bac393b523e98b2e30a68acd837f89b9d784380d756550680a4fda2d7e6ce2f13244ea365c8db2309ed6e905973d2d44

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
670975e89b75d54cf33574bf8d949db0

SHA1
11f5101d4ea449ef5d25914e249ff3d6e82ca411

SHA256
e6d4437f0e0108244154aa7a0b1c49d732738244884d45bf35692d40779d65e5

SHA512
a011ca4638726b32d08e8eab7d18ed6c7f37298f1af61887c59d934dee9f71ab19c68908e8b0bf44fb860fd73e117124d26762fdc3354edc4ac90bec6dff5708

Download Submit
C:\Users\Admin\Downloads\AHCHICSvjmApRFFQmAQXRyNbw.ps1

Filesize
5KB

MD5
f899781c5239e59fd7d11c9211c08d28

SHA1
cdd606e1955704796dec7e581b9ce30c5fdf1757

SHA256
c3ecbc6023bfa170c31eaf7033b68495798e305111ca9f2f203f58b9ec942384

SHA512
c9f399cf1425919d798dd7437ad049e5ac3dbb9324010f0bf231a5aad767cdd785ee1123d9b4b95e75e2b3d3b79bf67b6c57974af7b0feb497ff22fd715b575d

Download Submit
C:\Users\Admin\Downloads\StartingScriptWrapper.ps1

Filesize
14KB

MD5
da5bf3010154020db9db4cf8832b42ea

SHA1
15ba3dc3bbcb16a26839862d79b3519e74a5e03a

SHA256
7778c658411a2f1649ced14cdfe8a92145c1c7fa53b1ce5b14920000fe99bd98

SHA512
d70c6df571a069797f5eb1ac9a3e30293914b8f1378714e97ae0b881ee5a833f0944ee7246e2768ed74747637deade85306e837a25b1757a1bc3abb7d6eaa9e2

Download Submit
C:\Users\Admin\Downloads\Workable_4.h3REcGmm.12.7.msix.part

Filesize
1.0MB

MD5
318bf7ea84487c8a63a3996e24494455

SHA1
243ed6b028aeb2c94eeafbffcad193f43b808444

SHA256
184a400fe334027ff287ad0cf83c165fdf4605507c83ec054fb2b544f877163c

SHA512
930738b8da136831754b076374e0c6d215608d271501418bae142279c915d51df447b44ead4414e7f4995c8ef756b3b2e489ae88d72d7e98e40cbf8dd0b3d83c

Download Submit
memory/5152-521-0x0000020B7F2A0000-0x0000020B7F416000-memory.dmp

Filesize
1.5MB

Download
memory/5152-522-0x0000020B7F630000-0x0000020B7F83A000-memory.dmp

Filesize
2.0MB

Download
memory/5252-504-0x000001ED7F100000-0x000001ED7F122000-memory.dmp

Filesize
136KB

Download
memory/5624-708-0x00000245B1D20000-0x00000245B1D2A000-memory.dmp

Filesize
40KB

Download
memory/5624-707-0x00000245B1D30000-0x00000245B1D42000-memory.dmp

Filesize
72KB

Download
memory/5624-681-0x00000245B1D40000-0x00000245B1D64000-memory.dmp

Filesize
144KB

Download
memory/5624-678-0x00000245B1D40000-0x00000245B1D6A000-memory.dmp

Filesize
168KB

Download