netsupport | 3802c396e836de94ee13e38326b3fb937fcf0d6f6ef9ccdf77643be65de4c8ee

Analysis

max time kernel
1163s
max time network
1211s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2024 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

update_21_06_2024_8007376.appx
Size

5.7MB
MD5

cf0ee8a6c9012e71d181916641b2228d
SHA1

029da267489f40b80f0f2096396f63ab0f692d58
SHA256

3802c396e836de94ee13e38326b3fb937fcf0d6f6ef9ccdf77643be65de4c8ee
SHA512

f161f286110c0ab643c901cbd30d2970b5d03081c59f2e741c2a30b871ba22359eb08a97f4601ea76f033f947e8e43118950398511d8582be6ceac0e122cd8a1
SSDEEP

98304:6p2MdFnpfy/CJTAeAbIqLkh0Kboh6R4p8lw6tyJRwfWUmbyK82OCX36dSA1a:BsFty/CxANIUkh0KkhE88mcyJRwfjmbZ

Score

10^/10

netsupport execution rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Executes dropped EXE 1 IoCs

pid	Process
712	client32.exe

Loads dropped DLL 6 IoCs

pid	Process
712	client32.exe
712	client32.exe
712	client32.exe
712	client32.exe
712	client32.exe
712	client32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4180	Powershell.exe
4668	powershell.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

pid	Process
1144	7za.exe
5052	7za.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4568	powershell.exe
4568	powershell.exe
4180	Powershell.exe
4180	Powershell.exe
4668	powershell.exe
4668	powershell.exe
4668	powershell.exe
3612	msedge.exe
3612	msedge.exe
740	msedge.exe
740	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	4568	powershell.exe
Token: SeDebugPrivilege	4180	Powershell.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeRestorePrivilege	1144	7za.exe
Token: 35	1144	7za.exe
Token: SeSecurityPrivilege	1144	7za.exe
Token: SeSecurityPrivilege	1144	7za.exe
Token: SeRestorePrivilege	5052	7za.exe
Token: 35	5052	7za.exe
Token: SeSecurityPrivilege	5052	7za.exe
Token: SeSecurityPrivilege	5052	7za.exe
Token: SeSecurityPrivilege	712	client32.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
712	client32.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 4180	2320	PsfLauncher64.exe	91
PID 2320 wrote to memory of 4180	2320	PsfLauncher64.exe	91
PID 2320 wrote to memory of 4180	2320	PsfLauncher64.exe	91
PID 2320 wrote to memory of 3572	2320	PsfLauncher64.exe	92
PID 2320 wrote to memory of 3572	2320	PsfLauncher64.exe	92
PID 2320 wrote to memory of 3572	2320	PsfLauncher64.exe	92
PID 2320 wrote to memory of 3572	2320	PsfLauncher64.exe	92
PID 2320 wrote to memory of 3572	2320	PsfLauncher64.exe	92
PID 2320 wrote to memory of 3572	2320	PsfLauncher64.exe	92
PID 2320 wrote to memory of 3572	2320	PsfLauncher64.exe	92
PID 2320 wrote to memory of 3572	2320	PsfLauncher64.exe	92
PID 2320 wrote to memory of 3572	2320	PsfLauncher64.exe	92
PID 2320 wrote to memory of 3572	2320	PsfLauncher64.exe	92
PID 2320 wrote to memory of 3572	2320	PsfLauncher64.exe	92
PID 2320 wrote to memory of 3572	2320	PsfLauncher64.exe	92
PID 4180 wrote to memory of 4668	4180	Powershell.exe	95
PID 4180 wrote to memory of 4668	4180	Powershell.exe	95
PID 4180 wrote to memory of 4668	4180	Powershell.exe	95
PID 4668 wrote to memory of 740	4668	powershell.exe	96
PID 4668 wrote to memory of 740	4668	powershell.exe	96
PID 4668 wrote to memory of 740	4668	powershell.exe	96
PID 4668 wrote to memory of 4380	4668	powershell.exe	97
PID 4668 wrote to memory of 4380	4668	powershell.exe	97
PID 4668 wrote to memory of 4380	4668	powershell.exe	97
PID 740 wrote to memory of 376	740	msedge.exe	98
PID 740 wrote to memory of 376	740	msedge.exe	98
PID 740 wrote to memory of 376	740	msedge.exe	98
PID 4380 wrote to memory of 1144	4380	cmd.exe	99
PID 4380 wrote to memory of 1144	4380	cmd.exe	99
PID 4380 wrote to memory of 1144	4380	cmd.exe	99
PID 4380 wrote to memory of 1144	4380	cmd.exe	99
PID 4380 wrote to memory of 1144	4380	cmd.exe	99
PID 4668 wrote to memory of 2124	4668	powershell.exe	100
PID 4668 wrote to memory of 2124	4668	powershell.exe	100
PID 4668 wrote to memory of 2124	4668	powershell.exe	100
PID 2124 wrote to memory of 5052	2124	cmd.exe	101
PID 2124 wrote to memory of 5052	2124	cmd.exe	101
PID 2124 wrote to memory of 5052	2124	cmd.exe	101
PID 2124 wrote to memory of 5052	2124	cmd.exe	101
PID 2124 wrote to memory of 5052	2124	cmd.exe	101
PID 740 wrote to memory of 4656	740	msedge.exe	102
PID 740 wrote to memory of 4656	740	msedge.exe	102
PID 740 wrote to memory of 4656	740	msedge.exe	102
PID 740 wrote to memory of 4656	740	msedge.exe	102
PID 740 wrote to memory of 4656	740	msedge.exe	102
PID 740 wrote to memory of 4656	740	msedge.exe	102
PID 740 wrote to memory of 4656	740	msedge.exe	102
PID 740 wrote to memory of 4656	740	msedge.exe	102
PID 740 wrote to memory of 4656	740	msedge.exe	102
PID 740 wrote to memory of 4656	740	msedge.exe	102
PID 740 wrote to memory of 4656	740	msedge.exe	102
PID 740 wrote to memory of 4656	740	msedge.exe	102
PID 740 wrote to memory of 4656	740	msedge.exe	102
PID 740 wrote to memory of 4656	740	msedge.exe	102
PID 740 wrote to memory of 4656	740	msedge.exe	102
PID 740 wrote to memory of 4656	740	msedge.exe	102
PID 740 wrote to memory of 4656	740	msedge.exe	102
PID 740 wrote to memory of 4656	740	msedge.exe	102
PID 740 wrote to memory of 4656	740	msedge.exe	102
PID 740 wrote to memory of 4656	740	msedge.exe	102
PID 740 wrote to memory of 4656	740	msedge.exe	102
PID 740 wrote to memory of 4656	740	msedge.exe	102
PID 740 wrote to memory of 4656	740	msedge.exe	102
PID 740 wrote to memory of 4656	740	msedge.exe	102

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start shell:AppsFolder\GoogleChrome_4n6cyy4rypx2p!NOTEPAD
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Program Files\WindowsApps\GoogleChrome_4.12.111.0_x64__4n6cyy4rypx2p\PsfLauncher64.exe
"C:\Program Files\WindowsApps\GoogleChrome_4.12.111.0_x64__4n6cyy4rypx2p\PsfLauncher64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
  Powershell.exe -ExecutionPolicy RemoteSigned -file "C:\Program Files\WindowsApps\GoogleChrome_4.12.111.0_x64__4n6cyy4rypx2p\StartingScriptWrapper.ps1" "Powershell.exe -ExecutionPolicy RemoteSigned -file '.\petXzS.ps1'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -file .\petXzS.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4668
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/intl/en_en/chrome/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:740
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8d13446f8,0x7ff8d1344708,0x7ff8d1344718
        5⤵
        
        PID:376
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,16326815900208357336,745102350924938138,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
        5⤵
        
        PID:4656
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,16326815900208357336,745102350924938138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3612
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,16326815900208357336,745102350924938138,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
        5⤵
        
        PID:2856
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16326815900208357336,745102350924938138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
        5⤵
        
        PID:4640
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16326815900208357336,745102350924938138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
        5⤵
        
        PID:4996
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16326815900208357336,745102350924938138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
        5⤵
        
        PID:3800
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16326815900208357336,745102350924938138,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
        5⤵
        
        PID:5104
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16326815900208357336,745102350924938138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
        5⤵
        
        PID:4380
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16326815900208357336,745102350924938138,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
        5⤵
        
        PID:2132
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,16326815900208357336,745102350924938138,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5484 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3604
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "VFS\ProgramFilesX64\7z2404-extra\7za.exe e VFS\ProgramFilesX64\user2.7z -oC:\Users\Public\Music\User -p9503789Zz"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4380
    - - C:\Program Files\WindowsApps\GoogleChrome_4.12.111.0_x64__4n6cyy4rypx2p\VFS\ProgramFilesX64\7z2404-extra\7za.exe
        
        VFS\ProgramFilesX64\7z2404-extra\7za.exe e VFS\ProgramFilesX64\user2.7z -oC:\Users\Public\Music\User -p9503789Zz
        5⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "VFS\ProgramFilesX64\7z2404-extra\7za.exe e C:\Users\Public\Music\User\user1.7z -oC:\Users\Public\Music\User -p9503789Zz"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2124
    - - C:\Program Files\WindowsApps\GoogleChrome_4.12.111.0_x64__4n6cyy4rypx2p\VFS\ProgramFilesX64\7z2404-extra\7za.exe
        
        VFS\ProgramFilesX64\7z2404-extra\7za.exe e C:\Users\Public\Music\User\user1.7z -oC:\Users\Public\Music\User -p9503789Zz
        5⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:5052
  - - C:\Users\Public\Music\User\client32.exe
      "C:\Users\Public\Music\User\client32.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:712
- C:\Program Files\WindowsApps\GoogleChrome_4.12.111.0_x64__4n6cyy4rypx2p\VFS\ProgramFilesX64\PsfRunDll64.exe
  "PsfRunDll64.exe"
  2⤵
  PID:3572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c39b3aa574c0c938c80eb263bb450311

SHA1
f4d11275b63f4f906be7a55ec6ca050c62c18c88

SHA256
66f8d413a30451055d4b6fa40e007197a4bb93a66a28ca4112967ec417ffab6c

SHA512
eeca2e21cd4d66835beb9812e26344c8695584253af397b06f378536ca797c3906a670ed239631729c96ebb93acfb16327cf58d517e83fb8923881c5fdb6d232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dabfafd78687947a9de64dd5b776d25f

SHA1
16084c74980dbad713f9d332091985808b436dea

SHA256
c7658f407cbe799282ef202e78319e489ed4e48e23f6d056b505bc0d73e34201

SHA512
dae1de5245cd9b72117c430250aa2029eb8df1b85dc414ac50152d8eba4d100bcf0320ac18446f865dc96949f8b06a5b9e7a0c84f9c1b0eada318e80f99f9d2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
eb72a590d435023f309dda7814e6506f

SHA1
aac5699035934eb4303b39d23b56d92775e84e24

SHA256
d9e69fc720c77927de0ce757f738d8f25cd029faff85a6b058713bd0893bc633

SHA512
e1c709281960cc82bc364c2cfd6aa8300e3264c170af39f1840435919b850fabf3bffa9acf0be19fa46743dcf5ff2d126311589fcb2cde7638f0c24315bb1083

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
7632b607c1a81475c41bd56bc3730992

SHA1
ab68cd40de350038c4ff379fa169efbcfbe8bd16

SHA256
8486ca20f9fa6c1ed81b682caf632ba756fa90be052f94df552f6e710b23f677

SHA512
779154f6ede7ab2435bf9926609ae243dd98bae2081defa388644ec2e1ca72ccdc11fdce200b06df8d8281fb70dae0c4b0902639d768941195c335757c4a7634

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
786a76fc13ed68405d70f24ae566a746

SHA1
37c3f9152d0a80c8446eff4477fd5b20bdcca1b1

SHA256
38bbf80bfa2338ee5581304559f47a1537a9428390f6b94b0108f92b8cadbb67

SHA512
60f4e57c4990880bf2862252ed46d94c39bd48bdc4925bbc5f346eff94d5f8c8567189afeb91f41bc5879f13539c931c3f93906cfba2ba89028eccba7730cabc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c7a79856d7ecd71a84d6492890da2aa5

SHA1
031b38bf2a594518ff967d101ad1f4cbdfea2b5f

SHA256
76dbd0ec1e56503da98df141ce297b2859b9fd76979990a0ca3f6c97f4f8696b

SHA512
4ebf8f05837d96206197edc1171dd050b0514cb44563d7dec7e0296e39f0d968e75a54c18ab31c1d7f959006c157d229596f720fc1aaedbe584db258d04c8506

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
93f6a4b47b785e4efb864f541321a469

SHA1
93148e11ea798a3bfb335c28b1675f341d6c14f6

SHA256
916174cabc0fc386906335922d82354f27ecb1cfb5a448bb36cdac80f8be7359

SHA512
d2206128dc034d313ae16531e54a4081468bb84775c5088fa592a42d58d6c4d5afc98b442b3c52589c32af9f2fb5d859e7f392dd240f9f20279f6398f8a410d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
63e62e02ee9c90b7adfb2eefe7efa04f

SHA1
9bc1eda86f7f95345c2a3901288b6867447dee6b

SHA256
cbafbcef08446541d49da9d11842ab860628a7d317db15f570b7b1e1048ade11

SHA512
3d2bf16c2a9b42e28dc9d2c18d6d697d3749b14f2f6c708ea9e587022aeb5fbbcffaa49c4f4f994f1cd1f6c886b8d8b6ab3a29d3b65fe0659ea0f2fa9d47ba52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
0201240c5d3120cec61629a9122a0b57

SHA1
ec2b6ad6f54789b27884cacfd5d97a4199971b50

SHA256
3d4cafef6b63e601b6db23eef78d4b9e1497f41892018c1d4baa1cf7c5043767

SHA512
76a6b74f3d19e352466879b4f78a3721400a7eb2d80045ef2989f9b573b13f9310c4666b358b84b996d83bda4b01d682604f5ab99bb4ba476b72dcdad4a31a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_raxigotc.z4f.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Music\User\HTCTL32.DLL

Filesize
320KB

MD5
2d3b207c8a48148296156e5725426c7f

SHA1
ad464eb7cf5c19c8a443ab5b590440b32dbc618f

SHA256
edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

SHA512
55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Download Submit
C:\Users\Public\Music\User\NSM.LIC

Filesize
1KB

MD5
0387502d4bf03a8243555e5c695f939c

SHA1
907b7e7000d015ebe3648ea1c464abd89a509394

SHA256
e4715acf55d7d4ecca21097ce1ff755883fbd131e3d2a00a645af29bf68d3aca

SHA512
e2988f9f4fd7a3720d2c586c7f49371cc8de07560e48df5de1e20ff06e171655edacd857e29b36842a26d09407b24c809952b97931e0feb77cd0abb6d626040a

Download Submit
C:\Users\Public\Music\User\PCICL32.dll

Filesize
3.5MB

MD5
ad51946b1659ed61b76ff4e599e36683

SHA1
dfe2439424886e8acf9fa3ffde6caaf7bfdd583e

SHA256
07a191254362664b3993479a277199f7ea5ee723b6c25803914eedb50250acf4

SHA512
6c30e7793f69508f6d9aa6edcec6930ba361628ef597e32c218e15d80586f5a86d89fcbee63a35eab7b1e0ae26277512f4c1a03df7912f9b7ff9a9a858cf3962

Download Submit
C:\Users\Public\Music\User\User1.7z

Filesize
1.4MB

MD5
1ad7a17e862a9fcfe4dfff9a108aa05a

SHA1
34cb59d46f8d25a6cfdfcce5dfb9973503e1fbb7

SHA256
acda7353548effcb928eb640bb6a761567f6e5e48b45241bc32c29130e846384

SHA512
16be14cfb3a370071326631dd409c2527d1bcecccbc8667ef4e5ffdb2c134d656b35111f75d705e01075aca4b133fbb47480806d792e3c28bbdcd94bf367e082

Download Submit
C:\Users\Public\Music\User\client32.exe

Filesize
54KB

MD5
0390d6c23eb9001759fc654ad8b91a1d

SHA1
30a485118e69f66c0dce1d656b5b366f62eb638c

SHA256
1dfc715e9f4c9d0dd16b23f9d4d289aa9961b1781273aef11721a8543f348711

SHA512
dadfa7656d070e724319303f8b9c67a5fc8d64f0e4ecc460c03ac0bad9aee9c5f3e5dc5859f665a3a7ad3d2b783755eb5b89a04f824c6ec0629405d428cc35a9

Download Submit
C:\Users\Public\Music\User\client32.ini

Filesize
653B

MD5
405b3920863a3824113bc7d6769181c6

SHA1
34d5acbf5e2bee49588adffc3a3acf26a0ff5aef

SHA256
c221e9d616158cddfa2f768d3e3004ced7bfea7af4ab92a6afbb8652499c5d88

SHA512
d8e50a32ea3a978c6601ab91b1ffb3f4c8cdbfd557fe2e4840bfe6421f767cbf2aa1462f4583187853837156f6e0d902ecf39311f7756b7b1d42c68b14780b49

Download Submit
C:\Users\Public\Music\User\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Public\Music\User\pcicapi.dll

Filesize
32KB

MD5
dcde2248d19c778a41aa165866dd52d0

SHA1
7ec84be84fe23f0b0093b647538737e1f19ebb03

SHA256
9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

SHA512
c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

Download Submit
C:\Users\Public\Music\User\pcichek.dll

Filesize
18KB

MD5
a0b9388c5f18e27266a31f8c5765b263

SHA1
906f7e94f841d464d4da144f7c858fa2160e36db

SHA256
313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

SHA512
6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

Download Submit
memory/2320-16-0x00007FF8B8BE0000-0x00007FF8B8BF0000-memory.dmp

Filesize
64KB

Download
memory/2320-17-0x00007FF8F8BFC000-0x00007FF8F8BFD000-memory.dmp

Filesize
4KB

Download
memory/2320-21-0x00007FF720F50000-0x00007FF720F60000-memory.dmp

Filesize
64KB

Download
memory/2320-15-0x00007FF720F50000-0x00007FF720F60000-memory.dmp

Filesize
64KB

Download
memory/3572-20-0x00007FF63A150000-0x00007FF63A160000-memory.dmp

Filesize
64KB

Download
memory/3572-18-0x00007FF63A150000-0x00007FF63A160000-memory.dmp

Filesize
64KB

Download
memory/4568-0-0x00007FF8DC9A3000-0x00007FF8DC9A5000-memory.dmp

Filesize
8KB

Download
memory/4568-14-0x00007FF8DC9A0000-0x00007FF8DD461000-memory.dmp

Filesize
10.8MB

Download
memory/4568-12-0x00007FF8DC9A0000-0x00007FF8DD461000-memory.dmp

Filesize
10.8MB

Download
memory/4568-11-0x00007FF8DC9A0000-0x00007FF8DD461000-memory.dmp

Filesize
10.8MB

Download
memory/4568-6-0x000001CEB5740000-0x000001CEB5762000-memory.dmp

Filesize
136KB

Download