netsupport | 3802c396e836de94ee13e38326b3fb937fcf0d6f6ef9ccdf77643be65de4c8ee

Analysis

max time kernel
1159s
max time network
1207s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
23-06-2024 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

update_21_06_2024_8007376.appx
Size

5.7MB
MD5

cf0ee8a6c9012e71d181916641b2228d
SHA1

029da267489f40b80f0f2096396f63ab0f692d58
SHA256

3802c396e836de94ee13e38326b3fb937fcf0d6f6ef9ccdf77643be65de4c8ee
SHA512

f161f286110c0ab643c901cbd30d2970b5d03081c59f2e741c2a30b871ba22359eb08a97f4601ea76f033f947e8e43118950398511d8582be6ceac0e122cd8a1
SSDEEP

98304:6p2MdFnpfy/CJTAeAbIqLkh0Kboh6R4p8lw6tyJRwfWUmbyK82OCX36dSA1a:BsFty/CxANIUkh0KkhE88mcyJRwfjmbZ

Score

10^/10

netsupport execution rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Executes dropped EXE 1 IoCs

pid	Process
3104	client32.exe

Loads dropped DLL 6 IoCs

pid	Process
3104	client32.exe
3104	client32.exe
3104	client32.exe
3104	client32.exe
3104	client32.exe
3104	client32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
956	Powershell.exe
1896	powershell.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

pid	Process
4264	7za.exe
920	7za.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2492	powershell.exe
2492	powershell.exe
956	Powershell.exe
956	Powershell.exe
1896	powershell.exe
1896	powershell.exe
4536	msedge.exe
4536	msedge.exe
4588	msedge.exe
4588	msedge.exe
904	msedge.exe
904	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	956	Powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeRestorePrivilege	4264	7za.exe
Token: 35	4264	7za.exe
Token: SeSecurityPrivilege	4264	7za.exe
Token: SeSecurityPrivilege	4264	7za.exe
Token: SeRestorePrivilege	920	7za.exe
Token: 35	920	7za.exe
Token: SeSecurityPrivilege	920	7za.exe
Token: SeSecurityPrivilege	920	7za.exe
Token: SeSecurityPrivilege	3104	client32.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
3104	client32.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4756 wrote to memory of 3244	4756	PsfLauncher64.exe	79
PID 4756 wrote to memory of 3244	4756	PsfLauncher64.exe	79
PID 4756 wrote to memory of 3244	4756	PsfLauncher64.exe	79
PID 4756 wrote to memory of 3244	4756	PsfLauncher64.exe	79
PID 4756 wrote to memory of 3244	4756	PsfLauncher64.exe	79
PID 4756 wrote to memory of 3244	4756	PsfLauncher64.exe	79
PID 4756 wrote to memory of 3244	4756	PsfLauncher64.exe	79
PID 4756 wrote to memory of 3244	4756	PsfLauncher64.exe	79
PID 4756 wrote to memory of 3244	4756	PsfLauncher64.exe	79
PID 4756 wrote to memory of 3244	4756	PsfLauncher64.exe	79
PID 4756 wrote to memory of 3244	4756	PsfLauncher64.exe	79
PID 4756 wrote to memory of 3244	4756	PsfLauncher64.exe	79
PID 4756 wrote to memory of 956	4756	PsfLauncher64.exe	80
PID 4756 wrote to memory of 956	4756	PsfLauncher64.exe	80
PID 4756 wrote to memory of 956	4756	PsfLauncher64.exe	80
PID 956 wrote to memory of 1896	956	Powershell.exe	82
PID 956 wrote to memory of 1896	956	Powershell.exe	82
PID 956 wrote to memory of 1896	956	Powershell.exe	82
PID 1896 wrote to memory of 4588	1896	powershell.exe	83
PID 1896 wrote to memory of 4588	1896	powershell.exe	83
PID 1896 wrote to memory of 4588	1896	powershell.exe	83
PID 1896 wrote to memory of 4808	1896	powershell.exe	84
PID 1896 wrote to memory of 4808	1896	powershell.exe	84
PID 1896 wrote to memory of 4808	1896	powershell.exe	84
PID 4588 wrote to memory of 1540	4588	msedge.exe	86
PID 4588 wrote to memory of 1540	4588	msedge.exe	86
PID 4588 wrote to memory of 1540	4588	msedge.exe	86
PID 4808 wrote to memory of 4264	4808	cmd.exe	85
PID 4808 wrote to memory of 4264	4808	cmd.exe	85
PID 4808 wrote to memory of 4264	4808	cmd.exe	85
PID 4808 wrote to memory of 4264	4808	cmd.exe	85
PID 4808 wrote to memory of 4264	4808	cmd.exe	85
PID 1896 wrote to memory of 656	1896	powershell.exe	87
PID 1896 wrote to memory of 656	1896	powershell.exe	87
PID 1896 wrote to memory of 656	1896	powershell.exe	87
PID 656 wrote to memory of 920	656	cmd.exe	88
PID 656 wrote to memory of 920	656	cmd.exe	88
PID 656 wrote to memory of 920	656	cmd.exe	88
PID 656 wrote to memory of 920	656	cmd.exe	88
PID 656 wrote to memory of 920	656	cmd.exe	88
PID 4588 wrote to memory of 3860	4588	msedge.exe	89
PID 4588 wrote to memory of 3860	4588	msedge.exe	89
PID 4588 wrote to memory of 3860	4588	msedge.exe	89
PID 4588 wrote to memory of 3860	4588	msedge.exe	89
PID 4588 wrote to memory of 3860	4588	msedge.exe	89
PID 4588 wrote to memory of 3860	4588	msedge.exe	89
PID 4588 wrote to memory of 3860	4588	msedge.exe	89
PID 4588 wrote to memory of 3860	4588	msedge.exe	89
PID 4588 wrote to memory of 3860	4588	msedge.exe	89
PID 4588 wrote to memory of 3860	4588	msedge.exe	89
PID 4588 wrote to memory of 3860	4588	msedge.exe	89
PID 4588 wrote to memory of 3860	4588	msedge.exe	89
PID 4588 wrote to memory of 3860	4588	msedge.exe	89
PID 4588 wrote to memory of 3860	4588	msedge.exe	89
PID 4588 wrote to memory of 3860	4588	msedge.exe	89
PID 4588 wrote to memory of 3860	4588	msedge.exe	89
PID 4588 wrote to memory of 3860	4588	msedge.exe	89
PID 4588 wrote to memory of 3860	4588	msedge.exe	89
PID 4588 wrote to memory of 3860	4588	msedge.exe	89
PID 4588 wrote to memory of 3860	4588	msedge.exe	89
PID 4588 wrote to memory of 3860	4588	msedge.exe	89
PID 4588 wrote to memory of 3860	4588	msedge.exe	89
PID 4588 wrote to memory of 3860	4588	msedge.exe	89
PID 4588 wrote to memory of 3860	4588	msedge.exe	89

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start shell:AppsFolder\GoogleChrome_4n6cyy4rypx2p!NOTEPAD
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Program Files\WindowsApps\GoogleChrome_4.12.111.0_x64__4n6cyy4rypx2p\PsfLauncher64.exe
"C:\Program Files\WindowsApps\GoogleChrome_4.12.111.0_x64__4n6cyy4rypx2p\PsfLauncher64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Program Files\WindowsApps\GoogleChrome_4.12.111.0_x64__4n6cyy4rypx2p\VFS\ProgramFilesX64\PsfRunDll64.exe
  "PsfRunDll64.exe"
  2⤵
  PID:3244
- C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
  Powershell.exe -ExecutionPolicy RemoteSigned -file "C:\Program Files\WindowsApps\GoogleChrome_4.12.111.0_x64__4n6cyy4rypx2p\StartingScriptWrapper.ps1" "Powershell.exe -ExecutionPolicy RemoteSigned -file '.\petXzS.ps1'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -file .\petXzS.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/intl/en_en/chrome/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4588
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd12b13cb8,0x7ffd12b13cc8,0x7ffd12b13cd8
        5⤵
        
        PID:1540
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,15149577854612848933,1401904929684564746,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2004 /prefetch:2
        5⤵
        
        PID:3860
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,15149577854612848933,1401904929684564746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4536
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2008,15149577854612848933,1401904929684564746,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
        5⤵
        
        PID:1080
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,15149577854612848933,1401904929684564746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
        5⤵
        
        PID:4532
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,15149577854612848933,1401904929684564746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
        5⤵
        
        PID:3300
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2008,15149577854612848933,1401904929684564746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4672 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:904
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,15149577854612848933,1401904929684564746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
        5⤵
        
        PID:1796
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,15149577854612848933,1401904929684564746,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
        5⤵
        
        PID:4324
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,15149577854612848933,1401904929684564746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
        5⤵
        
        PID:4476
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,15149577854612848933,1401904929684564746,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
        5⤵
        
        PID:4120
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,15149577854612848933,1401904929684564746,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5168 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:240
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "VFS\ProgramFilesX64\7z2404-extra\7za.exe e VFS\ProgramFilesX64\user2.7z -oC:\Users\Public\Music\User -p9503789Zz"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4808
    - - C:\Program Files\WindowsApps\GoogleChrome_4.12.111.0_x64__4n6cyy4rypx2p\VFS\ProgramFilesX64\7z2404-extra\7za.exe
        
        VFS\ProgramFilesX64\7z2404-extra\7za.exe e VFS\ProgramFilesX64\user2.7z -oC:\Users\Public\Music\User -p9503789Zz
        5⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:4264
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "VFS\ProgramFilesX64\7z2404-extra\7za.exe e C:\Users\Public\Music\User\user1.7z -oC:\Users\Public\Music\User -p9503789Zz"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:656
    - - C:\Program Files\WindowsApps\GoogleChrome_4.12.111.0_x64__4n6cyy4rypx2p\VFS\ProgramFilesX64\7z2404-extra\7za.exe
        
        VFS\ProgramFilesX64\7z2404-extra\7za.exe e C:\Users\Public\Music\User\user1.7z -oC:\Users\Public\Music\User -p9503789Zz
        5⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
  - - C:\Users\Public\Music\User\client32.exe
      "C:\Users\Public\Music\User\client32.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:3104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c1c7e2f451eb3836d23007799bc21d5f

SHA1
11a25f6055210aa7f99d77346b0d4f1dc123ce79

SHA256
429a870d582c77c8a661c8cc3f4afa424ed5faf64ce722f51a6a74f66b21c800

SHA512
2ca40bbbe76488dff4b10cca78a81ecf2e97d75cd65f301da4414d93e08e33f231171d455b0dbf012b2d4735428e835bf3631f678f0ab203383e315da2d23a34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6876cbd342d4d6b236f44f52c50f780f

SHA1
a215cf6a499bfb67a3266d211844ec4c82128d83

SHA256
ca5a6320d94ee74db11e55893a42a52c56c8f067cba35594d507b593d993451e

SHA512
dff3675753b6b733ffa2da73d28a250a52ab29620935960673d77fe2f90d37a273c8c6afdf87db959bdb49f31b69b41f7aa4febac5bbdd43a9706a4dd9705039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
a07f6ae15be438a492f7448c97e62c60

SHA1
b65b2db19f94321faf84ec10ec8e60fc1dfe6b3d

SHA256
876f90f553980c7ef7ae47b1a6ba254ce4ea4007b9846390bf3b14fb745c7f0d

SHA512
88dc066c7e8855917ecd44717db346a756a8affde9be6cf6eb2575080b86e18af25378d72dc5c8df4c16917aea63863aadbbc32ec6c7b50312cefb239a904042

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
1b084213193a84aae8cf3891c2588922

SHA1
219d8b8c5736e345f130942d049f40e95bdb0acd

SHA256
922968681400ccb0c8aca2a487ac790e9a04f85630ada77a332ac4669a0bc2b9

SHA512
2a23ba65f2f017553fae60e503dbb1f192484c3edeaa55c7f917e5a69fec21e910ee3ffe61c7450b77a54344a050a15f6ea15a7a4a3b57eeb3025951f66323f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
82865630e556651612256ab6911673d7

SHA1
e0f1ed1b79434b36af01a80cb4471ff1f472ff6b

SHA256
891ddc0b3b32cb9e07f73cefb7403e5c331d220e3519f3def8506b6a5bca31d7

SHA512
820aca49a5fa3eb361a0b6cd5b8b67f2219113c7f13a451a87b8b2175a40516eadc854133fbd4239c99eacf0e583a7501f7ca26557fc7656274cafcee75a010e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a92e6430596257ee76ac1a11897d8602

SHA1
2cdf587ed9b9c06d7eea74dc3879d6f5d78348e4

SHA256
8b8cb12a34eada60c3fff6fdd136e77e9a273340a521fbcefa463a23ee898c8d

SHA512
06b3a4b7ea9b52b6fb9cf21d256a3f6a6843c46106644a026dcf6aa93b95269370d6fb0732d83dbc6933316b941293f38a6e7b0dcf6509e9dd6557a8259dac47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
98ff13d6653694fd343da9bb9e5cb1f9

SHA1
2c7911b62ce64d095566a9457b5b81ff6d01df6d

SHA256
463eef1c9aba9b16225ef2177d1d65d483b0202b84d44cdfbe21b4d8ff4ae116

SHA512
7a501d88eb773bb1cdf7ce31f88576a8bfda91d8acd6fc9c18912fb812b43ec29a3c67ae8cbc5934ea2e0002d9380f572bb1723fa049eb30952f52064d3aa72f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
41d4047912ae271191fe6cb130e80ab8

SHA1
582651c8cfc131a43270b096209714141e362d59

SHA256
a0ab7974163d4f6dbf58721f0ddfccb80e979c6a7400a62b347500af1defa525

SHA512
a5b3fba792b2eb1b6e0fd8a263e6a4e8cbe9bad1a9965092862d1e8dfe52185ea7cd6aa407c2a055ecf8afc1dfd1bbe8d86b5dec680752e45fe1cd83271f625a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
161de29ff4705cf39e6556c01e4fc2d4

SHA1
4f01fd7c35010c7db28214749228bb2fbcdcf1ac

SHA256
e862d1a314d8a2e3d8263ad44645bf5ab51f01493f382e9e47709d887203dc4e

SHA512
8c80458c85308a55b975704b0863ad585de10e57119684cf4667d00d0d92ac7ac76235c9af0521966bcc4cea827b1c2d1389247e5bc498792adb7fddcbd4f482

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
271a2877f40dff12f5df1b85f8844e85

SHA1
abdbff01e4aa13bf4e449d050fcd90251f37fb2b

SHA256
3ebd5b937294eeca66abfba6396e7698aade7f1fba82f86adfea497984a80725

SHA512
5d1697852cfd252e38868586d2cb97e94d507ed30b44407308f46df8d217077d4396db0ae719a509b383499f46d67506fe3b65ca384eb6b23a409d6e16336ba7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
db58473f1c8de0535150b143e0f83032

SHA1
c876f77f6fcea039bb1833fe1194439d018d61b3

SHA256
cf2c716974160473d141b5e6f59da185d555608a51c546a6b54110de61bfa70c

SHA512
f168b906f6bedb9f045a3fd1fc4f93465f45ddd2a717f38a9c7163499f9851802619f33565009e225e6754908db08c0601949e475e159b1b3a93051247759ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e3jbuphi.2gh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Music\User\HTCTL32.DLL

Filesize
320KB

MD5
2d3b207c8a48148296156e5725426c7f

SHA1
ad464eb7cf5c19c8a443ab5b590440b32dbc618f

SHA256
edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

SHA512
55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Download Submit
C:\Users\Public\Music\User\NSM.LIC

Filesize
1KB

MD5
0387502d4bf03a8243555e5c695f939c

SHA1
907b7e7000d015ebe3648ea1c464abd89a509394

SHA256
e4715acf55d7d4ecca21097ce1ff755883fbd131e3d2a00a645af29bf68d3aca

SHA512
e2988f9f4fd7a3720d2c586c7f49371cc8de07560e48df5de1e20ff06e171655edacd857e29b36842a26d09407b24c809952b97931e0feb77cd0abb6d626040a

Download Submit
C:\Users\Public\Music\User\PCICHEK.DLL

Filesize
18KB

MD5
a0b9388c5f18e27266a31f8c5765b263

SHA1
906f7e94f841d464d4da144f7c858fa2160e36db

SHA256
313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

SHA512
6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

Download Submit
C:\Users\Public\Music\User\PCICL32.dll

Filesize
3.5MB

MD5
ad51946b1659ed61b76ff4e599e36683

SHA1
dfe2439424886e8acf9fa3ffde6caaf7bfdd583e

SHA256
07a191254362664b3993479a277199f7ea5ee723b6c25803914eedb50250acf4

SHA512
6c30e7793f69508f6d9aa6edcec6930ba361628ef597e32c218e15d80586f5a86d89fcbee63a35eab7b1e0ae26277512f4c1a03df7912f9b7ff9a9a858cf3962

Download Submit
C:\Users\Public\Music\User\User1.7z

Filesize
1.4MB

MD5
1ad7a17e862a9fcfe4dfff9a108aa05a

SHA1
34cb59d46f8d25a6cfdfcce5dfb9973503e1fbb7

SHA256
acda7353548effcb928eb640bb6a761567f6e5e48b45241bc32c29130e846384

SHA512
16be14cfb3a370071326631dd409c2527d1bcecccbc8667ef4e5ffdb2c134d656b35111f75d705e01075aca4b133fbb47480806d792e3c28bbdcd94bf367e082

Download Submit
C:\Users\Public\Music\User\client32.exe

Filesize
54KB

MD5
0390d6c23eb9001759fc654ad8b91a1d

SHA1
30a485118e69f66c0dce1d656b5b366f62eb638c

SHA256
1dfc715e9f4c9d0dd16b23f9d4d289aa9961b1781273aef11721a8543f348711

SHA512
dadfa7656d070e724319303f8b9c67a5fc8d64f0e4ecc460c03ac0bad9aee9c5f3e5dc5859f665a3a7ad3d2b783755eb5b89a04f824c6ec0629405d428cc35a9

Download Submit
C:\Users\Public\Music\User\client32.ini

Filesize
653B

MD5
405b3920863a3824113bc7d6769181c6

SHA1
34d5acbf5e2bee49588adffc3a3acf26a0ff5aef

SHA256
c221e9d616158cddfa2f768d3e3004ced7bfea7af4ab92a6afbb8652499c5d88

SHA512
d8e50a32ea3a978c6601ab91b1ffb3f4c8cdbfd557fe2e4840bfe6421f767cbf2aa1462f4583187853837156f6e0d902ecf39311f7756b7b1d42c68b14780b49

Download Submit
C:\Users\Public\Music\User\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Public\Music\User\pcicapi.dll

Filesize
32KB

MD5
dcde2248d19c778a41aa165866dd52d0

SHA1
7ec84be84fe23f0b0093b647538737e1f19ebb03

SHA256
9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

SHA512
c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

Download Submit
memory/2492-12-0x00007FFD1BE60000-0x00007FFD1C922000-memory.dmp

Filesize
10.8MB

Download
memory/2492-9-0x00000258D8E20000-0x00000258D8E42000-memory.dmp

Filesize
136KB

Download
memory/2492-10-0x00007FFD1BE60000-0x00007FFD1C922000-memory.dmp

Filesize
10.8MB

Download
memory/2492-0-0x00007FFD1BE63000-0x00007FFD1BE65000-memory.dmp

Filesize
8KB

Download
memory/2492-16-0x00007FFD1BE60000-0x00007FFD1C922000-memory.dmp

Filesize
10.8MB

Download
memory/2492-11-0x00007FFD1BE60000-0x00007FFD1C922000-memory.dmp

Filesize
10.8MB

Download
memory/3244-19-0x00007FF6D5320000-0x00007FF6D5330000-memory.dmp

Filesize
64KB

Download
memory/3244-21-0x00007FF6D5320000-0x00007FF6D5330000-memory.dmp

Filesize
64KB

Download
memory/4756-15-0x00007FFCFBC70000-0x00007FFCFBC80000-memory.dmp

Filesize
64KB

Download
memory/4756-17-0x00007FFD3BC8A000-0x00007FFD3BC8B000-memory.dmp

Filesize
4KB

Download
memory/4756-18-0x00007FFD3BC70000-0x00007FFD3BD2D000-memory.dmp

Filesize
756KB

Download
memory/4756-22-0x00007FF5F3930000-0x00007FF5F3940000-memory.dmp

Filesize
64KB

Download
memory/4756-14-0x00007FF5F3930000-0x00007FF5F3940000-memory.dmp

Filesize
64KB

Download
memory/4756-23-0x00007FFD3BC70000-0x00007FFD3BD2D000-memory.dmp

Filesize
756KB

Download