netsupport | 4c2f8feced7768f756ac7d4fa633b08fd61f0ba198c860fa4f1093dedbf060d2

Analysis

max time kernel
150s
max time network
159s
platform
windows11-21h2_x64
resource
win11-20240704-en
resource tags

arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
submitted
09/07/2024, 07:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

iefbugpaeitgbpietu.ps1
Size

561B
MD5

3a0ef7cf40cc50d47cb956fce8baa456
SHA1

381b421b49f88e035b274711d315050f83c43e22
SHA256

2bd6b5cbeddab8b01e14ed4c073afdbd4316340aada77e3e55ba5e1af21652f7
SHA512

16d510ae8d35165f2ef012f11c74c13c0f9758fde07809017411197f06b39c3b7d08c6963392278ee37c9f7db42003e3e15ace8829685f74f5a55fb176dbfa44

Score

10^/10

netsupport execution rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Executes dropped EXE 1 IoCs

pid	Process
3152	file.exe

Loads dropped DLL 5 IoCs

pid	Process
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2464	powershell.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2464	powershell.exe
2464	powershell.exe
2320	msedge.exe
2320	msedge.exe
3920	msedge.exe
3920	msedge.exe
4400	msedge.exe
4400	msedge.exe
1028	identity_helper.exe
1028	identity_helper.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeRestorePrivilege	980	25.exe
Token: 35	980	25.exe
Token: SeSecurityPrivilege	980	25.exe
Token: SeSecurityPrivilege	980	25.exe
Token: SeRestorePrivilege	4552	25.exe
Token: 35	4552	25.exe
Token: SeSecurityPrivilege	4552	25.exe
Token: SeSecurityPrivilege	4552	25.exe
Token: SeRestorePrivilege	2792	25.exe
Token: 35	2792	25.exe
Token: SeSecurityPrivilege	2792	25.exe
Token: SeSecurityPrivilege	2792	25.exe
Token: SeSecurityPrivilege	3152	file.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3152	file.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 3920	2464	powershell.exe	81
PID 2464 wrote to memory of 3920	2464	powershell.exe	81
PID 2464 wrote to memory of 988	2464	powershell.exe	82
PID 2464 wrote to memory of 988	2464	powershell.exe	82
PID 3920 wrote to memory of 4088	3920	msedge.exe	83
PID 3920 wrote to memory of 4088	3920	msedge.exe	83
PID 988 wrote to memory of 980	988	cmd.exe	84
PID 988 wrote to memory of 980	988	cmd.exe	84
PID 988 wrote to memory of 980	988	cmd.exe	84
PID 2464 wrote to memory of 2208	2464	powershell.exe	85
PID 2464 wrote to memory of 2208	2464	powershell.exe	85
PID 2208 wrote to memory of 4552	2208	cmd.exe	86
PID 2208 wrote to memory of 4552	2208	cmd.exe	86
PID 2208 wrote to memory of 4552	2208	cmd.exe	86
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 240	3920	msedge.exe	87
PID 3920 wrote to memory of 2320	3920	msedge.exe	88
PID 3920 wrote to memory of 2320	3920	msedge.exe	88
PID 3920 wrote to memory of 4700	3920	msedge.exe	89
PID 3920 wrote to memory of 4700	3920	msedge.exe	89
PID 3920 wrote to memory of 4700	3920	msedge.exe	89
PID 3920 wrote to memory of 4700	3920	msedge.exe	89
PID 3920 wrote to memory of 4700	3920	msedge.exe	89
PID 3920 wrote to memory of 4700	3920	msedge.exe	89
PID 3920 wrote to memory of 4700	3920	msedge.exe	89
PID 3920 wrote to memory of 4700	3920	msedge.exe	89

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\iefbugpaeitgbpietu.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/chrome/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffedf73cb8,0x7fffedf73cc8,0x7fffedf73cd8
    3⤵
    PID:4088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1720,2048870059400149696,9444443055273340396,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
    3⤵
    PID:240
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1720,2048870059400149696,9444443055273340396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2320
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1720,2048870059400149696,9444443055273340396,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8
    3⤵
    PID:4700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,2048870059400149696,9444443055273340396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
    3⤵
    PID:3276
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,2048870059400149696,9444443055273340396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
    3⤵
    PID:656
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1720,2048870059400149696,9444443055273340396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4400
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1720,2048870059400149696,9444443055273340396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,2048870059400149696,9444443055273340396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
    3⤵
    PID:4788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,2048870059400149696,9444443055273340396,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
    3⤵
    PID:4688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,2048870059400149696,9444443055273340396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
    3⤵
    PID:4284
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,2048870059400149696,9444443055273340396,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
    3⤵
    PID:5076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1720,2048870059400149696,9444443055273340396,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3016 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1448
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "VFS\ProgramFilesX64\25\25.exe e VFS\ProgramFilesX64\Documents3.7z -oC:\Users\Public\Documents\Documents -pDocuments3"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Users\Admin\AppData\Local\Temp\VFS\ProgramFilesX64\25\25.exe
    VFS\ProgramFilesX64\25\25.exe e VFS\ProgramFilesX64\Documents3.7z -oC:\Users\Public\Documents\Documents -pDocuments3
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:980
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "VFS\ProgramFilesX64\25\25.exe e C:\Users\Public\Documents\Documents\Documents2.7z -oC:\Users\Public\Documents\Documents -pDocuments2"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Users\Admin\AppData\Local\Temp\VFS\ProgramFilesX64\25\25.exe
    VFS\ProgramFilesX64\25\25.exe e C:\Users\Public\Documents\Documents\Documents2.7z -oC:\Users\Public\Documents\Documents -pDocuments2
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4552
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "VFS\ProgramFilesX64\25\25.exe e C:\Users\Public\Documents\Documents\Documents1.7z -oC:\Users\Public\Documents\Documents -pDocuments1"
  2⤵
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\VFS\ProgramFilesX64\25\25.exe
    VFS\ProgramFilesX64\25\25.exe e C:\Users\Public\Documents\Documents\Documents1.7z -oC:\Users\Public\Documents\Documents -pDocuments1
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2792
- C:\Users\Public\Documents\Documents\file.exe
  "C:\Users\Public\Documents\Documents\file.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2856

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
11b22949a84a750056bef0aa6ea4fc45

SHA1
c3d49da0344a2bb3cebbce6569b1fd223aa2ebd8

SHA256
59db861ff42f39a5f777bd9b8a167b7b15c96e60ed148ea875a9f1f0d4caaa6f

SHA512
01bbc38a4b8fb8a53c3897d63d3362c8a980fcb395986671cfd13e0fa893a68ab3e45379127da69565e0b1e4125a41834c62b06b8d9b852c6b71a1ec68a930b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b1f20c797906f82fd003270485ceaef

SHA1
51ee0859382d77aba329e0ec2dad81b383c534ed

SHA256
7980e988f80ffc29a79b2d13c0d4160ad1d1f77fb6ddd95b7ec263b7421a0c91

SHA512
7b8f859ffa55759a1e90540754bc80a4218ddf2ee953736865ba4c5c9aa33556bd8ac45da1dce7426c75c5d754268c450054f875927cbba800ad665f09941cde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
82c9d4074739361b5c673f932d5ac60e

SHA1
18c937d827f9caa9a06e87a2212e18facea55b67

SHA256
a20458001678361cd30379c2b285c219a4bbcd7797515b2992e49ce22840a4f6

SHA512
e7a3540e6705b42708272e2792a6674f298b044f021f2a1cf2851b3db6bf2f0bdbc970f768af09e3b5bfee9aaa2a8ac7dce4d600cda5055599787d9b00072c47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
1e9753873d0251ef032d9dd2867ed5e6

SHA1
313994e5a605a41af390b54091c4777530fd0671

SHA256
1e1eebc712fbef41aeba1984db041d3447343c7febe410ee702a7d8afe1470d4

SHA512
bc52e99841051ed500bf81d5a0af8a3520455e6660cbb29d0181ab1602bc5f3d3d36df8d8178afe82df3d922460cb41cda143a015e0708f4bcc789213051b2b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9a53fd76d8370ca3d3d8139c993468cd

SHA1
77d6018745c6f01b2a5851be886d6e53cbd39ae0

SHA256
263e2a16ab603d19bf935d39ca043d4b5e8c46556b1223cf9eb0573c8bb1bcb3

SHA512
5c4ed4dcc84f9eba3d4467f3c7e61ebdf22842314f8336eddd7aca22850d1c0527350f4dae99e645eb5046bf935248bb0a378b84a60bf673742781d3ee8237da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
15dbeb00f1b33c5df5719809ca5fb8e5

SHA1
a6613f31d0574be6837a5c0721ea3a892eddc5d2

SHA256
3c1739aaef6d683c8d2f6c5c9c38a5613903e907b90d7140aa3d4ac3e5a65ddd

SHA512
c7f5d97c2f1afc8f48da1fa7b54f36c4415d2776b8774fffb541b5db8c717929f210fc3446eae369c1322488ef8bddba52e8c02c85aadb1cc8ada8b3cf37386e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6ad3f42e899591ddf2e5edb1218a6f1d

SHA1
98c5e5507af445b4abf20109cd300cd5ea51488f

SHA256
eaa7419fb20af7ec83aac1ff98f387a36bc90539e0858dc2442f70e1e15eb7dc

SHA512
e423cb3e99f534fd1bc12ab6034120add883fa4512bd8690017cb09fe377893e06eedf80d07a69236a078c2b47a5a2bac3e842d523f01854e5867f62a5bc5a5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f1b12c446c3ace88c64be012b600257a

SHA1
5bea9aa2ca116a98771ec51199c43bbab58b6953

SHA256
b930e2c7a69454b3bb95df8854b8ccee31d24fa5dbc26195e7c0ba664b684685

SHA512
17922c55430c93dab10a47a858a4f7067daa2d197115e3d2287694758c597c4db70f8df2d22a880c319479389eca1869bc1cc05a6b65884e9eb285bef2b20dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kxkckkdy.5pz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Documents\Documents\Documents1.7z

Filesize
1.4MB

MD5
c143483d862381f1a9ac6048b9a4d699

SHA1
4d6e7d231d4457bf0f70ecf01e51da4884d1234f

SHA256
76540185c3f4be75b3ef02ba4faa6ecebe4a7665e56f0db0edc1b6e07e30a0e1

SHA512
394fef1a59b65e49d7e83240167ac07868f9eafdad79c918599c54c27bf1ec33949571e891ee4a4f01039ce47ba555c8e21ccec50b5be17e4dffd9907a56de44

Download Submit
C:\Users\Public\Documents\Documents\Documents2.7z

Filesize
1.4MB

MD5
9be854758878966e7523d5018999563f

SHA1
19678ec416e7b1efad6fa1922e19498a642dad99

SHA256
926ef4e22a3709d05207a8bfc84c74598580f56ef04b9ffbd54dfc4dfc19c2f6

SHA512
601de1c5736a96a4d32e2d59c133fa1c22365c49fe30d1504709be21240c26f892068eb002ba7a901a9b3835bebab86bd6f573ce4571ac51da98be53fc92a2ad

Download Submit
C:\Users\Public\Documents\Documents\HTCTL32.DLL

Filesize
320KB

MD5
2d3b207c8a48148296156e5725426c7f

SHA1
ad464eb7cf5c19c8a443ab5b590440b32dbc618f

SHA256
edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

SHA512
55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Download Submit
C:\Users\Public\Documents\Documents\NSM.LIC

Filesize
1KB

MD5
20727baed6d7dee8dc4ed4200cb84cc0

SHA1
1e33094656bb59f3780463b4f6202790b9c1c3a9

SHA256
59790e75c0d9b4a8024ad28d1850ce8095762e24b7fbc9dc00e6f72ac21132ff

SHA512
1ba64309e02be3557750de5c05d77fa9e6ebc56946a9f59b015d62d33ac9b416357ccc1245c333cb58f384b1d946003241893ea245716bdc0449d0d7f54ffdcb

Download Submit
C:\Users\Public\Documents\Documents\PCICHEK.DLL

Filesize
18KB

MD5
a0b9388c5f18e27266a31f8c5765b263

SHA1
906f7e94f841d464d4da144f7c858fa2160e36db

SHA256
313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

SHA512
6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

Download Submit
C:\Users\Public\Documents\Documents\PCICL32.dll

Filesize
3.5MB

MD5
ad51946b1659ed61b76ff4e599e36683

SHA1
dfe2439424886e8acf9fa3ffde6caaf7bfdd583e

SHA256
07a191254362664b3993479a277199f7ea5ee723b6c25803914eedb50250acf4

SHA512
6c30e7793f69508f6d9aa6edcec6930ba361628ef597e32c218e15d80586f5a86d89fcbee63a35eab7b1e0ae26277512f4c1a03df7912f9b7ff9a9a858cf3962

Download Submit
C:\Users\Public\Documents\Documents\client32.ini

Filesize
651B

MD5
f3ba3a72be77578c4c8b3cde0134c3f1

SHA1
79f8b80976dd7c352b83f6f76bd091ad93fa8227

SHA256
5749a17b1e0ebb56b5f39b519d462b9a5d31b2d06b8c1850926e6106e82240c2

SHA512
ec97746a15a50d476caf234c4cdfe8dbe15450368a2da9e978fc519b96e4d5ed81909671963d94d6d27947d09f87774a9a44267933c3ca9ef049e80e28ae507e

Download Submit
C:\Users\Public\Documents\Documents\file.exe

Filesize
54KB

MD5
443d48f993d073c0f7027ce386ddb862

SHA1
7c947415d46f55291267c3e1fa47a797a3503aa6

SHA256
b2ada18bbaf798c8a641df5b0ff1b48006f6029ccb9c5a529d91673367de3e35

SHA512
8abf630ddecf9ebab1196bbc9c87f1004c5d58ef576b5f1d08b6316f06ba55d78edffdec6d6676ddd1ba27ff1e7fa8a6ac2c1fb659e0dd0b2c4989a59c711e05

Download Submit
C:\Users\Public\Documents\Documents\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Public\Documents\Documents\pcicapi.dll

Filesize
32KB

MD5
dcde2248d19c778a41aa165866dd52d0

SHA1
7ec84be84fe23f0b0093b647538737e1f19ebb03

SHA256
9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

SHA512
c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

Download Submit
memory/2464-118-0x00007FFFF4AF0000-0x00007FFFF55B2000-memory.dmp

Filesize
10.8MB

Download
memory/2464-0-0x00007FFFF4AF3000-0x00007FFFF4AF5000-memory.dmp

Filesize
8KB

Download
memory/2464-12-0x00007FFFF4AF0000-0x00007FFFF55B2000-memory.dmp

Filesize
10.8MB

Download
memory/2464-11-0x00007FFFF4AF0000-0x00007FFFF55B2000-memory.dmp

Filesize
10.8MB

Download
memory/2464-10-0x00007FFFF4AF0000-0x00007FFFF55B2000-memory.dmp

Filesize
10.8MB

Download
memory/2464-9-0x0000022F7BA00000-0x0000022F7BA22000-memory.dmp

Filesize
136KB

Download