agenttesla | 0b6b634a3d763601e989506f485f0bbbb9aa0b739f34d5566069bfd7bdc05904

Analysis

max time kernel
150s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2023 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Balance payment.exe
Size

392KB
MD5

9380d44800fbdf3899fe1d04af533d1f
SHA1

a052510980763e83d19c3f9824ea58a5f4eab2b3
SHA256

0b6b634a3d763601e989506f485f0bbbb9aa0b739f34d5566069bfd7bdc05904
SHA512

8e2e205984f1672df25d4c78fca631290706e793677f480b0d088e60bdbef6b91b5e7752175cef0d85fc6c381adf39c64cb3ba6c4578ddbd5b7a79dff9f7be99
SSDEEP

6144:WSodkdIGvvJXFj+3vsW5qeP0sCuTiw14LqcCiNMF2eR2BQ1hZnhG5rO/lGFNzTbn:WSFdIGZVjukc044NCiSx71HsKGXJSA

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bezzleauto.com
Port:
587
Username:
[email protected]
Password:
Kene123456789
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Balance payment.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation	Balance payment.exe

Drops startup file 1 IoCs

Processes:

Balance payment.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs Balance payment.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

description pid process target process

PID 3256 set thread context of 1420 3256 Balance payment.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	Balance payment.exe

description	pid	process	target process
PID 3256 set thread context of 1420	3256		Balance payment.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

4148 ipconfig.exe
3568 ipconfig.exe

pid	process
4148	ipconfig.exe
3568	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

Balance payment.exepowershell.exemsedge.exemsedge.exeBalance payment.exeidentity_helper.exe

pid	process
3256	Balance payment.exe
3828	powershell.exe
3828	powershell.exe
2280	msedge.exe
2280	msedge.exe
4080	msedge.exe
4080	msedge.exe
1420	Balance payment.exe
1420	Balance payment.exe
1420	Balance payment.exe
2380	identity_helper.exe
2380	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4080 msedge.exe
4080 msedge.exe
4080 msedge.exe
4080 msedge.exe
4080 msedge.exe
4080 msedge.exe
4080 msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Balance payment.exepowershell.exeBalance payment.exe

description	pid	process
Token: SeDebugPrivilege	3256	Balance payment.exe
Token: SeDebugPrivilege	3828	powershell.exe
Token: SeDebugPrivilege	1420	Balance payment.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Balance payment.execmd.execmd.exepowershell.exemsedge.exe

description	pid	process	target process
PID 3256 wrote to memory of 4048	3256	Balance payment.exe	cmd.exe
PID 3256 wrote to memory of 4048	3256	Balance payment.exe	cmd.exe
PID 3256 wrote to memory of 4048	3256	Balance payment.exe	cmd.exe
PID 4048 wrote to memory of 4148	4048	cmd.exe	ipconfig.exe
PID 4048 wrote to memory of 4148	4048	cmd.exe	ipconfig.exe
PID 4048 wrote to memory of 4148	4048	cmd.exe	ipconfig.exe
PID 3256 wrote to memory of 3828	3256	Balance payment.exe	powershell.exe
PID 3256 wrote to memory of 3828	3256	Balance payment.exe	powershell.exe
PID 3256 wrote to memory of 3828	3256	Balance payment.exe	powershell.exe
PID 3256 wrote to memory of 5052	3256	Balance payment.exe	cmd.exe
PID 3256 wrote to memory of 5052	3256	Balance payment.exe	cmd.exe
PID 3256 wrote to memory of 5052	3256	Balance payment.exe	cmd.exe
PID 5052 wrote to memory of 3568	5052	cmd.exe	ipconfig.exe
PID 5052 wrote to memory of 3568	5052	cmd.exe	ipconfig.exe
PID 5052 wrote to memory of 3568	5052	cmd.exe	ipconfig.exe
PID 3828 wrote to memory of 4080	3828	powershell.exe	msedge.exe
PID 3828 wrote to memory of 4080	3828	powershell.exe	msedge.exe
PID 4080 wrote to memory of 3124	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3124	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 3084	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 2280	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 2280	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 2376	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 2376	4080	msedge.exe	msedge.exe
PID 4080 wrote to memory of 2376	4080	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Balance payment.exe
"C:\Users\Admin\AppData\Local\Temp\Balance payment.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3256

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /release
2⤵
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
3⤵
- Gathers network information
PID:4148

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACcAaAB0AHQAcABzADoALwAvAGcAbwBvAGcAbABlAC4AYwBvAG0AJwA=
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://google.com/
3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc66ce46f8,0x7ffc66ce4708,0x7ffc66ce4718
4⤵
PID:3124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,1776442133644775483,15933202683322420178,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,1776442133644775483,15933202683322420178,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
4⤵
PID:3084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,1776442133644775483,15933202683322420178,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
4⤵
PID:2376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1776442133644775483,15933202683322420178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
4⤵
PID:3208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1776442133644775483,15933202683322420178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
4⤵
PID:4332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1776442133644775483,15933202683322420178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
4⤵
PID:524

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,1776442133644775483,15933202683322420178,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 /prefetch:8
4⤵
PID:1572

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,1776442133644775483,15933202683322420178,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1776442133644775483,15933202683322420178,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
4⤵
PID:4192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1776442133644775483,15933202683322420178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
4⤵
PID:1328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1776442133644775483,15933202683322420178,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
4⤵
PID:5328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1776442133644775483,15933202683322420178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
4⤵
PID:5320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /renew
2⤵
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /renew
3⤵
- Gathers network information
PID:3568

C:\Users\Admin\AppData\Local\Temp\Balance payment.exe
"C:\Users\Admin\AppData\Local\Temp\Balance payment.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Balance payment.exe.log

Filesize
1KB

MD5
8c2da65103d6b46d8cf610b118210cf0

SHA1
9db4638340bb74f2af3161cc2c9c0b8b32e6ab65

SHA256
0e48e2efd419951e0eb9a8d942493cfdf5540d1d19ff9dae6f145fb3ebcbeeac

SHA512
3cf5a125276e264cd8478f2b92d3848fb68b96d46eb4a39e650d09df02068c274881a1c314cdfbfdcb452672fb70dd8becf3ffe9562d39919d9c4d6b07fbb614

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7c89e9212e22e92acc3d335fe9a44fe6

SHA1
c43c7e1b5fb58a40a01a6d8dd947c41a48e0b41f

SHA256
18c46c863404b31fcce434662806fa34daff0f9af0a9379d898f772b5c398b44

SHA512
c6961c171af63ddc7a72aaba4c9d910cc6a424794c416cd1ce51206f7c7f1100ca51c9e41d07d68489105dccded2294c1d761a8dc6be80d22c661014efd6a9ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
de46e80d5281a6744013253786f7474c

SHA1
1de166d525f31deecd86771241b97de21a572c32

SHA256
de2dc6dbe93c3604d0f2f214a492444db77081a69340a007839b607a88c32b42

SHA512
1af80e7cb138808a57ddcc6c7c3f2973592b0e3074ccbf2d8245d4a3de42e8e88e00d9f195c0792d1fcf28d7e111c91a14374dbcfcb15d4792a1bcd265ff89e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
d3bf261b69b3659d04bff42c6188d7a5

SHA1
1d39407c59cd1e152938a3d85921dbdf65ab8462

SHA256
d2c8af497e9e8d0f354ced4d5ffc7c89e78638d5b44a4d89d7d4f6ecf0dee8ca

SHA512
67973ac480666d1ed23f6ba8560e69822fddebfa8ddd54da9c162909ba0ae7fc52dbfbc39eea87992cce4e6532ae4616497f8532144bd93ff19b296ba9ec4ace

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8cdccdd0defd1c82ec64b4a63ed65c55

SHA1
fa696e7bb20b8454c9b97755818317195c87e2a6

SHA256
e19a95110f0935eb55948aa0bb7cf35ee4bb091290236461685a26e31f8ae5d1

SHA512
8f84da58a44a5f1fb422da6b2b80247e8fb5cb4e99caebfc4a33528639397ebab8ecd03f50d49e1eb1fdf05460d556db1d79358f8a6e18dbd090fa6903f5eb1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f8ecb23ae1d1c2c87b74e3875686149e

SHA1
057a9c715fce05e5d1d7952f6309b818fc41d09d

SHA256
405be6af40963029aba4a28353a2c7e3a7ad4c545a24f5296d9915f33363a709

SHA512
c1033cac49415072734385e9422f1b5576f25fa84be4353b63592cf502ff9c3f618ce8e3f03a5a0f34f0713374334cd1386225cae710a687c64a6ddfdf432acc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
d7b2b29ef1d9a33e61e1167984c8ca3e

SHA1
9a0da1a3cf9003ecf6aba220a8a00ca34a7ebd34

SHA256
7d4bbec0e8bf4e62f352750240a0bc0f7844d58fea590bc6a9fc972c3b752dc2

SHA512
3cc40b7e35c0749e419b035a73768c8f76bace77ed44be6a59469a032b643da15162733e5aaa94064494b055858a24e4f79326a863f31f1c28eab44cec35cbec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f1c73ae6b7961dba8e670061c9c2d02f

SHA1
868d6a447cb7a5d0353b9f44a8f4a6a76d4a00b7

SHA256
b111fa7ff939df057e4da713c63f8b90bbdbec8fb24134b7587804b6e2d73f27

SHA512
35225a42853ac7d1f451a234743e6ed1467de19678ad89b1dac22446abb150884fb7afd5dde0dddfc8eeb431a5d8426a72d48dcdd5b6f0009025da52a99a1036

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tg541bog.4g4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\pipe\LOCAL\crashpad_4080_AULTHJFMBPCUBVRS

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1420-114-0x00000000065C0000-0x000000000665C000-memory.dmp

Filesize
624KB

Download
memory/1420-113-0x00000000064D0000-0x0000000006520000-memory.dmp

Filesize
320KB

Download
memory/1420-79-0x0000000005710000-0x0000000005720000-memory.dmp

Filesize
64KB

Download
memory/1420-75-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/1420-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1420-168-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/1420-169-0x0000000005710000-0x0000000005720000-memory.dmp

Filesize
64KB

Download
memory/3256-11-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/3256-76-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/3256-1-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/3256-2-0x0000000005560000-0x0000000005B04000-memory.dmp

Filesize
5.6MB

Download
memory/3256-3-0x0000000004FB0000-0x0000000005042000-memory.dmp

Filesize
584KB

Download
memory/3256-4-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/3256-5-0x0000000004F50000-0x0000000004F5A000-memory.dmp

Filesize
40KB

Download
memory/3256-6-0x00000000051B0000-0x0000000005208000-memory.dmp

Filesize
352KB

Download
memory/3256-7-0x0000000005210000-0x0000000005250000-memory.dmp

Filesize
256KB

Download
memory/3256-8-0x0000000005360000-0x00000000053A0000-memory.dmp

Filesize
256KB

Download
memory/3256-9-0x00000000053A0000-0x00000000053EC000-memory.dmp

Filesize
304KB

Download
memory/3256-10-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/3256-0-0x00000000004F0000-0x0000000000558000-memory.dmp

Filesize
416KB

Download
memory/3828-35-0x0000000006B30000-0x0000000006B4A000-memory.dmp

Filesize
104KB

Download
memory/3828-20-0x0000000005EE0000-0x0000000005F46000-memory.dmp

Filesize
408KB

Download
memory/3828-16-0x0000000003230000-0x0000000003240000-memory.dmp

Filesize
64KB

Download
memory/3828-14-0x0000000002FD0000-0x0000000003006000-memory.dmp

Filesize
216KB

Download
memory/3828-17-0x0000000003230000-0x0000000003240000-memory.dmp

Filesize
64KB

Download
memory/3828-18-0x00000000058B0000-0x0000000005ED8000-memory.dmp

Filesize
6.2MB

Download
memory/3828-19-0x0000000005730000-0x0000000005752000-memory.dmp

Filesize
136KB

Download
memory/3828-15-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/3828-39-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/3828-21-0x0000000005FC0000-0x0000000006026000-memory.dmp

Filesize
408KB

Download
memory/3828-36-0x0000000006B80000-0x0000000006BA2000-memory.dmp

Filesize
136KB

Download
memory/3828-34-0x0000000007630000-0x00000000076C6000-memory.dmp

Filesize
600KB

Download
memory/3828-33-0x0000000006A80000-0x0000000006ACC000-memory.dmp

Filesize
304KB

Download
memory/3828-32-0x0000000006660000-0x000000000667E000-memory.dmp

Filesize
120KB

Download
memory/3828-31-0x0000000006170000-0x00000000064C4000-memory.dmp

Filesize
3.3MB

Download