agenttesla | f6d967435c3fdbc87483ed30cb16031cfd6e582fc13a6449cab72654033fc725

Analysis

max time kernel
144s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2023 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Balance payment.exe
Size

392KB
MD5

9380d44800fbdf3899fe1d04af533d1f
SHA1

a052510980763e83d19c3f9824ea58a5f4eab2b3
SHA256

0b6b634a3d763601e989506f485f0bbbb9aa0b739f34d5566069bfd7bdc05904
SHA512

8e2e205984f1672df25d4c78fca631290706e793677f480b0d088e60bdbef6b91b5e7752175cef0d85fc6c381adf39c64cb3ba6c4578ddbd5b7a79dff9f7be99
SSDEEP

6144:WSodkdIGvvJXFj+3vsW5qeP0sCuTiw14LqcCiNMF2eR2BQ1hZnhG5rO/lGFNzTbn:WSFdIGZVjukc044NCiSx71HsKGXJSA

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bezzleauto.com
Port:
587
Username:
[email protected]
Password:
Kene123456789
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Balance payment.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\International\Geo\Nation	Balance payment.exe

Drops startup file 1 IoCs

Processes:

Balance payment.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs Balance payment.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

Balance payment.exe

description pid process target process

PID 3428 set thread context of 3172 3428 Balance payment.exe Balance payment.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	Balance payment.exe

description	pid	process	target process
PID 3428 set thread context of 3172	3428	Balance payment.exe	Balance payment.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

2856 ipconfig.exe
3456 ipconfig.exe

pid	process
2856	ipconfig.exe
3456	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

Balance payment.exepowershell.exemsedge.exemsedge.exeidentity_helper.exeBalance payment.exe

pid	process
3428	Balance payment.exe
5104	powershell.exe
5104	powershell.exe
1856	msedge.exe
1856	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
3524	identity_helper.exe
3524	identity_helper.exe
3172	Balance payment.exe
3172	Balance payment.exe
3172	Balance payment.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

1596 msedge.exe
1596 msedge.exe
1596 msedge.exe
1596 msedge.exe
1596 msedge.exe
1596 msedge.exe
1596 msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Balance payment.exepowershell.exeBalance payment.exe

description	pid	process
Token: SeDebugPrivilege	3428	Balance payment.exe
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeDebugPrivilege	3172	Balance payment.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Balance payment.execmd.execmd.exepowershell.exemsedge.exe

description	pid	process	target process
PID 3428 wrote to memory of 1172	3428	Balance payment.exe	cmd.exe
PID 3428 wrote to memory of 1172	3428	Balance payment.exe	cmd.exe
PID 3428 wrote to memory of 1172	3428	Balance payment.exe	cmd.exe
PID 1172 wrote to memory of 2856	1172	cmd.exe	ipconfig.exe
PID 1172 wrote to memory of 2856	1172	cmd.exe	ipconfig.exe
PID 1172 wrote to memory of 2856	1172	cmd.exe	ipconfig.exe
PID 3428 wrote to memory of 5104	3428	Balance payment.exe	powershell.exe
PID 3428 wrote to memory of 5104	3428	Balance payment.exe	powershell.exe
PID 3428 wrote to memory of 5104	3428	Balance payment.exe	powershell.exe
PID 3428 wrote to memory of 4252	3428	Balance payment.exe	cmd.exe
PID 3428 wrote to memory of 4252	3428	Balance payment.exe	cmd.exe
PID 3428 wrote to memory of 4252	3428	Balance payment.exe	cmd.exe
PID 4252 wrote to memory of 3456	4252	cmd.exe	ipconfig.exe
PID 4252 wrote to memory of 3456	4252	cmd.exe	ipconfig.exe
PID 4252 wrote to memory of 3456	4252	cmd.exe	ipconfig.exe
PID 5104 wrote to memory of 1596	5104	powershell.exe	msedge.exe
PID 5104 wrote to memory of 1596	5104	powershell.exe	msedge.exe
PID 1596 wrote to memory of 1640	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 1640	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4648	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 1856	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 1856	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4140	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4140	1596	msedge.exe	msedge.exe
PID 1596 wrote to memory of 4140	1596	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Balance payment.exe
"C:\Users\Admin\AppData\Local\Temp\Balance payment.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3428

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /release
2⤵
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACcAaAB0AHQAcABzADoALwAvAGcAbwBvAGcAbABlAC4AYwBvAG0AJwA=
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://google.com/
3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,5582490240683898239,3236695247030960173,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
4⤵
PID:4140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,5582490240683898239,3236695247030960173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,5582490240683898239,3236695247030960173,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
4⤵
PID:4648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5582490240683898239,3236695247030960173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
4⤵
PID:4908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5582490240683898239,3236695247030960173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
4⤵
PID:4804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5582490240683898239,3236695247030960173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
4⤵
PID:1172

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,5582490240683898239,3236695247030960173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3524

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,5582490240683898239,3236695247030960173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
4⤵
PID:3268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5582490240683898239,3236695247030960173,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
4⤵
PID:2956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5582490240683898239,3236695247030960173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
4⤵
PID:4824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5582490240683898239,3236695247030960173,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
4⤵
PID:4488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5582490240683898239,3236695247030960173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
4⤵
PID:2732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /renew
2⤵
- Suspicious use of WriteProcessMemory
PID:4252

C:\Users\Admin\AppData\Local\Temp\Balance payment.exe
"C:\Users\Admin\AppData\Local\Temp\Balance payment.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3172

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
1⤵
- Gathers network information
PID:2856

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /renew
1⤵
- Gathers network information
PID:3456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc4c3446f8,0x7ffc4c344708,0x7ffc4c344718
1⤵
PID:1640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4548

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Balance payment.exe.log

Filesize
1KB

MD5
8c2da65103d6b46d8cf610b118210cf0

SHA1
9db4638340bb74f2af3161cc2c9c0b8b32e6ab65

SHA256
0e48e2efd419951e0eb9a8d942493cfdf5540d1d19ff9dae6f145fb3ebcbeeac

SHA512
3cf5a125276e264cd8478f2b92d3848fb68b96d46eb4a39e650d09df02068c274881a1c314cdfbfdcb452672fb70dd8becf3ffe9562d39919d9c4d6b07fbb614

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
26f8219c59547d181c1f9070c2f5b050

SHA1
cbe34c1b41c0d86e1dff1a0bd82b6c803085a39f

SHA256
3f534bb6f67e07afe3baf85bf750122c2e00b86df6aa258e5752dc6c946fc2d2

SHA512
1600ed7fb809d9f4fd571b99e606ac92f0054f684b6b7a3b72ede39d5edaf458cf551c568ca1bf967326bfbdaf2f7178906fb8d15d82c52049fb6c74205c9f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
74e81a9d509873d371adc13abdd80c93

SHA1
6f38c4fbd5b6f72701b24129d3e69eebb824535f

SHA256
90459179b11b3e1312bbb3224c48043d6184a280641ac170fdc94b8db2ae04af

SHA512
18145112d1f82e8fc47d074b2ebc31d29e78840897d42cf9a35ecbf712028ad1c815ab1693b314071342f51d38cdc8d2ea8d17f4d1bab127658e283e1c83b305

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
266eec74845de4868fd9b2ac5eb03fb0

SHA1
cbc31b65e85c948c02b9c256d89a3b299bad2a14

SHA256
fd6351e1f257188cbb17b6c5caaee035684522c76f59189d4f41811bcc864eb2

SHA512
3a807cfd5eb4555cf0ba7542a0567c9d51d1d1b53b45b5f3fd11afb5aad5b7e85c43e358ce3736a36a81fcaacfda42b5480f2274a8ffe4c6489e011b2767d26c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e672bdaebbb21f973472ab366f9582fe

SHA1
fea14eedf842266ce7632abfd58bee18de35a1a3

SHA256
5cbfc3f8758daee5d138bb2a0d48f41d6f2708a9a9c38f31973bde498886e270

SHA512
2feafb7aafe19649ad1ea2ce2f190811d4859810cbf79943b6b095f8b3395f3a8b008a88b4503c24dd67a1227e9bb2d87c18dc72aa17e4e4b786b62c4d219fe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
aed1dcf52fcdc83208918b69a7c729ed

SHA1
28849975e0d8c449fb95bf41d1020ecb07844f5d

SHA256
4666db016d174fc5a3558d7a3ec842dc1d31283ff93c89ac22de56f64169f9de

SHA512
e802fba16d14277d75585197846206155d43ddcfee616aa3c030a5e441d03d47bdef321817e4a911e51e175cc3797989d6fff736a047dd3bc33e247380404cb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
bc31f9c58322cd1b8eb8a246be508c80

SHA1
a2ddff1b61ec55b2b0a0286525d56602f94ee208

SHA256
3e48d1f92eac300ee1a79ab17d281f11c0a9c41380a53a884daf73bc6de7aebd

SHA512
9c7e769a2d32855510b374e00d5ee8414db7efe547907747c8c3e2756376ad829e0f284d665b8e28df77ba58fcc84c3fae49c8af775abde3ae1c75b02883fccb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d6fef546842b91fedd29b8ddb5407988

SHA1
ee11cada3c238abdc71f20a49a2e1dffd32c1ce6

SHA256
afa70129eaeb4c746062cf575b560680e52b2cedbe6636065375771a910f4c08

SHA512
ef4c42e049a71bc554ca7ed8611d7536314b14456070819d6446503a8af830539377a7806222bdad2117a649eef15f1df6f64fb19cdb5dd02608dbb32106191b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5clxvgfs.vi5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\pipe\LOCAL\crashpad_1596_JSFDNRKJPIPITHEH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3172-105-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3172-114-0x0000000006430000-0x00000000064CC000-memory.dmp

Filesize
624KB

Download
memory/3172-110-0x00000000055A0000-0x00000000055B0000-memory.dmp

Filesize
64KB

Download
memory/3172-109-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/3172-159-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/3172-113-0x0000000006340000-0x0000000006390000-memory.dmp

Filesize
320KB

Download
memory/3172-160-0x00000000055A0000-0x00000000055B0000-memory.dmp

Filesize
64KB

Download
memory/3428-108-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/3428-0-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/3428-1-0x0000000000660000-0x00000000006C8000-memory.dmp

Filesize
416KB

Download
memory/3428-2-0x00000000056D0000-0x0000000005C74000-memory.dmp

Filesize
5.6MB

Download
memory/3428-3-0x0000000005120000-0x00000000051B2000-memory.dmp

Filesize
584KB

Download
memory/3428-4-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/3428-5-0x00000000050A0000-0x00000000050AA000-memory.dmp

Filesize
40KB

Download
memory/3428-7-0x00000000052D0000-0x0000000005310000-memory.dmp

Filesize
256KB

Download
memory/3428-8-0x0000000005500000-0x0000000005540000-memory.dmp

Filesize
256KB

Download
memory/3428-9-0x0000000005540000-0x000000000558C000-memory.dmp

Filesize
304KB

Download
memory/3428-6-0x00000000053A0000-0x00000000053F8000-memory.dmp

Filesize
352KB

Download
memory/3428-10-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/3428-11-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/5104-35-0x0000000006060000-0x000000000607A000-memory.dmp

Filesize
104KB

Download
memory/5104-19-0x0000000004CB0000-0x0000000004CD2000-memory.dmp

Filesize
136KB

Download
memory/5104-18-0x0000000004F80000-0x00000000055A8000-memory.dmp

Filesize
6.2MB

Download
memory/5104-14-0x0000000002260000-0x0000000002296000-memory.dmp

Filesize
216KB

Download
memory/5104-20-0x0000000004D50000-0x0000000004DB6000-memory.dmp

Filesize
408KB

Download
memory/5104-31-0x00000000056B0000-0x0000000005A04000-memory.dmp

Filesize
3.3MB

Download
memory/5104-32-0x0000000005B60000-0x0000000005B7E000-memory.dmp

Filesize
120KB

Download
memory/5104-22-0x0000000004EF0000-0x0000000004F56000-memory.dmp

Filesize
408KB

Download
memory/5104-45-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/5104-33-0x0000000005C20000-0x0000000005C6C000-memory.dmp

Filesize
304KB

Download
memory/5104-36-0x00000000060B0000-0x00000000060D2000-memory.dmp

Filesize
136KB

Download
memory/5104-34-0x00000000060F0000-0x0000000006186000-memory.dmp

Filesize
600KB

Download
memory/5104-15-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/5104-16-0x0000000004940000-0x0000000004950000-memory.dmp

Filesize
64KB

Download
memory/5104-17-0x0000000004940000-0x0000000004950000-memory.dmp

Filesize
64KB

Download