agenttesla | b09487ea9dc5e977f6a82ac84bc160b390aee483ac3746180217872a0f535027

Analysis

max time kernel
594s
max time network
547s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
02-05-2024 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm V5.2 password.zip
Size

36.0MB
MD5

2c9f6406bac263b5d4fade5e717fbf7f
SHA1

d8a34f676de186af9da32a7a85f8eda25592d407
SHA256

b09487ea9dc5e977f6a82ac84bc160b390aee483ac3746180217872a0f535027
SHA512

1e2f03b7c505ced0392b91ab84018066cc27a29eb00cbeccc305aade4bccd473d3ddb118699ddd400ac318eb08be2895e0975ab1b135cfce88726814d40a4809
SSDEEP

786432:bCxzHbV1gXPrCT0kw0SJg9by8U0/4h6vdA8ZMCFEb6un3LOnUZUiaG2JbS:cbMXPrCTvbSJaQ0/4hcb+LnbgUSiaG2c

Score

10^/10

agenttesla agilenet keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1488-11-0x000001C971FD0000-0x000001C9721C4000-memory.dmp	family_agenttesla

Loads dropped DLL 1 IoCs

Processes:

XWorm V5.2.exe

pid process

1488 XWorm V5.2.exe

pid	process
1488	XWorm V5.2.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1488-1-0x000001C955000000-0x000001C955C38000-memory.dmp	agile_net

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exeXWorm V5.2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWorm V5.2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWorm V5.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWorm V5.2.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
4840	msedge.exe
4840	msedge.exe
688	msedge.exe
688	msedge.exe
1032	identity_helper.exe
1032	identity_helper.exe
2880	msedge.exe
2880	msedge.exe
4288	msedge.exe
4288	msedge.exe
3112	msedge.exe
3112	msedge.exe
1236	msedge.exe
1236	msedge.exe
2368	identity_helper.exe
2368	identity_helper.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

Processes:

msedge.exemsedge.exe

pid	process
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

XWorm V5.2.exe

description pid process

Token: SeDebugPrivilege 1488 XWorm V5.2.exe

description	pid	process
Token: SeDebugPrivilege	1488	XWorm V5.2.exe

Suspicious use of FindShellTrayWindow 51 IoCs

Processes:

msedge.exemsedge.exe

pid	process
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exemsedge.exe

pid	process
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

XWorm V5.2.exemsedge.exe

description	pid	process	target process
PID 1488 wrote to memory of 688	1488	XWorm V5.2.exe	msedge.exe
PID 1488 wrote to memory of 688	1488	XWorm V5.2.exe	msedge.exe
PID 688 wrote to memory of 1596	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 1596	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2800	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 4840	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 4840	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2364	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2364	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2364	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2364	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2364	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2364	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2364	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2364	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2364	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2364	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2364	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2364	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2364	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2364	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2364	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2364	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2364	688	msedge.exe	msedge.exe
PID 688 wrote to memory of 2364	688	msedge.exe	msedge.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2 password.zip"
1⤵
PID:4328

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4492

C:\Users\Admin\Documents\XWorm V5.2 password\XWorm V5.2 password\XWorm V5.2.exe
"C:\Users\Admin\Documents\XWorm V5.2 password\XWorm V5.2 password\XWorm V5.2.exe"
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffe79e43cb8,0x7ffe79e43cc8,0x7ffe79e43cd8
3⤵
PID:1596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,13660036653322199921,6374902690959875140,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1880 /prefetch:2
3⤵
PID:2800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,13660036653322199921,6374902690959875140,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,13660036653322199921,6374902690959875140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2584 /prefetch:8
3⤵
PID:2364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,13660036653322199921,6374902690959875140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
3⤵
PID:5068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,13660036653322199921,6374902690959875140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
3⤵
PID:4860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,13660036653322199921,6374902690959875140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
3⤵
PID:4892

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,13660036653322199921,6374902690959875140,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3336 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,13660036653322199921,6374902690959875140,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3284 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,13660036653322199921,6374902690959875140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
3⤵
PID:3112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,13660036653322199921,6374902690959875140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
3⤵
PID:1236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,13660036653322199921,6374902690959875140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
3⤵
PID:2688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,13660036653322199921,6374902690959875140,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
3⤵
PID:4792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,13660036653322199921,6374902690959875140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
3⤵
PID:2352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,13660036653322199921,6374902690959875140,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
3⤵
PID:3516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,13660036653322199921,6374902690959875140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2916 /prefetch:1
3⤵
PID:4468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,13660036653322199921,6374902690959875140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
3⤵
PID:1452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,13660036653322199921,6374902690959875140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
3⤵
PID:4052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,13660036653322199921,6374902690959875140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
3⤵
PID:2732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
2⤵
PID:2956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffe79e43cb8,0x7ffe79e43cc8,0x7ffe79e43cd8
3⤵
PID:3992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
2⤵
PID:2896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffe79e43cb8,0x7ffe79e43cc8,0x7ffe79e43cd8
3⤵
PID:4364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
2⤵
PID:3028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffe79e43cb8,0x7ffe79e43cc8,0x7ffe79e43cd8
3⤵
PID:2764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffe79e43cb8,0x7ffe79e43cc8,0x7ffe79e43cd8
3⤵
PID:4160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,6738151366904426660,17777628356411639303,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
3⤵
PID:3652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,6738151366904426660,17777628356411639303,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,6738151366904426660,17777628356411639303,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
3⤵
PID:744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6738151366904426660,17777628356411639303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
3⤵
PID:4928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6738151366904426660,17777628356411639303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
3⤵
PID:2436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6738151366904426660,17777628356411639303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
3⤵
PID:4148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6738151366904426660,17777628356411639303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
3⤵
PID:2528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6738151366904426660,17777628356411639303,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
3⤵
PID:4576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,6738151366904426660,17777628356411639303,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1236

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,6738151366904426660,17777628356411639303,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6738151366904426660,17777628356411639303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
3⤵
PID:1060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6738151366904426660,17777628356411639303,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
3⤵
PID:340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,6738151366904426660,17777628356411639303,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5112 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3188

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1404

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
b8b53ef336be1e3589ad68ef93bbe3a7

SHA1
dec5c310225cab7d871fe036a6ed0e7fc323cf56

SHA256
fe5c2fb328310d7621d8f5af5af142c9ce10c80f127c4ab63171738ad34749e1

SHA512
a9081a5a909d9608adfc2177d304950b700b654e397cf648ed90ecac8ac44b860b2cf55a6d65e4dfa84ef79811543abf7cb7f6368fd3914e138dfdd7a9c09537

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6e498afe43878690d3c18fab2dd375a5

SHA1
b53f3ccbfe03a300e6b76a7c453bacb8ca9e13bd

SHA256
beb39e9a246495e9dd2971224d23c511b565a72a6f02315c9f9bf1dcfae7df78

SHA512
3bf8a2dd797e7f41377267ad26bde717b5b3839b835fe7b196e748fec775ffd39346dba154bb5d8bda4e6568133daaa7fefa3a0d2a05e035c7210bb3c60041a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
282b7ecd3c3b8021c181c4c4590851ad

SHA1
0cd8ca5454d91579ceec81376c4ef55e8ef35d00

SHA256
e2b6a8666e301d4db5e2e594b124da6df841ea40eba12c7cf16093f222499401

SHA512
afcb679916f5cb415c6c7e5101d05e72370c9f877fef877b041bc13e7f1ef9bb2ddd90d6a05b420fe17f279240c6cad0b5730ea8a4e3ac48a880d3903cbe367c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9df60cf309656b1753eb4fe15ad7a38e

SHA1
7250c5b17e181821147c25a100095874e4a21c42

SHA256
d1d6218c7e6c2dde5fa1d6b0493b683d96807c34ad64c4c1f860057096edf036

SHA512
51fd34945daa797642a39737f6346bed88ebedafc088fcd00ff2e3abbe9c6a584856c3ba4ca923aa13b6d257dd01d03e2cddf83818276a19868b33b0d45637e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0
Filesize
44KB

MD5
112c528f37a4aeffb257d1b5a73d5ae3

SHA1
44cdda5b6ab7184511b545820a3f4db0e3cf28e1

SHA256
bdcb2f3f89e8d03480cc64aac77d1f965c5dd4e38d325ac2187e2767009b9394

SHA512
001056bac27b293baae21e1e7a95145be5ffb1c5238fc4524f20e6cadaf0a11e37aa327bed71888003dfc03e234168f785cd435dbc2aaf6cf49f613ca85ea841

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1
Filesize
264KB

MD5
89643e31b6a33d856d2a780c456bbf2b

SHA1
7db55076b2d8108a46dad183e8a6d026e9ede15c

SHA256
971d252606ddd131f5d4c03f5067fd4ef20a6103d8f2f01164f24ea938fd4a8a

SHA512
42c1a4917c51c465f0bea641e0e753630802594b816525def54fa0eee7b09c03be4522d5c696ba60637223ee000e0eaf2c64c4dfabffb51b37b2fd9b23e544a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2
Filesize
1.0MB

MD5
3fa641867977126c2c7b5c5e1d23969b

SHA1
9a6850bb77dcd408ac422b6672f6c670970d3809

SHA256
d15ff53e525e463f13aafb9cd302d3ba7ad42390e6432b526092abd0769a2aa5

SHA512
778c288a44e3d39a3176c07f9882ebeed39a0d9a7c3140977c3204d98a3396854870545eb6e1b7432435753306d13fac84b1bd2e535e6452d0dc5ae26dfcf2f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3
Filesize
4.0MB

MD5
025b7bd5e839b3fae0c80e707155c5de

SHA1
11e13f9f221a879ad879a5c695209f0f57822146

SHA256
76d81cdfd809628d0fa35ab31622dff6fbef3b18baa71c50e644ff92c82bba02

SHA512
1424844cee526de58c5ec235bd0a796998f57fb67a23d4039b822ad5b558b31feb5ef3e4b9eded5077bce4f02c5182726a3de5b65c984f7fe976cf509d4b377d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001
Filesize
28KB

MD5
4c255731cbf559fe8bbf5e153ffc215f

SHA1
837262c5d71e54d1c834a01d489fe9181bbaca12

SHA256
287d47abb4af3a340290b18ff132be5522beb5a5b5cb259f035c891ee223493a

SHA512
3c3f45935e1d6b145cbf9ea48a809e45d5828c8c20c51d733d3386e3aca592a98f85f5ec6f53655e1b930a8423a0752268e52f47af4bd4c89fa131b423e2883c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
Filesize
80KB

MD5
14e39be019da848a73da7658165674cb

SHA1
e016473c4189a8cc3dbff754a48b3e42d68af25a

SHA256
39595a1806156cfcadf3cc4e20c5c3f3eec721386a0551790a15f025ba9402bd

SHA512
828a383de549871aa80ec960a7e371ef47da96d01ebb9628d1484ceed9eb698aec5109b3de0b24ff8000610a2c2d633616c9fd28d380656fecbaa930cffed029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\efa986235cc38916_0
Filesize
2KB

MD5
bfa268ab29fed7d25af990ce4d2f7527

SHA1
3aa7994a3ae6026be53b9a7fa39d72ac122f5429

SHA256
285978f43771a419289f3d83ef9760425038a16dcc1159de86876bcdb55ee097

SHA512
0c4393672d0ca5531c1429bc45bbc1065455b888b776afa88178b4eb1f73fe24f7d6171c31795175af61f6c965c81118c0f5ed158118f1d562977b22e8651e60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B

MD5
a9c5eb5305e2c228baed713790df125c

SHA1
20165297029e484ee15dbdec1d1686629546687c

SHA256
b67877f426a6c229a36746c79552ff359fa11dec20596a2e39bfa422890bb2a6

SHA512
16e3eb4ff917354e9f1d623d8e46f1a37c7f64e80c367cc3cea125beac6e37c1b488b5d40f0f30dadd7d7cb4b4c231f1085b7cb47735b46e2af1eabda2e1eae0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
Filesize
20KB

MD5
80327f7d2c646492f217de0a6e230c73

SHA1
088e1cb543abaf09384c8f2ff67a950252a3bd0e

SHA256
d6076d0413931adffca6856ebcf26b2ed5ef71452cc9b80ce9191c549b9da6a9

SHA512
ee046deacb89890f6134470dca278db9a75893a8b9469ae0a492d7cab99d98b5a99615f730b5191e0d319d264f281887cd4f236dec08557ca007b4eeeec0aada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
51b4e7934e7485ecf010edda22744aac

SHA1
3576745f098308e60180f5e3f3add0427dd9018f

SHA256
2b4f2ebeb290e589df78db9103f92165e83e0839f824719985b47e672ac2cd2c

SHA512
3e94c032a6990acc3e5646ce6fea9c1dadbd6a86b717c8364556ecf99f021ca994edd2b495eec1e79fbe83edf85a483f9f39c68ed5a8442920e409eedd2be04c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
Filesize
116KB

MD5
5da793cb6810f459003871543f7d5b7b

SHA1
5fc5c9bf1974c75428a5b351358ab4d387a936ac

SHA256
63a60888678d0274dbaeaf088a5bb7c725ca24311bb43cf3179542cc3d0b13c9

SHA512
5d302cf55ddde61aad316ac0fde3a0defdfa9409a1b1c773a0a018a2070d089a2d2ca073bd0d863a800a003f61f57176ae8c1649e766046db37ee051711b16c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache
Filesize
509B

MD5
6dc7166292d2a0d5d1e72c7e5bcba6fe

SHA1
72ff5f0e306a7eaf27d5e854ed7df73502fecde0

SHA256
da6db10696d87314867681b30f80f7807ec3a436ebd0939bef83a8dc9acafa34

SHA512
0c8aac873398536094205f1d4567871014e708cfbffb7e4e553007866df4f01fd4ba127e9c9420b0ff1891e8f1b787d56a4ae62b1dd5ea5bf1b507415fd3a747

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Filesize
20KB

MD5
3f24ddecd200a42c2158db11a4d4037f

SHA1
74fc65345bbbf06b2a3e0b4127673a8ee8f34bb4

SHA256
98db96ceee03f2816492086b8957d688a4eb08c087696d61f8a8ec04cfb0a643

SHA512
4ca4b454f6cdf0e90ed1a932fd7309c571202aee839a2cc2772bb40c33206f355f6e59ddfb7dd5dd8e2518640893d3df9ee96fb90de2f76c43a96db77b447d90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
Filesize
334B

MD5
a7cbc3eadc41d39d23324c268d544cbc

SHA1
9c14c04300fa58e5eb4f70abb7a1bb66692d72a4

SHA256
6ed5dae4eba7a9c3c300e175a03d66af11be4d6ff1279aa34f57e3dad4510129

SHA512
e0aa164410e2a57704054a0b490f462526b427aca04ec391ff7bf881bbc3482c9257b3d57afc0a4d3018f61eeffda3fe061c22c36bd8e27fa3dfa61edb200d1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
442B

MD5
572e517676fb7a49e2412e577f290b83

SHA1
27848c71e1fc24ae1162bd47657f4815e84a48a9

SHA256
f941dd2d7afb77b435a16f2ac4411d5d2972be162be66c663157e7d4b3487cfb

SHA512
cbf8b71581b6ebd167d6330d49b17e7225cadd386cf4da7afcfbd26259ed848d8b373736da9ef6487c88b02ed88335661f535552d40d05c317fce7060d95f956

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
68eae0c7c25a336d2c473df8c1bb2283

SHA1
b43341be04107026b645f35d7696eac0e2ae062f

SHA256
042bc40eaa5cee4bf54fd6f2b27f8daa67c9c2fe011e52a21c3dc977c303de70

SHA512
a720e95ba76124175310f5e1acb277d5a16f4768e856214a5229c3bb274623f63b5fac609ef11086a3ac6117d18c6323fc8fc8d7909c3f5bc6031ab213ba4f1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
787531810ae12c1e3ea737ae3efddd9f

SHA1
a099d7c58a3581411ac3d40c16476fd83d5c8c97

SHA256
dae448e980653de2eb0f8ed9dea9145cab87f99f9aa18b186c02bd37261e55d8

SHA512
42ab5bea6af1bf9a3a49d57ddb5f944f2251e855d45c30f65f8215f3103bc30f6e83e23ba8e23d9e7214581d9e684a713309db0e3cc25fc1203eca4b678b12e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
84b641ffb2603ad8a0ae88bb513f4e5b

SHA1
253f6a8d1e455f569aebe1a72480cb1db532a4a1

SHA256
da068fa52854aab123e5b159910b85136134b83f39fcb23fc2beae627f2e36ad

SHA512
38ad2838190a8696697d3c0701b89df76cdf2d913f48167541856ef0de4197a8f1779f1c97e7ab3d630d8c1aa3833cc11132a6be91b3cc9cba8cdb82701a7078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
8e2b31180edcb82aad9577be594247cb

SHA1
4e9d75f50baa53b4981bd5e7bb1880513dfb0c43

SHA256
83ba6170e054eeb344e183a4587793441435004eb2a01b04d441f34204a7a170

SHA512
7b7ccc063a4133748387953773ce29b91eb68a4465c4b8a4760c2b96534ae47a2ce13a3a33dd1058b3e9f82499afc035a8c548b85ed162d1d0ef91c5ac07dd7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
241b9c25c7189696175183f08cb8a6cb

SHA1
e3bf5541a186ddf240eb01b659178bb4a20d0842

SHA256
70dfde791e18d066f9611a1da048ea62844cb55d0d78585d340da069cd13f973

SHA512
3286063d6e56b6aabb70be3b9f0db2fa508d465076a2cde962e9b328c77fafe6769c70a76c075a869227ef3e95457b28982fa50f2d286768905f192c2c0d7d24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b9f735743e40bd55660536bea3068652

SHA1
ad757b3d8a5c91264a33edde9cfc4ea207a9019e

SHA256
727de0f5158afb4885c2719169c9923937cb1817da826a778e12c43ebe8a6fd6

SHA512
c66f0c16ada32c6b9375465c0dca300abb1c938eca65b8fa1f8c7d663c410481c63d7393bc19c8539c2d14a2e213cd96959846669f160afb71cb65db33ebbf68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
f3d332ef6f28dc073e0f32075d059503

SHA1
824b9886eed6b92294f3b0fc5ab50933f4a14919

SHA256
bf8e481d8ba225feba14238bbe992caa559941a53de2a70fe26997db06983b6f

SHA512
61859399594493b29453f1c5574ef2e9476ba18c15a661d7b047de11913ce1e21010a80525d535e58372bc0fc16bd1000fa09d8fbfba177d4d19dc99537df93c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log
Filesize
346B

MD5
99eb4f3410780d4f7c9f432f5cc23f74

SHA1
186c87877609c9f2b5f44bbc3f9eece2e096f842

SHA256
f6644a9bb1515338c075e4566e5a4862e68cec526012120ab1269a36c1f2855a

SHA512
986ed64fa359668606a5e6b7528d9244cd0093097a8f8b701a8108de20d7f7cb09befcbb5653cfe1a0c32813020b5646a278cab9e4d5de2f2e40dd2492037c3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG
Filesize
322B

MD5
de5d2571ec1e7348a88348f71c693050

SHA1
2e5f476de925143bb67742373bf497167499949d

SHA256
08cd6f663edba4ea402669f636c5212016adc45b9712412c0948f0245100a044

SHA512
24b290cefa885ceb53da7f6f31fa411f4b64db063d75468d7ff625ab60cd745bc4813c68d61df39d5bfa4d3bc1ef47e20f29a4d7e83e55d01ce76d4109918c01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13359151420868956
Filesize
3KB

MD5
0ec0fdcf9c5e6fecffcc5df4bdd87119

SHA1
aece5aa7df875a4a5c95c6efc6f6d0b3e8ce76a8

SHA256
e1c88a968bb5ef8f992ac7057d4ee79a5d29adaf4ec36ca6f5452ab5d04cabec

SHA512
4e14edeaf7041c1c301696d8a07982705f168dd54bcb855c43b30dcde9544718b4e74d39d9e825c83ee47541538ac4a8cb6d264aadcdae7de4e4abe26111861c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log
Filesize
112B

MD5
d790b765a051c9868bdd59a7bbb45fd2

SHA1
5989cb87a3ad191560f2ae893f1779f16c9c49b4

SHA256
ed1e74f6b3e2fcc7dab9efca25198a178801437252c24d05002fb2bbe98f38a7

SHA512
32d5d6b462c9001dc5de666707db6f4b93a8ab49df4ee0e272902cc446d167d2fd270aa85ed4d5e1d9e2f428332037b36806b3c464de7e1b9bcb3ecb10a3d376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
Filesize
350B

MD5
892122e11760b3cca0a9b263c6aa3736

SHA1
8c8fb682ea78311dc1b0d50fffb35146b55f1f10

SHA256
cc82c4337cdadc24530d6d335043d3d23b157a980a6754abec5b17991616ad16

SHA512
1914d25ffd8a337d31a7de13d6c3dd63d63e5805c3bbfa3c046d23c4c26177413a5657f21e0bd456a03091133864520bb74ec4e12ec581110af16adb7d658244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
Filesize
326B

MD5
3152fee8826ed8be52a7252bfba57b50

SHA1
8a896a1c44923feac0a1aa34ad10ef121c183644

SHA256
6e53469158ea0e4889385840e43b12c06245c0b62429ee3250190cc070605cfb

SHA512
3e4c967b7424a4e83cd58eea508dc8215c499377fbbc3300eb2eb0c3562e0794ea88c88cfd3cf4e0b0bfa76ec7a6f802dd5ddcf217be1f263cce5385d69fa309

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
538B

MD5
2b6e03e1d1e0cb5e9eae632698333195

SHA1
fbc374c4d1d3ad73c48f56316e8a88b7e5099490

SHA256
80c707c32e1f31feccefa261ede4a06c7ca86c2015ece6b7fa1b6d38b28dbd68

SHA512
efabd11ea070c6efe92fae97dd6b0877f7822ba12f9e378995f1345ef1b087ce64016b9dd98d3c385c9291d716eafe6fb6cf83b2fbff9385913af3e52791f76d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
538B

MD5
565c8ab94e89a6000a9889f897cda2fe

SHA1
5601d4f8c7cee182213da3682fbaca779a99d584

SHA256
c91e7ea67354972e736615cee182ad420c87e85fafbed10ec46283218a4a4e62

SHA512
695e8155c4270ec9abec0f06950a098c25bcc8b5df71dfeffac380c2ca9d05cbe645344549aa9ff5b01c286dafce14357f826e283c6d4b41c584b77b8d03f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a97ad.TMP
Filesize
538B

MD5
1de60e630569039a48d3888cfb21385f

SHA1
fccbde96a3a0ffac8e5b08c612f3122869c5ae12

SHA256
5d236514e54c81610dc7cf525254863e4d097845c8da45471248649df1a2e373

SHA512
486a2e357bfe4f809fee534b2b5edabbf4f91ebb7f8d1e574c31edf815fed43966eb7512b8bc0bef799f8dd4fdbd40d50e7ff99a1eea68cd86412cf1ab196eda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links
Filesize
128KB

MD5
3a00919e59669f95acd51752d3b4980b

SHA1
a88fb5db93e6b8d0f4bb44d5056d4e4a7008a501

SHA256
d36ac2b6b719c5e43f5aa88f2c31be70a95ca77ed0fad67c5e63efda017ff266

SHA512
bd57f2f1239971cefc1bedca68520f2f610f515f811f5f1d4eba44ff318b27715c8d31199824e5102e4b594a22091da046189a52c1862e9372d391f5724a87ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db
Filesize
44KB

MD5
9f2e906765366c80c32124e81e2854f2

SHA1
8a5d58f02b6880b1963b38e028f7b46ed797b0bd

SHA256
064a5c6d210f8bfb2a70a1c6722933c4a45272fa5b7ee851f65c931b0b364990

SHA512
3159c937cc817ab5dc93f5f7b91de9c9d194a4747446077477401bb7f198da9312af331e124b8ee69932f3b6d9fc123d265514b8c811eac5407ea6998b17234e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log
Filesize
19B

MD5
0407b455f23e3655661ba46a574cfca4

SHA1
855cb7cc8eac30458b4207614d046cb09ee3a591

SHA256
ab5c71347d95f319781df230012713c7819ac0d69373e8c9a7302cae3f9a04b7

SHA512
3020f7c87dc5201589fa43e03b1591ed8beb64523b37eb3736557f3ab7d654980fb42284115a69d91de44204cefab751b60466c0ef677608467de43d41bfb939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG
Filesize
322B

MD5
d27acd784b2874d3dcd4f57fac8da671

SHA1
f78a476299a423268d865eaf3eb148ab471094d4

SHA256
78bbb6508dee0dad4fa94b8dd8f447b8e6f8288eb9a1866675d3d81d77bf4f09

SHA512
0ecbb20207163ae00e276aa160f063f2e0e042f9ae709351747c5bf234208d667bb36a4d421fe5ed95411ceb4b103da7ed11473487d03674cb5c28c4ddf9ee76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log
Filesize
318B

MD5
c4bfc34fd57928ee6c9e41a7894eabf2

SHA1
8bcd06799715959383bac494d475e6bff23fa35c

SHA256
39fe46fdf9f272d43bb1a60705e53a0e44bcf6df77d0b2de2fba8c6793befd38

SHA512
6a233d3b422ad2fa87acd4f95f50c1e8334a06b89ec52429934d31f8c5f0039f63f4263d5a99aef64c2112aa13f7d720c641ffcba7c1b3b2dfa093671f38e9aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG
Filesize
340B

MD5
52fddeed838fb588202c5b6768036e84

SHA1
720e9d3e439c0ecaa2799bc00ba785eb2787bb2d

SHA256
ac46096a02cc300c518b26add570e5a11854887e28f9ec33dd01725de9b082c7

SHA512
eb29760d87b583be2f3f2e394600d5d750475b5efda9e917895beb68202830c0462769e383fb918164aa35abe03448bc0d75d06fa93649b53a6b5edff00e10f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0
Filesize
44KB

MD5
5434cd581f6c067b7253923b03d67d29

SHA1
547bc9716a9b60d21d14bf2be17b916b5da7623a

SHA256
41b8aaad21753ce0ea322ac05e529fcb209fd4f09d844735e29a3250469829b9

SHA512
272617051cd1cde1e8e0090fdf2c04a882486d55a31c757acb1a2eff9069852c7c22e408ad8bcec35d40d87718652b1c934220b4b32ac5888f570cf3925f0454

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1
Filesize
264KB

MD5
465a9712934a383cb3c71cbfd3a15ef1

SHA1
7223d492f889b0ec01165f7652c2fe8ce2e93f53

SHA256
edb44f516faa801e30e85d9c8e9292944941346685b64c9ecc5cb921b5eca96d

SHA512
50991e12cf96634371d7f4c77ce6259256e24436cee3cbe6f48b463154f4ccc3038bef09fb774caae7fce059cda162c339629a915d2e1552ecbf8e838bce8dfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3
Filesize
4.0MB

MD5
39528f0d3f40da14c4007ff69bf96d1f

SHA1
d261565edd2402a2891991605169514bda0e837d

SHA256
af58aca5d645a50ce69f09e08a2521f821cad886903a3dbdd3a5550f84ec0766

SHA512
0cd69259c20871d5622967e7a101f8aecac1e386915e492b6d4ad8754e395d6154510474fc4c38305be409088bb92fb592c15142264bb7731c1a3802d5d5680f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000001
Filesize
20KB

MD5
d713ba9b8bc6a09281e1c2166405e4fa

SHA1
da30fc10f5f79c7504081778243123394717159a

SHA256
4d0624fc5f612d174fb0fc97eeee9ce54e75f21606244733cd6bd92bb9f045d4

SHA512
4ad4ef2739e1f19c9d23b90d367c7185a65cb3ebd8e716297bb21c8d82352eb15eab2dd969a743db37b0316c680227e50c0fc4a96d814b856c73cab5d9f78dd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000002
Filesize
20KB

MD5
2ec494e3841e8ead0d3921f298e1506b

SHA1
ba8d046f7923547a365dad8e77f6ad59406a35b7

SHA256
a327edaa945e3091546f39ebf0458d1fef0d60ea1221fc0ee291a7b2fa8fe426

SHA512
177445ed9255f01de7fe3fd7f32b621f1b4d687032033199881946f6f7bdb3440eb60124d44a7b43be5ec42c9e162e4b0c0815e8db33da5e444a9081962e3281

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
e47f071f6e35a7c41a379f9f6fcbf7e2

SHA1
cdf6904dbdd4fe746de4d7d2eed9c113655b893a

SHA256
455b356684df2db4cdfc5c1a1236ecfed67e062eb98680ec51eeededb6226096

SHA512
a0df7e176f27152079895976ebe943f10b310c384bc65023595597afa598f7e557147e598b05d4b818eb6cc125a7f5b51ecb2b17036dcbf80bbbd57402b1d0fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
745f94b7ce1b0e1258a91d08b35a9d8f

SHA1
dfd63747f5fbe6ec6fb2a9ed48e58ce99ab0f46a

SHA256
0d65e305254e0dd0703edff50f16a12ae870480ff11e2faf10dd7ea442c48d08

SHA512
e0ea79ea75293fd64a05db946e0e892d718a1aac82033a7516eb2372b2cb4afc511e38920e1f5f5cbecf5cd3009717468b4cdd27163bb0d8e8c23ac79793cca0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
b49201ce139d04a648bd818eb75c9ca6

SHA1
8643148e5fe6808f6d7d41ca7cac800bbddec6a0

SHA256
4672c5278249b123127f84ae78ebc2e65e0cd8593500826d42ee1a50131646d8

SHA512
464daba51349ac6d4455243f14921ccee818676dd9af2d1417d25dbeb991e0b3af79838d7121ae232c20ef168d85a42ba84482457c6aa031f7551692064d064b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
Filesize
264KB

MD5
69639f709e57ddc1ab22b57245dfe0fa

SHA1
d26612c1af88d727b986c83b2a42344c715602f6

SHA256
0fab920f15e991e8c9bdc7f4a367121693b674ca3d6c39a484b32824b5cb35bf

SHA512
d9afc57ee87e0f9390058329188d740611bb53a0beb394236d8665db081863485047929b43870ad13e928a45423ae6f91b8cae6d58e610bb4ecf20636e9724a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMzpx\TMzpx.dll
Filesize
112KB

MD5
2f1a50031dcf5c87d92e8b2491fdcea6

SHA1
71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f

SHA256
47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed

SHA512
1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8

Download Submit
\??\pipe\LOCAL\crashpad_688_VEKNAXLGYHXCXEZM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1488-101-0x00007FFE5E353000-0x00007FFE5E355000-memory.dmp

Filesize
8KB

Download
memory/1488-0-0x00007FFE5E353000-0x00007FFE5E355000-memory.dmp

Filesize
8KB

Download
memory/1488-11-0x000001C971FD0000-0x000001C9721C4000-memory.dmp

Filesize
2.0MB

Download
memory/1488-10-0x000001C9710A0000-0x000001C971C8C000-memory.dmp

Filesize
11.9MB

Download
memory/1488-9-0x00007FFE5E350000-0x00007FFE5EE12000-memory.dmp

Filesize
10.8MB

Download
memory/1488-102-0x00007FFE5E350000-0x00007FFE5EE12000-memory.dmp

Filesize
10.8MB

Download
memory/1488-1-0x000001C955000000-0x000001C955C38000-memory.dmp

Filesize
12.2MB

Download