agenttesla | b9fdcdcc7221b4d0b59aed55f611ba2bd0d68fc4e882eeb479afaf4c6abbe717

Analysis

max time kernel
147s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/10/2024, 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9fdcdcc7221b4d0b59aed55f611ba2bd0d68fc4e882eeb479afaf4c6abbe717.vbs
Size

24KB
MD5

57a38ec7fd0987672546f26cd5182a14
SHA1

44ea97d8f46a763572aa89d59306be3aa29c1b22
SHA256

b9fdcdcc7221b4d0b59aed55f611ba2bd0d68fc4e882eeb479afaf4c6abbe717
SHA512

2715e35768529206adee6416fba9ae11bd6c726f6e2189013d610373ebaf9cb153796ef15b7de59d6a539c97332958f39943354077181620e155153aa8c44fdc
SSDEEP

192:eiJVpMIfAiyRfcUxNKwK04QKxL0LDZPAMulxMllh9kbLGmA5UQ7RHVpiqrgSVJNn:eiJQaQKxL+2uIngiq3tZW6kCfDcDSqDO

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
162.254.34.31
Port:
587
Username:
[email protected]
Password:
M992uew1mw6Z
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	4376	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
50	api.ipify.org
49	api.ipify.org

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1924 set thread context of 2924	1924	powershell.exe	112

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435893937"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4291572110"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{2B69CB7A-8C28-11EF-B9B6-CA65FB447F0B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb73de6dedeff944803e966ed3363124000000000200000000001066000000010000200000008a7143820450fed02b1a33355a39026b9e36f1bbbdbd229ae247a7c3cbf251dd000000000e8000000002000020000000900b2446918971b320a0e60aaf93652a121d176d3df0860f1d8ae09bc36e461320000000acca2512cb42ef6202a62795bcd8bd23ee783393c25108ff6c6a9182c9d4f5fc4000000043f3f06624d7d46061cf0bdf2fb9165188d516b99232927843fa6b16ceca171ac99b3a40be3ec3a866bb4fd5d6436f05e498cac1f0a185f76074267a56ca946d	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10882b003520db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31137844"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4291572110"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "823489"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb73de6dedeff944803e966ed3363124000000000200000000001066000000010000200000008ece7edcf59fd103fedae56defbd8b2457a123ae18753e5529edbd25d42987f4000000000e80000000020000200000006c3442a9fcb03f9b55c4832a4782204444ddb6b10f1a36f3ea894fd97459935720000000f5f88ac1a3ad6364dc697c55f4f5623060384c8c8f5577137659d5189e2db1694000000018beace0c8f4987ed790b62dcc4e67fd500bc96c9dbb0c38b10f8f314381846e56e762a0273d65bf45ac8e767f9692e60b5e34169e9c251034941b6fc9e47d3c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31137845"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10a626003520db01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31137844"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	WScript.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1924	powershell.exe
1924	powershell.exe
1924	powershell.exe
3528	powershell.exe
3528	powershell.exe
3528	powershell.exe
1924	powershell.exe
2924	MSBuild.exe
2924	MSBuild.exe
2924	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	3528	powershell.exe
Token: SeDebugPrivilege	2924	MSBuild.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3776	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3776	iexplore.exe
3776	iexplore.exe
3940	IEXPLORE.EXE
3940	IEXPLORE.EXE
3940	IEXPLORE.EXE
3940	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 4376	5040	WScript.exe	84
PID 5040 wrote to memory of 4376	5040	WScript.exe	84
PID 5068 wrote to memory of 1924	5068	WScript.exe	99
PID 5068 wrote to memory of 1924	5068	WScript.exe	99
PID 3712 wrote to memory of 3776	3712	MSOXMLED.EXE	105
PID 3712 wrote to memory of 3776	3712	MSOXMLED.EXE	105
PID 3776 wrote to memory of 3940	3776	iexplore.exe	106
PID 3776 wrote to memory of 3940	3776	iexplore.exe	106
PID 3776 wrote to memory of 3940	3776	iexplore.exe	106
PID 5068 wrote to memory of 3528	5068	WScript.exe	109
PID 5068 wrote to memory of 3528	5068	WScript.exe	109
PID 1924 wrote to memory of 2924	1924	powershell.exe	112
PID 1924 wrote to memory of 2924	1924	powershell.exe	112
PID 1924 wrote to memory of 2924	1924	powershell.exe	112
PID 1924 wrote to memory of 2924	1924	powershell.exe	112
PID 1924 wrote to memory of 2924	1924	powershell.exe	112
PID 1924 wrote to memory of 2924	1924	powershell.exe	112
PID 1924 wrote to memory of 2924	1924	powershell.exe	112
PID 1924 wrote to memory of 2924	1924	powershell.exe	112
PID 3528 wrote to memory of 1088	3528	powershell.exe	113
PID 3528 wrote to memory of 1088	3528	powershell.exe	113
PID 1924 wrote to memory of 4672	1924	powershell.exe	114
PID 1924 wrote to memory of 4672	1924	powershell.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9fdcdcc7221b4d0b59aed55f611ba2bd0d68fc4e882eeb479afaf4c6abbe717.vbs"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\output.vbe"
  2⤵
  - Blocklisted process makes network request
  PID:4376

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\TidgcioBlkpEhGQ.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2924
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1924" "2776" "2716" "2780" "0" "0" "2784" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:4672
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3528" "2688" "2616" "2692" "0" "0" "2696" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:1088

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\Desktop\SearchHide.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\SearchHide.xml
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3776
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3776 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\output.vbe

Filesize
11KB

MD5
7658ff7270f15c5849ee32164ea101e2

SHA1
fcd386015cbcb9c609d65af4400b13dd787edfac

SHA256
15579ee0b5e735c4f168fc21e8090b1040f3f9d026377d1363ee84d2ba07fe37

SHA512
5c2f110d97dc0a4678efc5c6c3a73fd3ba05b812df8b80b52336e1d6bc1016ab51e24427d3f61fe9d82dbf57ebf00a4fa8d8acc9809e518dac3b0e5154da8028

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
9461a7cfb20ff5381df28f51b80c5ef1

SHA1
c86c53fca1dcbe307dafbefbb366abf52c9f5eca

SHA256
d4af1948337d0deb725f4f2b1fe1a9b60f4519841e28748b11bfd62ccd71e028

SHA512
da1e17f67dfebb004ba93d489be504fd7af6d62709ada2581ffa77880baecdaa0015b49d36333d18216d9dc6aad7b0ea2e5bd224d8d3f65ee9b66a05fc45e304

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9MFSIIMR\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kzzvhsyy.wrh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
91f697702bdceb3905e4bbf0a2366af2

SHA1
8645bde3f468045bcef5900d342bf1d98df6d20f

SHA256
f1912df9ec77b4838ddd0fa2f96e2c1613f5ec02c44ffef8d9667ff61e3626b4

SHA512
b8dbaae30e806f3b059e04eecdb5882ba19d2e32c6aad2c1f65957387b22a0dd7ad35d536a6eb4167741683d3081d6973883a55d29fcdefbc6acd7fd3bb77a20

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
cd73dcd06d723b116f649baec4c27cd1

SHA1
af421ea01f7004e24e46a68abe49f2fff5b65433

SHA256
26b1d1cc91240900a78bab20b644c12545aa0215fa6d2fbf6b7c470e065741ff

SHA512
95688dc5fad143b08fdd1478c72885f5f606374bfb6d032f59b6b69c3227a82751aedcbcf4918572a1f02a8cb82d1130a75f5c855daa4ccce757321daa87f3e4

Download Submit
C:\Users\Admin\AppData\Roaming\TidgcioBlkpEhGQ.vbs

Filesize
2KB

MD5
8f97f3187a64baf0426d3faf656cd010

SHA1
6798db641d79614ad78ec589e0ff9c32404b727c

SHA256
d4bf9aa7c70ec053878e7c6b47146e2f5769938c4d3311f400f91ea1880156ea

SHA512
ed69831fa60be68d790986841d0bd5430a58d993548af4eab49154de40e62bcd7e22e81e4a3fcb69d76aac0b74ca4634605e56d7110105a58f1dcf8012582dd7

Download Submit
memory/1924-27-0x00000258D1880000-0x00000258D18F6000-memory.dmp

Filesize
472KB

Download
memory/1924-26-0x00000258CF1D0000-0x00000258CF214000-memory.dmp

Filesize
272KB

Download
memory/1924-18-0x00000258B7000000-0x00000258B7022000-memory.dmp

Filesize
136KB

Download
memory/1924-46-0x00000258CF1A0000-0x00000258CF1A8000-memory.dmp

Filesize
32KB

Download
memory/1924-47-0x00000258CF1B0000-0x00000258CF1BC000-memory.dmp

Filesize
48KB

Download
memory/2924-48-0x0000000001350000-0x0000000001390000-memory.dmp

Filesize
256KB

Download
memory/2924-71-0x0000000006E50000-0x0000000006E5A000-memory.dmp

Filesize
40KB

Download
memory/2924-70-0x0000000006EC0000-0x0000000006F52000-memory.dmp

Filesize
584KB

Download
memory/2924-69-0x0000000006DD0000-0x0000000006E20000-memory.dmp

Filesize
320KB

Download
memory/2924-68-0x00000000059A0000-0x0000000005A06000-memory.dmp

Filesize
408KB

Download
memory/2924-52-0x0000000005E50000-0x00000000063F4000-memory.dmp

Filesize
5.6MB

Download
memory/3712-25-0x00007FFC29530000-0x00007FFC29540000-memory.dmp

Filesize
64KB

Download
memory/3712-10-0x00007FFC29530000-0x00007FFC29540000-memory.dmp

Filesize
64KB

Download
memory/3712-8-0x00007FFC29530000-0x00007FFC29540000-memory.dmp

Filesize
64KB

Download
memory/3712-9-0x00007FFC29530000-0x00007FFC29540000-memory.dmp

Filesize
64KB

Download
memory/3712-11-0x00007FFC29530000-0x00007FFC29540000-memory.dmp

Filesize
64KB

Download
memory/3712-22-0x00007FFC29530000-0x00007FFC29540000-memory.dmp

Filesize
64KB

Download
memory/3712-24-0x00007FFC29530000-0x00007FFC29540000-memory.dmp

Filesize
64KB

Download
memory/3712-23-0x00007FFC29530000-0x00007FFC29540000-memory.dmp

Filesize
64KB

Download
memory/3712-7-0x00007FFC29530000-0x00007FFC29540000-memory.dmp

Filesize
64KB

Download