agenttesla | 7913afc6334343706d7b99ba2f17fb2c2bb14a35dbd9a29852c842863869ace9

Analysis

max time kernel
145s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2023, 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase order (2).exe
Size

2.1MB
MD5

8fb77e0a72fd58877460ae734179d388
SHA1

2dba24ec72dcd704d98d96de2b93d4c9c3f82f26
SHA256

61af5cbcf8452d49cd6a2f9e562bebcd55a560a68aba7bf1d591f01bbb9c0290
SHA512

d3dd24ad1ebd82ff276b9c07a5597a7154045fa1ab94325691c4f4f7ad6a3930b16f6d1b6d20349874091ee5fa518f79acbdf52f67ab1d09ac2d94ae66740a20
SSDEEP

49152:XVSZZ9WBVVjJNOUrrbsyc2TP0DHEwb3zxG6R:hrrDwbzxG

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bezzleauto.com
Port:
587
Username:
[email protected]
Password:
kex#-rHjHM4qKk52
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	Purchase order (2).exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	Purchase order (2).exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2288 set thread context of 4232	2288	Purchase order (2).exe	111

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2476	ipconfig.exe
3192	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2288	Purchase order (2).exe
948	powershell.exe
948	powershell.exe
3124	msedge.exe
3124	msedge.exe
2240	msedge.exe
2240	msedge.exe
2288	Purchase order (2).exe
2288	Purchase order (2).exe
4232	Purchase order (2).exe
4232	Purchase order (2).exe
4232	Purchase order (2).exe
3500	identity_helper.exe
3500	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2288	Purchase order (2).exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	4232	Purchase order (2).exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 1620	2288	Purchase order (2).exe	86
PID 2288 wrote to memory of 1620	2288	Purchase order (2).exe	86
PID 2288 wrote to memory of 1620	2288	Purchase order (2).exe	86
PID 1620 wrote to memory of 2476	1620	cmd.exe	88
PID 1620 wrote to memory of 2476	1620	cmd.exe	88
PID 1620 wrote to memory of 2476	1620	cmd.exe	88
PID 2288 wrote to memory of 948	2288	Purchase order (2).exe	98
PID 2288 wrote to memory of 948	2288	Purchase order (2).exe	98
PID 2288 wrote to memory of 948	2288	Purchase order (2).exe	98
PID 2288 wrote to memory of 4152	2288	Purchase order (2).exe	100
PID 2288 wrote to memory of 4152	2288	Purchase order (2).exe	100
PID 2288 wrote to memory of 4152	2288	Purchase order (2).exe	100
PID 4152 wrote to memory of 3192	4152	cmd.exe	102
PID 4152 wrote to memory of 3192	4152	cmd.exe	102
PID 4152 wrote to memory of 3192	4152	cmd.exe	102
PID 948 wrote to memory of 3124	948	powershell.exe	103
PID 948 wrote to memory of 3124	948	powershell.exe	103
PID 3124 wrote to memory of 3444	3124	msedge.exe	104
PID 3124 wrote to memory of 3444	3124	msedge.exe	104
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 4396	3124	msedge.exe	105
PID 3124 wrote to memory of 2240	3124	msedge.exe	106
PID 3124 wrote to memory of 2240	3124	msedge.exe	106
PID 3124 wrote to memory of 3548	3124	msedge.exe	107
PID 3124 wrote to memory of 3548	3124	msedge.exe	107
PID 3124 wrote to memory of 3548	3124	msedge.exe	107

C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe
"C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig /release
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:2476
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACcAaAB0AHQAcABzADoALwAvAGcAbwBvAGcAbABlAC4AYwBvAG0AJwA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://google.com/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff4d4546f8,0x7fff4d454708,0x7fff4d454718
      4⤵
      PID:3444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,6754855910405211244,16873766972456573635,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
      4⤵
      PID:4396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,6754855910405211244,16873766972456573635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,6754855910405211244,16873766972456573635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
      4⤵
      PID:3548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,6754855910405211244,16873766972456573635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
      4⤵
      PID:4500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,6754855910405211244,16873766972456573635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
      4⤵
      PID:2284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,6754855910405211244,16873766972456573635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
      4⤵
      PID:4564
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,6754855910405211244,16873766972456573635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
      4⤵
      PID:4648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,6754855910405211244,16873766972456573635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,6754855910405211244,16873766972456573635,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
      4⤵
      PID:2076
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,6754855910405211244,16873766972456573635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
      4⤵
      PID:3856
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,6754855910405211244,16873766972456573635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
      4⤵
      PID:4256
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,6754855910405211244,16873766972456573635,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
      4⤵
      PID:4496
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig /renew
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4152
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /renew
    3⤵
    - Gathers network information
    PID:3192
- C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe"
  2⤵
  PID:1100
- C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase order (2).exe.log

Filesize
927B

MD5
4a911455784f74e368a4c2c7876d76f4

SHA1
a1700a0849ffb4f26671eb76da2489946b821c34

SHA256
264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c

SHA512
4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
955b9f11bbd56856aa4476e5d927087d

SHA1
fdfee40ce75de07c59e923ac2571d263ab01d556

SHA256
002d11e3c9a1d62aa067e772834b4504850625ca222eb0fc49e50b798f4da7ae

SHA512
200aac068ebbbd7c7e93bc65833269dd781695b9e86b80a08f6dd060d7afbd08d77d47c235d33795f46ef8f10f02b7cb71a9aaef052b2445cf6e9c633ed84a11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
b4b9730ae84107f8e842c2e24b26d0f6

SHA1
c256f92f3883a4244dde7c844f916dca52c1a75b

SHA256
a7ed25fe78994096a2d5503132f2d4d9914bdc96eb90a5e9e31e72599dce1d58

SHA512
36bc8a8f805a0fc785b36c260124a89aa31cfdbb94650277bc7fa7023193a40ff7edf1ee931ea70fb2f6e7d9fc3eaecce66d0e739f1fc648847215711c49b4ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
60e1d822b37a1d76e29a252c4d538b18

SHA1
626e0d3f564b5dbb953ae07fe596fd01a4787379

SHA256
b44029a84a477c07f0178f57fe784d0e6206486271123d10f48e7f668aa72402

SHA512
9994e40c8da4ac0675f8c4d5ce5ce32513521c0f7f12d724336054fa1c8f7e861f6e3ecb70675ad0992824d8ac05aa1ea6d706bddd1e085c7c53c46b64c1113e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
11bfa7107edee1e8ba14a227e10cafc0

SHA1
eec2f1e6650fe2b510e1349d21f89453b83dbb4c

SHA256
e2b6f96a1ac11a38e7c823005d1cbd74f1d4de9a93c0f4d5ae905771732e0177

SHA512
2b2c4fddc8c0461699013e0d82f21b7de16d52ebd742387be22294ce9a44ddf12c110645d5f164a694644bc0327ad24de17238248ab2e801f9e7347cc3f564de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e05436aebb117e9919978ca32bbcefd9

SHA1
97b2af055317952ce42308ea69b82301320eb962

SHA256
cc9bd0953e70356e31a957ad9a9b1926f5e2a9f6a297cdef303ac693a2a86b7f

SHA512
11328e9514ffaa3c1eab84fae06595d75c8503bd5601adfd806182d46065752885a871b738439b356d1bb2c1ac71fc81e9d46bd2d0daa1b2ba0f40543bf952b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
dc41859712c6743a2e37adaf48d27d24

SHA1
cf242ee9745f987c432e531d60848cce55954467

SHA256
933bbe55dc057fdc4eca04c04eb76f4b996a5a6947d84d9743cb5392a4dd6679

SHA512
35000ddced93221447117a188ac686baaf49c69a4da2a5a875d587bd2494297a4c7d8a7f176c7b543ddcbbe8464a792b5d0a23180615706aca1812d55524a453

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u5z5rgtf.zif.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/948-32-0x0000000007910000-0x00000000079A6000-memory.dmp

Filesize
600KB

Download
memory/948-9-0x0000000005270000-0x00000000052A6000-memory.dmp

Filesize
216KB

Download
memory/948-16-0x00000000058E0000-0x0000000005F08000-memory.dmp

Filesize
6.2MB

Download
memory/948-17-0x0000000005720000-0x0000000005742000-memory.dmp

Filesize
136KB

Download
memory/948-18-0x0000000005F10000-0x0000000005F76000-memory.dmp

Filesize
408KB

Download
memory/948-19-0x0000000005FF0000-0x0000000006056000-memory.dmp

Filesize
408KB

Download
memory/948-12-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/948-25-0x0000000006220000-0x0000000006574000-memory.dmp

Filesize
3.3MB

Download
memory/948-30-0x00000000068A0000-0x00000000068BE000-memory.dmp

Filesize
120KB

Download
memory/948-31-0x00000000068D0000-0x000000000691C000-memory.dmp

Filesize
304KB

Download
memory/948-15-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/948-33-0x0000000006D70000-0x0000000006D8A000-memory.dmp

Filesize
104KB

Download
memory/948-34-0x0000000006DF0000-0x0000000006E12000-memory.dmp

Filesize
136KB

Download
memory/948-38-0x0000000074630000-0x0000000074DE0000-memory.dmp

Filesize
7.7MB

Download
memory/948-11-0x0000000074630000-0x0000000074DE0000-memory.dmp

Filesize
7.7MB

Download
memory/2288-6-0x0000000004F50000-0x0000000004F9C000-memory.dmp

Filesize
304KB

Download
memory/2288-3-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/2288-1-0x0000000074630000-0x0000000074DE0000-memory.dmp

Filesize
7.7MB

Download
memory/2288-8-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/2288-73-0x0000000074630000-0x0000000074DE0000-memory.dmp

Filesize
7.7MB

Download
memory/2288-2-0x0000000004E20000-0x0000000004E78000-memory.dmp

Filesize
352KB

Download
memory/2288-10-0x0000000006130000-0x00000000066D4000-memory.dmp

Filesize
5.6MB

Download
memory/2288-4-0x0000000004E80000-0x0000000004EC0000-memory.dmp

Filesize
256KB

Download
memory/2288-5-0x0000000004F10000-0x0000000004F50000-memory.dmp

Filesize
256KB

Download
memory/2288-7-0x0000000074630000-0x0000000074DE0000-memory.dmp

Filesize
7.7MB

Download
memory/2288-0-0x00000000002C0000-0x00000000004E4000-memory.dmp

Filesize
2.1MB

Download
memory/4232-110-0x0000000006270000-0x000000000630C000-memory.dmp

Filesize
624KB

Download
memory/4232-109-0x0000000006180000-0x00000000061D0000-memory.dmp

Filesize
320KB

Download
memory/4232-74-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/4232-72-0x0000000074630000-0x0000000074DE0000-memory.dmp

Filesize
7.7MB

Download
memory/4232-154-0x0000000074630000-0x0000000074DE0000-memory.dmp

Filesize
7.7MB

Download
memory/4232-164-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/4232-165-0x00000000065F0000-0x0000000006682000-memory.dmp

Filesize
584KB

Download
memory/4232-166-0x0000000006590000-0x000000000659A000-memory.dmp

Filesize
40KB

Download
memory/4232-69-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download