agenttesla | 154126bbe8728f8ee8a0971e5f0d35061b99a99ca98ab65af51bac9e2449340d

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2023, 15:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

payment status.exe
Size

1.0MB
MD5

ab759a461499b48e636a608de3ae2ab5
SHA1

f479d7f75ca2c650731cccaf4bc9f2804eae5cad
SHA256

154126bbe8728f8ee8a0971e5f0d35061b99a99ca98ab65af51bac9e2449340d
SHA512

b03ff1423c70efad1add8dbcf0a009467e8bf7f34cb881bb68e193158bc8fdf2bfc58f127523229c84e10084c6d20563e955440b3d7541ea4fcbeaafd275be62
SSDEEP

24576:XebbwpRJTD2Ab/7dbHTBbPLuPEkS7MuGxnsSqGfbzebqfg/UDqT329VH:XOlAb/7dbHTBbPLuPoDG+8fbzebd8qDq

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bezzleauto.com
Port:
587
Username:
[email protected]
Password:
Kene123456789
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	payment status.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	payment status.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2528 set thread context of 448	2528	payment status.exe	103

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4480	ipconfig.exe
4420	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2528	payment status.exe
4916	powershell.exe
448	payment status.exe
448	payment status.exe
4916	powershell.exe
1088	msedge.exe
1088	msedge.exe
4772	msedge.exe
4772	msedge.exe
4408	identity_helper.exe
4408	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2528	payment status.exe
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeDebugPrivilege	448	payment status.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 4468	2528	payment status.exe	87
PID 2528 wrote to memory of 4468	2528	payment status.exe	87
PID 2528 wrote to memory of 4468	2528	payment status.exe	87
PID 4468 wrote to memory of 4480	4468	cmd.exe	89
PID 4468 wrote to memory of 4480	4468	cmd.exe	89
PID 4468 wrote to memory of 4480	4468	cmd.exe	89
PID 2528 wrote to memory of 4916	2528	payment status.exe	98
PID 2528 wrote to memory of 4916	2528	payment status.exe	98
PID 2528 wrote to memory of 4916	2528	payment status.exe	98
PID 2528 wrote to memory of 1632	2528	payment status.exe	100
PID 2528 wrote to memory of 1632	2528	payment status.exe	100
PID 2528 wrote to memory of 1632	2528	payment status.exe	100
PID 1632 wrote to memory of 4420	1632	cmd.exe	102
PID 1632 wrote to memory of 4420	1632	cmd.exe	102
PID 1632 wrote to memory of 4420	1632	cmd.exe	102
PID 2528 wrote to memory of 448	2528	payment status.exe	103
PID 2528 wrote to memory of 448	2528	payment status.exe	103
PID 2528 wrote to memory of 448	2528	payment status.exe	103
PID 2528 wrote to memory of 448	2528	payment status.exe	103
PID 2528 wrote to memory of 448	2528	payment status.exe	103
PID 2528 wrote to memory of 448	2528	payment status.exe	103
PID 2528 wrote to memory of 448	2528	payment status.exe	103
PID 2528 wrote to memory of 448	2528	payment status.exe	103
PID 4916 wrote to memory of 1088	4916	powershell.exe	104
PID 4916 wrote to memory of 1088	4916	powershell.exe	104
PID 1088 wrote to memory of 4520	1088	msedge.exe	105
PID 1088 wrote to memory of 4520	1088	msedge.exe	105
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107
PID 1088 wrote to memory of 3108	1088	msedge.exe	107

C:\Users\Admin\AppData\Local\Temp\payment status.exe
"C:\Users\Admin\AppData\Local\Temp\payment status.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig /release
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4468
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:4480
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACcAaAB0AHQAcABzADoALwAvAGcAbwBvAGcAbABlAC4AYwBvAG0AJwA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://google.com/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1088
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbe5fb46f8,0x7ffbe5fb4708,0x7ffbe5fb4718
      4⤵
      PID:4520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,9642738759141835640,12066797808257020202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,9642738759141835640,12066797808257020202,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
      4⤵
      PID:3108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,9642738759141835640,12066797808257020202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
      4⤵
      PID:1392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9642738759141835640,12066797808257020202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
      4⤵
      PID:4216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9642738759141835640,12066797808257020202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
      4⤵
      PID:4076
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9642738759141835640,12066797808257020202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
      4⤵
      PID:1816
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,9642738759141835640,12066797808257020202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
      4⤵
      PID:4880
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,9642738759141835640,12066797808257020202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9642738759141835640,12066797808257020202,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
      4⤵
      PID:3396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9642738759141835640,12066797808257020202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
      4⤵
      PID:3844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9642738759141835640,12066797808257020202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
      4⤵
      PID:1936
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9642738759141835640,12066797808257020202,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
      4⤵
      PID:2516
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig /renew
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /renew
    3⤵
    - Gathers network information
    PID:4420
- C:\Users\Admin\AppData\Local\Temp\payment status.exe
  "C:\Users\Admin\AppData\Local\Temp\payment status.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
7932cc2ef3e8ffa4c1dd0a4997606d07

SHA1
c84cc524f6426f30e92a9fd63dac80cafd34dac9

SHA256
dfc15268615c95abe840f4144a684157dde6aa6adf2864fb6f7f48fbda7d28c1

SHA512
a8a7891e664b9f6f57956b646c2610340e1a541d68eda014901d588fcaa23fc3e4fc63eeb82c2b807bcaf564466e227c45d1b6e534c809b717e48314e2e99cc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c0eca2d00ddc013e41d7b3ecb8029b0f

SHA1
e331db9243b237b2c4b116b3e76b9c58e347b9e9

SHA256
3802e3aa1dc6471a31ba1ce8971c750bbc71449e8f9432f8e6304b2e70ec43a6

SHA512
815458edc9f6eacc64590583f0092620e62b3a4caf882ad28cddd70b129723975011e2e25757d63736a1d90dd7107b2c83f1ffc1625adc250cc34f75f6612cd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
de1e833a2bccf54c4814b873ca4df5f9

SHA1
34626460a271a39a0985b07f592c8783ce34857b

SHA256
6648714f9a4592954262896ae66e2d5ad6247839d3e10c4b6fbe552d3b291957

SHA512
84b364888977001477b91ebf1491a15be11dbaa1715571ac7907ac36ddeb616a784a959ecd33c8cd774b405448ed82f06eeadad5d4c8be248765b0cd61204ba1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
3a748249c8b0e04e77ad0d6723e564ff

SHA1
5c4cc0e5453c13ffc91f259ccb36acfb3d3fa729

SHA256
f98f5543c33c0b85b191bb85718ee7845982275130da1f09e904d220f1c6ceed

SHA512
53254db3efd9c075e4f24a915e0963563ce4df26d4771925199a605cd111ae5025a65f778b4d4ed8a9b3e83b558066cd314f37b84115d4d24c58207760174af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
38d35304387f4053f2c0f73a2cc7fd1c

SHA1
e1f97365361349236409eead87c9765af7658df2

SHA256
2bd2d5e58c4298f91e2c2179b1635fd2377f257aad90e3705175726b33760513

SHA512
57cda0cd8845038914bd91d02afa441915d6687f83e8b45e21b31be7728837c264047d283a4cefd4f4ad5ece2c5df1768e7e93c6cce3bc2c21a128e2b0e05a9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p1wycdk2.tlb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/448-24-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/448-45-0x0000000005CF0000-0x0000000005D40000-memory.dmp

Filesize
320KB

Download
memory/448-46-0x0000000005DE0000-0x0000000005E7C000-memory.dmp

Filesize
624KB

Download
memory/448-39-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/448-153-0x00000000063E0000-0x0000000006472000-memory.dmp

Filesize
584KB

Download
memory/448-38-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/448-18-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/448-19-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/448-154-0x0000000006370000-0x000000000637A000-memory.dmp

Filesize
40KB

Download
memory/2528-7-0x0000000005500000-0x000000000554C000-memory.dmp

Filesize
304KB

Download
memory/2528-6-0x00000000054C0000-0x0000000005500000-memory.dmp

Filesize
256KB

Download
memory/2528-8-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/2528-25-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/2528-5-0x0000000005340000-0x0000000005380000-memory.dmp

Filesize
256KB

Download
memory/2528-4-0x00000000052E0000-0x0000000005338000-memory.dmp

Filesize
352KB

Download
memory/2528-3-0x0000000005210000-0x0000000005274000-memory.dmp

Filesize
400KB

Download
memory/2528-2-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/2528-9-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/2528-13-0x00000000067D0000-0x0000000006D74000-memory.dmp

Filesize
5.6MB

Download
memory/2528-1-0x00000000007E0000-0x00000000008E8000-memory.dmp

Filesize
1.0MB

Download
memory/2528-0-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/4916-12-0x0000000002C70000-0x0000000002CA6000-memory.dmp

Filesize
216KB

Download
memory/4916-43-0x00000000067C0000-0x00000000067DA000-memory.dmp

Filesize
104KB

Download
memory/4916-44-0x0000000006830000-0x0000000006852000-memory.dmp

Filesize
136KB

Download
memory/4916-42-0x00000000072C0000-0x0000000007356000-memory.dmp

Filesize
600KB

Download
memory/4916-41-0x0000000006330000-0x000000000637C000-memory.dmp

Filesize
304KB

Download
memory/4916-50-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/4916-40-0x0000000006260000-0x000000000627E000-memory.dmp

Filesize
120KB

Download
memory/4916-37-0x0000000005D40000-0x0000000006094000-memory.dmp

Filesize
3.3MB

Download
memory/4916-32-0x0000000002C60000-0x0000000002C70000-memory.dmp

Filesize
64KB

Download
memory/4916-26-0x0000000002C60000-0x0000000002C70000-memory.dmp

Filesize
64KB

Download
memory/4916-23-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/4916-22-0x0000000005B90000-0x0000000005BF6000-memory.dmp

Filesize
408KB

Download
memory/4916-21-0x0000000005330000-0x0000000005396000-memory.dmp

Filesize
408KB

Download
memory/4916-17-0x0000000005290000-0x00000000052B2000-memory.dmp

Filesize
136KB

Download
memory/4916-16-0x00000000053B0000-0x00000000059D8000-memory.dmp

Filesize
6.2MB

Download
memory/4916-11-0x0000000002C60000-0x0000000002C70000-memory.dmp

Filesize
64KB

Download
memory/4916-10-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download