agenttesla | 9f468e738ac7218f377e20302bedf378c573b15e54f46b786e4a6b5a2081fc8b

Analysis

max time kernel
149s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2023 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order 4500039272 Approved.exe
Size

347KB
MD5

5cef4d15bae43132b36b2db81601aa16
SHA1

58ad81c84ec579dc5e15b1b84a4939d398f97481
SHA256

9f468e738ac7218f377e20302bedf378c573b15e54f46b786e4a6b5a2081fc8b
SHA512

33ff6dbb8e0abe7af5951abcf820f162b718825f716038c22c15f552f1a83097d32ed36f616f9b9a26859e4afcefaa86508b8ffbff1b3748fb08b78ae960588f
SSDEEP

6144:p0T5IUfFhkWbNyNffNfcTyg4XQdzQ9A185RDhq+2t55VEub:ppUthk2YNiegnzJ1ADhq1/9

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bezzleauto.com
Port:
587
Username:
[email protected]
Password:
Kene123456789
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\International\Geo\Nation	Purchase Order 4500039272 Approved.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pdf = "C:\\Users\\Admin\\AppData\\Roaming\\pdf.exe"	Purchase Order 4500039272 Approved.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
68	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4008 set thread context of 5016	4008	Purchase Order 4500039272 Approved.exe	118

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3376	ipconfig.exe
4292	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4008	Purchase Order 4500039272 Approved.exe
388	powershell.exe
388	powershell.exe
440	msedge.exe
440	msedge.exe
1428	msedge.exe
1428	msedge.exe
2936	identity_helper.exe
2936	identity_helper.exe
5016	Purchase Order 4500039272 Approved.exe
5016	Purchase Order 4500039272 Approved.exe
5016	Purchase Order 4500039272 Approved.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4008	Purchase Order 4500039272 Approved.exe
Token: SeDebugPrivilege	388	powershell.exe
Token: SeDebugPrivilege	5016	Purchase Order 4500039272 Approved.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 2416	4008	Purchase Order 4500039272 Approved.exe	93
PID 4008 wrote to memory of 2416	4008	Purchase Order 4500039272 Approved.exe	93
PID 4008 wrote to memory of 2416	4008	Purchase Order 4500039272 Approved.exe	93
PID 2416 wrote to memory of 4292	2416	cmd.exe	92
PID 2416 wrote to memory of 4292	2416	cmd.exe	92
PID 2416 wrote to memory of 4292	2416	cmd.exe	92
PID 4008 wrote to memory of 388	4008	Purchase Order 4500039272 Approved.exe	104
PID 4008 wrote to memory of 388	4008	Purchase Order 4500039272 Approved.exe	104
PID 4008 wrote to memory of 388	4008	Purchase Order 4500039272 Approved.exe	104
PID 4008 wrote to memory of 5020	4008	Purchase Order 4500039272 Approved.exe	101
PID 4008 wrote to memory of 5020	4008	Purchase Order 4500039272 Approved.exe	101
PID 4008 wrote to memory of 5020	4008	Purchase Order 4500039272 Approved.exe	101
PID 5020 wrote to memory of 3376	5020	cmd.exe	102
PID 5020 wrote to memory of 3376	5020	cmd.exe	102
PID 5020 wrote to memory of 3376	5020	cmd.exe	102
PID 388 wrote to memory of 1428	388	powershell.exe	106
PID 388 wrote to memory of 1428	388	powershell.exe	106
PID 1428 wrote to memory of 3456	1428	msedge.exe	105
PID 1428 wrote to memory of 3456	1428	msedge.exe	105
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 4228	1428	msedge.exe	107
PID 1428 wrote to memory of 440	1428	msedge.exe	109
PID 1428 wrote to memory of 440	1428	msedge.exe	109
PID 1428 wrote to memory of 2596	1428	msedge.exe	108
PID 1428 wrote to memory of 2596	1428	msedge.exe	108
PID 1428 wrote to memory of 2596	1428	msedge.exe	108

C:\Users\Admin\AppData\Local\Temp\Purchase Order 4500039272 Approved.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order 4500039272 Approved.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig /release
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2416
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig /renew
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /renew
    3⤵
    - Gathers network information
    PID:3376
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACcAaAB0AHQAcABzADoALwAvAGcAbwBvAGcAbABlAC4AYwBvAG0AJwA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://google.com/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,1655016290752615689,15751646132265624196,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
      4⤵
      PID:4228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,1655016290752615689,15751646132265624196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2972 /prefetch:8
      4⤵
      PID:2596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,1655016290752615689,15751646132265624196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2604 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1655016290752615689,15751646132265624196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
      4⤵
      PID:4756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1655016290752615689,15751646132265624196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
      4⤵
      PID:756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1655016290752615689,15751646132265624196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
      4⤵
      PID:2208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,1655016290752615689,15751646132265624196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2936
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,1655016290752615689,15751646132265624196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
      4⤵
      PID:1952
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1655016290752615689,15751646132265624196,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
      4⤵
      PID:3240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1655016290752615689,15751646132265624196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
      4⤵
      PID:3396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1655016290752615689,15751646132265624196,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
      4⤵
      PID:1684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1655016290752615689,15751646132265624196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
      4⤵
      PID:3472
- C:\Users\Admin\AppData\Local\Temp\Purchase Order 4500039272 Approved.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order 4500039272 Approved.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5016

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
1⤵
- Gathers network information
PID:4292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffbdd346f8,0x7fffbdd34708,0x7fffbdd34718
1⤵
PID:3456

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order 4500039272 Approved.exe.log

Filesize
927B

MD5
4a911455784f74e368a4c2c7876d76f4

SHA1
a1700a0849ffb4f26671eb76da2489946b821c34

SHA256
264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c

SHA512
4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
26f8219c59547d181c1f9070c2f5b050

SHA1
cbe34c1b41c0d86e1dff1a0bd82b6c803085a39f

SHA256
3f534bb6f67e07afe3baf85bf750122c2e00b86df6aa258e5752dc6c946fc2d2

SHA512
1600ed7fb809d9f4fd571b99e606ac92f0054f684b6b7a3b72ede39d5edaf458cf551c568ca1bf967326bfbdaf2f7178906fb8d15d82c52049fb6c74205c9f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
01e0a9208849e9a95d43c2604670cac5

SHA1
acc036439cbf0dfae269e740efad8bbf4c92e99d

SHA256
ce1a09a942ebc3d5c010363515b0e2d3b02088382b209e1a76efa9bd0b0146db

SHA512
26bbe6fdcb58d22daf2babcf2165aa7f1d0d17a8e4dd2d1055a6320dc0ac2748a16adf97a9386604a712efcf6a5a6ca20263eae56879f12aba5a7a2333ed9ebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
657ef3b7c5c7d9cda7ed7414917faca2

SHA1
83274ddd875a64dcb860caae44d01cd2f2b20f38

SHA256
bae39f2dc16ca846b9592eb01e585d3ac17293caeb7822278db66ea283d0ead5

SHA512
f2c374a0103ee7a24a506cd3ffc9a6d12dc6b4f7502431d8ad8be8eeca9f7a345386b52f80035a5fdb314150c383282014efc8afd9d14efc755b3d974dc01ff3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
784fa48df115787e7b0978c849c9553a

SHA1
f512df6dfb1626d2090e75127b5dca0e1875e179

SHA256
2b8c78328aef6a7aa7ee44d3b9a8eeddd31d1ccd1908bddfc564d6bd608fe171

SHA512
fdb9639fc4fda3e2a966c7cfdcdb7ee36b972f2368873ac65df076f93cb3bae95ae72811b10f6fb91fdc558aba44bc768a186328afc8a41563cdb3ecb4fb5802

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
bc31f9c58322cd1b8eb8a246be508c80

SHA1
a2ddff1b61ec55b2b0a0286525d56602f94ee208

SHA256
3e48d1f92eac300ee1a79ab17d281f11c0a9c41380a53a884daf73bc6de7aebd

SHA512
9c7e769a2d32855510b374e00d5ee8414db7efe547907747c8c3e2756376ad829e0f284d665b8e28df77ba58fcc84c3fae49c8af775abde3ae1c75b02883fccb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c09deeb2-bd2f-4483-8f7f-9eb5a2f92da5.tmp

Filesize
6KB

MD5
2e7fcf86bfc6cd6f10f62a7b30ccbefa

SHA1
a72804c3b57422246b3bdf15c45cdd47dff37ee6

SHA256
de56bec4abc43c0e02ca8c49cb97b398fc76067b49d4f5625a242bfc113bdb77

SHA512
56fbbfb9c905909e36340981cf0193a02884637ff969cc589cfc63397097db7814b9daafccfa245e89fca55250d8c8614f9c66aab0af0d134a5eb5e5aa676011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
28ac58ef4a668db2cab30f338ad08466

SHA1
26d507897f45983b6c57d48d16e546622b7ba2cd

SHA256
69a1ed3e20ae0639a55f87b20bc915e3a615db775006df0a1075981b50f6f3af

SHA512
d3c13da77ed5930b92308e5fc1cbb10717e1053449d370e10161a48ded94351c39cc5497f7f74669bdc211fc224e05159f167e21887cbfc3239a08a657207b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lrkuptqm.k1f.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/388-33-0x0000000006A00000-0x0000000006A22000-memory.dmp

Filesize
136KB

Download
memory/388-18-0x0000000005E30000-0x0000000005E96000-memory.dmp

Filesize
408KB

Download
memory/388-17-0x0000000005DC0000-0x0000000005E26000-memory.dmp

Filesize
408KB

Download
memory/388-30-0x00000000064F0000-0x000000000653C000-memory.dmp

Filesize
304KB

Download
memory/388-16-0x0000000005490000-0x00000000054B2000-memory.dmp

Filesize
136KB

Download
memory/388-14-0x0000000003030000-0x0000000003040000-memory.dmp

Filesize
64KB

Download
memory/388-13-0x0000000005690000-0x0000000005CB8000-memory.dmp

Filesize
6.2MB

Download
memory/388-12-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/388-10-0x0000000002E50000-0x0000000002E86000-memory.dmp

Filesize
216KB

Download
memory/388-29-0x00000000064C0000-0x00000000064DE000-memory.dmp

Filesize
120KB

Download
memory/388-15-0x0000000003030000-0x0000000003040000-memory.dmp

Filesize
64KB

Download
memory/388-32-0x00000000069B0000-0x00000000069CA000-memory.dmp

Filesize
104KB

Download
memory/388-31-0x0000000007470000-0x0000000007506000-memory.dmp

Filesize
600KB

Download
memory/388-37-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/388-28-0x0000000005EA0000-0x00000000061F4000-memory.dmp

Filesize
3.3MB

Download
memory/4008-8-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/4008-5-0x00000000055B0000-0x00000000055F0000-memory.dmp

Filesize
256KB

Download
memory/4008-9-0x0000000006880000-0x0000000006E24000-memory.dmp

Filesize
5.6MB

Download
memory/4008-7-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/4008-2-0x00000000054A0000-0x00000000054FA000-memory.dmp

Filesize
360KB

Download
memory/4008-1-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/4008-105-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/4008-3-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/4008-4-0x0000000002E70000-0x0000000002EB2000-memory.dmp

Filesize
264KB

Download
memory/4008-6-0x00000000055F0000-0x000000000563C000-memory.dmp

Filesize
304KB

Download
memory/4008-0-0x0000000000B30000-0x0000000000B8C000-memory.dmp

Filesize
368KB

Download
memory/5016-107-0x0000000002BF0000-0x0000000002C00000-memory.dmp

Filesize
64KB

Download
memory/5016-115-0x0000000006710000-0x00000000067AC000-memory.dmp

Filesize
624KB

Download
memory/5016-114-0x0000000006620000-0x0000000006670000-memory.dmp

Filesize
320KB

Download
memory/5016-102-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5016-156-0x0000000006850000-0x00000000068E2000-memory.dmp

Filesize
584KB

Download
memory/5016-157-0x00000000067D0000-0x00000000067DA000-memory.dmp

Filesize
40KB

Download
memory/5016-158-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/5016-159-0x0000000002BF0000-0x0000000002C00000-memory.dmp

Filesize
64KB

Download
memory/5016-106-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download