agenttesla | hxxps://www[.]mediafire[.]com/file/vh3m0xwmcvye4gu/INQUIRY+PDF[.]tgz/file

Analysis

max time kernel
121s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
11/12/2023, 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/vh3m0xwmcvye4gu/INQUIRY+PDF.tgz/file

Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot6613050989:AAFzqaU0JrKNv_WqHvgGwJ2x2m8dKJc8reM/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/5068-186-0x0000000006D90000-0x0000000006DA8000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 2 IoCs

pid	Process
5068	JTIpTAyy1lSKDJd.exe
436	JTIpTAyy1lSKDJd.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5068 set thread context of 436	5068	JTIpTAyy1lSKDJd.exe	131

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4132	msedge.exe
4132	msedge.exe
2000	msedge.exe
2000	msedge.exe
3664	identity_helper.exe
3664	identity_helper.exe
5172	msedge.exe
5172	msedge.exe
4752	7zFM.exe
4752	7zFM.exe
436	JTIpTAyy1lSKDJd.exe
436	JTIpTAyy1lSKDJd.exe
436	JTIpTAyy1lSKDJd.exe
2568	msedge.exe
2568	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5440	OpenWith.exe
4752	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	4752	7zFM.exe
Token: 35	4752	7zFM.exe
Token: SeSecurityPrivilege	4752	7zFM.exe
Token: SeSecurityPrivilege	4752	7zFM.exe
Token: SeDebugPrivilege	436	JTIpTAyy1lSKDJd.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
4752	7zFM.exe
4752	7zFM.exe
4752	7zFM.exe
4752	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5440	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1292	2000	msedge.exe	87
PID 2000 wrote to memory of 1292	2000	msedge.exe	87
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4640	2000	msedge.exe	89
PID 2000 wrote to memory of 4132	2000	msedge.exe	88
PID 2000 wrote to memory of 4132	2000	msedge.exe	88
PID 2000 wrote to memory of 4448	2000	msedge.exe	90
PID 2000 wrote to memory of 4448	2000	msedge.exe	90
PID 2000 wrote to memory of 4448	2000	msedge.exe	90
PID 2000 wrote to memory of 4448	2000	msedge.exe	90
PID 2000 wrote to memory of 4448	2000	msedge.exe	90
PID 2000 wrote to memory of 4448	2000	msedge.exe	90
PID 2000 wrote to memory of 4448	2000	msedge.exe	90
PID 2000 wrote to memory of 4448	2000	msedge.exe	90
PID 2000 wrote to memory of 4448	2000	msedge.exe	90
PID 2000 wrote to memory of 4448	2000	msedge.exe	90
PID 2000 wrote to memory of 4448	2000	msedge.exe	90
PID 2000 wrote to memory of 4448	2000	msedge.exe	90
PID 2000 wrote to memory of 4448	2000	msedge.exe	90
PID 2000 wrote to memory of 4448	2000	msedge.exe	90
PID 2000 wrote to memory of 4448	2000	msedge.exe	90
PID 2000 wrote to memory of 4448	2000	msedge.exe	90
PID 2000 wrote to memory of 4448	2000	msedge.exe	90
PID 2000 wrote to memory of 4448	2000	msedge.exe	90
PID 2000 wrote to memory of 4448	2000	msedge.exe	90
PID 2000 wrote to memory of 4448	2000	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/vh3m0xwmcvye4gu/INQUIRY+PDF.tgz/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9449a46f8,0x7ff9449a4708,0x7ff9449a4718
  2⤵
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,5755509032704806601,15206703796577785489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,5755509032704806601,15206703796577785489,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,5755509032704806601,15206703796577785489,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5755509032704806601,15206703796577785489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:2368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5755509032704806601,15206703796577785489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:3284
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,5755509032704806601,15206703796577785489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  PID:888
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,5755509032704806601,15206703796577785489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5755509032704806601,15206703796577785489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:2956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5755509032704806601,15206703796577785489,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5755509032704806601,15206703796577785489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
  2⤵
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,5755509032704806601,15206703796577785489,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4064 /prefetch:8
  2⤵
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5755509032704806601,15206703796577785489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
  2⤵
  PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5755509032704806601,15206703796577785489,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,5755509032704806601,15206703796577785489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5632 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5755509032704806601,15206703796577785489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
  2⤵
  PID:5160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,5755509032704806601,15206703796577785489,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1880 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:460

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5440

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6064

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\INQUIRY PDF.tgz"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4752
- C:\Users\Admin\AppData\Local\Temp\7zO09295ED8\JTIpTAyy1lSKDJd.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO09295ED8\JTIpTAyy1lSKDJd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5068
- - C:\Users\Admin\AppData\Local\Temp\7zO09295ED8\JTIpTAyy1lSKDJd.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO09295ED8\JTIpTAyy1lSKDJd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JTIpTAyy1lSKDJd.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7c89e9212e22e92acc3d335fe9a44fe6

SHA1
c43c7e1b5fb58a40a01a6d8dd947c41a48e0b41f

SHA256
18c46c863404b31fcce434662806fa34daff0f9af0a9379d898f772b5c398b44

SHA512
c6961c171af63ddc7a72aaba4c9d910cc6a424794c416cd1ce51206f7c7f1100ca51c9e41d07d68489105dccded2294c1d761a8dc6be80d22c661014efd6a9ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
185B

MD5
b69adcfb75f2916b35c51474352bb803

SHA1
c4646f34326f902dcdd824338e0e9d9ec98c1eca

SHA256
ba460330a066edf83b12d01733f71ee2e5a1d9ff657473ce6a02c1d55635d971

SHA512
6074e327f9c72839df92f70fc623773128abbe598a6af6ac65f57fdcc94b219a5718721676e5e7c982383861ae40b6cb8a9284f0fa2b0db1c05192ab89fbd36f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8a3e44d8e1a5e4bc4619716707429829

SHA1
47b97b1fd4e268ee5afb09d8b07687604a58448a

SHA256
5a617d4ba719386c52c9c49436f4575741e485d5ea86d17086640799f5c1526d

SHA512
268b135a1ba7822be335759011c2777ba088ed3a5ff8ebfc6d6f22ada1e96b3f30dd993ff29163b1149133b54b3449556df14ba26e8e462d88c5fa72c3bc12e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a5b03e323d99fd76506eb24139d79611

SHA1
af23e5e8d65b4fe9dbfec30d1365a941af10448c

SHA256
491dd95f593810a6f5d76001e79e661e252a556a3cede2d79943a08046d48b16

SHA512
0c594bbc87e724ee9116f8812b4dafea6a27df42a48359952c1bf79c373beb986f16c5abff818d2ced747bc775aebbcc605057ab120988e2c3276d047bf8b1f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
d7b2b29ef1d9a33e61e1167984c8ca3e

SHA1
9a0da1a3cf9003ecf6aba220a8a00ca34a7ebd34

SHA256
7d4bbec0e8bf4e62f352750240a0bc0f7844d58fea590bc6a9fc972c3b752dc2

SHA512
3cc40b7e35c0749e419b035a73768c8f76bace77ed44be6a59469a032b643da15162733e5aaa94064494b055858a24e4f79326a863f31f1c28eab44cec35cbec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
50f5e8432e585da5f07887d6183f7e9f

SHA1
db3f3de37807f4cb258cdc660dd58fa08205708e

SHA256
a088b9886a95364742f9d7a9b17fa2ed1c87e2e9f04290e0c530aded55a68aa2

SHA512
1aa8621e0f85f8dffb369ffdef19ffa7bd37e3347540d0728e561dcb3cda00cc2709d37d498b8987e2537bb6d9fbacc65974549fc901fce2cf8cd6b2581fe0f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
67f64cc8d492e97286aa755abc16f821

SHA1
f821a6cc7e8dfdb3ecd890a94f8f19ad8bc84122

SHA256
47833cd46935647cea57ef76baaccc919572934fc351929decca78e0cb453d8e

SHA512
0999f72a41ac68497b8b74a7151822723533b7f8a5420b89f8273dcd4ddaf0095e48aaa9f0358230fe3d1a4cfc463995f7bbc241f3d306f219f7130a0e3400ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO09295ED8\JTIpTAyy1lSKDJd.exe

Filesize
9.3MB

MD5
97e57625791809040d7f1e752f521191

SHA1
e69078dcaecf9ec690b9702e4efc72ef573640ef

SHA256
bc3d8184164057c9af87626f5d060d5fb2ec4dde92600a8cb2e565796d46395b

SHA512
09a523e0564da24eecffc87afd58a892f6c521b8758d75daaa752e996d62e84b15b7a4868027a0504f2bf8b8cbf4b450f3e5adf301c59fd89ab9e251a159537f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO09295ED8\JTIpTAyy1lSKDJd.exe

Filesize
5.6MB

MD5
417e4525e33a7fd6b07e296aea9fed8c

SHA1
77081eaa2ca95cbc7f8b7afd6202e9da8a6e77d8

SHA256
e308bd13c7093cc70139b9c31fd89ba897c7a0e87dd733a811716af30b19f58c

SHA512
13b15b98db00d7b688ed4ec39eba1713e6b7d51c00224205b0a8736c10e381dc3a511fa57443f8c72d97d4cdaec469212d2a5fd32d9a35e8cd1f28fadfda450c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO09295ED8\JTIpTAyy1lSKDJd.exe

Filesize
4.9MB

MD5
7b2fee2a6d3804d5cf8a02c4ac210789

SHA1
79bf25b9a09a2b03ddde4d85d037f8d1a1c5a862

SHA256
27da4daa8a3b1bd32c13a7b51a81598c1662d555b9ec9f2aa3d67f827fb641c2

SHA512
52055631eabf7af554ee89aa7e78255170b943f78039ea1c0d73ff87e2b9ddea9cefcd351b5a332aa70c6209c006f5f1d8e27cbf58ac07d67f6c82d5ca22037e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO09295ED8\JTIpTAyy1lSKDJd.exe

Filesize
780KB

MD5
f1764667eb1b43477e7fb566bf83c14d

SHA1
05215d5f67f3a35de73ce67da4c5366478c71345

SHA256
8eeafa67555dc253c7c388466c07d157ef9ac21f72b9428091b76e6aff386591

SHA512
f6caf09836b67efd7af19890dd1ffd5e31b5e363557d5bed5d859ac900da1260a8c7fce678fb82ef3890e0c68ad7d121534904b561c1dab0adf53f06fc8036c4

Download Submit
C:\Users\Admin\Downloads\INQUIRY PDF.tgz

Filesize
1.5MB

MD5
88b93edb04dbfb83cfc33cb4f930e521

SHA1
9b8a4371622fc8ac62708846941c0e38bbd1b2b2

SHA256
2d1518e380ad0097d9e3b182bba0d826ffb26000e4aac79000ce3d0df6a8e270

SHA512
b5d27f0440ad26fa138c9364b99d1f8476cad450f95ec94e18d3d5e01617bdbb8fa3630392572edaf3d9b3a6a3824984c7334a922df32cede2c72f92140fd56e

Download Submit
memory/436-205-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/436-204-0x0000000074DA0000-0x0000000075550000-memory.dmp

Filesize
7.7MB

Download
memory/436-191-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/436-199-0x0000000005D00000-0x0000000005D50000-memory.dmp

Filesize
320KB

Download
memory/436-198-0x0000000004EE0000-0x0000000004F46000-memory.dmp

Filesize
408KB

Download
memory/436-197-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/436-196-0x0000000074DA0000-0x0000000075550000-memory.dmp

Filesize
7.7MB

Download
memory/5068-182-0x0000000005870000-0x0000000005E14000-memory.dmp

Filesize
5.6MB

Download
memory/5068-190-0x000000000C560000-0x000000000C5FC000-memory.dmp

Filesize
624KB

Download
memory/5068-189-0x0000000009440000-0x00000000094BC000-memory.dmp

Filesize
496KB

Download
memory/5068-188-0x0000000005860000-0x000000000586A000-memory.dmp

Filesize
40KB

Download
memory/5068-187-0x00000000057D0000-0x00000000057D8000-memory.dmp

Filesize
32KB

Download
memory/5068-195-0x0000000074DA0000-0x0000000075550000-memory.dmp

Filesize
7.7MB

Download
memory/5068-186-0x0000000006D90000-0x0000000006DA8000-memory.dmp

Filesize
96KB

Download
memory/5068-185-0x00000000055B0000-0x00000000055BA000-memory.dmp

Filesize
40KB

Download
memory/5068-184-0x0000000005480000-0x0000000005490000-memory.dmp

Filesize
64KB

Download
memory/5068-183-0x00000000052C0000-0x0000000005352000-memory.dmp

Filesize
584KB

Download
memory/5068-181-0x0000000074DA0000-0x0000000075550000-memory.dmp

Filesize
7.7MB

Download
memory/5068-180-0x0000000000960000-0x0000000000A14000-memory.dmp

Filesize
720KB

Download