agenttesla | 53eeff9f4fa0473d90cf4abe978ff60d5898d2527924a593ef877303cab88a5b

Analysis

max time kernel
26s
max time network
19s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2024 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Byte Guard Free.exe
Size

2.4MB
MD5

32eee970bec927fd068197918edac5a4
SHA1

8aa4820931aa228856f12fc516f886dab4d12e28
SHA256

53eeff9f4fa0473d90cf4abe978ff60d5898d2527924a593ef877303cab88a5b
SHA512

d47d2fbc9d4b9a47d0b5b1076aaa89b20ba72a9625e9fcfd57f000bc14abc11aff60123667bbb6998fa5bdff65b7207f410cc6008207fc2362db1d99c80afbe8
SSDEEP

49152:3Ls8e8SkGMITYbNbNWo4kSH3OqtwI2MrBm6w30IfRaRf:3PecGMIT4bNJFY3OqtxdmDDJef

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral2/memory/1200-6-0x00000000064D0000-0x00000000066E4000-memory.dmp	family_agenttesla

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
33	discord.com
34	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ipinfo.io
8	ipinfo.io

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Byte Guard Free.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Byte Guard Free.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Byte Guard Free.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Byte Guard Free.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe
1200	Byte Guard Free.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1200	Byte Guard Free.exe
Token: SeDebugPrivilege	4584	taskmgr.exe
Token: SeSystemProfilePrivilege	4584	taskmgr.exe
Token: SeCreateGlobalPrivilege	4584	taskmgr.exe
Token: 33	4584	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4584	taskmgr.exe

Suspicious use of FindShellTrayWindow 61 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe

Suspicious use of SendNotifyMessage 59 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe
4584	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 4856	1200	Byte Guard Free.exe	92
PID 1200 wrote to memory of 4856	1200	Byte Guard Free.exe	92
PID 4856 wrote to memory of 3156	4856	msedge.exe	93
PID 4856 wrote to memory of 3156	4856	msedge.exe	93
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3792	4856	msedge.exe	94
PID 4856 wrote to memory of 3632	4856	msedge.exe	95
PID 4856 wrote to memory of 3632	4856	msedge.exe	95
PID 4856 wrote to memory of 2068	4856	msedge.exe	96
PID 4856 wrote to memory of 2068	4856	msedge.exe	96
PID 4856 wrote to memory of 2068	4856	msedge.exe	96
PID 4856 wrote to memory of 2068	4856	msedge.exe	96
PID 4856 wrote to memory of 2068	4856	msedge.exe	96
PID 4856 wrote to memory of 2068	4856	msedge.exe	96
PID 4856 wrote to memory of 2068	4856	msedge.exe	96
PID 4856 wrote to memory of 2068	4856	msedge.exe	96
PID 4856 wrote to memory of 2068	4856	msedge.exe	96
PID 4856 wrote to memory of 2068	4856	msedge.exe	96
PID 4856 wrote to memory of 2068	4856	msedge.exe	96
PID 4856 wrote to memory of 2068	4856	msedge.exe	96
PID 4856 wrote to memory of 2068	4856	msedge.exe	96
PID 4856 wrote to memory of 2068	4856	msedge.exe	96
PID 4856 wrote to memory of 2068	4856	msedge.exe	96
PID 4856 wrote to memory of 2068	4856	msedge.exe	96
PID 4856 wrote to memory of 2068	4856	msedge.exe	96
PID 4856 wrote to memory of 2068	4856	msedge.exe	96

C:\Users\Admin\AppData\Local\Temp\Byte Guard Free.exe
"C:\Users\Admin\AppData\Local\Temp\Byte Guard Free.exe"
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/g3pH5NZESD
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8faf546f8,0x7ff8faf54708,0x7ff8faf54718
    3⤵
    PID:3156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,17790664595701213700,10566135230130028066,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
    3⤵
    PID:3792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,17790664595701213700,10566135230130028066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
    3⤵
    PID:3632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,17790664595701213700,10566135230130028066,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
    3⤵
    PID:2068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17790664595701213700,10566135230130028066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
    3⤵
    PID:4836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17790664595701213700,10566135230130028066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
    3⤵
    PID:1044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17790664595701213700,10566135230130028066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
    3⤵
    PID:4796

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4320

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9eb20214ae533fa98dfbfdc8128e6393

SHA1
c6b5b44c9f4fff2662968c050af58957d4649b61

SHA256
b2be14a1372115d7f53c2e179b50655e0d0b06b447a9d084b13629df7eec24ab

SHA512
58648305f6a38f477d98fcc1e525b82fc0d08fb1ab7f871d20bd2977650fa7dafa3a50d9f32e07d61bd462c294e7b651dc82b6a333752ca81682329a389ae8c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d18f79790bd369cd4e40987ee28ebbe8

SHA1
01d68c57e72a6c7e512c56e9d45eb57cf439e6ba

SHA256
c286da52a17e50b6ae4126e15ecb9ff580939c51bf51ae1dda8cec3de503d48b

SHA512
82376b4550c0de80d3bf0bb4fd742a2f7b48eb1eae0796e0e822cb9b1c6044a0062163de56c8afa71364a298a39c2627325c5c69e310ca94e1f1346e429ff6ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
197B

MD5
0c50329ee2f173b61c02cb28f06c4c1e

SHA1
b6b791816bc7c576303671f11dcb32bfda2f08ba

SHA256
fa8b1c2dfabaca4514e355951dd62c45dbe0e21104dad77cd6646bd219a979d6

SHA512
bb115d00c3722f29a0184e954444a92cdad77c04a1600711646757132ab420733b910b97d5cfdaf678dc534e0bcdddb869d530c0cf34594ae69b3c51913618a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
13c24e8905d838cc7c2ea834ca34c81d

SHA1
2926e5156a790d5afec952bef3d4d7bb4f982593

SHA256
223754ef223c9b619043cd10ee4b6f724ec66a5ffed4ae936d786c73b878626d

SHA512
cd4018e29e3ab94fe703b5ae24231c6b7c91ecb0919366734326deba42dda29b9c88399621e637af0ecb0867a84af743d1300535afc66aabe73e208ffb153e20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e1e83b5ecb47ab7e3a422176c10263a8

SHA1
e8a4f95c9888db9dd7c88d64dc31d3b16c052ce8

SHA256
b600c877bf40a9fb6068a01c958fc2a1211836504ffe401694ce9134d7f00875

SHA512
5fa7178958b38895cf1206d271224682282b7658482ed53ed858cf4d0a1a41bcc1229a6f3c07ba1f356d3cd5d5a19c2b09291adb63dcc3ce2b39818e32835331

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
6be217d826ff7c4aa81d39663a38dc10

SHA1
b32f46cf12fc4821f702880382f18ef3714eec66

SHA256
754dca9404f119306b757d135efbab8856521366fe9a3961c5373dda2a57becd

SHA512
306a06b11f079ad10db885200c0bbe37b56bd9687024e18fa84cfb95663f8fb00debebb381e030d5e6c4daca8eddcf180a37668745ec4972ef732dcb0bd4296d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2fd69a6fdf1777c635ba3421a0d0d829

SHA1
42dfebac94beaf3f2b3a8549f5da6bd5fe69fe24

SHA256
7ed94b92f325701d49cae7ea866c2d9c8c6365ffd5ce2160749d6b82ca16edac

SHA512
a358423af757d2f747e8644dd7e26631e59d32bbc8050b4fda660badba0003dd514824494eb5555d3a6d35c365f936c79e731ec6e89073c2296507158da4e0be

Download Submit
memory/1200-8-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/1200-140-0x0000000009ED0000-0x0000000009F36000-memory.dmp

Filesize
408KB

Download
memory/1200-0-0x0000000074F2E000-0x0000000074F2F000-memory.dmp

Filesize
4KB

Download
memory/1200-7-0x0000000006740000-0x000000000674A000-memory.dmp

Filesize
40KB

Download
memory/1200-6-0x00000000064D0000-0x00000000066E4000-memory.dmp

Filesize
2.1MB

Download
memory/1200-25-0x0000000074F2E000-0x0000000074F2F000-memory.dmp

Filesize
4KB

Download
memory/1200-5-0x0000000006300000-0x0000000006312000-memory.dmp

Filesize
72KB

Download
memory/1200-35-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/1200-4-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/1200-3-0x0000000004FE0000-0x0000000005072000-memory.dmp

Filesize
584KB

Download
memory/1200-2-0x0000000005590000-0x0000000005B34000-memory.dmp

Filesize
5.6MB

Download
memory/1200-1-0x00000000002D0000-0x0000000000548000-memory.dmp

Filesize
2.5MB

Download
memory/1200-137-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/1200-9-0x0000000007D20000-0x0000000007D5C000-memory.dmp

Filesize
240KB

Download
memory/1200-142-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/4584-143-0x000001E565FD0000-0x000001E565FD1000-memory.dmp

Filesize
4KB

Download
memory/4584-145-0x000001E565FD0000-0x000001E565FD1000-memory.dmp

Filesize
4KB

Download
memory/4584-144-0x000001E565FD0000-0x000001E565FD1000-memory.dmp

Filesize
4KB

Download
memory/4584-150-0x000001E565FD0000-0x000001E565FD1000-memory.dmp

Filesize
4KB

Download
memory/4584-155-0x000001E565FD0000-0x000001E565FD1000-memory.dmp

Filesize
4KB

Download
memory/4584-154-0x000001E565FD0000-0x000001E565FD1000-memory.dmp

Filesize
4KB

Download
memory/4584-153-0x000001E565FD0000-0x000001E565FD1000-memory.dmp

Filesize
4KB

Download
memory/4584-152-0x000001E565FD0000-0x000001E565FD1000-memory.dmp

Filesize
4KB

Download
memory/4584-151-0x000001E565FD0000-0x000001E565FD1000-memory.dmp

Filesize
4KB

Download
memory/4584-149-0x000001E565FD0000-0x000001E565FD1000-memory.dmp

Filesize
4KB

Download