agenttesla | 53eeff9f4fa0473d90cf4abe978ff60d5898d2527924a593ef877303cab88a5b

Resubmissions

04-09-2024 00:20

240904-am58gssdme 10

03-09-2024 23:38

240903-3mysmazgmm 10

Analysis

max time kernel
58s
max time network
59s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-09-2024 00:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Byte Guard Free.exe
Size

2.4MB
MD5

32eee970bec927fd068197918edac5a4
SHA1

8aa4820931aa228856f12fc516f886dab4d12e28
SHA256

53eeff9f4fa0473d90cf4abe978ff60d5898d2527924a593ef877303cab88a5b
SHA512

d47d2fbc9d4b9a47d0b5b1076aaa89b20ba72a9625e9fcfd57f000bc14abc11aff60123667bbb6998fa5bdff65b7207f410cc6008207fc2362db1d99c80afbe8
SSDEEP

49152:3Ls8e8SkGMITYbNbNWo4kSH3OqtwI2MrBm6w30IfRaRf:3PecGMIT4bNJFY3OqtxdmDDJef

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral2/memory/3684-6-0x0000000006D70000-0x0000000006F84000-memory.dmp	family_agenttesla

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
26	discord.com
25	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io
6	ipinfo.io

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Byte Guard Free.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Byte Guard Free.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Byte Guard Free.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Byte Guard Free.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2718105630-359604950-2820636825-1000\{EF47F52E-795E-4740-8027-A3EC236E0AAC}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe
3684	Byte Guard Free.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3684	Byte Guard Free.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3684 wrote to memory of 1724	3684	Byte Guard Free.exe	90
PID 3684 wrote to memory of 1724	3684	Byte Guard Free.exe	90
PID 1724 wrote to memory of 2512	1724	msedge.exe	91
PID 1724 wrote to memory of 2512	1724	msedge.exe	91
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 4504	1724	msedge.exe	93
PID 1724 wrote to memory of 448	1724	msedge.exe	94
PID 1724 wrote to memory of 448	1724	msedge.exe	94
PID 1724 wrote to memory of 4724	1724	msedge.exe	95
PID 1724 wrote to memory of 4724	1724	msedge.exe	95
PID 1724 wrote to memory of 4724	1724	msedge.exe	95
PID 1724 wrote to memory of 4724	1724	msedge.exe	95
PID 1724 wrote to memory of 4724	1724	msedge.exe	95
PID 1724 wrote to memory of 4724	1724	msedge.exe	95
PID 1724 wrote to memory of 4724	1724	msedge.exe	95
PID 1724 wrote to memory of 4724	1724	msedge.exe	95
PID 1724 wrote to memory of 4724	1724	msedge.exe	95
PID 1724 wrote to memory of 4724	1724	msedge.exe	95
PID 1724 wrote to memory of 4724	1724	msedge.exe	95
PID 1724 wrote to memory of 4724	1724	msedge.exe	95
PID 1724 wrote to memory of 4724	1724	msedge.exe	95
PID 1724 wrote to memory of 4724	1724	msedge.exe	95
PID 1724 wrote to memory of 4724	1724	msedge.exe	95
PID 1724 wrote to memory of 4724	1724	msedge.exe	95
PID 1724 wrote to memory of 4724	1724	msedge.exe	95
PID 1724 wrote to memory of 4724	1724	msedge.exe	95

C:\Users\Admin\AppData\Local\Temp\Byte Guard Free.exe
"C:\Users\Admin\AppData\Local\Temp\Byte Guard Free.exe"
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/g3pH5NZESD
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff89fa946f8,0x7ff89fa94708,0x7ff89fa94718
    3⤵
    PID:2512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,13011649441507845508,12788144404150288616,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
    3⤵
    PID:4504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,13011649441507845508,12788144404150288616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
    3⤵
    PID:448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,13011649441507845508,12788144404150288616,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
    3⤵
    PID:4724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,13011649441507845508,12788144404150288616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
    3⤵
    PID:3324
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,13011649441507845508,12788144404150288616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
    3⤵
    PID:4940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,13011649441507845508,12788144404150288616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:1
    3⤵
    PID:4276
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2116,13011649441507845508,12788144404150288616,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3352 /prefetch:8
    3⤵
    PID:508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2116,13011649441507845508,12788144404150288616,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4180 /prefetch:8
    3⤵
    - Modifies registry class
    PID:3980
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,13011649441507845508,12788144404150288616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 /prefetch:8
    3⤵
    PID:4500
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,13011649441507845508,12788144404150288616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 /prefetch:8
    3⤵
    PID:4440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,13011649441507845508,12788144404150288616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
    3⤵
    PID:4108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,13011649441507845508,12788144404150288616,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
    3⤵
    PID:2772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,13011649441507845508,12788144404150288616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
    3⤵
    PID:2948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,13011649441507845508,12788144404150288616,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
    3⤵
    PID:2824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
f079dce9aaeb06494b1c34c1cccfc3bf

SHA1
379595a13c70e33a639b59b10a07c68e06cf7a13

SHA256
67506f6e94c9bbc51c65e3ed8d8e4d7a82206c0a8f3083325a2da905823b190c

SHA512
4f288ba73ad2271ca09a52911f0d714ee15c74d6200f6e345b03c81931d19397b8fa833d78771643499c3a6e008d6a88102618f3d00db6694bdadb9623d1aef8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4b9e7baa99c3f110651a603a89647fa7

SHA1
e347be8d8b0bad4bd8150e9d15c87bcb509fb461

SHA256
a88803823360d6fe8939ce9d94a25f2fb39e61144f17333ebcb1398e29c9808e

SHA512
aa0adcfa3a2121d4a18362f89c9792b8cdea7e8509cae8c4396f5ccf9093376638f51348297750138fa5781054a83e26f3825606b3a6e8ec7bfe895f356d07fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f18f012403bb05f960344e0c162f2f6e

SHA1
4af2c24c92f3a76d087a69ba31a374b21b59f1bf

SHA256
8cd3d5625d860cf0b6d1eb4ca199ff30f9f3592418e40a47608ac1299faeb8f2

SHA512
a56c2bc38e1cd6dbaba70f924f7397d3146986b17378534413d84ecb95e09504bdf74d20595e6c21a7469f7cb154ea3d6f412eecc2ac16f21faa09ff570ce6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2a586fe8da6701b60e0538dbc1753e07

SHA1
71dbb82787737ff7939bffa0c73a49df74534b32

SHA256
c8014cd80159bcdc53d6ba8bf0e35dcc866e58959e0e91c0a27f632c8f458e39

SHA512
f741c95d2185feab5f6f443de0a090f64c5291284831d1e8bdcc485d849d584eb5c5f8623852e98133b9883b329cbe8b40722d4f02b6769cafd6b1a0e0527084

Download Submit
memory/3684-5-0x0000000006BA0000-0x0000000006BB2000-memory.dmp

Filesize
72KB

Download
memory/3684-41-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/3684-8-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/3684-7-0x00000000070D0000-0x00000000070DA000-memory.dmp

Filesize
40KB

Download
memory/3684-6-0x0000000006D70000-0x0000000006F84000-memory.dmp

Filesize
2.1MB

Download
memory/3684-0-0x0000000074F3E000-0x0000000074F3F000-memory.dmp

Filesize
4KB

Download
memory/3684-32-0x0000000074F3E000-0x0000000074F3F000-memory.dmp

Filesize
4KB

Download
memory/3684-9-0x00000000085B0000-0x00000000085EC000-memory.dmp

Filesize
240KB

Download
memory/3684-93-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/3684-4-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/3684-3-0x0000000005810000-0x00000000058A2000-memory.dmp

Filesize
584KB

Download
memory/3684-150-0x000000000A760000-0x000000000A7C6000-memory.dmp

Filesize
408KB

Download
memory/3684-2-0x0000000005F70000-0x0000000006514000-memory.dmp

Filesize
5.6MB

Download
memory/3684-167-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/3684-1-0x0000000000B60000-0x0000000000DD8000-memory.dmp

Filesize
2.5MB

Download