Analysis Overview
SHA256
b42a21b6581812007376102f51d8d15177b2b7cbd84bbd5b9e52497898bed4f9
Threat Level: Known bad
The file c7e7dc7b210213bbe0988713be7d2108 was found to be: Known bad.
Malicious Activity Summary
Ramnit
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Program Files directory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-14 06:21
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-14 06:21
Reported
2024-03-14 06:23
Platform
win7-20231129-en
Max time kernel
121s
Max time network
128s
Command Line
Signatures
Ramnit
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft\pxA3E.tmp | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10e534e8d775da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b64a7a4b3ffd374baa64ef6b5b5a0fa70000000002000000000010660000000100002000000068bdb1e44a62d06b5f4f16a2a22046f8a6742a42abeac240ae0f573b82964c7b000000000e8000000002000020000000a1afa81db996a1b75d1f0640def8f1010f28db34c16e823ba4d3df26bf94eb2990000000a7e4b9011a4b13b00b541d11d0a4a2d9bf8f0ae1705dc72503cd98c4b0e2b039d3827834df77b02a594d5c1f7509c1765ac84e1116ea9203c20ef451fbc86946bdbce6bb40b9d55bceef06e384be5b10a3b4e2c18af6da8e9694f707bb2464383373c4e89629e88e6c58698ab241e1b77f2378e955e4967391f6791eb5ba792fd1ea68c7b64980ca7c7b53ad67929f3740000000a10b13052a9bccb47206d7dfb7885725f82c595a7b665f54839f143b359d27926932af4e4f49c6be7fad677911bb371b6154e88339d0c1ece3510bcd17d8379a | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{134137E1-E1CB-11EE-882F-5E44E0CFDD1C} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416559149" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b64a7a4b3ffd374baa64ef6b5b5a0fa7000000000200000000001066000000010000200000004d1a3b70f1d92829e1a8804adbeab790ed57efb5e364de254ac6dca71e4da814000000000e80000000020000200000000a48d40b8bbd29222d2890b3a724d2e96ed271e1098ec2413e5c70f0b635e6ed20000000b3b053367559f4b9d5bf9a9130da0ad3938c5f776169dc3fe6188f0563a77a3040000000015fabcae6e7fa6b90e3b435c3b3eca02276905a45d96f20ecbb66c450802ea68abe9a48d41c2e1030bb4b2db1019fef42100987f2a547cf635a83dd6c0976e4 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\c7e7dc7b210213bbe0988713be7d2108.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3044 CREDAT:275457 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3044 CREDAT:275467 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | js.shengbowangjs.com | udp |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 92.123.128.167:80 | www.bing.com | tcp |
| GB | 92.123.128.167:80 | www.bing.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | ff5e1f27193ce51eec318714ef038bef |
| SHA1 | b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6 |
| SHA256 | fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320 |
| SHA512 | c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a |
memory/2652-9-0x0000000000230000-0x000000000023F000-memory.dmp
memory/2652-8-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2864-16-0x0000000000250000-0x0000000000251000-memory.dmp
memory/2652-17-0x0000000000270000-0x000000000029E000-memory.dmp
memory/2864-19-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2864-18-0x0000000000400000-0x000000000042E000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\Tar237E.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0184e23806c1b490ab8f2f08b08c8d8f |
| SHA1 | b36ff4f5de3057bf5884a2b5b991675299f10f0c |
| SHA256 | 50b369705b20bc06cf812944b898ed46c34b15ca05a4b1f9be0cca28e16c712d |
| SHA512 | d909082f054e7191e575998e47ba47521fcefe46861f1b03939d2248f79f50d7ca6814acd0894ed0a9d2060a8df6034c073c6fee14911de64221222fe4397faa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 877dd4aa5c4550541a56ae1852b1fb81 |
| SHA1 | 704a515cb075b29f859de626f11a5ceca64e6376 |
| SHA256 | fb05fb2f63a99a1656ef3b97edadb7fcf6dd72f14a9ec09391576e18a87d9991 |
| SHA512 | 0e9a82f29f9f510fb8d25e9a774547f32fdb138568e4423fbff328f506dcdb131dec1e80082282b56e5d0da3fc8a3ab03ac88bc53a6da17884682133ba1d8de2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 18ae67cbeb457be588da4824590d3aac |
| SHA1 | 147a378132a83cccf6fc27839b6fe65c3cee7351 |
| SHA256 | 31987d1e964a85108cbe257c882548efc9394e1ea960a83de52dcbd39431f927 |
| SHA512 | 10401175baba955371ab1f847f1b048991125d37ace06a38f971e449fa496f24d6508d8481e41a3a2c1bfe6597b8a7633dc1d5e76859fc529ca89d9297175415 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 578df400c8466410bca2cda075e292ce |
| SHA1 | 0dd1cc2a54a3540ef1fe4b8643e04a7b542d05a5 |
| SHA256 | 66c993d2e11164d3a1df4e251b0a02f468e7cf9ea3639aed363a929364c59a26 |
| SHA512 | 9fa40e3e3559d42c8288c1506f0e00cc4c2421fddbb0bf530c30007651f70617b96351ca189075ec3e3c507c0f9ebfdd04a9d7e9d28df87fd0b7f39ad3d53af9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 10d09fd17f901f0d620fd2863293eab0 |
| SHA1 | aaef616b8e8d6f3f1ae1317a8802c979c5828afc |
| SHA256 | b2c3e46c4e920dbb72bfdec90dc5ade0b8f8c0ab06395a4dff1630077dd3d291 |
| SHA512 | 76d88354f0509f59050a60b24d816a45c2cbb7dec5710e1f68a8976e3430b9038a3881b17d3173feca3d8fbe9d00a85f3bc92f7c064e851623dfcd89bc6c7e1b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | e4a68ac854ac5242460afd72481b2a44 |
| SHA1 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| SHA256 | cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f |
| SHA512 | 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6c167b383e271d8848aace1e7d4490d8 |
| SHA1 | ce5a9ee51c6f871fa236257548a995806321827a |
| SHA256 | 22d6680b6aa783c167cf987b25ac6d3fe329325278a71b050a3af75186476bac |
| SHA512 | 8b5d94fca4421ee795191653eaf5d389f457e3c295c82c4be4044b04ff965504a2774f86666e7253692f7f6ff5219ab17f66cd464877252a7f24df8981be1fb3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | adf8c387c0c3e7e07319af576b96ef18 |
| SHA1 | 73185413ef8d79fd99b94696cec16c15ce4e76b3 |
| SHA256 | 4e36ead9eb64ebb7571538c3ccf8ac45b7b54d0368b829a9bf9b3e49f96fdb48 |
| SHA512 | 33c0815901a54b8cfab6c6682264e843d03bdc0f69aa6d67b26b107e96784ff15d15ffb232bb3de527e9ebeb3debd79c372d3d27f2075e509c53478092cc6f66 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | 40f041945de419d6395a5757f7d9c7f9 |
| SHA1 | 4b21004cb2858964b27a2090632f789108c1e627 |
| SHA256 | 5f0c169f80bf0d67bd81f841b3d1cfc0a68514db5592ce6890943b5963f6d145 |
| SHA512 | 641d3c9b5c184eb1dd481cdca6f96a6ab87c62346c6425e039f64c17caf831e7c6ff25a537717e1a7120f6e5cf316374d6facb0f20416266140f40358d03afd2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3R3LQI47\favicon[1].ico
| MD5 | da597791be3b6e732f0bc8b20e38ee62 |
| SHA1 | 1125c45d285c360542027d7554a5c442288974de |
| SHA256 | 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07 |
| SHA512 | d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e |
memory/2652-604-0x0000000000270000-0x000000000029E000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6347f5fa393f14eae35b5bb19045870b |
| SHA1 | 674529ef01ac8287374b2ce3bb51b8c009660e69 |
| SHA256 | bada9b5cb4eeba712f7de02d46fd8c84eff28be06257a819b5db6e9ea9856dd4 |
| SHA512 | 4ec753bfe66df284505ff963bae6f33d67e2384a9ae19db753bbb8dbb65207e7e179b74588986efc8aecf8c1a843636c2ca832e6a9887efb0ca3cbdac2c6f9cc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 960b9336824ab2d41b72df652682f38b |
| SHA1 | 28aa1e469d5e6783d2ef7fef1d5a2da5b29cfb32 |
| SHA256 | dfef8a7532628dd45489cda905d98315ab0a2fdccd744da786a3e3de5e527047 |
| SHA512 | 611c84d1b42711c12adab1ea6bf60e9111db18b31d028d018246dc533682c88db7f965f8d16ef4f8c3faf0b8eca737f4a4beb17e737db7d141ace3269ef8a764 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fd18ac17e5d6a5c01777a477ce84b8d8 |
| SHA1 | 83bf90c59d593a21a9d5638d809aa9c29a8e9e71 |
| SHA256 | 3561cf8a4a41b1d334902bcc779b827af40fd0b80961a6463f64afcf59682c0d |
| SHA512 | 47aac86c9a7de6d5e16d9aaa3b943c2616925eab2bf466420fb235e667e53a7586a5e1c65dbfe47aa404c6c721403f20351f830bf9078c0f13a8a396352cb0e1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 91ff170bfdbabe70e04627e30b33926b |
| SHA1 | f81c9cbbdc1b9d6659b7094e9b4ca6a7debabde8 |
| SHA256 | 118ac4260b44c1ff3d8178f186190bb7891688b242cc14ab239d3dd6c87d2b2b |
| SHA512 | ef42ce6a1fe512984635ca7d86274fc28828457938c142cb7d1c53d8b79e34f512517ee7c2c3a7cff534e85a32b97dac26b5b7a503e2cb3d7d086bed1de9d178 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3c530571c2a44fd7f3a71aac820574bd |
| SHA1 | 76b4086fb5b17b8b8f27cd50fc76d7e9cf32ebfb |
| SHA256 | bd6ad362a1413547eba19b9fbf65f13c487c4e11b3e403922da771c699d8aa3b |
| SHA512 | d7c9f8fb7d6f4c3083972e3b71654979e2ff2ef123a4a02f291aad3cd705a814ad72f7c74764a1c4a124cca116bacf0ac0d31625a1a8873e15b9a73fd2cefa29 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2f3f2352729e94a79373243eaf56b35a |
| SHA1 | 9012141b0821de8788d93a55c9fc460ec9836ee4 |
| SHA256 | 5144ea9d7aecea0c8b2bbf055d7dbe1ef462fa109ac9e9609a194b41f700602c |
| SHA512 | 6f85c20b0c06459bc8ba308e0bc6d75734230f91bc09e02049b835b7fe40fb5ed30fa0de964276ee82c02a7059c363a64e6d19e523c05662a822a6824c17ae5d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d3a060faf030c5abe0dd2d1de4266549 |
| SHA1 | d268d1dd3026482e7b1b797702f26e42025117bd |
| SHA256 | 4e220f64dd0e09e4402ffe198de1666ad954b873f8d44c39e03985188615cbce |
| SHA512 | c6b0e13e27f3006d389186523efaa16abad45dbbb08fd3602b05b8171ee804fca83df23f0c1af7043e1cd05830f0d57f3ec99ca1862fa18ebdb5ceefb3bcd424 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1e9e4e7229c67e69fae5a55af7f42f99 |
| SHA1 | aa6b29e35651b18aa68c5fe2db7c5cef591dafc6 |
| SHA256 | 889747aa6d3bc7538aabe32e50d4b6f25760863c36574ce5a762c5766d53afdb |
| SHA512 | 0293af5b493e3d5c124a9f9ac64bdaef41f2d136aee03d150168b3bf31cb26f7969a94169fc39c402d733b3b4f05d2ed4f504dcc6782949166d0bdc6494c240f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7b3d7a749ba854eddf033ccc8db3c2e1 |
| SHA1 | efd7e88b07a5d137a2eaa5cbf58415bfa1dd4f50 |
| SHA256 | cb48c307ff49c43a37f54bcca9b56216f4cb5dea1f608a8d620ed2d3cfe8bf87 |
| SHA512 | c16ad8a7d8f96b34a2d10f0c570c2776f1595fa2709c880604c8d8c9279c08d08e8e4de79d09fae2ebfa27e252cef3af1c1dbd1da4fd80d151d1de30ca8d8cb8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 048d43b6bc517d08fe9d651608bdf24c |
| SHA1 | 9ad5d084baf20a4babf99fb91fbfbdd922728f91 |
| SHA256 | 71eb5a861855b16377310b68c03c9c22a526c5b02ee62e26e54683504fbb9ba2 |
| SHA512 | 86349a23d3c58d935a89de3684bff6164bf8913b72c0146d20aa8467e2233e18d09dd14cc89c036f9163af00f3d26d5275f3af97149087927868fcd59a66cd25 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-14 06:21
Reported
2024-03-14 06:23
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\c7e7dc7b210213bbe0988713be7d2108.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdb34346f8,0x7ffdb3434708,0x7ffdb3434718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,13184684500585958241,17865509484308314394,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,13184684500585958241,17865509484308314394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,13184684500585958241,17865509484308314394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,13184684500585958241,17865509484308314394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,13184684500585958241,17865509484308314394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,13184684500585958241,17865509484308314394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,13184684500585958241,17865509484308314394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,13184684500585958241,17865509484308314394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,13184684500585958241,17865509484308314394,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,13184684500585958241,17865509484308314394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,13184684500585958241,17865509484308314394,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,13184684500585958241,17865509484308314394,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5224 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | js.shengbowangjs.com | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | push.zhanzhang.baidu.com | udp |
| CN | 182.61.201.94:445 | push.zhanzhang.baidu.com | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| CN | 182.61.244.229:445 | push.zhanzhang.baidu.com | tcp |
| CN | 14.215.182.161:445 | push.zhanzhang.baidu.com | tcp |
| CN | 39.156.68.163:445 | push.zhanzhang.baidu.com | tcp |
| CN | 112.34.113.148:445 | push.zhanzhang.baidu.com | tcp |
| CN | 163.177.17.97:445 | push.zhanzhang.baidu.com | tcp |
| CN | 180.101.212.103:445 | push.zhanzhang.baidu.com | tcp |
| CN | 182.61.201.93:445 | push.zhanzhang.baidu.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | push.zhanzhang.baidu.com | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 9f44d6f922f830d04d7463189045a5a3 |
| SHA1 | 2e9ae7188ab8f88078e83ba7f42a11a2c421cb1c |
| SHA256 | 0ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a |
| SHA512 | 7c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d |
\??\pipe\LOCAL\crashpad_4684_VHWQFGDAXHQEABLA
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 7740a919423ddc469647f8fdd981324d |
| SHA1 | c1bc3f834507e4940a0b7594e34c4b83bbea7cda |
| SHA256 | bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221 |
| SHA512 | 7ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 26741a5d172e2be1713afeb26f86597c |
| SHA1 | a074a2f89537abcbec7cf1224d2ab008dac31d6f |
| SHA256 | caacb4d67db9b0957a989a08a18c3f32b0a967d2592f9a64fb6422192625413d |
| SHA512 | beb54995cbcb8f83ba545f73a977ca47a0609ef850a368732243ab39b14e09aed6a9fc8df342bbd8ceb7e87c0af4d17f3f53a04ccf7527a08e6835c453682cf3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | a4dc9df9b15bdc538fe691f59a84608c |
| SHA1 | 519469fdfcc05d09af590a27369d8d6c9b9a34f7 |
| SHA256 | 0c6726cfe11e1275d47dfa3121e3119c4a972a932de22064c0ecbc0a582576d1 |
| SHA512 | ec678138d256d18d59af93b6c764b666e57efca5dcab2012e84c95cfad49ee9803f23d2b1c1f3a1771e48d87a83dca143685e9d70d5c02eacf451e9dbe1ad4fa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 0f4b7e28a46d7134d7ae6bc65f8d078e |
| SHA1 | 42af047e8552792c48d36c8b43e70e85e046b773 |
| SHA256 | 4e788237f4a8e84585a1ccef4fd7d30dc1a0eae5b58c653915877e14c1d44cf0 |
| SHA512 | 78c3bed76e883452fe354295c82110a470ba6ee7acccb6e1ef65012e536beb8992597379cd7c6f907d7180a19d4d1161771591439c382c788380f835c99562f2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |