Malware Analysis Report

2025-06-16 03:39

Sample ID 240526-mmag2afb9w
Target 9848dff7b9df55e077c88ca7a04fc31ac36169b220cb78d74f0eb30b905e5345
SHA256 9848dff7b9df55e077c88ca7a04fc31ac36169b220cb78d74f0eb30b905e5345
Tags: bootkit persistence upx
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256

9848dff7b9df55e077c88ca7a04fc31ac36169b220cb78d74f0eb30b905e5345

Threat Level: Shows suspicious behavior

The file 9848dff7b9df55e077c88ca7a04fc31ac36169b220cb78d74f0eb30b905e5345 was found to show suspicious behavior.

Malicious Activity Summary

bootkit persistence upx

Loads dropped DLL

UPX packed file

Writes to the Master Boot Record (MBR)

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-26 10:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 10:34

Reported

2024-05-26 10:37

Platform

win7-20240221-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9848dff7b9df55e077c88ca7a04fc31ac36169b220cb78d74f0eb30b905e5345.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\9848dff7b9df55e077c88ca7a04fc31ac36169b220cb78d74f0eb30b905e5345.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D0CE1A81-1B4B-11EF-B2DC-EA263619F6CB} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e22388171d47a74c80826b28c20af64d00000000020000000000106600000001000020000000ab73892c85de9da5fc1fd21d24d7abfde1be83f860cde058040222f65aa71b4a000000000e8000000002000020000000c73fb3000d4c0a8df7ec996832872bfd1a5f3ce29d43e28c550eee613f2935f120000000edeefa4a3e35006d52ee31883852b2cdbfd3fadc0101545c0364326c503ffea8400000004535b8baf02a2c4b98887a7f9c9de9ecb84a46922d9bac238c9fa8e3b9bc869cedb412a3a74097d2af77757db75964f8eb3c19eaeedfa3107de3083e94e70de4 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30ea4eb258afda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value elided] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9848dff7b9df55e077c88ca7a04fc31ac36169b220cb78d74f0eb30b905e5345.exe

"C:\Users\Admin\AppData\Local\Temp\9848dff7b9df55e077c88ca7a04fc31ac36169b220cb78d74f0eb30b905e5345.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://changkongbao.lanzouq.com/ikW9T1cfeg5e

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:776 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 gcstcp.com udp
CN 124.223.107.201:51388 gcstcp.com tcp
CN 124.223.107.201:8899 gcstcp.com tcp
US 8.8.8.8:53 wwyp.lanzoul.com udp
CN 61.54.86.137:443 wwyp.lanzoul.com tcp
US 8.8.8.8:53 changkongbao.lanzouq.com udp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230421.lib

MD5 ef48d7cc52338513cc0ce843c5e3916b
SHA1 20965d86b7b358edf8b5d819302fa7e0e6159c18
SHA256 835bfef980ad0cedf10d8ade0cf5671d9f56062f2b22d0a0547b07772ceb25a8
SHA512 fd4602bd487eaad5febb5b3e9d8fe75f4190d1e44e538e7ae2d2129087f35b72b254c85d7335a81854aa2bdb4f0f2fa22e02a892ee23ac57b78cdd03a79259b9

C:\Users\Admin\AppData\Local\Temp\方案.ini (GBK file name; the raw report renders it as ·½°¸.ini)

MD5 b6bffed88dc920f4daccf1a83dbf7f8b
SHA1 9d6e4a7b272cb725a143a588e1fe7b0ca6374b0b
SHA256 88e93194d4660d8c6f3f70591eef2e73ee460bbca08932cd7bec4393a6c7a36b
SHA512 d603a3aca6149b8dba1a1c3ca84d09d39459c21e10d4ef25ea88807cd0901f5a749dd7f97d4d49a9211f099e689156bc9724a73ad1e73aa580d8680d6cf25d3e

C:\Users\Admin\AppData\Local\Temp\快捷发言方案.txt (GBK file name; the raw report renders it as ¿ì½Ý·¢ÑÔ·½°¸.txt)

MD5 1f176fd422d932b3f73c59cd0e8a4d0b
SHA1 e944c5a2805bb8809ddef9402304a12e6d3a3751
SHA256 f96f94e2c2d39b65dd9ca21a66abf75ed7b4c2d03bc703c5afc71fa1ea12669e
SHA512 7b0b29b2e9f0e6730541d206fde7cd2a5318a227f67b25c56b3005acd30201d11cbec7ddcdd9ad2149981ae681adffa2b161e2588375447b4add74eaea7db225

C:\Users\Admin\AppData\Local\Temp\设置.ini (GBK file name; the raw report renders it as ÉèÖÃ.ini)

MD5 49f36aa007f23eb6c74c4a2a1a3a33b1
SHA1 24bc012bf366135ed5b87fa1fae78d5a2995536f
SHA256 2454bb119c52184d858ad28c30a7178102ede54731a482b7168f1528516dd4cb
SHA512 6788124e3da25d19c0acc3f188d6e25c1eee4aaa3df0ba1aeac17a64eca3b487e6de745ad38d47aa9fa03ce1d55c7172cfd872831034da3d7aea86e88a449474

C:\Users\Admin\AppData\Local\Temp\设置.ini (GBK file name; the raw report renders it as ÉèÖÃ.ini)

MD5 0e66900340fc19323c256461904893d9
SHA1 daf382f14a93f5cc7a839f0d2914a7fe699cbbee
SHA256 3c0466e79066d63e524f4b8f5423409a9fcfa769334cde7b1628d5f86265be10
SHA512 2c446d717530e6e73c59f965b034ca9cd92409d5eeb2f60c9d001ef0f905e09864ab0448b929deea46a25bdab707ae61d45ab78c23cb37a6dc6c0eb85300b2b8

C:\Users\Admin\AppData\Local\Temp\方案.ini (GBK file name; the raw report renders it as ·½°¸.ini)

MD5 1d67dafae0fcabbdc7ffaa3095ca3b61
SHA1 6ea71d27c8bf64ff601585c961a65c1adc9d7775
SHA256 51037184b477771ebe0558bed508315e05de95cb170a40a975d2326e97bfe88e
SHA512 b1ebb5d6d68fd2c5372114494dca30eff6107e263313b8889c4ef9b3f2311d3fc0b557bbcefa6911547727eac0b345df904993561c5a6feb87426158a4684d71

C:\Users\Admin\AppData\Local\Temp\Cab3DFD.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 10:34

Reported

2024-05-26 10:37

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9848dff7b9df55e077c88ca7a04fc31ac36169b220cb78d74f0eb30b905e5345.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\9848dff7b9df55e077c88ca7a04fc31ac36169b220cb78d74f0eb30b905e5345.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3572 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\9848dff7b9df55e077c88ca7a04fc31ac36169b220cb78d74f0eb30b905e5345.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4892 wrote to memory of 1948 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4892 wrote to memory of 1508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4892 wrote to memory of 1508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4892 wrote to memory of 1508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4892 wrote to memory of 1508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4892 wrote to memory of 1508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4892 wrote to memory of 1508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4892 wrote to memory of 1508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4892 wrote to memory of 1508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4892 wrote to memory of 1508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4892 wrote to memory of 1508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4892 wrote to memory of 1508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4892 wrote to memory of 3196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4892 wrote to memory of 3196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4892 wrote to memory of 3272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4892 wrote to memory of 3272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4892 wrote to memory of 3272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4892 wrote to memory of 3272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4892 wrote to memory of 3272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4892 wrote to memory of 3272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4892 wrote to memory of 3272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4892 wrote to memory of 3272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4892 wrote to memory of 3272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4892 wrote to memory of 3272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4892 wrote to memory of 3272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4892 wrote to memory of 3272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4892 wrote to memory of 3272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4892 wrote to memory of 3272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4892 wrote to memory of 3272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4892 wrote to memory of 3272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4892 wrote to memory of 3272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4892 wrote to memory of 3272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
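Rows of this "PID X wrote to memory of Y" form are easier to triage once grouped. The Python script below is an added example, not part of the sandbox report: it parses such rows, counts repeats per writer/target pair, and separates a browser's expected writes into its own children from cross-image writes that would indicate injection. The browser-broker image set is an assumption, and the last sample row, in which a hypothetical sample.exe (given PID 3572, taken from the Files section) writes into explorer.exe, is constructed to exercise the suspicious branch.

```python
"""Triage "wrote to memory of" rows from a sandbox signature table.

Added example, not part of the report. Groups rows by writer/target PID,
counts them, and separates same-image browser parent->child writes (which
Chromium-based browsers perform when launching their own child processes)
from cross-image writes that deserve a closer look.
"""
import re
from collections import Counter

ROW_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+N/A\s+"
    r"(?P<proc>.+?\.exe)\s+(?P<target>.+?\.exe)\s*$"
)

# Assumed: images whose parent->child self-writes are expected at launch.
BROWSER_BROKERS = {"msedge.exe", "chrome.exe"}


def parse_rows(text):
    """Yield (src, dst, proc, target) tuples; lines that are not rows are skipped."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield (int(m["src"]), int(m["dst"]), m["proc"], m["target"])


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(text):
    """Return {(src, dst, proc, target): {"count": n, "verdict": str}}."""
    counts = Counter(parse_rows(text))
    result = {}
    for key, n in counts.items():
        src, dst, proc, target = key
        same_image = basename(proc) == basename(target)
        if same_image and basename(proc) in BROWSER_BROKERS:
            verdict = "expected: browser parent writing into its own child"
        elif same_image:
            verdict = "review: same-image write by a non-browser process"
        else:
            verdict = "suspicious: cross-image write (possible injection)"
        result[key] = {"count": n, "verdict": verdict}
    return result


# Constructed sample: three rows copied from the report's table plus one
# hypothetical row (PID 3572 writing into explorer.exe is invented here).
SAMPLE = r"""
PID 4892 wrote to memory of 1508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4892 wrote to memory of 1508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4892 wrote to memory of 3272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3572 wrote to memory of 1234 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\explorer.exe
"""

if __name__ == "__main__":
    for (src, dst, proc, target), info in triage(SAMPLE).items():
        print(f"{src}->{dst} {basename(proc)}->{basename(target)} "
              f"x{info['count']}: {info['verdict']}")
```

Run against a whole signature table, the grouped output makes the browser's launch pattern (one writer, many identical same-image rows) stand out from a single cross-image write, which is the row worth pursuing.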

Processes

C:\Users\Admin\AppData\Local\Temp\9848dff7b9df55e077c88ca7a04fc31ac36169b220cb78d74f0eb30b905e5345.exe

"C:\Users\Admin\AppData\Local\Temp\9848dff7b9df55e077c88ca7a04fc31ac36169b220cb78d74f0eb30b905e5345.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://changkongbao.lanzouq.com/ikW9T1cfeg5e

Note: this is the default-browser URL handler being invoked on a lanzouq.com file-share link (the --single-argument form is how Chromium-based browsers register their protocol handler), which accounts for the changkongbao.lanzouq.com connections under Network. The msedge.exe and identity_helper.exe entries below are children of this browser process (they share its field-trial handle), and CompPkgSrv.exe -Embedding is a COM-activated Windows helper; none of them is a dropped binary.

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff98e246f8,0x7fff98e24708,0x7fff98e24718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,1284509832469045738,9421029819298321401,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,1284509832469045738,9421029819298321401,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,1284509832469045738,9421029819298321401,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1284509832469045738,9421029819298321401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1284509832469045738,9421029819298321401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,1284509832469045738,9421029819298321401,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,1284509832469045738,9421029819298321401,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1284509832469045738,9421029819298321401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1284509832469045738,9421029819298321401,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1284509832469045738,9421029819298321401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1284509832469045738,9421029819298321401,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1284509832469045738,9421029819298321401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1284509832469045738,9421029819298321401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3756 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1284509832469045738,9421029819298321401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 gcstcp.com udp
CN 124.223.107.201:51388 gcstcp.com tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
CN 124.223.107.201:8899 gcstcp.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 wwyp.lanzoul.com udp
CN 61.54.86.137:443 wwyp.lanzoul.com tcp
US 8.8.8.8:53 changkongbao.lanzouq.com udp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
US 8.8.8.8:53 changkongbao.lanzouq.com udp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
N/A 224.0.0.251:5353 (no domain; mDNS multicast) udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
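A detonation's network table mixes the sample's own traffic with resolver queries, reverse lookups and browser telemetry. The Python script below is an added example, not part of the report: it parses rows of the "country ip:port domain proto" form above, drops the resolver, PTR and multicast noise, sets aside destinations on an allowlist of browser noise (the bing.com hosts Edge contacts for its new-tab page; the allowlist and the "standard port" set are assumptions made for this example), and reports the remaining endpoints, flagging TCP connections to non-standard ports.

```python
"""Extract candidate network IOCs from a sandbox "Network" table.

Added example, not part of the report. Parses rows of the form
"<country> <ip:port> <domain> <proto>", drops detonation noise (queries to
the sandbox resolver, reverse PTR lookups, multicast), sets aside an
assumed browser-noise allowlist, and returns what remains.
"""
import re
import ipaddress

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}|N/A)\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+"
    r"(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)

RESOLVERS = {"8.8.8.8"}                       # the sandbox's DNS server
BENIGN_SUFFIXES = ("bing.com", "bing.net")    # assumed browser-noise allowlist
STANDARD_PORTS = {80, 443}                    # assumed: anything else on TCP is flagged


def parse_network(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({
                "cc": m["cc"], "ip": m["ip"], "port": int(m["port"]),
                "domain": m["domain"] or "", "proto": m["proto"],
            })
    return rows


def is_noise(row):
    if row["ip"] in RESOLVERS and row["port"] == 53:
        return True                                    # DNS to the sandbox resolver
    if row["domain"].endswith(".in-addr.arpa"):
        return True                                    # reverse lookups
    if ipaddress.ip_address(row["ip"]).is_multicast:
        return True                                    # mDNS / SSDP chatter
    return False


def is_benign_browser(row):
    d = row["domain"]
    return any(d == s or d.endswith("." + s) for s in BENIGN_SUFFIXES)


def extract_iocs(text):
    """Return (resolutions, endpoints): domain->{ip} map and deduplicated endpoints."""
    resolutions, endpoints, seen = {}, [], set()
    for row in parse_network(text):
        if is_noise(row) or is_benign_browser(row):
            continue
        key = (row["ip"], row["port"], row["domain"], row["proto"])
        if key in seen:
            continue
        seen.add(key)
        if row["domain"]:
            resolutions.setdefault(row["domain"], set()).add(row["ip"])
        endpoints.append({
            **row,
            "nonstandard_port": row["proto"] == "tcp" and row["port"] not in STANDARD_PORTS,
        })
    return resolutions, endpoints


# Constructed sample: a subset of rows copied from the report's Network table.
SAMPLE = """
US 8.8.8.8:53 gcstcp.com udp
CN 124.223.107.201:51388 gcstcp.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
CN 124.223.107.201:8899 gcstcp.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
CN 61.54.86.137:443 wwyp.lanzoul.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
N/A 224.0.0.251:5353 udp
"""

if __name__ == "__main__":
    resolutions, endpoints = extract_iocs(SAMPLE)
    for e in endpoints:
        flag = " [non-standard port]" if e["nonstandard_port"] else ""
        print(f"{e['cc']} {e['domain'] or '-'} {e['ip']}:{e['port']}/{e['proto']}{flag}")
    for domain, ips in resolutions.items():
        print(f"{domain} -> {', '.join(sorted(ips))}")
```

On the rows above this leaves four endpoints; the two gcstcp.com connections on ports 51388 and 8899 are the ones a detection engineer would block or hunt for first, since the lanzou hosts are a public file-sharing service that the browser was pointed at.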

Files

memory/3572-35-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3572-38-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3572-42-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3572-44-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3572-40-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3572-31-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3572-29-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3572-28-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3572-25-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3572-17-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3572-15-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3572-11-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3572-7-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3572-4-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3572-3-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3572-2-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3572-33-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3572-23-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3572-21-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3572-50-0x00000000029C0000-0x00000000029C1000-memory.dmp

memory/3572-49-0x00000000028F0000-0x00000000028FB000-memory.dmp

memory/3572-48-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3572-47-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3572-19-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3572-13-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3572-9-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3572-6-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3572-0-0x00000000028F0000-0x00000000028FB000-memory.dmp

memory/3572-1-0x0000000000400000-0x0000000000A5D000-memory.dmp

memory/3572-53-0x00000000029D0000-0x00000000029D1000-memory.dmp

memory/3572-55-0x0000000002E00000-0x0000000002E01000-memory.dmp

memory/3572-54-0x0000000002E10000-0x0000000002E11000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230421.lib (written to the sample's Temp directory; the name matches the Easy Language (易语言) krnln runtime support library as bundled with the Exui UI framework, and the .lib extension is cosmetic: a dropped module loaded at the default 32-bit DLL base is consistent with the 0x10000000-0x1003E000 region dumped from PID 3572 above)

MD5 ef48d7cc52338513cc0ce843c5e3916b
SHA1 20965d86b7b358edf8b5d819302fa7e0e6159c18
SHA256 835bfef980ad0cedf10d8ade0cf5671d9f56062f2b22d0a0547b07772ceb25a8
SHA512 fd4602bd487eaad5febb5b3e9d8fe75f4190d1e44e538e7ae2d2129087f35b72b254c85d7335a81854aa2bdb4f0f2fa22e02a892ee23ac57b78cdd03a79259b9

memory/3572-104-0x0000000006070000-0x0000000006071000-memory.dmp

memory/3572-103-0x0000000006080000-0x0000000006081000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4158365912175436289496136e7912c2
SHA1 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
SHA256 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
SHA512 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

C:\Users\Admin\AppData\Local\Temp\快捷发言方案.txt ("quick-message scheme"; the sandbox reported the GBK filename with its bytes rendered as Latin-1, ¿ì½Ý·¢ÑÔ·½°¸.txt)

MD5 1f176fd422d932b3f73c59cd0e8a4d0b
SHA1 e944c5a2805bb8809ddef9402304a12e6d3a3751
SHA256 f96f94e2c2d39b65dd9ca21a66abf75ed7b4c2d03bc703c5afc71fa1ea12669e
SHA512 7b0b29b2e9f0e6730541d206fde7cd2a5318a227f67b25c56b3005acd30201d11cbec7ddcdd9ad2149981ae681adffa2b161e2588375447b4add74eaea7db225

C:\Users\Admin\AppData\Local\Temp\方案.ini ("scheme"; reported as ·½°¸.ini, GBK bytes rendered as Latin-1)

MD5 b6bffed88dc920f4daccf1a83dbf7f8b
SHA1 9d6e4a7b272cb725a143a588e1fe7b0ca6374b0b
SHA256 88e93194d4660d8c6f3f70591eef2e73ee460bbca08932cd7bec4393a6c7a36b
SHA512 d603a3aca6149b8dba1a1c3ca84d09d39459c21e10d4ef25ea88807cd0901f5a749dd7f97d4d49a9211f099e689156bc9724a73ad1e73aa580d8680d6cf25d3e

\??\pipe\LOCAL\crashpad_4892_FXSXRLTRNGPQLHXH (Crashpad named pipe of the Edge browser process, PID 4892; the hashes below are those of zero-length content)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ce4c898f8fc7601e2fbc252fdadb5115
SHA1 01bf06badc5da353e539c7c07527d30dccc55a91
SHA256 bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
SHA512 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

C:\Users\Admin\AppData\Local\Temp\设置.ini ("settings"; reported as ÉèÖÃ.ini, GBK bytes rendered as Latin-1)

MD5 0e66900340fc19323c256461904893d9
SHA1 daf382f14a93f5cc7a839f0d2914a7fe699cbbee
SHA256 3c0466e79066d63e524f4b8f5423409a9fcfa769334cde7b1628d5f86265be10
SHA512 2c446d717530e6e73c59f965b034ca9cd92409d5eeb2f60c9d001ef0f905e09864ab0448b929deea46a25bdab707ae61d45ab78c23cb37a6dc6c0eb85300b2b8

C:\Users\Admin\AppData\Local\Temp\方案.ini ("scheme"; reported as ·½°¸.ini, GBK bytes rendered as Latin-1; second write of the same file with new content)

MD5 1d67dafae0fcabbdc7ffaa3095ca3b61
SHA1 6ea71d27c8bf64ff601585c961a65c1adc9d7775
SHA256 51037184b477771ebe0558bed508315e05de95cb170a40a975d2326e97bfe88e
SHA512 b1ebb5d6d68fd2c5372114494dca30eff6107e263313b8889c4ef9b3f2311d3fc0b557bbcefa6911547727eac0b345df904993561c5a6feb87426158a4684d71

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 746291318e9691bff857c18e4e2bdc03
SHA1 f0bf8daef7ea9199620c579e5f64966c885b668f
SHA256 b1daa1395c8079efc7039a02ff796e72101eb4650e51d11cdd2048fa4a04bd77
SHA512 1828dffd78462197e9d5c45f3b2e9faac0cd13a7f86e19ce6e6c0605b845eb87d9cf14855a1117b8ea9fcd70899d7a72f44fdd41728cfa7dfa1a6f20bc58ca2d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 244c2ce128e9c0c190ff1d2069159e9e
SHA1 b188a7348da2eea27f6130acad717339c2f45a61
SHA256 5740c124a1360c63413d6933f46e9be1ae5b88d630c17d4dd1f4555ee99b3184
SHA512 12f79898ccb38e80f92c507b354ac2274cd515dd7bbcb2c4dedee960173d9384df995a88b4f01bac975eb295df4c0831dbd4d647fc6165843e68554de57649d6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 13204ec2f2164d40ef79ac0521e469d5
SHA1 389684d7e91524b3e8c3d38b21998d484d5c6890
SHA256 3b11c6450e82b78caad5ae80d7f661f005db43d306d5524a74decd917fe12d81
SHA512 ae7ab0e0764c0387365f08dcd941bc0a87db10962e5b3d0dfb70e3fad576507c43e79ea94d0fe991bedd9d3039fd7f47647cdf1692a118dbb89a6ceacf98163c
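The Files section needs three clean-ups before its entries can be used as indicators: the memory dump names should be collapsed to distinct regions per PID, filenames the en-US sandbox rendered as Latin-1 mojibake should be restored to their GBK originals, and hashes of zero-length content should be recognised so that they are not shipped as IOCs. The Python script below is an added example, not part of the report, that does all three over a constructed subset of the entries above; it assumes the original filenames were GBK-encoded (a Chinese-locale sample), which is confirmed when the bytes decode cleanly.

```python
"""Normalise the "Files" section of a sandbox report.

Added example, not part of the report. It (1) parses "path" entries followed
by MD5/SHA1/SHA256/SHA512 lines and "memory/<pid>-<n>-<start>-<end>-memory.dmp"
dump names, (2) repairs filenames whose GBK bytes were rendered as Latin-1 by
an en-US sandbox, (3) flags hashes of zero-length content, and (4) collapses
the dump list to distinct regions per PID.
"""
import re

EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<n>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")


def decode_reported_name(name, codec="gbk"):
    """Undo Latin-1 rendering of a multi-byte filename; return the input unchanged if it is not mojibake."""
    try:
        return name.encode("latin-1").decode(codec)
    except (UnicodeEncodeError, UnicodeDecodeError):
        return name          # already Unicode, or the bytes are not valid in the codec


def parse_files(text):
    """Return (files, regions): file dicts in report order and {pid: sorted [(start, end)]}."""
    files, regions, current = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            regions.setdefault(int(m["pid"]), set()).add(
                (int(m["start"], 16), int(m["end"], 16)))
            current = None
            continue
        h = HASH_RE.match(line)
        if h:
            if current is not None:
                current[h.group(1).lower()] = h.group(2)
                if h.group(1) == "SHA256" and h.group(2) == EMPTY_SHA256:
                    current["empty"] = True      # zero-length file: useless as an IOC
            continue
        current = {
            "path": line,
            "name": decode_reported_name(line.rsplit("\\", 1)[-1]),
            "empty": False,
        }
        files.append(current)
    return files, {pid: sorted(r) for pid, r in regions.items()}


# Constructed sample: entries copied from the report (only SHA256 lines kept).
SAMPLE = r"""
memory/3572-35-0x0000000010000000-0x000000001003E000-memory.dmp
memory/3572-38-0x0000000010000000-0x000000001003E000-memory.dmp
memory/3572-1-0x0000000000400000-0x0000000000A5D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\¿ì½Ý·¢ÑÔ·½°¸.txt

SHA256 f96f94e2c2d39b65dd9ca21a66abf75ed7b4c2d03bc703c5afc71fa1ea12669e

C:\Users\Admin\AppData\Local\Temp\ÉèÖÃ.ini

SHA256 3c0466e79066d63e524f4b8f5423409a9fcfa769334cde7b1628d5f86265be10

\??\pipe\LOCAL\crashpad_4892_FXSXRLTRNGPQLHXH

SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

if __name__ == "__main__":
    files, regions = parse_files(SAMPLE)
    for f in files:
        print(f"{f['name']:<32} empty={f['empty']} sha256={f.get('sha256', '?')[:16]}...")
    for pid, regs in regions.items():
        for start, end in regs:
            print(f"pid {pid}: 0x{start:08X}-0x{end:08X} ({end - start:#x} bytes)")
```

The region view shows why the dump list is long but not rich: PID 3572 has one main-image region at 0x400000 and one 0x3E000-byte module at 0x10000000 (the default 32-bit DLL base), dumped repeatedly as the unpacker rewrote it. The decoder works for any single-byte rendering of a multi-byte name; pass codec="big5" or "shift_jis" for samples from other locales.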