Malware Analysis Report

2024-09-23 04:02

Sample ID 240616-y4r9yswdle
Target e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f
SHA256 e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f
Tags metasploit backdoor discovery spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f

Threat Level: Known bad

The file e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor discovery spyware stealer trojan

MetaSploit

Checks computer location settings

Reads user/profile data of web browsers

Enumerates connected drives

Checks installed software on the system

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-16 20:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 20:20

Reported

2024-06-16 20:23

Platform

win7-20240220-en

Max time kernel

118s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424731129" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 108cf7e02ac0da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007177e7a9f8b6a34faac94b379e4708f200000000020000000000106600000001000020000000e5ae65a3dcbef42b45503f31958116aefe6021c4466025d92cbfd5f591d19272000000000e80000000020000200000009df98420596674f843e5afdfca132504a673d34b80b1a594b8d58c95bf4809a320000000d96aec3ed3bd16b242ee3caee45483140b3952ed8c7d10d5cf688e3233b045ff40000000511c76f37e660e625703150cdca2a61be6c964585dc57eed71862d44d1729cc966a4744d2709f51131f4c55550995cb17af063f2e9fd7b9996270a4d58e7c7ba C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F337D921-2C1D-11EF-8547-E6D98B7EB028} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1992 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe
PID 1992 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe
PID 1992 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe
PID 1992 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe
PID 2976 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2976 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2976 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2976 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2448 wrote to memory of 2516 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2448 wrote to memory of 2516 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2448 wrote to memory of 2516 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2448 wrote to memory of 2516 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe

"C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe"

C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe

"C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe" Admin

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.178stu.com/my.htm

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2448 CREDAT:275457 /prefetch:2
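
Reading the WriteProcessMemory rows together with the Processes list: every writer/target pair lines up with a process launch listed under Processes. The sample relaunches itself with the Admin argument, that second instance starts iexplore.exe with http://www.178stu.com/my.htm, and the 64-bit IE broker starts its 32-bit tab process, whose SCODEF:2448 argument names the broker PID. Because the rows coincide one-to-one with those launches, they are not by themselves evidence of injection into an unrelated process; the memory dumps under Files, which cover the same 0x400000-0x5E5000 image range in PID 1992 and PID 2976, fit a plain relaunch. Likewise, every row under Modifies Internet Explorer settings is written by iexplore.exe itself after it was handed the URL, which is browser housekeeping rather than direct tampering by the sample. The script below is an added example, not sandbox or report code: it deduplicates the repeated rows, rebuilds the launch chain and labels each hop as a self-respawn, a browser-internal launch, or a cross-image write that deserves a closer look. The row layout, the browser image list and the labels are assumptions made for the example.

```python
"""Rebuild the process launch chain from the WriteProcessMemory rows above.

Added example for this write-up; it is not the sandbox's own code. It assumes
the row layout "PID <src> wrote to memory of <dst> N/A <src image> <dst image>"
seen in the table; the browser image list and hop labels are choices made
for the example.
"""
import re
from collections import OrderedDict

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) (C:\\.+)$")

# Image paths copied from the report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe")
IE64 = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE32 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"

# The sandbox prints one row per write; each pair appears four times above.
WRITE_ROWS = "\n".join(
    [f"PID 1992 wrote to memory of 2976 N/A {SAMPLE} {SAMPLE}"] * 4
    + [f"PID 2976 wrote to memory of 2448 N/A {SAMPLE} {IE64}"] * 4
    + [f"PID 2448 wrote to memory of 2516 N/A {IE64} {IE32}"] * 4
)

# Assumed list of browser images whose broker/tab launches are expected.
BROWSER_IMAGES = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}


def parse_write_edges(text):
    """Return unique (src_pid, dst_pid, src_image, dst_image) edges, first-seen order."""
    edges = OrderedDict()
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            src, dst, src_img, dst_img = m.groups()
            edges.setdefault((int(src), int(dst)), (src_img, dst_img))
    return [(s, d, imgs[0], imgs[1]) for (s, d), imgs in edges.items()]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def label(edge):
    """self-respawn: identical image path; browser-internal: browser starting
    browser (broker -> tab); cross-image: anything else, worth a closer look."""
    _, _, src_img, dst_img = edge
    if src_img.lower() == dst_img.lower():
        return "self-respawn"
    if basename(src_img) in BROWSER_IMAGES and basename(dst_img) in BROWSER_IMAGES:
        return "browser-internal"
    return "cross-image"


def launch_chains(edges):
    """Follow writer -> target links from every PID that is never itself a target."""
    children = OrderedDict()
    targets = {d for _, d, _, _ in edges}
    for s, d, _, _ in edges:
        children.setdefault(s, []).append(d)
    chains = []

    def walk(pid, path):
        path = path + [pid]
        if pid not in children:
            chains.append(path)
            return
        for child in children[pid]:
            walk(child, path)

    for root in [s for s in children if s not in targets]:
        walk(root, [])
    return chains


if __name__ == "__main__":
    edges = parse_write_edges(WRITE_ROWS)
    for chain in launch_chains(edges):
        print(" -> ".join(str(p) for p in chain))
    for edge in edges:
        print(f"{edge[0]} -> {edge[1]}: {label(edge)} "
              f"({basename(edge[2])} -> {basename(edge[3])})")
```

Run as a script it prints the single chain 1992 -> 2976 -> 2448 -> 2516 and labels the three hops self-respawn, cross-image and browser-internal; the cross-image hop (the sample starting iexplore.exe with an attacker-chosen URL) is the one to chase in the network data.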

Network

Country Destination Domain Proto
CN 1.15.12.73:4567 tcp
CN 1.15.12.73:4567 tcp
US 8.8.8.8:53 info.178stu.com udp
HK 103.133.93.52:80 info.178stu.com tcp
US 8.8.8.8:53 www.178stu.com udp
US 8.8.8.8:53 www.178stu.com udp
HK 103.133.93.52:80 www.178stu.com tcp
HK 103.133.93.52:80 www.178stu.com tcp
HK 103.133.93.52:80 www.178stu.com tcp
HK 103.133.93.52:80 www.178stu.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
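
Two kinds of traffic are mixed in this table. The connections to 1.15.12.73:4567 have no DNS lookup behind them and use a port that is neither HTTP nor HTTPS, which is the shape of a reverse-TCP stager dialing a hard-coded handler and matches the metasploit tag. The 178stu.com traffic is iexplore.exe loading the URL the sample passed on its command line (http://www.178stu.com/my.htm), so the domain is attacker-chosen but fetched by the legitimate browser; the 8.8.8.8:53 and ieonline.microsoft.com rows are resolver and browser background noise. The script below is an added example, not sandbox output: it parses rows in the layout above, drops the noise, deduplicates, and flags domainless connections on non-web ports as probable C2. The noise list, resolver address and port heuristic are assumptions made for the example; tune them to your own sandbox.

```python
"""Extract network IOCs from the flattened Network table of a sandbox report.

Added example for this write-up; it is not the sandbox's own tooling. The row
layout (Country Destination [Domain] Proto), the noise list and the C2
heuristic are assumptions made for the example.
"""
from collections import Counter

# Rows copied from the behavioral1 Network table above.
NETWORK_ROWS = """\
CN 1.15.12.73:4567 tcp
CN 1.15.12.73:4567 tcp
US 8.8.8.8:53 info.178stu.com udp
HK 103.133.93.52:80 info.178stu.com tcp
US 8.8.8.8:53 www.178stu.com udp
US 8.8.8.8:53 www.178stu.com udp
HK 103.133.93.52:80 www.178stu.com tcp
HK 103.133.93.52:80 www.178stu.com tcp
HK 103.133.93.52:80 www.178stu.com tcp
HK 103.133.93.52:80 www.178stu.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
"""

# Assumed background traffic: the sandbox resolver and browser/OS telemetry.
RESOLVERS = {("8.8.8.8", 53)}
NOISE_DOMAIN_SUFFIXES = ("microsoft.com", "windowsupdate.com", "msftncsi.com")
WEB_PORTS = {80, 443}


def parse_rows(text):
    """Yield one dict per data row; domain is None for direct-to-IP connections."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:                      # no resolved domain
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue                             # header or blank line
        ip, port = dest.rsplit(":", 1)
        yield {"country": country, "ip": ip, "port": int(port),
               "domain": domain, "proto": proto}


def extract_iocs(text):
    """Deduplicate the rows into endpoint and domain IOCs with hit counts.

    A connection that had no DNS lookup and does not go to a web port is
    flagged: the process knew the address in advance, which is how a
    reverse-TCP stager reaches its handler.
    """
    endpoints, domains, flagged = Counter(), Counter(), []
    for row in parse_rows(text):
        domain = row["domain"]
        if domain and domain.endswith(NOISE_DOMAIN_SUFFIXES):
            continue                             # telemetry, not an IOC
        if domain:
            domains[domain] += 1                 # counted from DNS and HTTP rows
        if (row["ip"], row["port"]) in RESOLVERS:
            continue                             # the resolver itself is not an IOC
        key = (row["ip"], row["port"], row["proto"])
        endpoints[key] += 1
        if domain is None and row["port"] not in WEB_PORTS and key not in flagged:
            flagged.append(key)
    return {"endpoints": dict(endpoints), "domains": dict(domains), "flagged": flagged}


if __name__ == "__main__":
    iocs = extract_iocs(NETWORK_ROWS)
    for (ip, port, proto), hits in iocs["endpoints"].items():
        print(f"{ip}:{port}/{proto}  hits={hits}")
    print("domains:", dict(sorted(iocs["domains"].items())))
    print("probable C2:", iocs["flagged"])
```

The flagged endpoint is what goes to the blocklist first; the 178stu.com names and 103.133.93.52 are second-tier, since the browser rather than the implant fetched them.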

Files

memory/1992-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/1992-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/1992-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/1992-4-0x0000000000400000-0x00000000005E5000-memory.dmp

memory/2976-6-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2976-9-0x0000000000400000-0x00000000005E5000-memory.dmp

memory/2976-11-0x0000000000400000-0x00000000005E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabACD.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarBAE.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f7c47e617148a045948e2707de70b162
SHA1 5efed49b48a9fa90553f9ff8c12c5ba4d7f3b627
SHA256 7184d4bc4bcab65afb29296aafc5975bb57cb210f17799f0f126fed94bce4599
SHA512 9e07ad5f48bca88a382c1a5aa676bff47bac900a4ad4583121dab56e130540a11e72aee720e879f5c07dce30f56fb5123925cf8495b5144ae061fce870de795e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6d77c4634ec9bca27109c7c7c7d01ebc
SHA1 1052e7a5b8b17dcf9f963724c7cf7a37d9ce3ee7
SHA256 3b1d24af027f4a5ab8baa21722bfbf101618eb17189a2d57a9c8364f2aef6530
SHA512 a7fe49c9eff959b74aba3824b9dc2543317908cd1c0c548585ce97a3d4e4b3af310536abb86963901c5fe062025ec65046fb22ac4ea35872fe7612332f6325c8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 67ffceca3ffab67880564c993edaf5f8
SHA1 a4ca5c751930373abc0845a5f99f61b9cfe8790e
SHA256 d66431f558674c35c9e22503ad12d09d107700ce9b3db3df19070475e3ed8f0b
SHA512 d8d349082c0905deaf1c572ff62121ebc794224fa756d6238c5b4f0e4db79f9943799c0dde44d5abbf285e1446a6410cc60789109a6a40b3130699c8f986791d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 474ddeb3aa303b424bbf434324513d80
SHA1 a1e5a8d4f9980e8f153e8857dd5d344338fd60e5
SHA256 4be1e6bd84b33f0773ebc0c0bff618e652f195009d343711acec64eafb05cf69
SHA512 b049c2c9303ccf70d227d92af29c5669d1e49ea29c89bc2ced3b99e824924f83f3c2e601a3ff1c6fa85a0c9fe87c9023dde1709319f52829b61a0b514abda5c5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 174ed0f746770c75261961d9f6d4a0d4
SHA1 2379a830256a0421614210de0f90f6ab3df14f3e
SHA256 b47ec8380af7f6861f559588d500949675a883d6ca2ade2c3faea9dce692aab0
SHA512 372472a6b15260c3daf5496125fd7ac4d96f6b59bd5f94db1aec5eb4d48f0a598cc39b2cb690598ae5676bf5be5a05101bca7819ae950c2fb1516f9f14a80be9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 44a35866fa4376740ecf0b2098a4f7a9
SHA1 024ef53e3224a4d523551a7ff4a2013c89133dcf
SHA256 3b75c8bfcf220c40b9c9e3e78dfae1babcddee9932c12ad750895f6647e54c92
SHA512 2bec781509804eb793e79fe12219d512a9f45228ab2d1b2f08f5578246820acffab11bd8e3821eaa7b00df2a626be77ef687ee6aef21bcc2a8f0c3c1acafde8a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 821d48b3937ab7ab30f8c84a2caea170
SHA1 2345dc51c6537b89f166b8082475b61e684ad54a
SHA256 ff40e333cefdba97d6ac274749299d208c91ef127c62f77b396eb56d920335c5
SHA512 61d944b1c030b0d0035ede170a27b34b2b4b633f1e52d0c14c138649aa5c37ac051464e4fd4e7a97f34f77339ae6907bc9977cfd0397d69b93776d95279aa98c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1ce3fe1e8d89208029c6c24e05ba3971
SHA1 3c98f7b5a97c49597e7d37579504a284f0e46b53
SHA256 1cdaa1888c9941317aed41145e69aab10b62d5c11e24467d92c38d5405a11f39
SHA512 fa05c2f442230be267f82d8a2dc1814bec47c546c330bb93eeb60fa48f4e34d3afd756759154be674bc1b22a0528d5c4936a7b5de876ad4fc5fa0209d9b1574a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1a210802a0f2183b988dcb4a73993be3
SHA1 d7166b2dab779577eeeada0bd034a9d0e4119a59
SHA256 5c1bed1644ce0ef83bb600c21c1bb96b2d59692db3277501102b18a17bd5d275
SHA512 61256905ced26103bdc79a82b79cf2a30d4bf48b4df1bcdf66df11fcc41719ad116200d686f6af0e5e42f827300573e95e092db618e46dbf87cf0b8696ff1055

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eaa46b5a624b5a3e1162864d60f2f3fe
SHA1 e8562dce8e432be4657e99453bb918150a8cb526
SHA256 85e7c1c5b2e056107b87bb0ae6a8c0f3269385250ab34d0736b76493bf68a5c0
SHA512 be8336ceaa21bef58c206982289bc87b6cc8151c0d8db456bf760d5d7244cebbee3f373c5da8655f69752cba7dbddda8c9c44fa42fcb30902a90ea4085281c9a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8592675303b18c329418ded2a34e918f
SHA1 0f782a620a499ff46f1ae8e91b8810a55967647a
SHA256 85beebf40d46cccbc6714c77320aae4acfd1d2fa1bf016a989fa81e84accd88e
SHA512 41a4c10d25a593f719d2b1d58b25d4786ae8531c35f482f1b7c96a753ca754ac2b73379e0777f4e5510f8215268ed7475709f1872be25e6cab9980136c0f2891

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 adb72c8de66f54106c21f65925289234
SHA1 243a7e617d16b396a8c7160059b25f0c1117ec20
SHA256 1c6385160a4f855ced396a4e7815486b83f867414e63b0412ca26e055af6670a
SHA512 52aa080bbb8f3e92bdc3fe92dddcc971afab1f85da19e46c3b46c88157a70c727b1e07ea9abef0642ffcc2e1c8fa22ac6a92ac2c2ef8820d8fb990c903ad6559

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 26702a2131fc97a6226b760bf12c6597
SHA1 8a84d64ac03015fec530fe657e079c5f52944426
SHA256 f8584108c14aa6ca5a21ef0edbfbb383028a07aa6142d3e9bd03bba64d6865f4
SHA512 70e5d2741e380366cd8135b449c1028eebb42e769e975f9ae1280800ecae24690966934a2026877d27c3561ea7d758b47b5a0b8c3045a0f80afaf1db73dd9f6b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8942c398607389418097d94a1676e789
SHA1 e9d293c42e49a4cfac917261cd9b2e4503c83426
SHA256 e6b21d21fdf0eda93a66eab0512cb48794ca18d3ed588c97372888ac25053889
SHA512 912e1ba54a790a2065d8f60f49cb49326360a528e56719806485824a7bf0787ccca66e54f57c7ed37d6ba0340bdd6eeac74d4c57c5f2aacf1bf3dfeee9bbc707

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 772c9e153db42d889caff62ed66b4ae7
SHA1 e392da455bf0573f2c02b2bdb095e129cadd819f
SHA256 f60a93b61a1397b92d68549aeccfc21362ec17eacd534d55cd588d60c40d6769
SHA512 46222bd04e9d6ef78dc31b50bdb6414600a7a73f65a388636631aba7d67519779c603e57664973c235ba683afb30772d6360e1b859243dbf3c37814992fbb56b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0f4efa7b6d268259c4e9a5f1acadd7f6
SHA1 2cc0b0f062bcd36eb0c8d6c5c79e370e9bd7e83d
SHA256 eb89b72a0ee5a0952371dd2443729dbf81e08655f6cf81160cd248e4a22a1af8
SHA512 93a0d54486c494aacab36bd02e626b59e42e0a4f274d11600a04c18c6b0d44b73f7fdfc179b297b6e5dfc348c8b27f3b25a232d80269a9abfd2b503dd2c9f559

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b44b6fe62361e71df4b7a10aa89cbf8a
SHA1 1a5c73a34f272d124800860cd2c4d990655b362a
SHA256 e67253a0172cc3f7afe6985eb1acf4452925190ed3e26eaa88d35e6568bd833e
SHA512 2e507a1049f1252730d32fb7d64b30bb2976554bd1b1f13de14a2c3039026f5e69db427f8fdbf60f85f748ed39698d239b448c8b179022a138e4bdc754650e13

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8c5770324fa23352c3359b7dc75e46f2
SHA1 e2868245c3a3ada4f3ec7d1a20b482f2ee03c3ea
SHA256 5ea8bdb91a0313090e18aaaf3bb518f38d6253aa1e6d037efd3b65cb8b9b6dbf
SHA512 48fec08030b6de4f31c6d32d3d5dc520889b876ec36b4298f1882374360ac5ae6f3f834f46acffad5027e50a24e4cb73f3739d159d4078c4b8ccc7fd8e3c00dd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b86a6147bc5d1b6fb9b5580f811385bb
SHA1 5f46d4e1afedd49489d1caa26e6d6d04ad6e292b
SHA256 651a1f98cd2fef7774f4953d946dbc93f7680ce0e569fb469908d5f9d3ee51bb
SHA512 14a96a8729ed6fc806820bb48fc67cfc667662a743274a54d5b778c223623a86aeb2327705ba66a4adbfb2631df47a3573508d3581d5ade722db5f619fba4863

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 20:20

Reported

2024-06-16 20:23

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A
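
Both behavioral runs show the same pattern under Enumerates connected drives: the sample opens the root of 23 drive letters read-only, every letter except C, D and F, in a different order each time. Opening every root from A: to Z: is what a loop over the alphabet with a GetDriveType-style probe looks like, and few legitimate programs touch more than a handful of roots, which is why the count of distinct roots per process is a workable detection. The script below is an added example, not sandbox code, and serves both the behavioral1 and behavioral2 tables: it parses rows in the layout above, counts distinct roots per process, and reports which letters a sweeping process never opened. The threshold of ten roots and the row regex are assumptions made for the example.

```python
"""Flag a drive-letter sweep from the "Enumerates connected drives" rows.

Added example for this write-up, not sandbox code. It assumes the row layout
"File opened (read-only) \\??\\X: <process> N/A" seen in both behavioral tables;
the threshold of ten distinct roots is a judgement call made for the example.
"""
import re
import string
from collections import defaultdict

ROW_RE = re.compile(r"^File opened \(read-only\) \\\?\?\\([A-Z]): (.+?) N/A$")
SWEEP_THRESHOLD = 10

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe")

# Drive letters in the order each table above lists them.
BEHAVIORAL1 = "T W A J K L R V Y Z H I O P U E G M N X B Q S".split()
BEHAVIORAL2 = "Q T X Y H J N P K M O R A B E G V Z I L S U W".split()


def rows_for(letters, process=SAMPLE):
    """Rebuild table rows in the report's layout for the given letters."""
    return "\n".join(f"File opened (read-only) \\??\\{letter}: {process} N/A"
                     for letter in letters)


def roots_by_process(text):
    """Map each process image to the set of drive roots it opened."""
    roots = defaultdict(set)
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            letter, process = m.groups()
            roots[process].add(letter)
    return roots


def find_sweeps(text, threshold=SWEEP_THRESHOLD):
    """Return {process: {"probed": [...], "skipped": [...]}} for sweeping processes.

    "skipped" lists the letters a sweeping process never opened.
    """
    sweeps = {}
    for process, letters in roots_by_process(text).items():
        if len(letters) >= threshold:
            sweeps[process] = {
                "probed": sorted(letters),
                "skipped": sorted(set(string.ascii_uppercase) - letters),
            }
    return sweeps


if __name__ == "__main__":
    for name, letters in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2)):
        for process, info in find_sweeps(rows_for(letters)).items():
            image = process.rsplit("\\", 1)[-1]
            print(f"{name}: {image} probed {len(info['probed'])} roots, "
                  f"never opened {info['skipped']}")
```

On both runs the script reports 23 probed roots and the same three letters never opened; feeding it the rows of an ordinary installer, which opens only the drives it was pointed at, returns nothing.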

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4564 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe
PID 4564 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe
PID 4564 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe
PID 3176 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3176 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe

"C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe"

C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe

"C:\Users\Admin\AppData\Local\Temp\e820bfb981d7c546552e684d1f4415837218c27209b5d83a71ba81356109fd0f.exe" Admin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.178stu.com/my.htm

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd6b5846f8,0x7ffd6b584708,0x7ffd6b584718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,7737963700026238755,10651949344782547784,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,7737963700026238755,10651949344782547784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,7737963700026238755,10651949344782547784,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7737963700026238755,10651949344782547784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7737963700026238755,10651949344782547784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,7737963700026238755,10651949344782547784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,7737963700026238755,10651949344782547784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7737963700026238755,10651949344782547784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7737963700026238755,10651949344782547784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7737963700026238755,10651949344782547784,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7737963700026238755,10651949344782547784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7737963700026238755,10651949344782547784,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7737963700026238755,10651949344782547784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7737963700026238755,10651949344782547784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2812 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7737963700026238755,10651949344782547784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,7737963700026238755,10651949344782547784,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5288 /prefetch:2

Network

Country Destination Domain Proto
CN 1.15.12.73:4567 N/A tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
CN 1.15.12.73:4567 N/A tcp
US 8.8.8.8:53 info.178stu.com udp
US 8.8.8.8:53 www.178stu.com udp
N/A 224.0.0.251:5353 N/A udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
US 8.8.4.4:53 google.com udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 www.178stu.com udp
US 8.8.8.8:53 www.178stu.com udp

Files

memory/4564-0-0x0000000000670000-0x0000000000671000-memory.dmp

memory/4564-1-0x0000000000670000-0x0000000000671000-memory.dmp

memory/4564-2-0x0000000002420000-0x0000000002421000-memory.dmp

memory/4564-4-0x0000000000400000-0x00000000005E5000-memory.dmp

memory/3176-6-0x0000000002530000-0x0000000002531000-memory.dmp

memory/3176-9-0x0000000000400000-0x00000000005E5000-memory.dmp

memory/3176-11-0x0000000000400000-0x00000000005E5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 612a6c4247ef652299b376221c984213
SHA1 d306f3b16bde39708aa862aee372345feb559750
SHA256 9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a
SHA512 34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

\??\pipe\LOCAL\crashpad_1360_ZLZMLINYBDAXYDYP

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 56641592f6e69f5f5fb06f2319384490
SHA1 6a86be42e2c6d26b7830ad9f4e2627995fd91069
SHA256 02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455
SHA512 c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 63ee457b7f8b2a1489dd2d795b0931d6
SHA1 28a1557e662a8d25108412896a2dd3188b168e9a
SHA256 17c613334dfd684c37833e14b434da8956b6142c379193fc5e4f0af7ab8ac6c8
SHA512 a87d4159e5893ac6b8f105f05fb4756a2d87ffa4072bc171f95df27f312c213aa2f0b133a4fef2d1bfea46c656d1d7ff2080cc904901008a1c000c80e5f06a00

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 41c8934d2382907ad7a9a0846d51d2b3
SHA1 97e832275eac8657840c90b62d6b1bdb0d7feb1f
SHA256 f233359cc4719c036dec36080ba54b2deb0c49e34117e62c1f8051ad1cc039e8
SHA512 8ab5bac6a62d2eebeaf9a280710c4d6b05193a1cb5c9379895566bac4b62012f4854d0a390c31f33ce0e3e118706b05ee61aefcc3870b7736a95f939e8899a4b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8c7cd46d9ae8a16e73aae1e5aa8063fa
SHA1 0ee96bbf36bba9de4c72eb1927e2c1b8df77c916
SHA256 ab5c2888d7192320040f04b9a67733393473b093d69d071c04db3c0552f2015c
SHA512 8210162033aa863a2eef67125dc77752bfa31571ec8665a3808e77284eede99d66b1a845667e8dbef967d4d596c1a13704013cead84bb0a787552468f0eb5221