Malware Analysis Report

2024-10-18 21:34

Sample ID 240623-a3eqgaweqn
Target e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696
SHA256 e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696
Tags metasploit backdoor discovery spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696

Threat Level: Known bad

The file e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor discovery spyware stealer trojan

MetaSploit

Drops file in Drivers directory

Checks computer location settings

Reads user/profile data of web browsers

Enumerates connected drives

Checks installed software on the system

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-23 00:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-23 00:43

Reported

2024-06-23 00:46

Platform

win7-20240611-en

Max time kernel

119s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425265318" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B49EAAF1-30F9-11EF-A550-7E1039193522} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0a259a206c5da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000b2968c6cf60b74b94229c882944fb8100000000020000000000106600000001000020000000de6325be596f077657df0ce76cfd090ed0884ce40b9915ba3bed9dceda1fe6c6000000000e800000000200002000000056a07874f48611d6be87eddba27484fcf9fba1807ed7ee39a7871a1b25190cfe20000000bdfc36d674c5618f08686fc8a32d75503816eb1c0eb576a2e48760c965af9b5340000000e29bcfc4452c205c8cec8639c75bb34b15af68e4dd53cbf8a4e766f094b6b27696b2400cb73b9d94d8fa91c6990f7db8fcb73ef3b4a29fc6b580205e80fac0f1 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2464 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe
PID 2464 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe
PID 2464 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe
PID 2464 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe
PID 1912 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1912 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1912 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1912 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2828 wrote to memory of 2588 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2828 wrote to memory of 2588 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2828 wrote to memory of 2588 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2828 wrote to memory of 2588 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe

"C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe"

C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe

"C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe" Admin

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.178stu.com/my.htm

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2828 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
CN 1.15.12.73:4567 tcp
CN 1.15.12.73:4567 tcp
US 8.8.8.8:53 info.178stu.com udp
HK 103.133.93.52:80 info.178stu.com tcp
US 8.8.8.8:53 www.178stu.com udp
US 8.8.8.8:53 www.178stu.com udp
HK 103.133.93.52:80 www.178stu.com tcp
HK 103.133.93.52:80 www.178stu.com tcp
HK 103.133.93.52:80 www.178stu.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2464-0-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2464-1-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2464-2-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2464-4-0x0000000000400000-0x00000000005E5000-memory.dmp

memory/1912-6-0x00000000002F0000-0x00000000002F1000-memory.dmp

memory/1912-9-0x0000000000400000-0x00000000005E5000-memory.dmp

memory/1912-11-0x0000000000400000-0x00000000005E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab40.tmp

MD5 2d3dcf90f6c99f47e7593ea250c9e749
SHA1 51be82be4a272669983313565b4940d4b1385237
SHA256 8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4
SHA512 9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 494c6cd912f522a08f7fab3d3f86968d
SHA1 dd5c465d905b8703f97fd7388e5ce053d6e9a5f7
SHA256 0203ba70520352e31038d394b9415a4f0f4235189a4f6138444547400b0249de
SHA512 0c0cf355fe30fb9a24ae7bb8310d9ac40d7b7bebcc6c7ffeb58f11e51f282367f36ae57f94f8b7b2955717b68eba3f7d13e70e295f1a13443535b7ba3ae4f178

C:\Users\Admin\AppData\Local\Temp\Tar105.tmp

MD5 7186ad693b8ad9444401bd9bcd2217c2
SHA1 5c28ca10a650f6026b0df4737078fa4197f3bac1
SHA256 9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed
SHA512 135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 784deb8b83478cf36e84530120c8f126
SHA1 e61102be356e7b8f2226143e0c2037a2dd99fd16
SHA256 c6b64727c74eaa94c2506b5498b17038f0b057bfd0be70f2c321f25c70b22575
SHA512 481d42aed64ae4624bebcefb48a0a6db98a384669d827496c798a09bc1bd76747aacaf158363164d3f709923822585b6694b56abc1918a56dfff4c636567ef13

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e321d5eeff79770733b7bb6e9506a6bc
SHA1 f9c0eaaadfe373a784a0bd4f0ab3168ac44b9381
SHA256 e47c5d867303cfec1a02b3db5593d2f12c95664a66ca72554524c207ad5c8955
SHA512 52919e83b7035582d720e8573cf872d46128c3536c44e39fc99c3621874829bd51fb128fa5fbf37411a74ffd6fb9c7a8d1d0ebcb3bd1715d68151fe6bd8d8e3a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 67aa9fd7ca95ccea20fe1a0fb826fefd
SHA1 17f9db8f2aeeec168423e4f18247bc863d128775
SHA256 202ca2f59cfe45834e1dfbf86a23cc384df9d48892d67578e1c8f2c14ca5ca7c
SHA512 b08680f536d11fd2b36358471d5c022e9197614996a1dea85e7bc6e17535baf5d806d7eb0f57c49eb72aa0a1bdefad4cbf75a51cafe65a0d424394530ff3412e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cb39ab0bbc8a5893bab0409fb5aefa2a
SHA1 a0e743f6bd32d057b4e51fdd508568cf068e9d54
SHA256 1e9bc5bbc1b6e70f79efc9906406f1e51554c8735fb3b3d5f56b00478f79a846
SHA512 4683eddb0b624031487758d62f086492719ce8b5f91a75e313c4f7f7f32c75ffe43a56f417f21f8fb31b8f04c8f77a5050537022417ecb46825901de7a5fa3c7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 375480c9f46b18c0e76073c4733754a0
SHA1 e5d11cfb8dab460ce128c1b3f1a88e090688ff58
SHA256 474fbee630dbb9069a7a95e63627bc405e4faff38714bcd4fe087a9edaed4bee
SHA512 e1ab11c19bb5e179f48df63172b4142672488afa0c6e28b7b83f8d31664e906f691dd0f5a3d8ba3db67e8bcf2273a33ba353ad2a9251cec69d0267b639f95950

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 84c6050054db1f8596b0e9037cf541c6
SHA1 f180b7805b84d72c016e3301f5abf8ce89e56ee6
SHA256 cbd72ff878fb197f76e5f83f19c776eeb14c2fd8303ccfe2f5f61d78581cfa63
SHA512 223a561b4cd45a2c10ea254e991609b7948e7b6021c9b089b79eab70a4baa06a8e9ca45f53391035fd858a1db4a7f36895fe9ec164c5fdd54f9cdcb8a757d3d3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2d8c6475b593576476cc07f90b7d5e59
SHA1 38f3d66eac33fe8a33e286eb70aa78063a07bc36
SHA256 de1de33bad49d7baa25bacf965068943ba0cd8194b16b034702782a3cece213a
SHA512 f1325620e85d9a3e598aa3e770064e1bc37c1dc8845fc83379301006559f2368bea218f3d724d48b96c247f5122535e44dcc97a2d9d218717685926092f76e26

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bc9d53b00d4db394d98c5b9caf3516a8
SHA1 1cb7561f57f77f7685d81a9ff451c7198f120e11
SHA256 42635570f5281eb804cd540b029f06437bf0683d68ce865b701b2cddd79d0712
SHA512 d5aa1675e63988718a3fe85ea1ca1a7f12f7693ac47390ec3dde3044466dd474ce449758f28c68d5c53ae1ed9f49a5d0bc2845405fda64e3c7e22d2572269900

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b5437495251d61d05fb364f003de5d9a
SHA1 2c60ae70f1280e640f78686a1e718fa930f766e5
SHA256 cacb414dfbda0493613c86daa2413a3be97f25e40b4046e17b579f0a68684c58
SHA512 f85fc03d848cf7f751d3925984dcf30e6ae1cb3afc4effdec5c2e633e273f8edef9b21b4a43c40257a7a3b8fc6e57c401f25a6c9b9a21a556deb9fe147734f40

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1d8e7722c1b7a0b6bde3adf0434f1eef
SHA1 fcacdb0f0a70154c45f19bd7f456ed8785e24201
SHA256 22a3c211bdaad9d07754b774c1ba8c998c1e76cd2dcfc1f5904a1a686c6c9162
SHA512 9b897ca5ed65b925e7cc8539799112be408fd8d080239305464dc6fb71710829bddb293f2a851df890989a5b5e653684e432eaaf0c5b2057ce448417f1eef97c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c299d11f4ccaea5eaf78b3db4e5fb150
SHA1 2405a889dc4e60961884ce49aea667270b07659f
SHA256 1a2963264ac7acf36f924c0119b03ceb65cebb0ba8857b9a2deb739c5318ff22
SHA512 dfaf198a8cc0b1c00b379edeb616189d78106bbecc7972d08cd5e4280374a051f819a81f48fcf91bd48f8f741c24d14ec10843e6c20f423f0a74f87e1ee8f0a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2b22c527d93bf8b2854be4b8117e5bdd
SHA1 8e0567f529e7098e851b26e65340a8828c74ccba
SHA256 86cf8e0e03688c8c016f3fdcdde76011badefba00f6763cb34535de19d901a78
SHA512 b6af97462f97153c69eb071cff3e4e7cb83c77cd001f736d6d56120fbee18d5679407af344edf6c21e209e8b58da819e168550f868fdae76aeeed9e7abb66861

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eb81778215678dae8092d043abdf71cd
SHA1 477abe19b7503b17a718e72072ad6e089d6efac8
SHA256 b451306e5d590a3feb5835586ba9c83d9bdf61780da95a95eabbbd8098a973a5
SHA512 8963b4f276fd3b3adaca6fdb515c8f6e0fb1b8ec273ec86117d35df98877a2b5b54d019860bde80bcb863c128cbd982df64fb5c6bd774710da92568fe27a2851

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 59067e11446d2845cadff2ee44e38b6a
SHA1 ae6948b35ded86f2cab9b05567192e9730c9b131
SHA256 0fec158016a87375b560e47484030ba26e4a8edcf4867fae2da47c9eed27587d
SHA512 f15f503dcaa65d829d9b8f1ff76b2602f2da56aafb0437378cc9d12790a0af8a10e36157fe134f997169c38765c6e245b2f3c7ef9ac7fd7b6a8b314d798de575

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 341d24e24c5e3000cebb23d3866399c3
SHA1 6b505cbfa1cda2289fcd1c3e38099d0dca563496
SHA256 bbf87f1fdca33808620d8fe9f9b0478d617049971fd42f1caba677cc8b631cc5
SHA512 8665e5cc6b40d97afa4dbb2f1bfec26094cb78ab85fd44082af7472afe7743525ce0b124baa2d3a9414c0a5229074b164f3b5497979b86b5fbf128199a92d5bc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f79f861d98b3f67bd458ec2b04ca02c5
SHA1 6ad100d625bf535fe6429d36210ce2b6ea51259c
SHA256 c1d2aef9556749811fafde04e03a02c1da9bc6023bb2005aba601bc2096326fb
SHA512 b8908aad81ef72051597bc165fde48f8c48133457b8ce0e823108a083498b1296cc7ded80695e99732a179a8d2cf999e80aa4e129677a0634a296f14b621d6e7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0923978c6c8cda19d01db73f3f932f40
SHA1 5a9abda7b8ae467ac1fc40b4c7d512b6803ba809
SHA256 b6519fcb832debfccc7ef601d40a1854e0d5099b761e77038c6d58ee5ae2bae2
SHA512 0fd03922d480df46aa8ebd4a4b38edcaa108e35b8623230b1c646fab0e1df9b8ff54cfb0050a2f08ecc07ae5e98bb6d1097c95d04d7a4f2fa08ec1d9909d2f35

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3670e6434f8e557d1917261c927260e7
SHA1 6ce20157a71b221e780824b750ed5930a2182f9e
SHA256 ada3fe3a22139dfc11bb85ee72cf64ffd50ccf35d2bf5cee1e06bb36141e3d3d
SHA512 0600109c74ca4e019ea41161501477188c365bb6cfcaf227e658d88d9bc2620c7454978cd90c5b4c6c3a1fa4954236aef2f0dc44fed6f9de18d59ee70a30b4c9

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-23 00:43

Reported

2024-06-23 00:46

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (identical row repeated 24 times)

Suspicious use of WriteProcessMemory

Description Count (identical rows) Process Target
PID 4620 wrote to memory of 4872 3 C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe
PID 4872 wrote to memory of 3204 2 C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3204 wrote to memory of 4564 2 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3204 wrote to memory of 3444 40 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3204 wrote to memory of 4184 2 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3204 wrote to memory of 1560 15 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
(64 rows in the original table, all with Indicator N/A, collapsed by writer/target pair)
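The WriteProcessMemory rows above reduce to a short parent/child chain: the sample (PID 4620) writes into a second copy of itself (4872), that copy writes into msedge.exe (3204), and 3204 writes into four further Edge processes. The script below is an added example by the editor, not code from the sandbox vendor or the report; it rebuilds that chain from the rows as copied from the table (repeats included) and flags the one write that crosses an image boundary. The parent inference is a heuristic stated in the code: the table records who wrote into whom, not whether the write was CreateProcess startup plumbing or injection into a running process.

```python
from collections import Counter

# Rows of the "Suspicious use of WriteProcessMemory" table above, as
# (writer PID, target PID, writer image, target image), with repeats kept.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

ROWS = (
    [(4620, 4872, SAMPLE, SAMPLE)] * 3
    + [(4872, 3204, SAMPLE, EDGE)] * 2
    + [(3204, 4564, EDGE, EDGE)] * 2
    + [(3204, 3444, EDGE, EDGE)] * 40
    + [(3204, 4184, EDGE, EDGE)] * 2
    + [(3204, 1560, EDGE, EDGE)] * 15
)


def summarize(rows):
    """Collapse repeated rows into {(writer, target): count} and record each PID's image."""
    counts = Counter((w, t) for w, t, _, _ in rows)
    image = {}
    for w, t, wi, ti in rows:
        image.setdefault(w, wi)
        image.setdefault(t, ti)
    return counts, image


def infer_parents(counts):
    """Treat the first PID that writes into a target as its parent.

    Heuristic, not ground truth: a parent writing into a freshly created child
    (startup plumbing) and a foreign process injecting into a running one both
    appear here as 'wrote to memory of'; the sandbox table does not distinguish them.
    """
    parent = {}
    for writer, target in counts:          # Counter keeps first-seen order
        parent.setdefault(target, writer)
    return parent


def lineage(parent, pid):
    """Root-to-leaf PID chain for pid, e.g. [4620, 4872, 3204] for PID 3204."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def cross_image_writes(counts, image):
    """(writer, target) pairs whose images differ. These are the rows to examine;
    Edge writing into Edge is ordinary Chromium browser-to-child setup."""
    return sorted((w, t) for (w, t) in counts if image[w] != image[t])


def render(parent, image, counts):
    """Indented process tree with write counts, for the analyst's notes."""
    children = {}
    for child, par in parent.items():
        children.setdefault(par, []).append(child)
    roots = sorted({p for p in parent.values() if p not in parent})
    lines = []

    def walk(pid, depth):
        name = image[pid].rsplit("\\", 1)[-1]
        par = parent.get(pid)
        hits = f"  ({counts[(par, pid)]} writes from {par})" if par is not None else ""
        lines.append("  " * depth + f"{pid} {name}{hits}")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    counts, image = summarize(ROWS)
    parent = infer_parents(counts)
    print(render(parent, image, counts))
    print("cross-image writes:", cross_image_writes(counts, image))
```

The only cross-image write is 4872 into 3204, the sample into msedge.exe, which lines up with the Edge command line in the Processes list carrying the sample's URL; the 59 Edge-into-Edge writes are the browser starting its own renderer, GPU and utility children.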

Processes

C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe

"C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe"

C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe

"C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe" Admin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.178stu.com/my.htm

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb530f46f8,0x7ffb530f4708,0x7ffb530f4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,5202947507304137129,7561274340257002311,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,5202947507304137129,7561274340257002311,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,5202947507304137129,7561274340257002311,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5202947507304137129,7561274340257002311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5202947507304137129,7561274340257002311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5202947507304137129,7561274340257002311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5202947507304137129,7561274340257002311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,5202947507304137129,7561274340257002311,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,5202947507304137129,7561274340257002311,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5202947507304137129,7561274340257002311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5202947507304137129,7561274340257002311,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5202947507304137129,7561274340257002311,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5202947507304137129,7561274340257002311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5202947507304137129,7561274340257002311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2236 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5202947507304137129,7561274340257002311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,5202947507304137129,7561274340257002311,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5308 /prefetch:2

Network

Country Destination Domain Proto
CN 1.15.12.73:4567 tcp
CN 1.15.12.73:4567 tcp
US 8.8.8.8:53 info.178stu.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 www.178stu.com udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
US 8.8.4.4:53 google.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 www.178stu.com udp
US 8.8.8.8:53 nav.smartscreen.msiserver.lan udp
US 8.8.8.8:53 edge.msiserver.lan udp
US 8.8.8.8:53 www.178stu.com udp
US 8.8.8.8:53 nav.smartscreen.msiserver.lan udp
US 8.8.8.8:53 edge.msiserver.lan udp
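Most rows in the Network table are not the sample's own traffic: the reverse lookups, the google.com queries and the sandbox's .lan names come from the Edge instance the sample launched. The script below is an example added by the editor, not part of the report; it applies that split to the rows as copied from the table. The noise lists (in-addr.arpa, .lan, google.com, mDNS) are assumptions named in the code, and a row that matches neither rule is kept for review rather than dropped. What survives is what the sample itself is responsible for: the direct TCP connection to 1.15.12.73:4567, made without any DNS lookup, and the 178stu.com hostnames that match the URL handed to Edge.

```python
import ipaddress

# Network rows copied from the table above: (country, destination, domain, proto).
ROWS = [
    ("CN", "1.15.12.73:4567", "", "tcp"),
    ("CN", "1.15.12.73:4567", "", "tcp"),
    ("US", "8.8.8.8:53", "info.178stu.com", "udp"),
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "www.178stu.com", "udp"),
    ("US", "8.8.8.8:53", "google.com", "udp"),
    ("US", "8.8.8.8:53", "google.com", "udp"),
    ("US", "8.8.4.4:53", "google.com", "udp"),
    ("N/A", "224.0.0.251:5353", "", "udp"),
    ("US", "8.8.8.8:53", "4.4.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "www.178stu.com", "udp"),
    ("US", "8.8.8.8:53", "nav.smartscreen.msiserver.lan", "udp"),
    ("US", "8.8.8.8:53", "edge.msiserver.lan", "udp"),
    ("US", "8.8.8.8:53", "www.178stu.com", "udp"),
    ("US", "8.8.8.8:53", "nav.smartscreen.msiserver.lan", "udp"),
    ("US", "8.8.8.8:53", "edge.msiserver.lan", "udp"),
]

# Domain of the URL the sample passed to msedge.exe (Processes list above).
SAMPLE_URL_DOMAIN = "178stu.com"

# Assumptions about background noise in this sandbox: reverse lookups, the
# sandbox's own .lan names (SmartScreen/Edge redirects), Chromium's google.com
# connectivity checks, and mDNS on 224.0.0.251.
RESOLVERS = {"8.8.8.8", "8.8.4.4"}
NOISE_SUFFIXES = (".in-addr.arpa", ".lan")
NOISE_DOMAINS = {"google.com"}


def split_dest(dest):
    host, _, port = dest.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def classify(row):
    """'sample' = attributable to the sample, 'noise' = browser/sandbox background,
    'review' = no rule matched; unmatched rows are never silently dropped."""
    _country, dest, domain, proto = row
    ip, port = split_dest(dest)
    if ip.is_multicast or ip.is_link_local:
        return "noise"
    if proto == "udp" and port == 53 and str(ip) in RESOLVERS:
        if domain == SAMPLE_URL_DOMAIN or domain.endswith("." + SAMPLE_URL_DOMAIN):
            return "sample"
        if domain.endswith(NOISE_SUFFIXES) or domain in NOISE_DOMAINS:
            return "noise"
        return "review"
    if proto == "tcp" and not domain:
        # Direct-to-IP connection with no preceding lookup: consistent with a
        # hard-coded handler address, as a Metasploit-style payload would use.
        return "sample"
    return "review"


def extract_iocs(rows):
    """Deduplicated indicators attributable to the sample, in first-seen order."""
    iocs = {"endpoints": [], "domains": []}
    for row in rows:
        if classify(row) != "sample":
            continue
        country, dest, domain, proto = row
        if domain:
            if domain not in iocs["domains"]:
                iocs["domains"].append(domain)
        else:
            entry = (dest, proto, country)
            if entry not in iocs["endpoints"]:
                iocs["endpoints"].append(entry)
    return iocs


def unmatched(rows):
    """Rows that fell into 'review' and need a human decision."""
    return [r for r in rows if classify(r) == "review"]


if __name__ == "__main__":
    print(extract_iocs(ROWS))
    print("to review:", unmatched(ROWS))
```

The 8.8.8.8 and 8.8.4.4 destinations are the sandbox's resolvers and carry no meaning on their own; only the names queried through them matter, which is why the classifier keys on the Domain column for UDP/53 and on the absence of a domain for the TCP rows.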

Files

memory/4620-0-0x0000000002330000-0x0000000002331000-memory.dmp

memory/4620-2-0x0000000002770000-0x0000000002771000-memory.dmp

memory/4620-4-0x0000000000400000-0x00000000005E5000-memory.dmp

memory/4620-3-0x0000000002330000-0x0000000002331000-memory.dmp

memory/4872-6-0x00000000022D0000-0x00000000022D1000-memory.dmp

memory/4872-9-0x0000000000400000-0x00000000005E5000-memory.dmp

memory/4872-10-0x0000000000400000-0x00000000005E5000-memory.dmp

memory/4872-12-0x0000000000400000-0x00000000005E5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 87f7abeb82600e1e640b843ad50fe0a1
SHA1 045bbada3f23fc59941bf7d0210fb160cb78ae87
SHA256 b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262
SHA512 ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

C:\Windows\system32\drivers\etc\hosts

MD5 03450e8ddb20859f242195450c19b8f1
SHA1 9698f8caf67c8853e14c8bf4933949f458c3044a
SHA256 1bdd8f1dd7bd82b5b2313d8770dfe4f41cd3f45bbaeab8b8a7f75fc5e2d3720b
SHA512 87371e57bf2296af5ec7f5db772a4ce66729d54aa23a8b384e3f4c42310b97b636576c7dff67c27a3b679339cdeee05b836563ae2a878f0367caf247b3e1ba7b

\??\pipe\LOCAL\crashpad_3204_GGHWGBLXJGFZAOVY

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f61fa5143fe872d1d8f1e9f8dc6544f9
SHA1 df44bab94d7388fb38c63085ec4db80cfc5eb009
SHA256 284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64
SHA512 971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5fdef71d2a8ab26182cd976504a77a65
SHA1 8902053abba7733a89866f03924e01f45dc91e3a
SHA256 0ceb215eb3112734a5a1582e2921b32a862856bb81a60c4bbcaaf0dbf909f9ea
SHA512 78ca3462e74731284e2b744b5826e72d8e48d59c68fe469ea276c5a72836f21f993f9dfd45ff637e5c895f3bba90032067c2b2f42e1e30de2ece5c669d4c8085

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 2fe143fe4aa25e0ab8141551bffe268a
SHA1 7415c7af6306565b649eab0777a25653e392b73a
SHA256 905ba8f03ae1c3d78c57dca13e0e0d8d63ec68f72e7492f03504903092450733
SHA512 536658a9359468a4a1a2718d656fbcc6b9568f57c75570c4f023abe8dda0fa3c9b8b2af9a4c573e010880ef5b910c53579ec834f1870238b13183c6263e5d995

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b739a0c394f8c0c4991aa3826754b064
SHA1 fba1073a1e880ca97895aaec4f2b278137af243f
SHA256 465533018a0baeedbfb2a0491b71edd5373daa4ca253ac03582cde3ff343e4cd
SHA512 3a565aaaedd2c8c561b39bd092f26c336d1ec4857d6fff89efee9bc0de73caebbf319e5b1c449b902d4df12c241ec47d251d8f60609d34e184ce0c10ed2bd982
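Two things in the Files list are easier to check by script than by eye: the memory dumps show the same 0x400000-0x5E5000 range captured from both PID 4620 and PID 4872, and a system file (drivers\etc\hosts) and an empty named pipe sit among the Edge profile artifacts. The parser and triage below are an example added by the editor, not code from the report; they read the dump names and bucket the file entries as copied from the list. The bucket names and the "compare against a clean baseline" rule are the editor's, the empty-file MD5 is the standard digest of zero bytes, and whether the sandbox saw a read or a write of the hosts file is not recorded in this list.

```python
import re

EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"  # MD5 of zero bytes

# Entries copied from the Files list above.
MEMORY_DUMPS = [
    "memory/4620-0-0x0000000002330000-0x0000000002331000-memory.dmp",
    "memory/4620-2-0x0000000002770000-0x0000000002771000-memory.dmp",
    "memory/4620-4-0x0000000000400000-0x00000000005E5000-memory.dmp",
    "memory/4620-3-0x0000000002330000-0x0000000002331000-memory.dmp",
    "memory/4872-6-0x00000000022D0000-0x00000000022D1000-memory.dmp",
    "memory/4872-9-0x0000000000400000-0x00000000005E5000-memory.dmp",
    "memory/4872-10-0x0000000000400000-0x00000000005E5000-memory.dmp",
    "memory/4872-12-0x0000000000400000-0x00000000005E5000-memory.dmp",
]
FILES = [  # (path, md5)
    (r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat", "87f7abeb82600e1e640b843ad50fe0a1"),
    (r"C:\Windows\system32\drivers\etc\hosts", "03450e8ddb20859f242195450c19b8f1"),
    (r"\??\pipe\LOCAL\crashpad_3204_GGHWGBLXJGFZAOVY", "d41d8cd98f00b204e9800998ecf8427e"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat", "f61fa5143fe872d1d8f1e9f8dc6544f9"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences", "5fdef71d2a8ab26182cd976504a77a65"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT", "46295cac801e5d4857d09837238a6394"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT", "206702161f94c5cd39fadd03f4014d98"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State", "2fe143fe4aa25e0ab8141551bffe268a"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences", "b739a0c394f8c0c4991aa3826754b064"),
]

# Dump name layout used in the list: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump(name):
    """Split a sandbox dump name into PID, sequence number and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def shared_regions(names):
    """Address ranges dumped from more than one PID. The same range in two
    processes of the same image is what a self-relaunch looks like."""
    by_range = {}
    for d in map(parse_dump, names):
        by_range.setdefault((d["start"], d["end"]), set()).add(d["pid"])
    return {rng: pids for rng, pids in by_range.items() if len(pids) > 1}


def largest_dump(names):
    """Biggest dumped range per PID; here the main image at 0x400000 in both."""
    best = {}
    for d in map(parse_dump, names):
        if d["pid"] not in best or d["size"] > best[d["pid"]]["size"]:
            best[d["pid"]] = d
    return best


def triage(path, md5):
    """Bucket a file entry before it goes into an IOC list (editor's categories)."""
    low = path.lower()
    if md5 == EMPTY_MD5:
        return "empty"      # zero bytes: a named pipe or placeholder, not an IOC
    if low.startswith("c:\\windows\\"):
        return "baseline"   # system file touched: diff its hash against a clean image
    if "\\microsoft\\edge\\user data\\" in low:
        return "browser"    # profile state of the Edge instance the sample launched
    return "review"


def triage_all(files):
    return {path: triage(path, md5) for path, md5 in files}


if __name__ == "__main__":
    for rng, pids in shared_regions(MEMORY_DUMPS).items():
        print(f"0x{rng[0]:X}-0x{rng[1]:X} dumped from PIDs {sorted(pids)}")
    for path, bucket in triage_all(FILES).items():
        print(f"{bucket:9} {path}")
```

The two 0x400000-0x5E5000 dumps are the natural input for a side-by-side comparison of the original and relaunched process images; the hosts file is the one entry outside the browser profile, so its hash is the one to check against a known-good copy from the same Windows build.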