Malware Analysis Report

2024-12-07 03:09

Sample ID 241113-rwvxjsxjeq
Target file.exe
SHA256 1f38d19213588d5c202cb33491175a72f403936ec55b9c88e2a6b48d8a3e122b
Tags
discovery evasion spyware stealer
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

1f38d19213588d5c202cb33491175a72f403936ec55b9c88e2a6b48d8a3e122b

Threat Level: Likely malicious

The file file.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion spyware stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Reads user/profile data of web browsers

Identifies Wine through registry keys

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Browser Information Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 14:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 14:33

Reported

2024-11-13 14:35

Platform

win7-20240903-en

Max time kernel

121s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437670265" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf60000000002000000000010660000000100002000000073e51fac0e727912a86e70ce60d3e7c585783a63182e22ee9e21343181f7a626000000000e8000000002000020000000484207810debabb366857f85bf0ae234093eaf99a5161176e5e30b418f64156b200000006e141868a64f5e599a95fd80b513a8fa589d25ab2c4e09d68b6ae3c885462e15400000004433aa8c9384ac0b63f9f17a99b20ea9a564d03ee028313f9d3437b352a220d943d29af45041bef35ab4a4a5693084a1a56a7438b0f7dc51d9a46da7c7c7ab23 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c05c3b11d935db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{39212AD1-A1CC-11EF-A0FF-7ED3796B1EC0} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2856 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 fleez-inc.sbs udp
US 172.67.150.243:443 fleez-inc.sbs tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 learn.microsoft.com udp
GB 95.100.246.21:443 learn.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 14:33

Reported

2024-11-13 14:35

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 764 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2692 wrote to memory of 1540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff94b6646f8,0x7ff94b664708,0x7ff94b664718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,1662572504031550703,3803286072069483888,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,1662572504031550703,3803286072069483888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,1662572504031550703,3803286072069483888,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1662572504031550703,3803286072069483888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1662572504031550703,3803286072069483888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1662572504031550703,3803286072069483888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,1662572504031550703,3803286072069483888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3460 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,1662572504031550703,3803286072069483888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3460 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1662572504031550703,3803286072069483888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1662572504031550703,3803286072069483888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1662572504031550703,3803286072069483888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1662572504031550703,3803286072069483888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff94b6646f8,0x7ff94b664708,0x7ff94b664718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1662572504031550703,3803286072069483888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1662572504031550703,3803286072069483888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,1662572504031550703,3803286072069483888,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3100 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 fleez-inc.sbs udp
US 172.67.150.243:443 fleez-inc.sbs tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 243.150.67.172.in-addr.arpa udp
US 172.67.150.243:443 fleez-inc.sbs tcp
US 172.67.150.243:443 fleez-inc.sbs tcp
US 172.67.150.243:443 fleez-inc.sbs tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 172.67.150.243:443 fleez-inc.sbs tcp
US 172.67.150.243:443 fleez-inc.sbs tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 learn.microsoft.com udp
GB 95.100.246.21:443 learn.microsoft.com tcp
US 8.8.8.8:53 3.26.192.23.in-addr.arpa udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 13.107.246.64:443 js.monitor.azure.com tcp
US 13.107.246.64:443 js.monitor.azure.com tcp
US 8.8.8.8:53 64.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 21.246.100.95.in-addr.arpa udp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
US 20.189.173.7:443 browser.events.data.microsoft.com tcp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp
US 20.189.173.7:443 browser.events.data.microsoft.com tcp
N/A 224.0.0.251:5353 N/A udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/764-0-0x00000000005A0000-0x00000000008A8000-memory.dmp

memory/764-1-0x0000000077704000-0x0000000077706000-memory.dmp

memory/764-2-0x00000000005A1000-0x00000000005F4000-memory.dmp

memory/764-3-0x00000000005A0000-0x00000000008A8000-memory.dmp

memory/764-4-0x00000000005A0000-0x00000000008A8000-memory.dmp

memory/764-5-0x00000000005A0000-0x00000000008A8000-memory.dmp

memory/764-7-0x0000000005FC0000-0x000000000627C000-memory.dmp

memory/764-6-0x0000000005FC0000-0x000000000627C000-memory.dmp

memory/764-15-0x00000000005A1000-0x00000000005F4000-memory.dmp

memory/764-14-0x00000000005A0000-0x00000000008A8000-memory.dmp

memory/764-13-0x00000000005A0000-0x00000000008A8000-memory.dmp

memory/764-22-0x0000000005FC0000-0x000000000627C000-memory.dmp

memory/764-24-0x0000000005FC0000-0x000000000627C000-memory.dmp

memory/764-34-0x0000000005FC0000-0x000000000627C000-memory.dmp

memory/764-39-0x0000000005FC0000-0x000000000627C000-memory.dmp

memory/764-38-0x0000000005FC0000-0x000000000627C000-memory.dmp

memory/764-37-0x0000000005FC0000-0x000000000627C000-memory.dmp

memory/764-36-0x0000000005FC0000-0x000000000627C000-memory.dmp

memory/764-41-0x0000000005FC0000-0x000000000627C000-memory.dmp

memory/764-42-0x0000000005FC0000-0x000000000627C000-memory.dmp

memory/764-43-0x0000000005FC0000-0x000000000627C000-memory.dmp

memory/764-40-0x0000000005FC0000-0x000000000627C000-memory.dmp

memory/764-35-0x0000000005FC0000-0x000000000627C000-memory.dmp

memory/764-33-0x0000000005FC0000-0x000000000627C000-memory.dmp

memory/764-32-0x0000000005FC0000-0x000000000627C000-memory.dmp

memory/764-31-0x0000000005FC0000-0x000000000627C000-memory.dmp

memory/764-30-0x0000000005FC0000-0x000000000627C000-memory.dmp

memory/764-29-0x0000000005FC0000-0x000000000627C000-memory.dmp

memory/764-28-0x0000000005FC0000-0x000000000627C000-memory.dmp

memory/764-26-0x0000000005FC0000-0x000000000627C000-memory.dmp

memory/764-25-0x0000000005FC0000-0x000000000627C000-memory.dmp

memory/764-23-0x0000000005FC0000-0x000000000627C000-memory.dmp

memory/764-20-0x0000000005FC0000-0x000000000627C000-memory.dmp

memory/764-19-0x0000000005FC0000-0x000000000627C000-memory.dmp

memory/764-18-0x0000000005FC0000-0x000000000627C000-memory.dmp

memory/764-17-0x0000000005FC0000-0x000000000627C000-memory.dmp

memory/764-27-0x0000000005FC0000-0x000000000627C000-memory.dmp

memory/764-16-0x0000000005FC0000-0x000000000627C000-memory.dmp

memory/764-21-0x0000000005FC0000-0x000000000627C000-memory.dmp

memory/764-44-0x00000000005A0000-0x00000000008A8000-memory.dmp

memory/764-45-0x00000000005A0000-0x00000000008A8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 34d2c4f40f47672ecdf6f66fea242f4a
SHA1 4bcad62542aeb44cae38a907d8b5a8604115ada2
SHA256 b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33
SHA512 50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

\??\pipe\LOCAL\crashpad_2692_KPGNUVKCLBZBCNSJ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8749e21d9d0a17dac32d5aa2027f7a75
SHA1 a5d555f8b035c7938a4a864e89218c0402ab7cde
SHA256 915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304
SHA512 c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 340977ec2d8d5eb949506ed2990beb10
SHA1 1f2e17093505ac286631cf7f368f0e1c012fc979
SHA256 eac06ea7ae19a21f20031df3ad303f314c4ebba0c982a8638149515473b4a1a5
SHA512 097ca9a501de4b15041ee61e0019304b764f505a4314b355c99cf8092709ed7f0cd8684a33e8095dbbeea9e365b284227a2f68930ba1e2d5e87affad45870e15

memory/764-95-0x00000000005A0000-0x00000000008A8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/764-104-0x00000000005A0000-0x00000000008A8000-memory.dmp

memory/764-107-0x00000000005A0000-0x00000000008A8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 150c7d5f895f346e362217afa825bc60
SHA1 89675199f00b602aa4992e9a537624405c5c0423
SHA256 fe67986295b3e8139a58d6b4a60419a4c84a3a91cd02f4208df7bed04e4296ad
SHA512 88c2170108e3562769c466ca5b70e0db12758efecc898b69d2c61324b75ceda5588be6aa2533994d6fc0cd6b392fdf92d67b761a587f646f6cb93001f04e0297

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2fb15e557b5ca89e6216bb47b68955cc
SHA1 e673e3937b2dbce1c9170d9f042dd26152a0436c
SHA256 c9340049ecf80342e370cedc0517ec43233c49717bfea451337f7201dc821998
SHA512 72714cc3d5dd4aea2f917786f8f717ba08250a60101c459617a9a2a789c80274751d8973d09f2282c4ca1c3593a13b20593928fc48aca6ba45c7a4079f373e55

memory/764-132-0x0000000005FC0000-0x000000000627C000-memory.dmp

memory/764-158-0x00000000005A0000-0x00000000008A8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3648c09e81b13a017dc2e40de57fa1c3
SHA1 ad2fae924c5de12f852c5e569def2e86548cb357
SHA256 4f42442d740aade582c08eff5bd488fd3a77be8b978462b44e9b3e53f4c1731d
SHA512 07b2d8dd5106be923b80c7dcf7422a43effe341f1091ebf3620561a61f73c194d52280e8f8f31a348ad33b35be43f83eeee05ad559af85ed727b6735c2f53003

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5808e4.TMP

MD5 033161ccc3ea4c3d8767fe55cf9dcad7
SHA1 afc97bf5f4e62c803f23f5139e99c67f93e5f7ef
SHA256 802499de601775b22df5d09db20a85dd6515478750ca780890078544bb1dcf9c
SHA512 28541ed96b4998e352624880a9f961063aef34b6128fc1e86dd5b2705a8337159f1accf09545d6996a761bd2ff5d697212e51b55520f9f2f11d7c20ac71ba609

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 e8a6e3d297e5c45b094bbc7e208d1a9b
SHA1 e054cb395425435e55df38d3e6fc2d9b5ef5bd41
SHA256 47909c34aab3c55b634c907dba5813cb74228d6eb42050edc3d3d64e88c2b841
SHA512 401f62d3278d302c33f440a06c934fda3bb4b9645513d4e80a662070f0587e3fd6957455eec46a8f50f4ac305e7cc267532904203eb9195f91c2ab017f316c10

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 c04214c19f8c05d2352ebd97386f90c3
SHA1 1ad7e97fa42249b3e42a9bacab049253c2ad3793
SHA256 d4edbe9fc7de7c31bb6193a47cff17ffae84933141ffaa57a8c86b71ac389efc
SHA512 359ec2ced9960e25f35e409e45994eec32e97004fc9a5c5a5ed9c0556c2305f7fbd0c0189b1036bc35fd91a6dbc4f42fc901ae3646c63a6d45815beee4b2a70e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 05592d6b429a6209d372dba7629ce97c
SHA1 b4d45e956e3ec9651d4e1e045b887c7ccbdde326
SHA256 3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd
SHA512 caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa