metasploit | d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe
Size

1.8MB
MD5

8bf2ca375bbec8986b7f5e08839bf130
SHA1

c9c62acc22354b939da39a23f70cefe2be63f9fa
SHA256

d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b
SHA512

594b237711eac3953b4f836fa8c1b5cb2e51326860984c8839131827a1e6d1b5cb255dd1cf0b94d3166b07b2a4a30c4f4355203ee17ff41510adc2b528c50e20
SSDEEP

24576:/3vLRdVhZBK8NogWYO09+OGi9J8CrxzzEB+2iLhUi26e6N5NjQO7EPWdLjwC/hR:/3d5ZQ1OxJgBILj26RMO7aWd3

Score

10^/10

metasploit backdoor discovery spyware stealer trojan

Malware Config

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

1.15.12.73:4567

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe
File opened (read-only)	\??\G:	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe
File opened (read-only)	\??\L:	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe
File opened (read-only)	\??\P:	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe
File opened (read-only)	\??\Z:	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe
File opened (read-only)	\??\B:	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe
File opened (read-only)	\??\J:	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe
File opened (read-only)	\??\O:	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe
File opened (read-only)	\??\Q:	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe
File opened (read-only)	\??\R:	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe
File opened (read-only)	\??\S:	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe
File opened (read-only)	\??\U:	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe
File opened (read-only)	\??\X:	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe
File opened (read-only)	\??\H:	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe
File opened (read-only)	\??\I:	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe
File opened (read-only)	\??\M:	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe
File opened (read-only)	\??\N:	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe
File opened (read-only)	\??\T:	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe
File opened (read-only)	\??\W:	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe
File opened (read-only)	\??\Y:	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe
File opened (read-only)	\??\E:	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe
File opened (read-only)	\??\K:	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe
File opened (read-only)	\??\V:	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\de\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\en_US\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_1836120943\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_1836120943\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\my\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\ca\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\vi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\ur\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\fa\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\en\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\es_419\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\zh_HK\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\tr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\am\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\be\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\en_GB\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\iw\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\128.png	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\lv\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\hu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\ms\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\ar\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\ne\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_1836120943\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\service_worker_bin_prod.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\et\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\no\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\zh_CN\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\si\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\fr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\is\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_510211195\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_2052467408\sets.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_1836120943\keys.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\dasherSettingSchema.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\offscreendocument_main.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\th\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\ta\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\cy\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\es\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\id\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\ka\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\pt_PT\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\zh_TW\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\bg\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\gl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\lo\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\gu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_510211195\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\fi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\te\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\fr_CA\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\da\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\lt\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\hi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\pa\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_2052467408\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\nl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\sw\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\zu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_661104508\_locales\hy\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5012_2052467408\_metadata\verified_contents.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133878212917133717"	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-446031748-3036493239-2009529691-1000\{A04046AD-AFDB-4CEB-9DC3-574F0046B89A}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4196	msedge.exe
4196	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4332	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe
Token: SeDebugPrivilege	4332	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe
Token: SeDebugPrivilege	1360	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe
Token: SeDebugPrivilege	1360	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5012	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4332 wrote to memory of 1360	4332	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe	88
PID 4332 wrote to memory of 1360	4332	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe	88
PID 4332 wrote to memory of 1360	4332	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe	88
PID 1360 wrote to memory of 5012	1360	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe	93
PID 1360 wrote to memory of 5012	1360	d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe	93
PID 5012 wrote to memory of 5036	5012	msedge.exe	94
PID 5012 wrote to memory of 5036	5012	msedge.exe	94
PID 5012 wrote to memory of 2600	5012	msedge.exe	95
PID 5012 wrote to memory of 2600	5012	msedge.exe	95
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 548	5012	msedge.exe	96
PID 5012 wrote to memory of 1896	5012	msedge.exe	97
PID 5012 wrote to memory of 1896	5012	msedge.exe	97
PID 5012 wrote to memory of 1896	5012	msedge.exe	97
PID 5012 wrote to memory of 1896	5012	msedge.exe	97

C:\Users\Admin\AppData\Local\Temp\d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe
"C:\Users\Admin\AppData\Local\Temp\d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Users\Admin\AppData\Local\Temp\d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe
  "C:\Users\Admin\AppData\Local\Temp\d180fb9deeb0fadf992e7ac57fb5cb204e3f527bcca1f04e6507b01f8dc45a0b.exe" Admin
  2⤵
  - Drops file in Drivers directory
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.178stu.com/my.htm
    3⤵
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:5012
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x2ec,0x7fff7b8ef208,0x7fff7b8ef214,0x7fff7b8ef220
      4⤵
      PID:5036
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1960,i,15750997971896842391,15645082814384583796,262144 --variations-seed-version --mojo-platform-channel-handle=2260 /prefetch:3
      4⤵
      PID:2600
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2224,i,15750997971896842391,15645082814384583796,262144 --variations-seed-version --mojo-platform-channel-handle=2220 /prefetch:2
      4⤵
      PID:548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2064,i,15750997971896842391,15645082814384583796,262144 --variations-seed-version --mojo-platform-channel-handle=2712 /prefetch:8
      4⤵
      PID:1896
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3480,i,15750997971896842391,15645082814384583796,262144 --variations-seed-version --mojo-platform-channel-handle=3500 /prefetch:1
      4⤵
      PID:1712
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3504,i,15750997971896842391,15645082814384583796,262144 --variations-seed-version --mojo-platform-channel-handle=3512 /prefetch:1
      4⤵
      PID:2660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4912,i,15750997971896842391,15645082814384583796,262144 --variations-seed-version --mojo-platform-channel-handle=4992 /prefetch:8
      4⤵
      PID:4196
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4984,i,15750997971896842391,15645082814384583796,262144 --variations-seed-version --mojo-platform-channel-handle=5028 /prefetch:8
      4⤵
      PID:4628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5364,i,15750997971896842391,15645082814384583796,262144 --variations-seed-version --mojo-platform-channel-handle=4988 /prefetch:8
      4⤵
      PID:208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5408,i,15750997971896842391,15645082814384583796,262144 --variations-seed-version --mojo-platform-channel-handle=5780 /prefetch:8
      4⤵
      PID:2488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5408,i,15750997971896842391,15645082814384583796,262144 --variations-seed-version --mojo-platform-channel-handle=5780 /prefetch:8
      4⤵
      PID:5916
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6036,i,15750997971896842391,15645082814384583796,262144 --variations-seed-version --mojo-platform-channel-handle=6140 /prefetch:8
      4⤵
      PID:2888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6280,i,15750997971896842391,15645082814384583796,262144 --variations-seed-version --mojo-platform-channel-handle=6168 /prefetch:8
      4⤵
      PID:4932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=2692,i,15750997971896842391,15645082814384583796,262144 --variations-seed-version --mojo-platform-channel-handle=5788 /prefetch:1
      4⤵
      PID:740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=3556,i,15750997971896842391,15645082814384583796,262144 --variations-seed-version --mojo-platform-channel-handle=3568 /prefetch:1
      4⤵
      PID:3568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6068,i,15750997971896842391,15645082814384583796,262144 --variations-seed-version --mojo-platform-channel-handle=6016 /prefetch:8
      4⤵
      PID:6104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6008,i,15750997971896842391,15645082814384583796,262144 --variations-seed-version --mojo-platform-channel-handle=3600 /prefetch:8
      4⤵
      PID:2876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3536,i,15750997971896842391,15645082814384583796,262144 --variations-seed-version --mojo-platform-channel-handle=5900 /prefetch:8
      4⤵
      PID:3580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=4312,i,15750997971896842391,15645082814384583796,262144 --variations-seed-version --mojo-platform-channel-handle=5072 /prefetch:1
      4⤵
      PID:2140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6044,i,15750997971896842391,15645082814384583796,262144 --variations-seed-version --mojo-platform-channel-handle=5108 /prefetch:8
      4⤵
      PID:3764
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6688,i,15750997971896842391,15645082814384583796,262144 --variations-seed-version --mojo-platform-channel-handle=6668 /prefetch:8
      4⤵
      PID:4200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6264,i,15750997971896842391,15645082814384583796,262144 --variations-seed-version --mojo-platform-channel-handle=3568 /prefetch:8
      4⤵
      PID:5652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --always-read-main-dll --field-trial-handle=128,i,15750997971896842391,15645082814384583796,262144 --variations-seed-version --mojo-platform-channel-handle=872 /prefetch:1
      4⤵
      PID:1188
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5192,i,15750997971896842391,15645082814384583796,262144 --variations-seed-version --mojo-platform-channel-handle=2772 /prefetch:8
      4⤵
      PID:5332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5020,i,15750997971896842391,15645082814384583796,262144 --variations-seed-version --mojo-platform-channel-handle=4992 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4196

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:5844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping5012_1836120943\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5012_1836120943\manifest.json

Filesize
79B

MD5
7f4b594a35d631af0e37fea02df71e72

SHA1
f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57

SHA256
530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1

SHA512
bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5012_510211195\manifest.fingerprint

Filesize
66B

MD5
496b05677135db1c74d82f948538c21c

SHA1
e736e675ca5195b5fc16e59fb7de582437fb9f9a

SHA256
df55a9464ee22a0f860c0f3b4a75ec62471d37b4d8cb7a0e460eef98cb83ebe7

SHA512
8bd1b683e24a8c8c03b0bc041288296448f799a6f431bacbd62cb33e621672991141c7151d9424ad60ab65a7a6a30298243b8b71d281f9e99b8abb79fe16bd3c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5012_510211195\manifest.json

Filesize
134B

MD5
049c307f30407da557545d34db8ced16

SHA1
f10b86ebfe8d30d0dc36210939ca7fa7a819d494

SHA256
c36944790c4a1fa2f2acec5f7809a4d6689ecb7fb3b2f19c831c9adb4e17fc54

SHA512
14f04e768956bdd9634f6a172104f2b630e2eeada2f73b9a249be2ec707f4a47ff60f2f700005ca95addd838db9438ad560e5136a10ed32df1d304d65f445780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.9\protocols.json

Filesize
3KB

MD5
f9fd82b572ef4ce41a3d1075acc52d22

SHA1
fdded5eef95391be440cc15f84ded0480c0141e3

SHA256
5f21978e992a53ebd9c138cb5391c481def7769e3525c586a8a94f276b3cd8d6

SHA512
17084cc74462310a608355fbeafa8b51f295fb5fd067dfc641e752e69b1ee4ffba0e9eafa263aab67daab780b9b6be370dd3b54dd4ba8426ab499e50ff5c7339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
8625e8ce164e1039c0d19156210674ce

SHA1
9eb5ae97638791b0310807d725ac8815202737d2

SHA256
2f65f9c3c54fe018e0b1f46e3c593d100a87758346d3b00a72cb93042daf60a2

SHA512
3c52b8876982fe41d816f9dfb05cd888c551cf7efd266a448050c87c3fc52cc2172f53c83869b87d7643ce0188004c978570f35b0fcc1cb50c9fffea3dec76a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
1c8dfad19aa9dcdfc14eb31af886208e

SHA1
612eefdc689c4166ff8add45fc79ccf6cc4fa8ba

SHA256
1271218d95f5859800ff40ae2dbacabb76608cb97605c9c573c27bee3efb1190

SHA512
1c048dbd49e613c6d3b38481cb9d47b0036bbaf4d5560d784af3562f876cbc929c21513a745933a6d17347678d1794777ff4348a41b472d6e13e1d11ad3b363f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
2737b47df372b0d8595dc59177aa5682

SHA1
1ba3cba9aac9ccdceb1e564f2a101e9ac4f636e3

SHA256
a4ce3a385a0cff2a19df422fa98c1138edcda6b757f4d4d41601f571a2bab715

SHA512
99ce00097b314a8c0de61caee68961c46866469d8927517bc848e494101c27e16cce598a4f7493593f099dc99fa5d031448c12ea4cfb4806838de4734189f95f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
54dcf254a4c9b06f7432c5ba4325196a

SHA1
dbbaa095353758ae92c9f75b9d7aa67e1c002e53

SHA256
8571b4520de32551f86a2e969a460d2fca09dd34759768023bf2e2f3eaefd6f0

SHA512
2adb435177b59cb3dc118a697d47981cbec9f35a44bae76524578d602fb2f9fd3d032aca31978f27ed506a658094d3aaf226a3dbfee5b36f935ace7495fafcf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
6013201a7e72f72ab1553a590d5dec54

SHA1
6e8ac05676ebb3155b2d6c99443c8432ee92ec41

SHA256
c71b07698c2e1482a9e5c11a1e6e5cf6241fdd49a485422e7b0ec815f905d17e

SHA512
49eff08307fca8d16ebd4ceb43f56ab19113290edff98a6092110b9b69e5a8d2dbb07d956aca235a3e0b5edc140a1c12376b70da94daf89cc7e47cc5df17e7ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
e37a0e29f953f102d4cd53784850f8fa

SHA1
7cab12bdec13fcce49e8c8b636396541f004f57d

SHA256
783695277982c93909a76ab6ad2f111ff23e0d3131e70fde057c56f009e2183c

SHA512
f47aa861fc4bbf85fb4d0be7fdf548dc76272ed2868a5eede791d33d7d3b80d4d1d084d8167c6249cbc36df0b1ca47302c49cc407d6df7e94d9145cc07893f25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
469B

MD5
2da70f02b95a7c7c176bd0c52471deb7

SHA1
02fb534de64744b149de96500920364aff2d496d

SHA256
e4d47ca813570a26864d594c54ebac1f4de701fed115f5a96938d73eb1571729

SHA512
1fc81693c99464d3ee50e1973f0d3a4543d04b6a4eabad91529f0f5485675abb72682fca19341572aa527e9f2ac9da948df1f32b6abdd4eca3859a8cf638fd41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
904B

MD5
99a583f436de9881973099e01653950c

SHA1
3273c5b6e7d08378e401c079efb49848084805f4

SHA256
a48aa283d580717967f09a71e563d76650d90b66937f774d26efd89fc58bac45

SHA512
5be60ac16d4f93061c901c2b5bcbc9b4bc8bfc5226cc610ab6f32c497ed165c45a7a0e0fbcfdd0647f2fd2a84a8fdaef9aa64f40d565bd56efadf235945e85f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
0d4c180c457f6972ec7c88bc59659e91

SHA1
5a72aed380605f6f111b9717e2a6b3c3cc986454

SHA256
2360ffc55438a201dae0ee07ea0106af7efc61cd63cb7b49ed304da6b0ea3d73

SHA512
56b8c534249c0af6bc4017f4d6b8f6fa856e1c43ac2562c5c790429255aa7c8997865eb978285edf5b994005adbd634773b9fe5b4326810757f41513f79305ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
f36c805cf256625c03014cc738d81a33

SHA1
5f8fa7f542b28fd26304ff6dcd945f38af061f1e

SHA256
0eb6fcb30eee1482e382e03df3e3ee43def455e75ed13560b14682f3518b67c6

SHA512
155da0007ef950a91e042eb23bdb1562f1e63a102b87791893fc5bd6c4ebb62bf97c21e552e5bebcdbd4aa5ac99eef17a21c29c9ae195738adb09e2b786ef7cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
39891b0ee1a2e0de57230fe8b3d58919

SHA1
f618c0220e0beba578b003896d703c8fb2d3f145

SHA256
a0423046439627799259c62f628eae71fe95a8409c4714546084c9cc583c1445

SHA512
4e30398d0a31ecaa93f0e5016bc441a7d33c6c9d39ed8bf29471dd37bc73ff30f1ef13fc8851cb6820c6b01617b507a02d3a1cbb1fb84685fe9ec5112bb6fd78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
647b9c05d2916bec2b6fa727cdb0cbed

SHA1
5d1978823cdf3417908c54fdfc38ec6609c47460

SHA256
f706cee8977c146aad7a2766d2bcdf56deaa24373793ffaed119c01799eab3f7

SHA512
0bbe23cd7bc322cf47b93640f5c6862075697b0aa5d68421c7efdcc752f1ef92a540c8023c80150952bbd5319ac5181dfcb7430581284c6e8763a13e1cb1251b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2025.1.17.1\keys.json

Filesize
6KB

MD5
bef4f9f856321c6dccb47a61f605e823

SHA1
8e60af5b17ed70db0505d7e1647a8bc9f7612939

SHA256
fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5

SHA512
bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
5c032901d80def4b3606170299f9e3f3

SHA1
4e233b542fbb691827c94e892d8e1e1cecda190b

SHA256
a36a4c83f1f41ff06b2e10a8a5d812a9029d9400879c8c5cccc623cca1fce348

SHA512
3c033cf0a8a1f700deca90a14f795a584099848f54ed7998bd1cc13f1f363a12ef04a75667c7385b65a23ed9cf51be7f5e21a3a22a9adf47dd1c4aea24e39da8

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
822B

MD5
03450e8ddb20859f242195450c19b8f1

SHA1
9698f8caf67c8853e14c8bf4933949f458c3044a

SHA256
1bdd8f1dd7bd82b5b2313d8770dfe4f41cd3f45bbaeab8b8a7f75fc5e2d3720b

SHA512
87371e57bf2296af5ec7f5db772a4ce66729d54aa23a8b384e3f4c42310b97b636576c7dff67c27a3b679339cdeee05b836563ae2a878f0367caf247b3e1ba7b

Download Submit
memory/1360-12-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/1360-10-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/1360-9-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/1360-6-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/4332-4-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/4332-3-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/4332-1-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/4332-2-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download