Malware Analysis Report

2024-09-23 04:01

Sample ID 240601-nmp36abb8w
Target d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c
SHA256 d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c
Tags
metasploit backdoor discovery spyware stealer trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c

Threat Level: Known bad

The file d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor discovery spyware stealer trojan

MetaSploit

Drops file in Drivers directory

Checks computer location settings

Reads user/profile data of web browsers

Checks installed software on the system

Enumerates connected drives

Enumerates physical storage devices

Unsigned PE

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-01 11:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 11:31

Reported

2024-06-01 11:33

Platform

win7-20240508-en

Max time kernel

118s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423403346" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e038b26417b4da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{76D37CA1-200A-11EF-99EB-F2F7F00EEB0D} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a2300000000020000000000106600000001000020000000f3234de43445c9c241907d8a1dadafe6d9978a39b55fda136dff964472c9025c000000000e8000000002000020000000e2729ce73ed935eabe01012cbb4297d874cf64b16284312f6b5b7030eec3bc45200000009e748059de633bc1e6865eb1c426eaff052a776371bde57d3a08e55d1d364417400000004d2cef0a72c11b3e55aaa66499d6972d4622c7b6bde8e34a6a153fabcd58ef6ad5261c05940bdf5cca9f19a4bc8b27a99d0c7d1fa74120e0d1418ba7a7f2ba46 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3056 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe
PID 3056 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe
PID 3056 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe
PID 3056 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe
PID 2452 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2452 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2452 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2452 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2656 wrote to memory of 2868 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2656 wrote to memory of 2868 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2656 wrote to memory of 2868 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2656 wrote to memory of 2868 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe

"C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe"

C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe

"C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe" Admin

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.178stu.com/my.htm

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2656 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
CN 1.15.12.73:4567 tcp
CN 1.15.12.73:4567 tcp
US 8.8.8.8:53 info.178stu.com udp
HK 103.133.93.52:80 info.178stu.com tcp
US 8.8.8.8:53 www.178stu.com udp
US 8.8.8.8:53 www.178stu.com udp
HK 103.133.93.52:80 www.178stu.com tcp
HK 103.133.93.52:80 www.178stu.com tcp
HK 103.133.93.52:80 www.178stu.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 11:31

Reported

2024-06-01 11:33

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
(identical row reported 25 times, all from msedge.exe)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
(identical row reported 24 times, all from msedge.exe)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4236 wrote to memory of 2140 (3 rows) N/A C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe
PID 2140 wrote to memory of 2704 (2 rows) N/A C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2704 wrote to memory of 4768 (2 rows) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2704 wrote to memory of 956 (40 rows) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2704 wrote to memory of 3808 (2 rows) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2704 wrote to memory of 4044 (15 rows) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
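Read as a chain, the table says: the sample (PID 4236) writes into a second copy of itself (PID 2140, the instance launched with the extra argument Admin in the Processes list), that copy writes into the msedge.exe it starts (PID 2704, the browser process that owns the crashpad_2704 pipe in the Files list), and 2704 then writes into its own child msedge.exe processes. The script below is an added example, not code from the report or from the sandbox: it parses rows of this table, collapses the repeats into counts, and separates the writes that cross from one program image into another from a browser parent writing into its own children. The row list is reconstructed from the table above, and the PID-to-image mapping is taken from the Process and Target columns.

```python
"""Reconstruct the write chain from the WriteProcessMemory signature rows.

Added example, not from the report. ROWS reproduces the table above as
(Description, Process, Target) triples, repeated rows included by count.
"""
import re
from collections import Counter, defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe")
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed from the report's table: one triple per row.
ROWS = (
    [("PID 4236 wrote to memory of 2140", SAMPLE, SAMPLE)] * 3
    + [("PID 2140 wrote to memory of 2704", SAMPLE, EDGE)] * 2
    + [("PID 2704 wrote to memory of 4768", EDGE, EDGE)] * 2
    + [("PID 2704 wrote to memory of 956", EDGE, EDGE)] * 40
    + [("PID 2704 wrote to memory of 3808", EDGE, EDGE)] * 2
    + [("PID 2704 wrote to memory of 4044", EDGE, EDGE)] * 15
)

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_rows(rows):
    """Collapse rows into {(writer_pid, target_pid): count} and {pid: image}."""
    edges = Counter()
    images = {}
    for desc, writer_img, target_img in rows:
        m = ROW_RE.fullmatch(desc)
        if not m:
            continue
        writer, target = int(m.group(1)), int(m.group(2))
        edges[(writer, target)] += 1
        images.setdefault(writer, writer_img)
        images.setdefault(target, target_img)
    return edges, images


def build_tree(edges):
    """Roots (PIDs nobody wrote into) and children keyed by writer PID."""
    children = defaultdict(list)
    targets = set()
    for (writer, target), n in sorted(edges.items()):
        children[writer].append((target, n))
        targets.add(target)
    roots = [pid for pid in children if pid not in targets]
    return roots, children


def cross_image_writes(edges, images):
    """Writes where the writer's image differs from the target's image.

    These are the rows worth a second look. A parent writing into child
    processes of its own image (msedge -> msedge here) is consistent with a
    Chromium-based browser parent setting up the children it launches.
    """
    return [(w, t, n) for (w, t), n in edges.items() if images[w] != images[t]]


def render(pid, children, images, depth=0, count=None, lines=None):
    """Indented text tree of who wrote into whom, with write counts."""
    lines = [] if lines is None else lines
    label = f"{pid} {basename(images[pid])}"
    if count is not None:
        label += f"  ({count} writes from parent)"
    lines.append("  " * depth + label)
    for target, n in children.get(pid, []):
        render(target, children, images, depth + 1, n, lines)
    return lines


if __name__ == "__main__":
    edges, images = parse_rows(ROWS)
    roots, children = build_tree(edges)
    for root in roots:
        print("\n".join(render(root, children, images)))
    print("cross-image writes:", cross_image_writes(edges, images))
```

The only cross-image write is 2140 into 2704 (the sample into the browser it launched); the 59 msedge-to-msedge rows reduce to four children of PID 2704 and carry no information the Processes list does not already give.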

Processes

C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe

"C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe"

C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe

"C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe" Admin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.178stu.com/my.htm

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa083046f8,0x7ffa08304708,0x7ffa08304718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,7922601214668654328,1128602523246309030,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,7922601214668654328,1128602523246309030,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,7922601214668654328,1128602523246309030,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7922601214668654328,1128602523246309030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7922601214668654328,1128602523246309030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,7922601214668654328,1128602523246309030,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,7922601214668654328,1128602523246309030,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7922601214668654328,1128602523246309030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7922601214668654328,1128602523246309030,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7922601214668654328,1128602523246309030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7922601214668654328,1128602523246309030,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7922601214668654328,1128602523246309030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7922601214668654328,1128602523246309030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7922601214668654328,1128602523246309030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4412 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7922601214668654328,1128602523246309030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,7922601214668654328,1128602523246309030,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5700 /prefetch:2
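The Processes list gives the two launches a detection should key on: the sample in the user's Temp directory re-executing itself with the argument Admin, and a browser being started with --single-argument http://www.178stu.com/my.htm by that Temp-resident process. The script below is an added example, not part of the report, of that logic run over constructed Sysmon-style process-creation records. The records are built from the command lines above; the parent images are assumed from the WriteProcessMemory chain (4236 -> 2140 -> 2704), explorer.exe is a made-up benign parent used as a control, and the rule names are this script's own.

```python
"""Process-creation detection logic for the chain in the Processes list.

Added example, not from the report. EVENTS are constructed records; parent
images are assumed from the WriteProcessMemory chain, and the explorer.exe
launched record is a benign control that must not fire.
"""
import re
from pathlib import PureWindowsPath

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe")
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
EXPLORER = r"C:\Windows\explorer.exe"  # assumed benign parent, not in the report

EVENTS = [
    {"pid": 4236, "image": SAMPLE, "parent_image": EXPLORER,
     "cmdline": f'"{SAMPLE}"'},
    {"pid": 2140, "image": SAMPLE, "parent_image": SAMPLE,
     "cmdline": f'"{SAMPLE}" Admin'},
    {"pid": 2704, "image": EDGE, "parent_image": SAMPLE,
     "cmdline": f'"{EDGE}" --single-argument http://www.178stu.com/my.htm'},
    {"pid": 956, "image": EDGE, "parent_image": EDGE,
     "cmdline": f'"{EDGE}" --type=renderer --lang=en-US'},
    # control: same URL launch, but from the shell rather than from Temp
    {"pid": 9001, "image": EDGE, "parent_image": EXPLORER,
     "cmdline": f'"{EDGE}" --single-argument http://www.178stu.com/my.htm'},
]

USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
BROWSERS = {"msedge.exe", "chrome.exe", "iexplore.exe", "firefox.exe"}


def basename(path):
    return PureWindowsPath(path).name.lower()


def arguments(ev):
    """Command-line text after the (possibly quoted) image path."""
    cmd, image = ev["cmdline"], ev["image"]
    for prefix in (f'"{image}"', image):
        if cmd.startswith(prefix):
            return cmd[len(prefix):].strip()
    return cmd


def detect(events):
    """Return (rule, pid, detail) alerts for the two behaviours in the report."""
    alerts = []
    for ev in events:
        parent, child = ev["parent_image"], ev["image"]
        # Rule 1: a binary under the user's Temp starts a second copy of
        # itself with an argument the first instance was not given.
        if (USER_TEMP.search(child) and USER_TEMP.search(parent)
                and basename(child) == basename(parent) and arguments(ev)):
            alerts.append(("temp-self-respawn", ev["pid"], arguments(ev)))
        # Rule 2: a browser is handed a URL by a parent living in Temp.
        m = URL.search(ev["cmdline"])
        if basename(child) in BROWSERS and USER_TEMP.search(parent) and m:
            alerts.append(("browser-url-from-temp", ev["pid"], m.group(0)))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule}: pid {pid}: {detail}")
```

Rule 2 deliberately keys on the parent rather than the URL: the same msedge.exe command line launched from explorer.exe (the control record) is what a user clicking a link looks like and stays silent, and the renderer child of PID 2704 stays silent because its parent is the browser, not the Temp binary.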

Network

Country Destination Domain Proto
CN 1.15.12.73:4567 N/A tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
CN 1.15.12.73:4567 N/A tcp
US 8.8.8.8:53 info.178stu.com udp
HK 103.133.93.52:80 info.178stu.com tcp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.178stu.com udp
HK 103.133.93.52:80 www.178stu.com tcp
HK 103.133.93.52:80 www.178stu.com tcp
HK 103.133.93.52:80 www.178stu.com tcp
US 8.8.8.8:53 nav.smartscreen.msiserver.lan udp
US 8.8.8.8:53 arc.srv.lan udp
US 8.8.8.8:53 edge.msiserver.lan udp
N/A 224.0.0.251:5353 N/A udp
US 8.8.8.8:53 ntp.srv.lan udp
US 8.8.8.8:53 nav.smartscreen.msiserver.lan udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
HK 103.133.93.52:80 www.178stu.com tcp
HK 103.133.93.52:80 www.178stu.com tcp
US 8.8.8.8:53 nav.smartscreen.msiserver.lan udp
HK 103.133.93.52:80 www.178stu.com tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
HK 103.133.93.52:80 www.178stu.com tcp
HK 103.133.93.52:80 www.178stu.com tcp
US 8.8.8.8:53 nav.smartscreen.msiserver.lan udp
HK 103.133.93.52:80 www.178stu.com tcp
US 8.8.8.8:53 edge.msiserver.lan udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
HK 103.133.93.52:80 www.178stu.com tcp
HK 103.133.93.52:80 www.178stu.com tcp
US 8.8.8.8:53 nav.smartscreen.msiserver.lan udp
HK 103.133.93.52:80 www.178stu.com tcp
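Most of this table is sandbox environment rather than sample behaviour: the 8.8.8.8 resolver, reverse lookups, the *.lan names and the mDNS multicast. What remains is two endpoints, www/info.178stu.com on 103.133.93.52:80 (the URL handed to Edge) and 1.15.12.73:4567, the only connection made to a bare IP on a non-standard port with no preceding lookup. The script below is an added example, not from the report, that applies those filters to the rows of the Network table above (embedded so it runs offline, with N/A for empty Domain cells) and prints a blocklist; which rows count as noise is this script's own assumption.

```python
"""De-noise the sandbox Network table into an indicator list.

Added example, not from the report. NETWORK_TABLE is the table above; the
noise filters are assumptions about the sandbox, not facts from the report.
"""
import ipaddress
from collections import defaultdict

NETWORK_TABLE = """\
CN 1.15.12.73:4567 N/A tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
CN 1.15.12.73:4567 N/A tcp
US 8.8.8.8:53 info.178stu.com udp
HK 103.133.93.52:80 info.178stu.com tcp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.178stu.com udp
HK 103.133.93.52:80 www.178stu.com tcp
HK 103.133.93.52:80 www.178stu.com tcp
HK 103.133.93.52:80 www.178stu.com tcp
US 8.8.8.8:53 nav.smartscreen.msiserver.lan udp
US 8.8.8.8:53 arc.srv.lan udp
US 8.8.8.8:53 edge.msiserver.lan udp
N/A 224.0.0.251:5353 N/A udp
US 8.8.8.8:53 ntp.srv.lan udp
US 8.8.8.8:53 nav.smartscreen.msiserver.lan udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
HK 103.133.93.52:80 www.178stu.com tcp
HK 103.133.93.52:80 www.178stu.com tcp
US 8.8.8.8:53 nav.smartscreen.msiserver.lan udp
HK 103.133.93.52:80 www.178stu.com tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
HK 103.133.93.52:80 www.178stu.com tcp
HK 103.133.93.52:80 www.178stu.com tcp
US 8.8.8.8:53 nav.smartscreen.msiserver.lan udp
HK 103.133.93.52:80 www.178stu.com tcp
US 8.8.8.8:53 edge.msiserver.lan udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
HK 103.133.93.52:80 www.178stu.com tcp
HK 103.133.93.52:80 www.178stu.com tcp
US 8.8.8.8:53 nav.smartscreen.msiserver.lan udp
HK 103.133.93.52:80 www.178stu.com tcp
"""

RESOLVER = ("8.8.8.8", 53)                  # the sandbox's DNS server (assumed)
NOISE_SUFFIXES = (".in-addr.arpa", ".lan")  # reverse lookups, sandbox-internal names


def parse_table(text):
    """Rows are 'Country Destination [Domain] Proto'; N/A or a missing cell is no domain."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": None if domain == "N/A" else domain, "proto": proto})
    return rows


def extract_iocs(rows):
    """Split rows into contacted endpoints and names the sample resolved."""
    endpoints = defaultdict(lambda: {"count": 0, "country": None, "domains": set()})
    resolved = set()
    for r in rows:
        if (r["ip"], r["port"]) == RESOLVER:
            # Resolver traffic is environment; only the queried name is evidence.
            if r["domain"] and not r["domain"].endswith(NOISE_SUFFIXES):
                resolved.add(r["domain"])
            continue
        addr = ipaddress.ip_address(r["ip"])
        if addr.is_multicast or addr.is_private or addr.is_loopback:
            continue
        e = endpoints[(r["ip"], r["port"], r["proto"])]
        e["count"] += 1
        e["country"] = r["country"]
        if r["domain"]:
            e["domains"].add(r["domain"])
    return dict(endpoints), resolved


def blocklist(endpoints, resolved):
    """One line per indicator: endpoints with counts and names, then bare names."""
    lines = []
    for (ip, port, proto), e in sorted(endpoints.items()):
        names = ", ".join(sorted(e["domains"])) or "no name (direct connect)"
        lines.append(f"{ip}:{port}/{proto}  {e['country']}  {e['count']}x  {names}")
    lines.extend(sorted(resolved))
    return lines


if __name__ == "__main__":
    print("\n".join(blocklist(*extract_iocs(parse_table(NETWORK_TABLE)))))
```

The private, loopback and multicast checks matter when the same script is pointed at other reports: sandboxes that use an internal resolver or a local proxy would otherwise show up as indicators.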

Files

memory/4236-0-0x0000000000780000-0x0000000000781000-memory.dmp

memory/4236-1-0x0000000000780000-0x0000000000781000-memory.dmp

memory/4236-2-0x0000000002570000-0x0000000002571000-memory.dmp

memory/4236-4-0x0000000000400000-0x00000000005E5000-memory.dmp

memory/2140-6-0x00000000023E0000-0x00000000023E1000-memory.dmp

memory/2140-9-0x0000000000400000-0x00000000005E5000-memory.dmp

memory/2140-11-0x0000000000400000-0x00000000005E5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 612a6c4247ef652299b376221c984213
SHA1 d306f3b16bde39708aa862aee372345feb559750
SHA256 9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a
SHA512 34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

C:\Windows\system32\drivers\etc\hosts

MD5 03450e8ddb20859f242195450c19b8f1
SHA1 9698f8caf67c8853e14c8bf4933949f458c3044a
SHA256 1bdd8f1dd7bd82b5b2313d8770dfe4f41cd3f45bbaeab8b8a7f75fc5e2d3720b
SHA512 87371e57bf2296af5ec7f5db772a4ce66729d54aa23a8b384e3f4c42310b97b636576c7dff67c27a3b679339cdeee05b836563ae2a878f0367caf247b3e1ba7b

\??\pipe\LOCAL\crashpad_2704_YTAFGYXQUNICNBJZ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 56641592f6e69f5f5fb06f2319384490
SHA1 6a86be42e2c6d26b7830ad9f4e2627995fd91069
SHA256 02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455
SHA512 c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 bc56974ecf3c94fddffaf93fbb420122
SHA1 aab4ba09649eb6e9544e0168183ccd148579525c
SHA256 a0acbddddc0d931370eacaaa61b9ba4b4ea4ddd867284ea2b5f8f2931f0512e6
SHA512 85db1c979cdec55655ee6b1143f8250b95c2b3448a71bb0667172345ce9ac3c95990eec86b10374fce6e85daf1fab6a61dba6a7b35e4965d438791490c250b1c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8799271fccab59938c94351eed3a478a
SHA1 fe8a2bd8979cd56551a41a218ef4a0c13752a24d
SHA256 50dd4669797385e4b2ecf36f46b6957a56cb8d5faf5284bff209aba87482133f
SHA512 05578cbf150cd6763cb3ccc81804f6e2072f36186f89a1f66a649eac7a1a57bd4e79246ceb1493c2a54d9fd46aedad9a43f07f072e2b4018128c9a887b9d8f2d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 878aac9489c7b8d48d4ca5ae5fed6580
SHA1 68d94414e1e3dcdcc0c491de93203d0d6a766486
SHA256 b0fecdd1d5b8f48fe5a5b01a369e10817360c38ec7f052564bf2f3c5e05f7adc
SHA512 7285d18d3541a4911769b77797cb59c8820af1eb5b1d2736c078fc27b0a5ec64c875ab158d6676ffb020eeeba6b122054d1b1950a7023e412d6598e8e0bbd3a2