Malware Analysis Report

2024-09-23 07:38

Sample ID 240613-rytghashma
Target ee537a5335c4658517c66e234cf2d6f4098e02668b2a1d4d09bd953effaf719b
SHA256 ee537a5335c4658517c66e234cf2d6f4098e02668b2a1d4d09bd953effaf719b
Tags
bootkit persistence spyware stealer upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

ee537a5335c4658517c66e234cf2d6f4098e02668b2a1d4d09bd953effaf719b

Threat Level: Shows suspicious behavior

The file ee537a5335c4658517c66e234cf2d6f4098e02668b2a1d4d09bd953effaf719b was found to be: Shows suspicious behavior.

Malicious Activity Summary

bootkit persistence spyware stealer upx

Reads user/profile data of web browsers

UPX packed file

Writes to the Master Boot Record (MBR)

Unsigned PE

Enumerates physical storage devices

Checks SCSI registry key(s)

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-13 14:36

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-13 14:36

Reported

2024-06-13 14:39

Platform

win7-20240419-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe

"C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 w.nanweng.cn udp
US 8.8.8.8:53 w.nanweng.cn udp
US 8.8.8.8:53 w.nanweng.cn udp
US 8.8.8.8:53 w.nanweng.cn udp
US 8.8.8.8:53 w.nanweng.cn udp
US 8.8.8.8:53 w.nanweng.cn udp
US 8.8.8.8:53 w.nanweng.cn udp
US 8.8.8.8:53 w.nanweng.cn udp
US 8.8.8.8:53 w.nanweng.cn udp
US 8.8.8.8:53 w.nanweng.cn udp
US 8.8.8.8:53 w.nanweng.cn udp
US 8.8.8.8:53 w.nanweng.cn udp
US 8.8.8.8:53 w.nanweng.cn udp
US 8.8.8.8:53 w.nanweng.cn udp
US 8.8.8.8:53 w.nanweng.cn udp
US 8.8.8.8:53 w.nanweng.cn udp
US 8.8.8.8:53 w.nanweng.cn udp

Files

memory/2164-0-0x0000000000400000-0x00000000005A5000-memory.dmp

memory/2164-3-0x0000000003450000-0x000000000345A000-memory.dmp

memory/2164-2-0x0000000003450000-0x000000000345A000-memory.dmp

memory/2164-4-0x000000006D820000-0x000000006D830000-memory.dmp

memory/2164-5-0x0000000000400000-0x00000000005A5000-memory.dmp

memory/2164-15-0x0000000003450000-0x000000000345A000-memory.dmp

memory/2164-22-0x0000000000400000-0x00000000005A5000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-13 14:36

Reported

2024-06-13 14:39

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\DOMStorage\msn.com C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\NumberOfSubdomains = "1" C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe

"C:\Users\Admin\AppData\Local\Temp\u____________U______3.0_______@186_6840.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 w.nanweng.cn udp
US 8.8.8.8:53 www.msn.com udp
US 131.253.33.203:443 www.msn.com tcp
CN 47.103.45.17:80 w.nanweng.cn tcp
CN 47.103.45.17:80 w.nanweng.cn tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 assets.msn.com udp
US 2.16.106.138:443 assets.msn.com tcp
US 2.16.106.138:443 assets.msn.com tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 203.33.253.131.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
CN 47.103.45.17:80 w.nanweng.cn tcp
BE 88.221.83.203:443 www.bing.com tcp
US 8.8.8.8:53 138.106.16.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 203.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 data.goosai.com udp
CN 47.103.45.17:80 w.nanweng.cn tcp
CN 47.103.45.17:80 w.nanweng.cn tcp
CN 121.40.54.198:80 data.goosai.com tcp
CN 47.103.45.17:80 w.nanweng.cn tcp
CN 47.103.45.17:80 w.nanweng.cn tcp
CN 47.103.45.17:80 w.nanweng.cn tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
CN 47.103.45.17:80 w.nanweng.cn tcp
CN 47.103.45.17:80 w.nanweng.cn tcp
CN 47.103.45.17:80 w.nanweng.cn tcp
US 8.8.8.8:53 98.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 74.83.221.88.in-addr.arpa udp

Files

memory/2668-0-0x0000000000400000-0x00000000005A5000-memory.dmp

memory/2668-2-0x000000006D740000-0x000000006D750000-memory.dmp

memory/2668-14-0x0000000000400000-0x00000000005A5000-memory.dmp

memory/2668-17-0x0000000000400000-0x00000000005A5000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 14:36

Reported

2024-06-13 14:39

Platform

win7-20231129-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\____.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424451259" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{536FE9B1-2992-11EF-8221-D669B05BD432} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 406201289fbdda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000badb96ba01112a4f832b9eee51c6053d00000000020000000000106600000001000020000000688fc7695a2d152c96d8585e4a78d42d17d5c6070e713eb95f91417aa8ddd47e000000000e8000000002000020000000b9d7345a5a4dd0cca8bb082143a0517f2ded2592163313bb33fc647841c8131290000000235dda0dea9bca6c9d5e7d9de8821fdc440df181f5413eb446322923a1c52eac3bfc388abec3ed442f647030296b821ab9190c635839a34d6a719fee52666d263974f37b25e946529ef5568cc90a8b45abe2b71b78930788d7652e1762185f29735c97e3b531238395bf1382345a9c3cbac8ead94851c1ceb697f07d2378bcfc5ddcd755e65e9ee9d8d2e4f90784775a400000002b9da61ff651852d03f5a35be75ff7216d6d9a367196d99aa2d2432016b98813d8f00acbe8e48ebc0aa64b14669a1e57435bb9855c6baf1148fe716094446fc5 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000badb96ba01112a4f832b9eee51c6053d000000000200000000001066000000010000200000000bb095bb9958a59d71a0c60c9f86d69f02d7ea405adf0016a7cae055ba879488000000000e800000000200002000000094ff47f56d7335d03ecbb7e4e8bab1111b014579b7945cf02fcecea54140bfca20000000eb4dec6e9a0228d3f0c2311491834170114040b66a4674bd9b656e911e0d2b6a400000002ddbd54bf8e916ed18cdeebe9e5e7bcd034950fb5dd6c0be143edecc28e434c7cf235b555bcc524bc34b8be1c5121cea14cf21bed1e9792345c4bb3198cd2b7f C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\____.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3048 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.xitongzhijia.net udp
CN 124.223.124.125:80 www.xitongzhijia.net tcp
CN 124.223.124.125:80 www.xitongzhijia.net tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
BE 2.17.107.107:80 www.bing.com tcp
BE 2.17.107.107:80 www.bing.com tcp
CN 124.223.124.125:80 www.xitongzhijia.net tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar3347.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f7568d4c24d988d7674567174dc6f885
SHA1 58e3eb2607a0e16dd60c800b318c303fadde1ae1
SHA256 23d04776747dd93bd43f9bb80cd8b333804c7c733fe206382e836bd333613fc3
SHA512 e26ad9b479b41dd02529dc7691aafb454ff1d08a7a52da7837856bf66a8f2d6bd3dcdac5b7cc3aa43cab2782c5781908795910006144b74f793f6ee27333e968

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 3025fc38fb1022d076f88689a172c525
SHA1 c3feb97d4235e32b1495c3ff2298ee19cb6154c3
SHA256 d67e40abe1906985acdbdd7a90a06913f54181f2831db4b2c4c018bc223c0210
SHA512 057715088b38ac2cef41c99de6a38b78a3472e7642811f827427b9a18337ffb64c93c37f83025af70c9282270113d4877ce5213f06fe181b39140415d0d1ea6e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 92d7013aee736b4d13c02d590edf71f4
SHA1 bb81277a870ba0513c8bc2972701148921dc622e
SHA256 3e255fbeec3a927dc6e458fec03b8f13d85c671ecaa1c5e0e1088d300ce3d569
SHA512 467c22c79c8dd83dd6ddef590e62d08b772f9d08fbb37657f796165ccd6cae6e3f08d1fac1e99a21b88837a9a54ec24963d5cd01a0076fa7fc0d2ef7b56f0154

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e933ae93302ebb04951a19484aaec690
SHA1 2fd8361d761dbc2a9b9ff1b15756631f1d21eb58
SHA256 77d42e24d2781146452bd92cd8c39f276a8f50afcc516a8ada42ae9bd2c83dee
SHA512 6beea1ffad9d009c9031434a087c960f2f2888502ad91ee9b115f3e85c6fba3cb94c497903ad2c4edf574c99bcffdc79ce79ba48380952df0bbe13a60d91e929

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6823976cac2d08d523a4f6750a70ef5b
SHA1 c033a8755e8af7aa206f732cb477b217d94f7f1c
SHA256 05263a94255e7cad1b6e620386b521b8fb19e31fd9da677066cd00af8a2de3df
SHA512 e67530579398160037d2cbc465beb3a0e4e8337712222620098591f42f9fff7d9b56f73e5919e3808ac8b23eb4029e2fe640d30af600653170a9db8203ac08b0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7487e2fca2a7e861b06a9309af312a13
SHA1 b496903d89c3cc8650bc6e880264dfa35c13da27
SHA256 d1b83d4438c0eb5f910640ae48603a0981172c53a222f2db9e464ce6590dea25
SHA512 1fd9c6cfc4074ebb21128b8940e62feb54946ddee39573ec9452ff67ed9ebbaf3d196793341d5bf2ce309b1afa2cac4f6ef9e175edc472bde52e5ea548d42db0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a7ef2374d880c54a94f09bd00c4c12e3
SHA1 ee31c9a40d67fdf2fa749ffb670e3978cb7556d9
SHA256 043e38fe9a06cbc919e72dee5dcc3bb238714ef35d9d6e2d6e4278c90dbd1ba3
SHA512 237b04bed84f487f2c5dfbd8f315a47d231fb04e17e081d27823c9a601591a6217d7d4c3f0d8e5648d804ed146f39aafd406a034661f5387c9d323e55c21d5b6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 31b48a9811451d1da9396b3b08eb772f
SHA1 5e3ca43e402826a46382b0feb89835688082df9b
SHA256 eb3b5b62e80e42b12ab7e480fde55ccec16fa306666dda358583e7e45b6b112a
SHA512 6d903c4674309882d496ad56cf042a8d2923f598d11a0e43866ec4b8cc4ee95b9060e393c2dd546b2f3e54d3625d6e0aa8785663c6f505f3fb605e493bc01eb0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 53250e384c0a649b12f0b6d6ac5fe036
SHA1 05a810ce5fcd60a4e957a9c34d9533dbd63b8827
SHA256 d6d8224f93cd4344e907538f5e745e1ee9aa91c1c1b9cebad8429b353315db5f
SHA512 76fafe07985ea53423efe70ba2ea297dc2f741a7b6046ddcd64c9d628226c2c390bedd06d38efa2a3b15fc494a813aafdf9b39050d82ae4efaeb19e5eb79ed38

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ef271d71400f3343db432f75da2d17cd
SHA1 e3709833ca19fa9114d3f9ecf7d62a3e111b0c7c
SHA256 b7e1d56ae627b14f19a7dfc1cd82c8fef1279d0441e4d81d1a3eefe5419831ee
SHA512 a652db0afdcedb2b5eee20eb6f91cc7d5ba5fad825256ff2140909fa348d420b3d8fce265a23ae5a651b645fcf443b359fd1e28c33d473a55bf4fc0a6b858ccd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7d4022bd10f4792fab58b34204003130
SHA1 703eee6044f145569327080d17dd2ff62b1e8fd6
SHA256 ac0dcff91fc4deae2f1c6ec7b5b67bd88f69d4d4cb2078d15105096134dfc521
SHA512 788c227f3338e277aa934c1672cf5819fe04916b2248d01c8ad269fe28cf8d459297cfdaa3e9641d38f06713b1e9ed535fc3f599631afe9d94992c195e281b24

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 16033cf94d9a82c6aa9f95212be089e4
SHA1 bec62c1bd36bea272acd3d45d9d4b56147a1ff71
SHA256 02367cac13ef186b0368eccdc1352bc3c433c8d5f0a8ff3a83fff797b2756486
SHA512 60fb502c300aa2462496f33af230491fc066a515d7980345d6348db082d8f4d29b3cd504f690f9421f6e747cc7d1b3206c463145c8f4b34a27dbf52f8382eff4

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

MD5 da597791be3b6e732f0bc8b20e38ee62
SHA1 1125c45d285c360542027d7554a5c442288974de
SHA256 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512 d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7a9595cba15dc83dc5f8bf058437837c
SHA1 89c7ffe660d122ce10b94575a4d67296c5893c92
SHA256 19b4f689ab3c66c777ea18538ec730cc8ddee21358563d723b23adfc2817366d
SHA512 5e0c81cdcb59264bf3c9bde0858e06c05dadf4b0b38ed0eebd60bab293497fba15c8aff565df57b40a096d8a162d7b6277e71a99faba33c563464086ce236b93

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0402aa85defd989cd96d8839c73d188d
SHA1 49f33a13c46a2e892481a11c23ca7a2e89dcb655
SHA256 0bc4fe6d3977331857b9096d130a6fa6dc6f0a4bde5d1796c9970b542c966ef2
SHA512 f184da41e3d2c3e15a7aaf9c2d2f4abda13e88cf5f0268cc646ef0478e69f034219362b4c5f798fc2af693a34e73c422fd8bcca09bcb1a1f08a8e156ba77671d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cd53129ef4c52af84770ac49ca6605bc
SHA1 eaad0d9459071017ad9d0cf28ec32c47de8182a7
SHA256 81caffa5f58c23f9894907477a0b17e0e275c21da0af82c8afe10b7e2e7d8c77
SHA512 4dc7a7fc55c78eb469e02f2c858ec170f9cabff115292538d64474b36d8daf5683733010f1fb65ffe2430820ea6d8119121cb665332950b263c2c6efefcc7979

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2e8ed2ba5c634440df0ff63a8ab18337
SHA1 88c9e03c40ab6eece7b1596c040f836f32eaf397
SHA256 f289c66cee3a9b0185b3ae8059e160f5bba8320fa01ecafca14cc0a90d104eb7
SHA512 8b73c389a663ae7d7273f915e282bdb7e957c70599a56f18e68978b98acdfe7b308f697cf1de1a4c32264aa3708a4582c32eca155b6d224980a5f6a788c7e1e2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ffcfcb5543a7a6528c9fc8998613b499
SHA1 11552904ef365d8e0e03f03716bcd1ba86791feb
SHA256 51008353091dbc70aae807fc511890b2e308d87814569c73843674c7ffa2ff73
SHA512 891ceb67c294bdafa796044143399d35fbfa80caa6e511380efa6b3dcf1d711385b2fa95af773753f81b1a1fe2ce76d5176e5d29d43799f04e053ade16e0b5d6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 db87ed48017c8e2162316ab44c74ff42
SHA1 5cff90870c6c506e51305f92758573303488db0c
SHA256 c04350804866d6ff905bfa1acdb6751c5b303d1eb81e14e6d9d04129baeee629
SHA512 12a0e52dc6191cb7e00e440a2e3414bca83ddffe1eb99b0a04b666dcbf0acba864ca9dddb0d0ea9e0b60e5fc1531d75aff044ce878c81fa0109c1bcfd77d693d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 228ba1199e10b7040d2e130a8af593d5
SHA1 3c64e537a12401f9ee905b28b63f10a5c3fe4fd1
SHA256 7345de1a44fb4b080c4afdcfa490151696763a02b84a79212805b3fdd9e10c2f
SHA512 e3347699f5166e02a92ac3d03d41e1a0872c985be7abbc6b3563bb63a4f0ab40ea368959bd91c056f388ed7d0bb57e3a9a2dc34baa12980feda675df6737156b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 abe069d7fbda44754ce0d6b5a7fc4851
SHA1 0e9e1303294286285140271a010373d1b3660efd
SHA256 d21c28f42c5f80e06e652aa18ee62a67222f9e69e0766b0cf9a00a3035f90987
SHA512 284552fd4f3890a72a011f63b32b64d529ed52f0d52302c82ee4bb49f08acc8f00dbdb00a01b5ba08fa0b4cbfb7caad2f452b9370a1a206642753653f1a63a0f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 03318058b8d433ab6418baa97c995d80
SHA1 82115b5d7e73e4de26f8c9b60f81dfa53f512baa
SHA256 076c2a9d2daa6099c578a8e57983500eff4c273005358a0b0231c747d6569663
SHA512 944b1d29bf289ce07b42ad392d85a53126f57fd4645c658e3f451e926fe1e151bc3fb02a73ccb4caf44375af554e75673a6c62351a7bc171b16b97b629d2ba24

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 37dad4662013e6a78640c54f5ac62884
SHA1 435860d0c1b37e932a16a13e3e30d0c3a84e5799
SHA256 295f0c8c362f22361b8b44f863db3e21e1316059d0f2e7e54d18fabce7052748
SHA512 9a1539a2bdadda2a2c70657c41af05b3667b5d8a5c12af49fa48a2a485900512d455e28dd0a235f11dcbbd95ab29f4e91db5b6108b1276e668f3cc9515382d44

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 14:36

Reported

2024-06-13 14:39

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\____.html

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3872 wrote to memory of 4464 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 4464 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3872 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\____.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd9c4646f8,0x7ffd9c464708,0x7ffd9c464718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,9289320698714620568,16163811158213968905,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,9289320698714620568,16163811158213968905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2508 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,9289320698714620568,16163811158213968905,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9289320698714620568,16163811158213968905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9289320698714620568,16163811158213968905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9289320698714620568,16163811158213968905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,9289320698714620568,16163811158213968905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,9289320698714620568,16163811158213968905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9289320698714620568,16163811158213968905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9289320698714620568,16163811158213968905,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9289320698714620568,16163811158213968905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9289320698714620568,16163811158213968905,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9289320698714620568,16163811158213968905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9289320698714620568,16163811158213968905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9289320698714620568,16163811158213968905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9289320698714620568,16163811158213968905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,9289320698714620568,16163811158213968905,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3616 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.xitongzhijia.net udp
CN 124.223.124.125:80 www.xitongzhijia.net tcp
CN 124.223.124.125:80 www.xitongzhijia.net tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
CN 124.223.124.125:80 www.xitongzhijia.net tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
BE 2.17.107.129:443 www.bing.com tcp
US 8.8.8.8:53 129.107.17.2.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
CN 124.223.124.125:80 www.xitongzhijia.net tcp
CN 124.223.124.125:80 www.xitongzhijia.net tcp
CN 124.223.124.125:80 www.xitongzhijia.net tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
CN 124.223.124.125:80 www.xitongzhijia.net tcp
CN 124.223.124.125:80 www.xitongzhijia.net tcp
CN 124.223.124.125:80 www.xitongzhijia.net tcp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 www.xitongzhijia.net udp
CN 124.223.124.125:80 www.xitongzhijia.net tcp
CN 124.223.124.125:80 www.xitongzhijia.net tcp
CN 124.223.124.125:80 www.xitongzhijia.net tcp
US 8.8.8.8:53 136.71.105.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 b4a74bc775caf3de7fc9cde3c30ce482
SHA1 c6ed3161390e5493f71182a6cb98d51c9063775d
SHA256 dfad4e020a946f85523604816a0a9781091ee4669c870db2cabab027f8b6f280
SHA512 55578e254444a645f455ea38480c9e02599ebf9522c32aca50ff37aad33976db30e663d35ebe31ff0ecafb4007362261716f756b3a0d67ac3937ca62ff10e25f

\??\pipe\LOCAL\crashpad_3872_JVGMNDNLGQLCEOAT

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 c5abc082d9d9307e797b7e89a2f755f4
SHA1 54c442690a8727f1d3453b6452198d3ec4ec13df
SHA256 a055d69c6aba59e97e632d118b7960a5fdfbe35cfdfaa0de14f194fc6f874716
SHA512 ad765cddbf89472988de5356db5e0ee254ca3475491c6034fba1897c373702ab7cfa4bd21662ab862eebb48a757c3eb86b1f8ed58629751f71863822a59cd26c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 88317c1020c4707b64e07bd872e4834a
SHA1 c8f0184c384b4447de93aa57d7069ec788512de4
SHA256 5a9e8d5434a09a0488b9deec049aabc57aaf3253f2c338ba96b5320f15e01002
SHA512 2cedef483abebc1c0664f826b77ee1ed874323179cc96cb75489295cb8d8a1e1a2a14aeb23cb367ef9ba8aa338bb94929691c1a1e37af7c38cce50b4af6dcde4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 cceb1f76a63fc86fca10b7018ca0e1f6
SHA1 9e3e2b2d33a6afb4cdd0a82cf9fe4cdc4f37adb0
SHA256 844cf8ca540860ac0b4fdc0967fe6c92ceabf20abca830303a27e0d9711b90f2
SHA512 47673690ca7af37abbbfc31b4d3998ddea45df11d9f9f60298ca8a8fed19e10346dff861043be5b6a8096c8cee200085a0c34c148c0e5d81492cf4549dd07d7d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9fff0f83a2bb2a8be8dd8cce23b05986
SHA1 9b300f860d66afc1cd1c1d20e21e34b353d87a1f
SHA256 f68f9fbbf37925e6cd408aa28b116589644d5117a37d139cfe8dc1c57c1206c8
SHA512 5d8cd999ad57363076852b443407028cfa6f8ccc220c2b502333d15e89ee6ca9aaf4f31b7c3ec126b2bbcb6953020d51e38cec08885875500c19ace67c9d2fd6