Malware Analysis Report

2024-09-23 04:20

Sample ID 240620-d5qgja1crj
Target f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432
SHA256 f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432
Tags
metasploit backdoor discovery spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432

Threat Level: Known bad

The file f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor discovery spyware stealer trojan

MetaSploit

Drops file in Drivers directory

Checks computer location settings

Reads user/profile data of web browsers

Checks installed software on the system

Enumerates connected drives

Enumerates physical storage devices

Unsigned PE

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-20 03:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 03:35

Reported

2024-06-20 03:38

Platform

win7-20240611-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425016442" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40d9662cc3c2da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value omitted] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3E692B21-2EB6-11EF-B98D-FE0070C7CB2B} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a80760000000002000000000010660000000100002000000077dd06f38a86d08d51c40e2e9991e1e4c7464f673a539812a124a9f7da525413000000000e8000000002000020000000f1ca05a380667becb044eca2d1e975786fa72970485fae2bb20ba030695c608c200000000cd63659bcaf53f740c9acdc53476c5f50c011da8d5ed4fa3a23f095458bafff40000000c1e0d2b6a8d752d18a3959c584db5e87ab143c3bccc7aad093beed8e352d53a09f381c0b69c595a6a582fcb4f15076f4a0dc90f4ce7a51b3435e9190dff10e2f C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 2404 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe
PID 2404 wrote to memory of 2416 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2416 wrote to memory of 2396 (4 events) N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe

"C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe"

C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe

"C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe" Admin

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.178stu.com/my.htm

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2416 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
CN 1.15.12.73:4567 tcp (2 connections)
US 8.8.8.8:53 info.178stu.com udp
HK 103.133.93.52:80 info.178stu.com tcp
US 8.8.8.8:53 www.178stu.com udp
HK 103.133.93.52:80 www.178stu.com tcp (4 connections)
US 204.79.197.200:443 ieonline.microsoft.com tcp (3 connections)

Files

memory/2208-0-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2208-2-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2208-1-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2208-4-0x0000000000400000-0x00000000005E5000-memory.dmp

memory/2404-6-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2404-9-0x0000000000400000-0x00000000005E5000-memory.dmp

memory/2404-10-0x0000000000400000-0x00000000005E5000-memory.dmp

memory/2404-12-0x0000000000400000-0x00000000005E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab76A8.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar7796.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (written 20 times during the run)

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 03:35

Reported

2024-06-20 03:38

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (25 events)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (24 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1852 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe (3 identical rows)
PID 208 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical rows)
PID 3540 wrote to memory of 3092 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical rows)
PID 3540 wrote to memory of 3476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (40 identical rows)
PID 3540 wrote to memory of 884 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical rows)
PID 3540 wrote to memory of 1072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (15 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe

"C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe"

C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe

"C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe" Admin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.178stu.com/my.htm

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd8e6546f8,0x7ffd8e654708,0x7ffd8e654718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,17910623732058781064,12835570193743707482,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,17910623732058781064,12835570193743707482,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,17910623732058781064,12835570193743707482,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17910623732058781064,12835570193743707482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17910623732058781064,12835570193743707482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,17910623732058781064,12835570193743707482,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,17910623732058781064,12835570193743707482,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17910623732058781064,12835570193743707482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17910623732058781064,12835570193743707482,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17910623732058781064,12835570193743707482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17910623732058781064,12835570193743707482,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17910623732058781064,12835570193743707482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17910623732058781064,12835570193743707482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17910623732058781064,12835570193743707482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17910623732058781064,12835570193743707482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2044 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,17910623732058781064,12835570193743707482,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2708 /prefetch:2

Network

Country Destination Domain Proto
CN 1.15.12.73:4567 - tcp
CN 1.15.12.73:4567 - tcp
US 8.8.8.8:53 info.178stu.com udp
HK 103.133.93.52:80 info.178stu.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 www.178stu.com udp
HK 103.133.93.52:80 www.178stu.com tcp
HK 103.133.93.52:80 www.178stu.com tcp
US 8.8.8.8:53 nav.smartscreen.msiserver.lan udp
HK 103.133.93.52:80 www.178stu.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 arc.srv.lan udp
US 8.8.8.8:53 edge.msiserver.lan udp
N/A 224.0.0.251:5353 - udp
US 8.8.8.8:53 ntp.srv.lan udp
US 8.8.8.8:53 nav.smartscreen.msiserver.lan udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
HK 103.133.93.52:80 www.178stu.com tcp
HK 103.133.93.52:80 www.178stu.com tcp
US 8.8.8.8:53 nav.smartscreen.msiserver.lan udp
HK 103.133.93.52:80 www.178stu.com tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
HK 103.133.93.52:80 www.178stu.com tcp
HK 103.133.93.52:80 www.178stu.com tcp
US 8.8.8.8:53 nav.smartscreen.msiserver.lan udp
HK 103.133.93.52:80 www.178stu.com tcp
US 8.8.8.8:53 edge.msiserver.lan udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
HK 103.133.93.52:80 www.178stu.com tcp
HK 103.133.93.52:80 www.178stu.com tcp
US 8.8.8.8:53 nav.smartscreen.msiserver.lan udp
HK 103.133.93.52:80 www.178stu.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp
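Most of the Network table is analysis-environment background: queries to the 8.8.8.8 resolver, reverse (in-addr.arpa) lookups, the sandbox's own .lan names and the mDNS multicast. Two endpoints remain once that is stripped. 1.15.12.73:4567 is contacted twice by raw IP on a non-standard port with no name lookup before it, the shape of a reverse-connect handler and consistent with the report's MetaSploit tag; 103.133.93.52:80 is reached repeatedly as info.178stu.com and www.178stu.com, the host Edge was pointed at in the Processes section. The Bing traffic follows from Edge being launched. The filter below is an added example and not part of the report; the FLOWS list is a constructed subset of the rows above, and the rules that treat .lan names as sandbox infrastructure and bing.com/bing.net as browser background traffic are assumptions about this environment, not facts the report states.

```python
import ipaddress

# Constructed subset of the Network table in this report: (country, destination, domain or None, proto).
# The real table repeats several of these rows; only the shape matters here.
FLOWS = [
    ("CN", "1.15.12.73:4567", None, "tcp"),
    ("CN", "1.15.12.73:4567", None, "tcp"),
    ("US", "8.8.8.8:53", "info.178stu.com", "udp"),
    ("HK", "103.133.93.52:80", "info.178stu.com", "tcp"),
    ("US", "8.8.8.8:53", "13.86.106.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "www.178stu.com", "udp"),
    ("HK", "103.133.93.52:80", "www.178stu.com", "tcp"),
    ("US", "8.8.8.8:53", "nav.smartscreen.msiserver.lan", "udp"),
    ("NL", "23.62.61.97:443", "www.bing.com", "tcp"),
    ("N/A", "224.0.0.251:5353", None, "udp"),
    ("US", "8.8.8.8:53", "edge.msiserver.lan", "udp"),
    ("US", "150.171.27.10:443", "tse1.mm.bing.net", "tcp"),
]

NOISE = {"ptr-lookup", "sandbox-internal", "local-noise"}

def classify(dest, domain, proto):
    """Label one flow. The .lan and bing.* rules are assumptions about this sandbox's own
    infrastructure and about Edge's background traffic, not something the report states."""
    ip, port = dest.rsplit(":", 1)
    addr = ipaddress.ip_address(ip)
    port = int(port)
    if addr.is_multicast or addr.is_private:
        return "local-noise"
    if port == 53 and proto == "udp":
        if domain and domain.endswith(".in-addr.arpa"):
            return "ptr-lookup"
        if domain and domain.endswith(".lan"):
            return "sandbox-internal"
        return "dns-query"
    if domain and (domain.endswith(".bing.com") or domain.endswith(".bing.net")):
        return "browser-background"
    if domain is None and port not in (80, 443):
        return "direct-ip-c2-candidate"  # raw IP, odd port, no name lookup: reverse-connect shape
    return "contact"

def triage(flows):
    """Group non-noise flows by endpoint: {dest: {category, country, count, domains}}."""
    out = {}
    for country, dest, domain, proto in flows:
        cat = classify(dest, domain, proto)
        if cat in NOISE:
            continue
        entry = out.setdefault(dest, {"category": cat, "country": country, "count": 0, "domains": set()})
        entry["count"] += 1
        if domain:
            entry["domains"].add(domain)
    return out

def indicators(flows):
    """Endpoints worth blocking or hunting for: real contacts, not resolver or browser background traffic."""
    return {d: v for d, v in triage(flows).items()
            if v["category"] in ("contact", "direct-ip-c2-candidate")}

if __name__ == "__main__":
    for dest, v in indicators(FLOWS).items():
        print(dest, v["country"], v["category"], v["count"], sorted(v["domains"]))
```

The "dns-query" bucket is kept rather than dropped so the resolved names can be joined back to the TCP contacts; that join is what ties 103.133.93.52 to both 178stu.com hostnames and, by its absence, is what makes the 1.15.12.73 connection stand out.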

Files

memory/1852-0-0x0000000002330000-0x0000000002331000-memory.dmp

memory/1852-1-0x0000000002330000-0x0000000002331000-memory.dmp

memory/1852-2-0x0000000002410000-0x0000000002411000-memory.dmp

memory/1852-4-0x0000000000400000-0x00000000005E5000-memory.dmp

memory/208-6-0x00000000021E0000-0x00000000021E1000-memory.dmp

memory/208-9-0x0000000000400000-0x00000000005E5000-memory.dmp

memory/208-11-0x0000000000400000-0x00000000005E5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 b4a74bc775caf3de7fc9cde3c30ce482
SHA1 c6ed3161390e5493f71182a6cb98d51c9063775d
SHA256 dfad4e020a946f85523604816a0a9781091ee4669c870db2cabab027f8b6f280
SHA512 55578e254444a645f455ea38480c9e02599ebf9522c32aca50ff37aad33976db30e663d35ebe31ff0ecafb4007362261716f756b3a0d67ac3937ca62ff10e25f

C:\Windows\system32\drivers\etc\hosts

MD5 03450e8ddb20859f242195450c19b8f1
SHA1 9698f8caf67c8853e14c8bf4933949f458c3044a
SHA256 1bdd8f1dd7bd82b5b2313d8770dfe4f41cd3f45bbaeab8b8a7f75fc5e2d3720b
SHA512 87371e57bf2296af5ec7f5db772a4ce66729d54aa23a8b384e3f4c42310b97b636576c7dff67c27a3b679339cdeee05b836563ae2a878f0367caf247b3e1ba7b

\??\pipe\LOCAL\crashpad_3540_XNYKANJXOTFJABVY

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 c5abc082d9d9307e797b7e89a2f755f4
SHA1 54c442690a8727f1d3453b6452198d3ec4ec13df
SHA256 a055d69c6aba59e97e632d118b7960a5fdfbe35cfdfaa0de14f194fc6f874716
SHA512 ad765cddbf89472988de5356db5e0ee254ca3475491c6034fba1897c373702ab7cfa4bd21662ab862eebb48a757c3eb86b1f8ed58629751f71863822a59cd26c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 126f578d8a04636235458817e9e32cc5
SHA1 f3903dd5979f00e1e4a8d6a08011c35d18580085
SHA256 e1128953d4ba0ffad99781d8c321644545c6bcc2966a9676122745934866595b
SHA512 c6658a81b4800a44ba5dd6d8a54d845aee7c4a3bc84fcdc4a89b795314190e3fd2eeef7ff989080c5d3b2486db8ee1c598e23e6e7526f6b5e1dd9ac1d0ce0899

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 2782a5818e3a54ba99eb212702e31cba
SHA1 768e9b723bc094ce0f35612872004f2d364035ad
SHA256 ef5b385a9155de8a98848b94acf5727ac012fc7e5543887a5a59b7e575e4966b
SHA512 f27e75121ab4cc78cdc01659a6c002d26e9980ad8f73f18376882f5e3e87ce5f800837d08760fabb2e4372e2beb0c668254f34ab94012fcb38711788b1ec1524

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f522b1b9db7d36da68f47123a5af86ad
SHA1 4b5ae72dbaa3a8ea979e06a2df6181925a8eea7a
SHA256 589ee9cc10fd041d27d72c5d344b888215189bb09672191a3a489bc98895ee28
SHA512 bca37d75fd9280e0733eeb01fb9cd405473d34e1efe49fdc469af81b3d14751f7917fa089a46d162832dd56dc3d5d16abc37da01d948a27645c4a9361d41540f
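Three things in the Files list deserve a second look before any of it is treated as an indicator. The Crashpad named pipe carries the digests of zero bytes (MD5 d41d8cd98f00b204e9800998ecf8427e, SHA256 e3b0c442...b855), so nothing was actually captured from it. The only entry under a system directory is C:\Windows\system32\drivers\etc\hosts, which is worth diffing against a known-good copy rather than judged from its hash alone. The memory dumps for PIDs 1852 and 208 both cover 0x400000-0x5E5000, the same mapping in the parent and in the copy it spawned of itself. The script below is an added example, not part of the report; the FILES table is a constructed subset of the entries above, and the path rules are the author's own triage buckets, not the sandbox's categories.

```python
import hashlib
import re
from collections import defaultdict

# Constructed subset of the Files section in this report: path -> (md5, sha256), or None for
# memory dumps, which the report lists without digests.
FILES = {
    "memory/1852-4-0x0000000000400000-0x00000000005E5000-memory.dmp": None,
    "memory/208-9-0x0000000000400000-0x00000000005E5000-memory.dmp": None,
    "C:\\Windows\\system32\\drivers\\etc\\hosts": (
        "03450e8ddb20859f242195450c19b8f1",
        "1bdd8f1dd7bd82b5b2313d8770dfe4f41cd3f45bbaeab8b8a7f75fc5e2d3720b"),
    "\\??\\pipe\\LOCAL\\crashpad_3540_XNYKANJXOTFJABVY": (
        "d41d8cd98f00b204e9800998ecf8427e",
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Preferences": (
        "126f578d8a04636235458817e9e32cc5",
        "e1128953d4ba0ffad99781d8c321644545c6bcc2966a9676122745934866595b"),
}

# Digests of zero bytes; an entry carrying these was opened but nothing was captured from it.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

MEMDUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

def classify_path(path, digests):
    """Bucket one Files entry by what a responder would do with it (buckets are this example's own)."""
    low = path.lower()
    if MEMDUMP_RE.match(path):
        return "memory-dump"
    if digests and (digests[0] == EMPTY_MD5 or digests[1] == EMPTY_SHA256):
        return "empty-content"
    if path.startswith("\\??\\pipe\\"):
        return "named-pipe"
    if low.startswith("c:\\windows\\system32\\drivers\\etc\\"):
        return "system-network-config"  # hosts and friends: diff against a known-good copy
    if "\\microsoft\\edge\\user data\\" in low:
        return "browser-profile"
    return "other"

def review(files):
    """{category: [paths]} for the whole Files section."""
    cats = defaultdict(list)
    for path, digests in files.items():
        cats[classify_path(path, digests)].append(path)
    return dict(cats)

def memory_regions(files):
    """pid -> [(start, end, size)] for dumped regions, so identical mappings across pids stand out."""
    regions = defaultdict(list)
    for path in files:
        m = MEMDUMP_RE.match(path)
        if m:
            start, end = int(m[2], 16), int(m[3], 16)
            regions[int(m[1])].append((start, end, end - start))
    return dict(regions)

if __name__ == "__main__":
    for cat, paths in review(FILES).items():
        print(cat, paths)
    print(memory_regions(FILES))
```

Checking the empty-input digests by computing them, rather than pasting the well-known constants, keeps the rule correct if the report format ever switches to a different hash; the region parser is what lets the two 0x1E5000-byte dumps be matched without reading the paths by eye.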