Malware Analysis Report

2024-10-18 22:16

Sample ID 240624-lp25dsyhpr
Target c96edc1d61ab02eaca223a545daf698bb8f8fd96205fa6e21a0f0ca9c6faa234
SHA256 c96edc1d61ab02eaca223a545daf698bb8f8fd96205fa6e21a0f0ca9c6faa234
Tags qr link evasion trojan
Score 7/10

Analysis Overview

Score 7/10

SHA256 c96edc1d61ab02eaca223a545daf698bb8f8fd96205fa6e21a0f0ca9c6faa234

Threat Level: Shows suspicious behavior

The file c96edc1d61ab02eaca223a545daf698bb8f8fd96205fa6e21a0f0ca9c6faa234 was classified as: Shows suspicious behavior.

Malicious Activity Summary

qr link evasion trojan

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Enumerates physical storage devices

One or more HTTP URLs in qr code identified

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

NTFS ADS

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-24 09:43

Signatures

One or more HTTP URLs in qr code identified

qr link

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-24 09:43

Reported

2024-06-24 09:43

Platform

win7-20240419-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-24 09:43

Reported

2024-06-24 09:43

Platform

win10v2004-20240611-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-24 09:43

Reported

2024-06-24 09:45

Platform

win7-20240611-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VxKex\VxKex.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\VxKex\VxKex.exe

"C:\Users\Admin\AppData\Local\Temp\VxKex\VxKex.exe"

C:\Users\Admin\AppData\Local\Temp\7z63C4C6F0\KexSetup.exe

C:\Users\Admin\AppData\Local\Temp\7z63C4C6F0\KexSetup.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\7z63C4C6F0\KexSetup.exe

MD5 652448785ef29b50673ac479ab320ec2
SHA1 8b2bffc5dd383e48d1662473b82225fcbe6056e7
SHA256 52ecd6cf623ae74808924692c4c2d79417904a12c6b7afb890cd6ce0478d3178
SHA512 737e0ed0175470a6f55443385eaba48865d1594253b7ec1d88bca938775ebce579c8a7e9755671f560249fcb1e9cada9f1acd657ace6d7f581f74bab2de7afd0

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-24 09:43

Reported

2024-06-24 09:45

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

54s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VxKex\VxKex.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\VxKex\VxKex.exe

"C:\Users\Admin\AppData\Local\Temp\VxKex\VxKex.exe"

C:\Users\Admin\AppData\Local\Temp\7z73B0535C\KexSetup.exe

C:\Users\Admin\AppData\Local\Temp\7z73B0535C\KexSetup.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\7z73B0535C\KexSetup.exe

MD5 652448785ef29b50673ac479ab320ec2
SHA1 8b2bffc5dd383e48d1662473b82225fcbe6056e7
SHA256 52ecd6cf623ae74808924692c4c2d79417904a12c6b7afb890cd6ce0478d3178
SHA512 737e0ed0175470a6f55443385eaba48865d1594253b7ec1d88bca938775ebce579c8a7e9755671f560249fcb1e9cada9f1acd657ace6d7f581f74bab2de7afd0

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-24 09:43

Reported

2024-06-24 09:45

Platform

win7-20240220-en

Max time kernel

121s

Max time network

128s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\VxKex\#XIAOYI.VC.url

Signatures

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\System32\rundll32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3182C781-320E-11EF-85B9-4A8427BA3DB8} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\xiaoyi.vc\Total = "29" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425384069" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\xiaoyi.vc\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "29" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\xiaoyi.vc C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\xiaoyi.vc\ = "29" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\International\CpMRU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e5027a6850fa354fa1123ad0752f24fc000000000200000000001066000000010000200000006c31f2f1ecb05b05688d0c1f48edbf2231550edb0697df500d7525541dab8ed8000000000e8000000002000020000000daf4a2ea7f3db11fc80baf7d5876903b6aa5105b066e57ab376ead230c42048a200000004b8ceac8ad3b751fc0f368e797ee4fdc720ded4db330e0dd3c41b2a6e733eea640000000a3c90dab6d447261184f0b658f7f241cff3fa8b86c6b50f689eb14a98e82b1f6ec256adf6f91cbec9ea47ca6c8099388e2f0462748ae628dc9b91c3abf4efb0f C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40ea0e091bc6da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\VxKex\#XIAOYI.VC.url:favicon C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
File created C:\Users\Admin\AppData\Local\Temp\www28F3.tmp\:favicon:$DATA C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
File created C:\Users\Admin\AppData\Local\Temp\VxKex\#XIAOYI.VC.url\:favicon:$DATA C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\VxKex\#XIAOYI.VC.url

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1244 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 xiaoyi.vc udp
HK 149.129.119.2:443 xiaoyi.vc tcp
HK 149.129.119.2:443 xiaoyi.vc tcp
HK 149.129.119.2:443 xiaoyi.vc tcp
HK 149.129.119.2:443 xiaoyi.vc tcp
HK 149.129.119.2:443 xiaoyi.vc tcp
HK 149.129.119.2:443 xiaoyi.vc tcp
US 8.8.8.8:53 www.xiaoyi.vc udp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
HK 149.129.119.2:443 www.xiaoyi.vc tcp
HK 149.129.119.2:443 www.xiaoyi.vc tcp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 apps.identrust.com udp
NL 23.63.101.171:80 apps.identrust.com tcp
NL 23.63.101.171:80 apps.identrust.com tcp
NL 23.63.101.171:80 apps.identrust.com tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
GB 172.217.169.67:80 c.pki.goog tcp
GB 172.217.169.67:80 c.pki.goog tcp
GB 172.217.169.67:80 c.pki.goog tcp
GB 172.217.169.67:80 c.pki.goog tcp
HK 149.129.119.2:443 www.xiaoyi.vc tcp
HK 149.129.119.2:443 www.xiaoyi.vc tcp
US 8.8.8.8:53 o.pki.goog udp
US 8.8.8.8:53 o.pki.goog udp
US 8.8.8.8:53 o.pki.goog udp
US 8.8.8.8:53 o.pki.goog udp
GB 172.217.169.67:80 o.pki.goog tcp
GB 172.217.169.67:80 o.pki.goog tcp
GB 172.217.169.67:80 o.pki.goog tcp
GB 172.217.169.67:80 o.pki.goog tcp
US 8.8.8.8:53 x2.c.lencr.org udp
US 8.8.8.8:53 x2.c.lencr.org udp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 23.55.97.11:80 x2.c.lencr.org tcp
BE 23.55.97.11:80 x2.c.lencr.org tcp
BE 23.55.97.11:80 x2.c.lencr.org tcp
US 8.8.8.8:53 region1.google-analytics.com udp
US 216.239.32.36:443 region1.google-analytics.com tcp
US 216.239.32.36:443 region1.google-analytics.com tcp
HK 149.129.119.2:443 www.xiaoyi.vc tcp
US 8.8.8.8:53 fundingchoicesmessages.google.com udp
GB 142.250.187.238:443 fundingchoicesmessages.google.com tcp
GB 142.250.187.238:443 fundingchoicesmessages.google.com tcp
GB 142.250.187.238:443 fundingchoicesmessages.google.com tcp
GB 142.250.187.238:443 fundingchoicesmessages.google.com tcp
US 8.8.8.8:53 tpc.googlesyndication.com udp
GB 172.217.16.225:443 tpc.googlesyndication.com tcp
GB 172.217.16.225:443 tpc.googlesyndication.com tcp
US 8.8.8.8:53 fe0.google.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2368-0-0x00000000001D0000-0x00000000001E0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-24 09:43

Reported

2024-06-24 09:45

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

148s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\VxKex\#XIAOYI.VC.url

Signatures

Enumerates physical storage devices

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4548 wrote to memory of 1676 | N/A | C:\Windows\System32\rundll32.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4548 wrote to memory of 1676 | N/A | C:\Windows\System32\rundll32.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 2012 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 2012 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4876 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 1016 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 1016 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4016 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4016 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4016 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4016 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4016 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4016 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4016 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4016 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4016 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4016 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4016 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4016 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4016 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4016 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4016 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4016 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4016 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4016 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\VxKex\#XIAOYI.VC.url

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://xiaoyi.vc/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdbd7b46f8,0x7ffdbd7b4708,0x7ffdbd7b4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,8156440054128432392,10256101285575477415,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,8156440054128432392,10256101285575477415,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,8156440054128432392,10256101285575477415,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,8156440054128432392,10256101285575477415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,8156440054128432392,10256101285575477415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,8156440054128432392,10256101285575477415,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,8156440054128432392,10256101285575477415,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,8156440054128432392,10256101285575477415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,8156440054128432392,10256101285575477415,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,8156440054128432392,10256101285575477415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4444 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,8156440054128432392,10256101285575477415,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,8156440054128432392,10256101285575477415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2164 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,8156440054128432392,10256101285575477415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,8156440054128432392,10256101285575477415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,8156440054128432392,10256101285575477415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1832 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,8156440054128432392,10256101285575477415,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4148 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,8156440054128432392,10256101285575477415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | xiaoyi.vc | udp
N/A | 224.0.0.251:5353 | | udp
US | 8.8.8.8:53 | google.com | udp
US | 8.8.8.8:53 | google.com | udp
US | 8.8.4.4:53 | google.com | udp
US | 8.8.8.8:53 | xiaoyi.vc | udp
US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | xiaoyi.vc | udp
US | 8.8.8.8:53 | xiaoyi.vc | udp
US | 8.8.8.8:53 | xiaoyi.vc | udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4158365912175436289496136e7912c2
SHA1 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
SHA256 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
SHA512 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

\??\pipe\LOCAL\crashpad_1676_OCITEPKCQWCDOMEF

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ce4c898f8fc7601e2fbc252fdadb5115
SHA1 01bf06badc5da353e539c7c07527d30dccc55a91
SHA256 bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
SHA512 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d32076d535b73d7b2c1f79edaeed004f
SHA1 09977608df35a5d21cbe6f745017ece63251d708
SHA256 49b9dd6f9d67a6bbfce4991407bed6771b0a04d4f5dae5d74709f62bdca79afa
SHA512 ea0ff1a9395314a8279054f9a5665ef674ddb9bb6bab4f3afc709c6f80f266fe8d96b3ce33f438fb82c89994ccbf06641ac222e2f9201c3bd656e09996e9641b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d334380be81d163b03de520bf9f410aa
SHA1 a2a9c05be617301844e71f3edec079110a933cea
SHA256 40ebdd696f25b8bf89ab52839eef32679f88f00fb9acfb495066c84065b82a10
SHA512 3af703bae02b97f4278e97d3da95eae2500096226686aa2f2ba488d931657c27524a49856e36a8f51250f9855afac22ce67d72d1b3290340309fae2daca47b72

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 db1379486ca2c4b95e3145c622d35be6
SHA1 2c26d168b73fb5d432477db5734e2db923dcaf81
SHA256 0a4b9b0264611d46880b2c7c23d0b2d25a90c1bd7f77f66e2c33e44852b631cf
SHA512 33371fa27ccd6e1cfdcc3e1ea08bb27ff78403e0535e5821df7bcb4c39a581cc3dfba4e215737d61e30637152f81701d65db88d5e907028eff42e5138467891e