Malware Analysis Report

2025-06-16 03:39

Sample ID 240526-jq7p6acf35
Target a500acda784871a03bf414b6337de98262c4203ff0b45129ee91230cd1d93293
SHA256 a500acda784871a03bf414b6337de98262c4203ff0b45129ee91230cd1d93293
Tags
bootkit persistence upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

a500acda784871a03bf414b6337de98262c4203ff0b45129ee91230cd1d93293

Threat Level: Shows suspicious behavior

The file a500acda784871a03bf414b6337de98262c4203ff0b45129ee91230cd1d93293 was found to be: Shows suspicious behavior.

Malicious Activity Summary

bootkit persistence upx

UPX packed file

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-26 07:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 07:53

Reported

2024-05-26 07:56

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a500acda784871a03bf414b6337de98262c4203ff0b45129ee91230cd1d93293.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\a500acda784871a03bf414b6337de98262c4203ff0b45129ee91230cd1d93293.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2068 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\a500acda784871a03bf414b6337de98262c4203ff0b45129ee91230cd1d93293.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2068 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\a500acda784871a03bf414b6337de98262c4203ff0b45129ee91230cd1d93293.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 2248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 2248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 3020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 3020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 3020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 3020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 3020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 3020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 3020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 3020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 3020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 3020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 3020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 3020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 3020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 3020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 3020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 3020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 3020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 3020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a500acda784871a03bf414b6337de98262c4203ff0b45129ee91230cd1d93293.exe

"C:\Users\Admin\AppData\Local\Temp\a500acda784871a03bf414b6337de98262c4203ff0b45129ee91230cd1d93293.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://changkongbao.lanzouq.com/ikW9T1cfeg5e

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x80,0x108,0x7ffe3ff246f8,0x7ffe3ff24708,0x7ffe3ff24718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,10506390578475133709,7489695448139851032,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,10506390578475133709,7489695448139851032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,10506390578475133709,7489695448139851032,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10506390578475133709,7489695448139851032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10506390578475133709,7489695448139851032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,10506390578475133709,7489695448139851032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4016 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,10506390578475133709,7489695448139851032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4016 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10506390578475133709,7489695448139851032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10506390578475133709,7489695448139851032,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10506390578475133709,7489695448139851032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10506390578475133709,7489695448139851032,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10506390578475133709,7489695448139851032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10506390578475133709,7489695448139851032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10506390578475133709,7489695448139851032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 gcstcp.com udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
CN 124.223.107.201:51388 gcstcp.com tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
CN 124.223.107.201:51388 gcstcp.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
CN 124.223.107.201:51388 gcstcp.com tcp
US 8.8.8.8:53 wwyp.lanzoul.com udp
CN 221.229.162.62:443 wwyp.lanzoul.com tcp
US 8.8.8.8:53 changkongbao.lanzouq.com udp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 changkongbao.lanzouq.com udp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
N/A 224.0.0.251:5353 udp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp

Files

memory/2068-0-0x0000000000400000-0x0000000000A6D000-memory.dmp

memory/2068-1-0x00000000028F0000-0x00000000028FB000-memory.dmp

memory/2068-3-0x00000000028F0000-0x00000000028FB000-memory.dmp

memory/2068-4-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2068-30-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2068-36-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2068-46-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2068-47-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2068-44-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2068-42-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2068-40-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2068-34-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2068-48-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

memory/2068-51-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

memory/2068-32-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2068-28-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2068-24-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2068-20-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2068-54-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

memory/2068-53-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

memory/2068-18-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2068-16-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2068-14-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2068-8-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2068-6-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2068-38-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2068-26-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2068-22-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2068-12-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2068-10-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2068-5-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2068-2-0x0000000010000000-0x000000001003E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230421.lib

MD5 ef48d7cc52338513cc0ce843c5e3916b
SHA1 20965d86b7b358edf8b5d819302fa7e0e6159c18
SHA256 835bfef980ad0cedf10d8ade0cf5671d9f56062f2b22d0a0547b07772ceb25a8
SHA512 fd4602bd487eaad5febb5b3e9d8fe75f4190d1e44e538e7ae2d2129087f35b72b254c85d7335a81854aa2bdb4f0f2fa22e02a892ee23ac57b78cdd03a79259b9

memory/2068-99-0x00000000060D0000-0x00000000060D1000-memory.dmp

memory/2068-98-0x00000000060E0000-0x00000000060E1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 439b5e04ca18c7fb02cf406e6eb24167
SHA1 e0c5bb6216903934726e3570b7d63295b9d28987
SHA256 247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
SHA512 d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

C:\Users\Admin\AppData\Local\Temp\·½°¸.ini

MD5 bf266107c358df5c2f746e809c9c0e09
SHA1 2dc2b845c4456b1ee2dd6334cab42e4ae99e4668
SHA256 09d4dae875f7f29622fb0cf09a7961a0e7065359a910dab4e7668519433b67a3
SHA512 27290a2da1a43c150cd761d238495fee51b5e2b791a57866d4c34a17ec3c6a0999629cfa23502e7c3b4c4ca23222947c56b41004c0728df5bff6bd287f1a4b7a

\??\pipe\LOCAL\crashpad_2440_MRFQZBPUABWAXMOS

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\·½°¸.ini

MD5 16ef8177433976c14d23f839a8c1152a
SHA1 2b653ca841498be9292cbbc8b5119504e225f56d
SHA256 2a30dc50f2e6e73b059d7419b34924114bffcfa8d99f7703bfbdd4f9e5da8855
SHA512 9cccf0eb97b898988e5da63584e195528dd3a0f34d0608844a33c6ac5928d83c8159151a7a15d5382a10114b819cb72d8c5840d254d9ac1023ad6ac22ac4833e

C:\Users\Admin\AppData\Local\Temp\ÉèÖÃ.ini

MD5 924bf7a4ce305dad87743ba3c5773aa9
SHA1 12d0fddb472394b23e5176ab4ede38974e723b81
SHA256 01faf5e88442653bf38adc145d517f44d3495398e0aa666c7486b7030c126cbd
SHA512 2380c957717d3bc97ae2de96aba9cd3b50a1774eb96dc47840add1b12ee13485ee6cc6c4d30953b8f42d32ae3b02657966229fcbe58a60843df0cbd6170eb44e

C:\Users\Admin\AppData\Local\Temp\¿ì½Ý·¢ÑÔ·½°¸.txt

MD5 322f59ce015ff2f1f00ecbe4fdfce380
SHA1 eb4756a5bb023f6d1feacdbeac6e94013e15d5b0
SHA256 c96ef901d8f23cb7626ef980c4cf5bece7aafeef9b2b8b28829d3a11a51562c1
SHA512 2610ce1c0a55da67faa9ddaca26529a87bf5ebc6706621682d54024fa887ca9cd54cdc5b854f8b79ea99b02a5277d6931f633fa876107d9ec1bf503bee23a02c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a8e767fd33edd97d306efb6905f93252
SHA1 a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
SHA256 c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
SHA512 07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 bae881256b1566a8dc2722cc10347aec
SHA1 2f3be5dd7bad34900509a229578b7ee71d4ec31c
SHA256 7321673b00c31f2f48b8b2a0134960fb37d3a3824dcf71f6813a1548e20da3e0
SHA512 093acd55f69b6b3f2483ab8964680de16793dbe2ab4c94074bd58396fd75307f61625f0253e5ef670e1d3b977f6c6d25fcae33b0eecbcb08e112812fa61c2af8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c6dee3f1e40f9c440696be678f8d451f
SHA1 0f079a3f2668e1c9e5870c52ce94288a11552612
SHA256 d345c4d32c6d8eb20bed52f4f42deca8ac44c102069517516ba5c167d04dd552
SHA512 27251f97616283bbcf24a65106dd5559efca231a9591ce23e270ac741c7e4977da42273d0e07c26658ade668016a17ba063287f39394100df6c34acf927e6c17

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e6750a7f63d46cc1a148b262bf4da0c2
SHA1 871b28869240f67881768141db98aaa04e2e6f67
SHA256 6c41eb44ec480a7380450aa9e8f360b6050d0e3ab90717a1c5d0911f60e257bc
SHA512 0818b6cb321c121106a1650d009f55f1f5fddf3a0f1386c3ff68ae60c39d365eb3f3bda87fd524bfa726c89efbd7661b434b1b28f8e56d725100256a28906559

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 07:53

Reported

2024-05-26 07:56

Platform

win7-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a500acda784871a03bf414b6337de98262c4203ff0b45129ee91230cd1d93293.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\a500acda784871a03bf414b6337de98262c4203ff0b45129ee91230cd1d93293.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{470EAF01-1B35-11EF-84C7-4637C9E50E53} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a500acda784871a03bf414b6337de98262c4203ff0b45129ee91230cd1d93293.exe

"C:\Users\Admin\AppData\Local\Temp\a500acda784871a03bf414b6337de98262c4203ff0b45129ee91230cd1d93293.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://changkongbao.lanzouq.com/ikW9T1cfeg5e

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1608 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 gcstcp.com udp
CN 124.223.107.201:51388 gcstcp.com tcp
CN 124.223.107.201:51388 gcstcp.com tcp
CN 124.223.107.201:51388 gcstcp.com tcp
US 8.8.8.8:53 wwyp.lanzoul.com udp
CN 120.52.95.234:443 wwyp.lanzoul.com tcp
US 8.8.8.8:53 changkongbao.lanzouq.com udp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp

Files

memory/352-0-0x0000000000400000-0x0000000000A6D000-memory.dmp

memory/352-2-0x0000000000290000-0x000000000029B000-memory.dmp

memory/352-1-0x0000000000290000-0x000000000029B000-memory.dmp

memory/352-3-0x0000000010000000-0x000000001003E000-memory.dmp

memory/352-4-0x0000000010000000-0x000000001003E000-memory.dmp

memory/352-20-0x0000000010000000-0x000000001003E000-memory.dmp

memory/352-22-0x0000000010000000-0x000000001003E000-memory.dmp

memory/352-5-0x0000000010000000-0x000000001003E000-memory.dmp

memory/352-6-0x0000000010000000-0x000000001003E000-memory.dmp

memory/352-8-0x0000000010000000-0x000000001003E000-memory.dmp

memory/352-10-0x0000000010000000-0x000000001003E000-memory.dmp

memory/352-42-0x0000000010000000-0x000000001003E000-memory.dmp

memory/352-48-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/352-47-0x0000000010000000-0x000000001003E000-memory.dmp

memory/352-46-0x0000000010000000-0x000000001003E000-memory.dmp

memory/352-44-0x0000000010000000-0x000000001003E000-memory.dmp

memory/352-40-0x0000000010000000-0x000000001003E000-memory.dmp

memory/352-38-0x0000000010000000-0x000000001003E000-memory.dmp

memory/352-36-0x0000000010000000-0x000000001003E000-memory.dmp

memory/352-34-0x0000000010000000-0x000000001003E000-memory.dmp

memory/352-32-0x0000000010000000-0x000000001003E000-memory.dmp

memory/352-30-0x0000000010000000-0x000000001003E000-memory.dmp

memory/352-28-0x0000000010000000-0x000000001003E000-memory.dmp

memory/352-26-0x0000000010000000-0x000000001003E000-memory.dmp

memory/352-24-0x0000000010000000-0x000000001003E000-memory.dmp

memory/352-18-0x0000000010000000-0x000000001003E000-memory.dmp

memory/352-16-0x0000000010000000-0x000000001003E000-memory.dmp

memory/352-15-0x0000000010000000-0x000000001003E000-memory.dmp

memory/352-12-0x0000000010000000-0x000000001003E000-memory.dmp

memory/352-51-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/352-54-0x0000000000B60000-0x0000000000B61000-memory.dmp

memory/352-53-0x0000000000B70000-0x0000000000B71000-memory.dmp

\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230421.lib

MD5 ef48d7cc52338513cc0ce843c5e3916b
SHA1 20965d86b7b358edf8b5d819302fa7e0e6159c18
SHA256 835bfef980ad0cedf10d8ade0cf5671d9f56062f2b22d0a0547b07772ceb25a8
SHA512 fd4602bd487eaad5febb5b3e9d8fe75f4190d1e44e538e7ae2d2129087f35b72b254c85d7335a81854aa2bdb4f0f2fa22e02a892ee23ac57b78cdd03a79259b9

C:\Users\Admin\AppData\Local\Temp\·½°¸.ini

MD5 6274cd2606f9b75ae3bae96d47a120c7
SHA1 537bd99f5a39bf8556fd6299375837f1e2bd674b
SHA256 b940e2c7356601f5a4c223152f8da1efb1a6f09b262150582e21bcddf3df5d8a
SHA512 98a77e99f537a618e498b5ecea9ef8c7743940deba9d7275e58d70d279c512b60dd656cb12d001a8b093f8d48ef3391ccdfc4009a254c8605e50029ffeb764af

C:\Users\Admin\AppData\Local\Temp\·½°¸.ini

MD5 16ef8177433976c14d23f839a8c1152a
SHA1 2b653ca841498be9292cbbc8b5119504e225f56d
SHA256 2a30dc50f2e6e73b059d7419b34924114bffcfa8d99f7703bfbdd4f9e5da8855
SHA512 9cccf0eb97b898988e5da63584e195528dd3a0f34d0608844a33c6ac5928d83c8159151a7a15d5382a10114b819cb72d8c5840d254d9ac1023ad6ac22ac4833e

C:\Users\Admin\AppData\Local\Temp\¿ì½Ý·¢ÑÔ·½°¸.txt

MD5 322f59ce015ff2f1f00ecbe4fdfce380
SHA1 eb4756a5bb023f6d1feacdbeac6e94013e15d5b0
SHA256 c96ef901d8f23cb7626ef980c4cf5bece7aafeef9b2b8b28829d3a11a51562c1
SHA512 2610ce1c0a55da67faa9ddaca26529a87bf5ebc6706621682d54024fa887ca9cd54cdc5b854f8b79ea99b02a5277d6931f633fa876107d9ec1bf503bee23a02c

C:\Users\Admin\AppData\Local\Temp\ÉèÖÃ.ini

MD5 1188d570226acfff34a9522df1848479
SHA1 2ebcce8b1018c59b377a096425c5f2340e7997c0
SHA256 33323e9733df1f05799438497a1c9270ca8de472bd17852e80b1c6e82301a5fa
SHA512 4cc8ea37c6cfe065ea8026d9085f9999508071efbca0baef3c3325fce3cba01bd64912907baf7f2b4d0e38c665ce8eaf5034d2131478712f050588719fa539c2

C:\Users\Admin\AppData\Local\Temp\ÉèÖÃ.ini

MD5 b06ddcfdb64cc28ca0a0ef609de5f05f
SHA1 bd95d141935795e249d2ab00824839fd42c8f505
SHA256 da0a5d79dc6a120811b556885b704f9fd158b1f19dd5a9c595719feb56065f00
SHA512 a1dd3cc527ce6a6c4b0ea2c369d4370f6f1bf332c9255e1a8eebfd5986c133dacc2e6c6a55071e5bcf4724f37ff2920f2e17567ca32571e664b458e526be72b5

C:\Users\Admin\AppData\Local\Temp\ÉèÖÃ.ini

MD5 924bf7a4ce305dad87743ba3c5773aa9
SHA1 12d0fddb472394b23e5176ab4ede38974e723b81
SHA256 01faf5e88442653bf38adc145d517f44d3495398e0aa666c7486b7030c126cbd
SHA512 2380c957717d3bc97ae2de96aba9cd3b50a1774eb96dc47840add1b12ee13485ee6cc6c4d30953b8f42d32ae3b02657966229fcbe58a60843df0cbd6170eb44e

C:\Users\Admin\AppData\Local\Temp\Cab542B.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar549C.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f03259c88534e54d2426d30df6b9a22c
SHA1 c187bf97f42b5979a24b311c7f788b1b40b6b498
SHA256 ce945da4df7cb139a4424de74b42d7b527b92dc8fb5e961dc5dffbc278d04a97
SHA512 383256c69e8474af7ffbd7d4eb4779a8e220ab5abc8c10d1da19eadca1af61ff00cd3c7a8e4e8f620996e3a79a533f76e1ac71bff9b37352c2a51cc8c91b431a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b40734ef0ee4922c1f9fd85778b6ab5e
SHA1 7c2d965b9b84ba1259ebdbeed2212700a535d9dd
SHA256 97728eef2cfb7f2bee29d0d39ac00dd4f2ec2d3542406b140556a11fc347d4e1
SHA512 e75c1cce4e190b1b0f68ba32f15e93d74945d6c350382580e0f83dfb160a75018dfd24bfada2fd5d3daadbbc3edef72523a0d19357f47762c6b66760a0b04e57

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a97f93d4aab5cb41c88aa58670c2642e
SHA1 fee107bbc7fbf5a2d05aee8e2706ecb167f01685
SHA256 f17e330c45d841a57c2ea54eb387e1442da9af0aed0c311fab861be287a006fc
SHA512 9b314867b302daf37a28514b3e2d653d02b02a19b566712274e44f04f905cd7517a2aaad8703321d3ed8cdbcacf3c196e5494ebec49789724c8225e75748ad66

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3f6b3b5aeebb300df3aa6a84ee35b229
SHA1 dfbfb936651e15252c144e5eae17b1aab9a2ca29
SHA256 d29b1ba73ce3d307eb670eac3655563094edfad7e26d6d10a9f304efa8dcfe74
SHA512 6f25f2ad88af366eebb1fdea791721cec5ef37b9177dd71e120a268a0b10474d11950e129e38d5a9eb45003f95ca3a00fdbd7f29bc96816d1cfec008e97656e2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 660b961e544e144c7ddbf5b81cb4803b
SHA1 9f2ad2560fdfda7fbdb877a6c9f69aec7f783a2d
SHA256 759bf9eba1c6a4cd08c6fbc96880842f1e01db977c47766d97fc4f25c6d9b529
SHA512 4409b949f6ef83de4320baa0a49c22afbbf936b513cc327ba665248b3919f85d38c08510473c15a115edd88329fbe965fdf6a6bf940f1e81689481667e4fe23c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 57405bf4b26ab0dace67920dfe19eb4b
SHA1 dd5ed35940e5c75ef04f4bbebb0c31127c29d425
SHA256 2297b2ad347adfaefca960f3d549add57a984dbd3f07c7641dc3a7c20097ab8e
SHA512 5a9edf89b7f74a513aa5010482eb2db0c0f74c41372f2598cb8f1b304e6afd598ba8e2e5fea6f64b5202e76411ecd4e1e1c541f6616edb5283dd1d6aeb714815

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 801365a9002ad2fe90718483156aaf6b
SHA1 2285624b3970cd5d6907402e8204039043e85293
SHA256 43f34c9e57d634b9e919a3d9010929718584fb605d0bac85d1644c72e05bfa62
SHA512 aced43e4b20befc046251d30310ba03c9d421525a57e9eed4b1ac892a773c2a01a23bb69277ed684f5105a10b1583d627cd3386cf3a5ebb2d291c6497adcc539

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2377e2a3ac292e05fc1a3d68544a750d
SHA1 d739f333d107f79fdb8c291a525b7c85b89c6459
SHA256 15531baacfb6b9a7ba182f0a529086689df932bdc78631e23e688046644bbb37
SHA512 fa5d59a96da8f4c2aa524162e2f53acf428a3fdfa7463f8893780733f2754acbcae56d772ed9191b5d52f17df752d23596ee5c9073c4f8eee945c3f9a9e5ec25

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c65be52741a85d42ac275783fa4fabfc
SHA1 a28acd7c65464a9903631e9e192e020a272aa815
SHA256 c4101413a45e0ad1b11cf31d427188dab7209b3fe0cc2bd1d5fdd05411ce0bf0
SHA512 bf63c15dc449b21c8ae7feee9b1d598cd0a0962f9e3253f715eacae52999853b24e53b08509010a0b9bf86af27fa7ac93c638db290d48c254944bb01fabe959b