Malware Analysis Report

2025-06-16 03:39

Sample ID 240526-md5xkseh7s
Target 744780692d69f16ef980235e53b061e932e22b83ff254a8bbcff75187f022e89
SHA256 744780692d69f16ef980235e53b061e932e22b83ff254a8bbcff75187f022e89
Tags
bootkit persistence upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

744780692d69f16ef980235e53b061e932e22b83ff254a8bbcff75187f022e89

Threat Level: Shows suspicious behavior

The file 744780692d69f16ef980235e53b061e932e22b83ff254a8bbcff75187f022e89 was classified as: Shows suspicious behavior.

Malicious Activity Summary

bootkit persistence upx

UPX packed file

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Unsigned PE

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-26 10:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 10:21

Reported

2024-05-26 10:28

Platform

win7-20240221-en

Max time kernel

147s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\744780692d69f16ef980235e53b061e932e22b83ff254a8bbcff75187f022e89.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\744780692d69f16ef980235e53b061e932e22b83ff254a8bbcff75187f022e89.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{74CC5221-1B4A-11EF-BECC-D2EFD46A7D0E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\744780692d69f16ef980235e53b061e932e22b83ff254a8bbcff75187f022e89.exe

"C:\Users\Admin\AppData\Local\Temp\744780692d69f16ef980235e53b061e932e22b83ff254a8bbcff75187f022e89.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://changkongbao.lanzouq.com/ikW9T1cfeg5e

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:540 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 gcstcp.com udp
CN 124.223.107.201:51388 gcstcp.com tcp
CN 124.223.107.201:8899 gcstcp.com tcp
US 8.8.8.8:53 wwyp.lanzoul.com udp
CN 119.188.49.80:443 wwyp.lanzoul.com tcp
US 8.8.8.8:53 changkongbao.lanzouq.com udp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2920-0-0x0000000000400000-0x0000000000A5D000-memory.dmp

memory/2920-2-0x0000000000270000-0x000000000027B000-memory.dmp

memory/2920-1-0x0000000000270000-0x000000000027B000-memory.dmp

memory/2920-3-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2920-29-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2920-26-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2920-24-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2920-45-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2920-14-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2920-51-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2920-47-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2920-48-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2920-41-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2920-39-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2920-52-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2920-38-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2920-35-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2920-33-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2920-31-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2920-22-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2920-20-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2920-18-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2920-16-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2920-12-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2920-8-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2920-6-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2920-5-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2920-4-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2920-55-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/2920-58-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2920-57-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2920-61-0x0000000010000000-0x000000001003E000-memory.dmp

\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230421.lib

MD5 ef48d7cc52338513cc0ce843c5e3916b
SHA1 20965d86b7b358edf8b5d819302fa7e0e6159c18
SHA256 835bfef980ad0cedf10d8ade0cf5671d9f56062f2b22d0a0547b07772ceb25a8
SHA512 fd4602bd487eaad5febb5b3e9d8fe75f4190d1e44e538e7ae2d2129087f35b72b254c85d7335a81854aa2bdb4f0f2fa22e02a892ee23ac57b78cdd03a79259b9

C:\Users\Admin\AppData\Local\Temp\快捷发言方案.txt

MD5 1f176fd422d932b3f73c59cd0e8a4d0b
SHA1 e944c5a2805bb8809ddef9402304a12e6d3a3751
SHA256 f96f94e2c2d39b65dd9ca21a66abf75ed7b4c2d03bc703c5afc71fa1ea12669e
SHA512 7b0b29b2e9f0e6730541d206fde7cd2a5318a227f67b25c56b3005acd30201d11cbec7ddcdd9ad2149981ae681adffa2b161e2588375447b4add74eaea7db225

C:\Users\Admin\AppData\Local\Temp\方案.ini

MD5 b6bffed88dc920f4daccf1a83dbf7f8b
SHA1 9d6e4a7b272cb725a143a588e1fe7b0ca6374b0b
SHA256 88e93194d4660d8c6f3f70591eef2e73ee460bbca08932cd7bec4393a6c7a36b
SHA512 d603a3aca6149b8dba1a1c3ca84d09d39459c21e10d4ef25ea88807cd0901f5a749dd7f97d4d49a9211f099e689156bc9724a73ad1e73aa580d8680d6cf25d3e

C:\Users\Admin\AppData\Local\Temp\方案.ini

MD5 1d67dafae0fcabbdc7ffaa3095ca3b61
SHA1 6ea71d27c8bf64ff601585c961a65c1adc9d7775
SHA256 51037184b477771ebe0558bed508315e05de95cb170a40a975d2326e97bfe88e
SHA512 b1ebb5d6d68fd2c5372114494dca30eff6107e263313b8889c4ef9b3f2311d3fc0b557bbcefa6911547727eac0b345df904993561c5a6feb87426158a4684d71

C:\Users\Admin\AppData\Local\Temp\设置.ini

MD5 be1ed890b76305de558c92cdec4ac2bb
SHA1 f9886e1bcb55dcfcb06294141496d8ac9eb7e014
SHA256 bad4ee5b9b63fd12da271a13eb1a7120a58ee3c5a4f95daef51fab68b87ba6cb
SHA512 0060156b4a7fb18c5a1fd2018fe69d3a533e5c3b8d1f14920bfd6ab88ffedb799901a635a186e35f2aa605d3bcc502142363b63aad202b3928e77180e6d56dec

C:\Users\Admin\AppData\Local\Temp\设置.ini

MD5 0e66900340fc19323c256461904893d9
SHA1 daf382f14a93f5cc7a839f0d2914a7fe699cbbee
SHA256 3c0466e79066d63e524f4b8f5423409a9fcfa769334cde7b1628d5f86265be10
SHA512 2c446d717530e6e73c59f965b034ca9cd92409d5eeb2f60c9d001ef0f905e09864ab0448b929deea46a25bdab707ae61d45ab78c23cb37a6dc6c0eb85300b2b8

C:\Users\Admin\AppData\Local\Temp\Cab14DA.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar15EB.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 42efd731c04e34d6272d88af5d29a849
SHA1 fc6e93fb0cdbcc1cb175bca5221ca0c2c6b35c47
SHA256 7ffa3c1ea9b0d9948db3a2e049fd2a4818e0123b20cc7b69a69d6627f51f53b8
SHA512 02d8006b535f0f3e124c7a46e5c51353aa92000ac8395d885587a74fa1fb50a5968de679b68d81ecb0583f68ee16a97e6aa6b874678e7da3889821cca8371484

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c877f8b7e5ad67bde824a48ac2ff05df
SHA1 49f4e9afcaf600676f8325038a5f1cdf5a008af3
SHA256 68677cfc78a3731bba137d621b59420ec89d55fb51fae9b5194f93472f5682d3
SHA512 b1298ad755a2777558a1aa614d29370ed97554bc72fc1900329f29a034095de6c7f7263c7c57c3dc4ee3d536c56071b965cdeaf94a10332f00e06a1b0f895a78

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f2c5253ea9110604f2e96604ec5bcef7
SHA1 72daa0f36f0528c1fa62d9d507473f4598ffbedc
SHA256 fac824b2838b67fa6bad8dfbac5663bffde6c2e0358670c105f9f6c47efb3261
SHA512 43700f3ef450fd6e55ae7312b6c8bd4c8d0d3954a8f4607d679257c5e9eff1e634cb4e96203fc0560108b65f9f6029aeaad63000965ffdcd97f5ec4a8989b37f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b11582b4e3c9d46b44a614d7d75a91ef
SHA1 3de5045594d2aa1f9d27c316aaaa81253df05d0c
SHA256 cbe219f384515092af1a2bb91c977e6e8673e6b9cc4ba797e16c46a00b254114
SHA512 91d3ac12d3fe10d3a058b36d9f8c44c464efc99e0885e4b94fc8d9483019a1da2e5f2b1f947adf1603439db88946b43b705e44f6da8bf9dcce83f811c0e4abf2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 edde304f6cd721b9591f0016d81229f4
SHA1 994c8e12c121ed160c6a720fececeed80650694b
SHA256 5d0fbeffbb35d444eeab50062796430e4dbcedc29d6cd0a155a0d580e66fd4ea
SHA512 7e73c799525392d368c6fa5b136542badeb358cf40f949d0bf3557cedde45bb2b15bfda50add63361bbe3fff1f84530bbf9e518d1fab63b709f615d980b24b29

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 84d46a13f5009bb2b1bd41e9af473850
SHA1 d5a8ba637b4937fcded691cb91431b19d0d836d4
SHA256 89075d10e7176cfab8155d22f1970da5f56a7b0ddf7fa42b7f3e48070952310e
SHA512 3805e6f93b3d81aabde5223eecad7e2de759111c6e060d2132a49645967c27dc87685d7616e11a87ca0bcd78f6bc452a428d00a1cc36f8561be51eac0dea34da

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7bb36f37819e4f844d8d9ae19ee1e830
SHA1 96d76c2caa6bc7bb2747eeeaa2a43e4ab6ac95bf
SHA256 d6ecedee152437d3a978db6581bdb7fc4cddeabd36c2a2cafa626c0e60c4e5da
SHA512 82c8629951e7263f3b56c927719d869b76cf38669ac893b70d34169bfeaabc99d27633dc48edbf9fb8241f3c2961469be21d3722ce2f1017bda59ca02cb6312b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 efa9e67f6ca42a5beccc7c489ce6a80f
SHA1 cd1174e1c6f25f322999b72814f432ed5ed6288a
SHA256 0f13fb0a47fd0d2c40059d26616e8238ece16d94640129624ff606ffb2b60456
SHA512 1ac653ba0cb6195a25ccd2f7a305d1c4d8f4277c0eb7bf10d99ba58d1d8053dcee805feb88f33a0ffd22fe39392b6991141e75fcf5dd75868b93b25c91a6863f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bb78a340a29ee0d16eeaa6e5d5d11025
SHA1 650e0a8cdadd9e9c19ffa50307c3175add813fd1
SHA256 a3a708b9811ec061716e957b205ed5a813c3ec39870cd475b8dcb3e6ac666498
SHA512 7965d41369955f240c4675500643f8b3cf84e61d88291f612f26bfbd357f49519732b9027e99f89a65d2b4d1e764ab8c7542b93fbf29c4b3261bcd1d4800cd67

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0df170f1c610760b950916399c8bcbcb
SHA1 2c5ab98d3a10d1d40f579b7bb464c4341846f344
SHA256 0f824a20a888be6ebeb0bedb10deb0cd594d4da17186be2462e80b859003698b
SHA512 cff1dc18f61ba85a5d2c8f5907873e7b2f1fdd165b48b455ef6faf86ef752442ba038d87e82ac2ecc64127abdb6e1fd438491d7405beddb21c88c33d2f43f505

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1f36af8cb64937152eb66c6cbfcb310d
SHA1 610e477cfa86a9dc68e67006530c5e70d8683dfd
SHA256 cde30967bbcd3d6e49f3e3d6f4002b3c62f06fae7d35455d66b29702606e0c54
SHA512 37759427e30a9cbda770b348fbc521d9c3cb16e6343fc129d1b41b7aa0a21a35eb0e74c3c9ba9b8defa115f26006451843d07b9b78685e9538903567b104ea96

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 09eb78550239a991e66ff9a841a32dff
SHA1 a3ee7ee4c3ffe995666593ce72401882845a86b8
SHA256 278500b1dda05537ccc53944800574df494b58f4182ffc6e03bb74c1ebe0fee8
SHA512 118bc5a641d496e30a1c30e155b3a86b8c413b557bb0c26f568f029944cb8145b2419cb78c0aa18a8eddd3c23403975ed03242ef13f603755ac84fa8d3e037e2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 db95f6d4d9d3358653638aa172cf3944
SHA1 241f22124c78c55c8fe7d4522979709234b3e576
SHA256 b52c11b39b0d7650b813f5891e41a02f3cb69e43ae005532bf709f5485d6be01
SHA512 252143f5ee7442a589bb8b969df52ea7d5ffd2b964c33e7838d767d2162927038c65c93039fbe2313be0d56e522c8901fe4a004d8e044c4e1d341b3375d7e4a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 29acc781287492bb29ed5522ab063a85
SHA1 c539deff7a25f0dbbda04ada1f30e118f2bcbf23
SHA256 a6b7aa598b22fc024bbb833813b3468593826384134d368eb480673954e0895d
SHA512 64741c4dd3f6869244549d35629b806b606646e438b0012e25545df63b132c82efb6039eee7057ae10e89635db32469706673fe48799a228d7a00473d8968b67

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9b7162ff329eadb24ecc06854b6ab4cc
SHA1 6f972f7dcf5a7c5449dbfea133fb19e2dfb69ea9
SHA256 d40d4721fe92a0fa1d1d5bdf18dd8bb2f1eb387f6529205ff93e150751775e1c
SHA512 5cac5ecdf5152ea1a5d9c1e0be18b2f1f4aef0c4bd3b62a10bbf0145316629035f89c8b725fee3ed60fd5c6a298030ff05a14c87ea7ee7e16d04d41d63faf768

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fab03d4a73ce9712c1bc1ce8362a4e43
SHA1 9a65ac1120b10275220e8178a03e011f59e4f6b8
SHA256 65d41af5de998ec3ebb37cd6560357af654268e03b0888af5220271a10575a32
SHA512 a4d99c62bb8e7569c49154f9649c011ca5304e81edfd146ce76d3f54d3be10ca17682643398cdebad67c921f0aa124aeb131ee8d8712a66ba01be99092846889

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9b0c0ce10193c67c679d8c2edb097073
SHA1 f74dc1056c2cce5c215c4a3fcf9a3eeaa1e9a4fc
SHA256 6b4a79606daaaabda053f68f5257a58c9711b87662833351f3b35f82f88440ab
SHA512 478fd13658a0a650fcd60848469f4779f95bbb5c074000b9170f7468ac7ab8b37d085ff2a72dd01e0fda7e8664270401120ef3dc36ab53c20b328972f5ea32a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c47c057348cfaa6c6ec6de7106a9a386
SHA1 daf713c0277644032e0015a48feccae0f5fa8c71
SHA256 2d406efe3047ddd617711258bc4f7ee5560180b9b9f985e67644b34dc7465d70
SHA512 85f8b0bdeda3848008bdcf08e3dbf5c833250da364454765f8ea608bc27f2314a916ed38dce23870fd09856df92028770cde87732283271270003a7e86ccb3fb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5ac4f34a9681fad93d288fbc17f71794
SHA1 44a5d2519870c5cf0334b3c6e4cb555bc7c62a1f
SHA256 90fcd92866301c4a9462b99a4ce4b7bb299365d7268fad1982dcef14d8032527
SHA512 090ccf6a2eca4488904cd4e8a2ccecc1cbdc13f8ad4481bc58c499ae6d324105a626826e1266e3428146a1484d7003ac96249837efdd591a65375e1b85254e69

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 10:21

Reported

2024-05-26 10:25

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\744780692d69f16ef980235e53b061e932e22b83ff254a8bbcff75187f022e89.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\744780692d69f16ef980235e53b061e932e22b83ff254a8bbcff75187f022e89.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1476 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\744780692d69f16ef980235e53b061e932e22b83ff254a8bbcff75187f022e89.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1476 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\744780692d69f16ef980235e53b061e932e22b83ff254a8bbcff75187f022e89.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1092 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1092 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1092 wrote to memory of 4600 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1092 wrote to memory of 4600 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1092 wrote to memory of 4600 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1092 wrote to memory of 4600 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1092 wrote to memory of 4600 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1092 wrote to memory of 4600 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1092 wrote to memory of 4600 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1092 wrote to memory of 4600 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1092 wrote to memory of 4600 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1092 wrote to memory of 4600 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1092 wrote to memory of 4600 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1092 wrote to memory of 4600 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1092 wrote to memory of 4600 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1092 wrote to memory of 4600 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1092 wrote to memory of 4600 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (26 identical entries)
PID 1092 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical entries)
PID 1092 wrote to memory of 3440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (18 identical entries)

Note: PID 1092 is the Edge browser process (its Crashpad pipe, \??\pipe\LOCAL\crashpad_1092_KOLIPKOTABIVOJGT, is listed under Files) and every target is another msedge.exe. These entries are the browser writing into the child processes it spawns, which the Chromium sandbox does on every launch; they are not the sample injecting into Edge.

Processes

Note: the first msedge.exe command line, which opens https://changkongbao.lanzouq.com/ikW9T1cfeg5e with --single-argument, is the only browser launch that is not a routine child process. Every later msedge.exe carries a --type= switch (crashpad-handler, gpu-process, network and storage utilities, renderers) and is spawned by the browser process itself; CompPkgSrv.exe -Embedding is a standard Windows COM server and identity_helper.exe ships with Edge. None of these command lines is an indicator on its own.

C:\Users\Admin\AppData\Local\Temp\744780692d69f16ef980235e53b061e932e22b83ff254a8bbcff75187f022e89.exe

"C:\Users\Admin\AppData\Local\Temp\744780692d69f16ef980235e53b061e932e22b83ff254a8bbcff75187f022e89.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://changkongbao.lanzouq.com/ikW9T1cfeg5e

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcce5046f8,0x7ffcce504708,0x7ffcce504718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,4903281103203066139,10791625615678922520,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2292 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,4903281103203066139,10791625615678922520,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,4903281103203066139,10791625615678922520,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4903281103203066139,10791625615678922520,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4903281103203066139,10791625615678922520,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4903281103203066139,10791625615678922520,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4360 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4903281103203066139,10791625615678922520,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,4903281103203066139,10791625615678922520,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3608 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,4903281103203066139,10791625615678922520,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3608 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4903281103203066139,10791625615678922520,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4903281103203066139,10791625615678922520,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4903281103203066139,10791625615678922520,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4903281103203066139,10791625615678922520,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 gcstcp.com udp
CN 124.223.107.201:51388 gcstcp.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
CN 124.223.107.201:8899 gcstcp.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 wwyp.lanzoul.com udp
CN 218.60.101.80:443 wwyp.lanzoul.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 changkongbao.lanzouq.com udp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
US 8.8.8.8:53 changkongbao.lanzouq.com udp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
US 8.8.8.8:53 104.116.69.13.in-addr.arpa udp
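Most rows in the table above are background: reverse lookups of every contacted IP (the in-addr.arpa queries), mDNS on 224.0.0.251, and bing.com/bing.net traffic that Edge generates on its own once it is started. Once those are removed, what remains is the lanzouq.com/lanzoul.com traffic from the URL Edge was told to open and gcstcp.com on TCP 51388 and 8899, the only destination on ports that are neither DNS nor HTTPS. The following Python script is an added example, not part of the sandbox report or its tooling: it parses rows copied from the table, separates the noise, and ranks the remaining destinations by port. The bucket names, the function names, and the list of browser background domains are my own assumptions; the resolver address and the host Edge opened come from the report.

```python
from collections import defaultdict

# Rows copied from the report's Network table (a subset that covers every case;
# the mDNS row has no domain column and must parse as three fields).
NETWORK_ROWS = """\
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 gcstcp.com udp
CN 124.223.107.201:51388 gcstcp.com tcp
CN 124.223.107.201:8899 gcstcp.com tcp
US 8.8.8.8:53 wwyp.lanzoul.com udp
CN 218.60.101.80:443 wwyp.lanzoul.com tcp
US 8.8.8.8:53 changkongbao.lanzouq.com udp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
N/A 224.0.0.251:5353 udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

# Host Edge was launched with (from the msedge.exe --single-argument line).
BROWSER_TARGET_HOSTS = {"changkongbao.lanzouq.com"}
# Assumed: domains Edge contacts by itself after start (new-tab page, search).
BROWSER_BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")
RESOLVER = ("8.8.8.8", 53)      # the sandbox's DNS server, from the table
MDNS = ("224.0.0.251", 5353)    # multicast DNS, never a real destination
WEB_PORTS = {53, 80, 443}


def parse_rows(text):
    """Yield one dict per row; 'domain' is None for rows without that column."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue                      # header or blank line
        ip, port = dest.rsplit(":", 1)
        yield {"country": country, "ip": ip, "port": int(port),
               "domain": domain, "proto": proto}


def classify(row):
    """Assign a row to a bucket; order matters (most specific test first)."""
    ip, port, domain = row["ip"], row["port"], row["domain"]
    if (ip, port) == MDNS:
        return "noise:mdns"
    if domain and domain.endswith(".in-addr.arpa"):
        return "noise:reverse-dns"        # sandbox resolving IPs it saw
    if (ip, port) == RESOLVER:
        return "dns-query"                # the queried name matters, not 8.8.8.8
    if domain and domain.endswith(BROWSER_BACKGROUND_SUFFIXES):
        return "browser-background"
    if domain in BROWSER_TARGET_HOSTS:
        return "browser-opened"           # caused by the sample, served by Edge
    return "candidate-ioc"


def triage(text):
    """Return (rows per bucket, candidate IOC endpoints keyed by domain)."""
    buckets = defaultdict(list)
    iocs = defaultdict(set)
    for row in parse_rows(text):
        bucket = classify(row)
        buckets[bucket].append(row)
        if bucket == "candidate-ioc":
            key = row["domain"] or row["ip"]
            iocs[key].add((row["ip"], row["port"], row["proto"]))
    return dict(buckets), {k: sorted(v) for k, v in iocs.items()}


def nonstandard_ports(iocs):
    """Candidate IOCs talking on ports other than DNS/HTTP/HTTPS."""
    out = {}
    for domain, endpoints in iocs.items():
        odd = sorted(p for (_, p, _) in endpoints if p not in WEB_PORTS)
        if odd:
            out[domain] = odd
    return out


if __name__ == "__main__":
    buckets, iocs = triage(NETWORK_ROWS)
    for name in sorted(buckets):
        print(f"{name:20s} {len(buckets[name])} rows")
    for domain, endpoints in iocs.items():
        print(domain, endpoints)
    print("non-standard ports:", nonstandard_ports(iocs))
```

Run stand-alone it prints the bucket counts, the two candidate domains with their endpoints, and gcstcp.com as the only one on non-standard ports. wwyp.lanzoul.com stays a candidate on purpose: the report does not say which process contacted it, so the script does not guess.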

Files

Note: the entries below fall into three groups. Memory regions dumped from PID 1476 (the first dump, an image at 0x00400000, is consistent with this being the sample's own process), files the sample wrote to its Temp directory, and Edge profile files (Crashpad\settings.dat, Preferences, Local State, data_reduction_proxy_leveldb) that the browser writes on any start and that carry no indicator value. Several paths appear more than once with different hashes; each entry is a separate write of the same file.

memory/1476-0-0x0000000000400000-0x0000000000A5D000-memory.dmp

memory/1476-1-0x0000000001150000-0x000000000115B000-memory.dmp

memory/1476-2-0x0000000001150000-0x000000000115B000-memory.dmp

memory/1476-3-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1476-4-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1476-26-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1476-44-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1476-47-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1476-48-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1476-49-0x0000000001170000-0x0000000001171000-memory.dmp

memory/1476-42-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1476-40-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1476-38-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1476-36-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1476-34-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1476-32-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1476-30-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1476-28-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1476-24-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1476-22-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1476-20-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1476-18-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1476-16-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1476-14-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1476-12-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1476-10-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1476-8-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1476-6-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1476-5-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1476-52-0x0000000001180000-0x0000000001181000-memory.dmp

memory/1476-55-0x0000000001190000-0x0000000001191000-memory.dmp

memory/1476-54-0x00000000029F0000-0x00000000029F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230421.lib

MD5 ef48d7cc52338513cc0ce843c5e3916b
SHA1 20965d86b7b358edf8b5d819302fa7e0e6159c18
SHA256 835bfef980ad0cedf10d8ade0cf5671d9f56062f2b22d0a0547b07772ceb25a8
SHA512 fd4602bd487eaad5febb5b3e9d8fe75f4190d1e44e538e7ae2d2129087f35b72b254c85d7335a81854aa2bdb4f0f2fa22e02a892ee23ac57b78cdd03a79259b9

Note: Exui is a UI library for programs written in 易语言 (EPL) and krnln is the name of that language's core runtime library. A runtime module written to Temp and then loaded is what the "Loads dropped DLL" signature reports, and the 0x10000000-0x1003E000 region dumped repeatedly from PID 1476 above is the default image base of an MSVC-built DLL, consistent with this file being mapped there.

memory/1476-103-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

memory/1476-102-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 eaa3db555ab5bc0cb364826204aad3f0
SHA1 a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca
SHA256 ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b
SHA512 e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

C:\Users\Admin\AppData\Local\Temp\设置.ini (GBK file name, "Settings.ini"; the sandbox rendered its raw bytes as ÉèÖÃ.ini)

MD5 49f36aa007f23eb6c74c4a2a1a3a33b1
SHA1 24bc012bf366135ed5b87fa1fae78d5a2995536f
SHA256 2454bb119c52184d858ad28c30a7178102ede54731a482b7168f1528516dd4cb
SHA512 6788124e3da25d19c0acc3f188d6e25c1eee4aaa3df0ba1aeac17a64eca3b487e6de745ad38d47aa9fa03ce1d55c7172cfd872831034da3d7aea86e88a449474

\??\pipe\LOCAL\crashpad_1092_KOLIPKOTABIVOJGT

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\快捷发言方案.txt (GBK file name, "Quick message presets.txt"; the sandbox rendered its raw bytes as ¿ì½Ý·¢ÑÔ·½°¸.txt)

MD5 1f176fd422d932b3f73c59cd0e8a4d0b
SHA1 e944c5a2805bb8809ddef9402304a12e6d3a3751
SHA256 f96f94e2c2d39b65dd9ca21a66abf75ed7b4c2d03bc703c5afc71fa1ea12669e
SHA512 7b0b29b2e9f0e6730541d206fde7cd2a5318a227f67b25c56b3005acd30201d11cbec7ddcdd9ad2149981ae681adffa2b161e2588375447b4add74eaea7db225

C:\Users\Admin\AppData\Local\Temp\方案.ini (GBK file name, "Scheme.ini"; the sandbox rendered its raw bytes as ·½°¸.ini)

MD5 b6bffed88dc920f4daccf1a83dbf7f8b
SHA1 9d6e4a7b272cb725a143a588e1fe7b0ca6374b0b
SHA256 88e93194d4660d8c6f3f70591eef2e73ee460bbca08932cd7bec4393a6c7a36b
SHA512 d603a3aca6149b8dba1a1c3ca84d09d39459c21e10d4ef25ea88807cd0901f5a749dd7f97d4d49a9211f099e689156bc9724a73ad1e73aa580d8680d6cf25d3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4b4f91fa1b362ba5341ecb2836438dea
SHA1 9561f5aabed742404d455da735259a2c6781fa07
SHA256 d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c
SHA512 fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

C:\Users\Admin\AppData\Local\Temp\设置.ini (GBK name, shown by the sandbox as ÉèÖÃ.ini)

MD5 be1ed890b76305de558c92cdec4ac2bb
SHA1 f9886e1bcb55dcfcb06294141496d8ac9eb7e014
SHA256 bad4ee5b9b63fd12da271a13eb1a7120a58ee3c5a4f95daef51fab68b87ba6cb
SHA512 0060156b4a7fb18c5a1fd2018fe69d3a533e5c3b8d1f14920bfd6ab88ffedb799901a635a186e35f2aa605d3bcc502142363b63aad202b3928e77180e6d56dec

C:\Users\Admin\AppData\Local\Temp\方案.ini (GBK name, shown by the sandbox as ·½°¸.ini)

MD5 1d67dafae0fcabbdc7ffaa3095ca3b61
SHA1 6ea71d27c8bf64ff601585c961a65c1adc9d7775
SHA256 51037184b477771ebe0558bed508315e05de95cb170a40a975d2326e97bfe88e
SHA512 b1ebb5d6d68fd2c5372114494dca30eff6107e263313b8889c4ef9b3f2311d3fc0b557bbcefa6911547727eac0b345df904993561c5a6feb87426158a4684d71

C:\Users\Admin\AppData\Local\Temp\设置.ini (GBK name, shown by the sandbox as ÉèÖÃ.ini)

MD5 0e66900340fc19323c256461904893d9
SHA1 daf382f14a93f5cc7a839f0d2914a7fe699cbbee
SHA256 3c0466e79066d63e524f4b8f5423409a9fcfa769334cde7b1628d5f86265be10
SHA512 2c446d717530e6e73c59f965b034ca9cd92409d5eeb2f60c9d001ef0f905e09864ab0448b929deea46a25bdab707ae61d45ab78c23cb37a6dc6c0eb85300b2b8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a981bd591af7a916ff2fb85c2130d189
SHA1 d8190934309ff9b3c9ac90a0155ebb8cec3750c6
SHA256 99e1ce58bae4a415b4ce51deceff1fa9b24eb4b83dfead502d6d17dd02618162
SHA512 50cc29c0f33c040bd06583e8693ef1e977b28090911f66330ca489af28139dc17752136ac4c23764e22e6d043fde25baae1774fd2610d0086f5eb88a4fc2d0d2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5b5b06bc0fd16d7c8af9846d63f45cca
SHA1 9a995f2c901f03dcfe6367ed8b2e5ef621242b9b
SHA256 2f5fb5aebf995c9398077c37063bea38ea349df08ab131ed5b5479456b8d8ce2
SHA512 dedb1e2e33a10b32655940fce29395aa05b20174502952cd0a03a435f3a4fe6be8f661c12e974d23d6486ec037f2b59ded6e66668cd774b7c7af951b442caf08

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 de521e87717301e5f10902953afa5dbc
SHA1 a2ca3df2198ac2765b6859a9a2f821f5ddcec4cb
SHA256 2f80da8d5b2a43e5b5274bab3abe684726f3d7b52935eb50fd5646c990ab23d6
SHA512 181b7a869c5fd210039e4a14ad841b70c442e2eb29171736336947c207b154a1180ae3cf98927e96fda66b0529817af61765f23395bf0e9b5a127cff6a66b287

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 bbdb43b7e3e195ea3c507f9e777797c4
SHA1 422768a5f9045b8700c1ac7615c72cd42310e873
SHA256 296de556eb179e88eb922c70ff8c5df1543a25b759ea94735b9b3de12dba6ee0
SHA512 85dc3a176acb4d365dc95d523dfa8fab5896a8da9fe7938dbeb5681a1721c2593d0fbe06e3f7c44ca2aaa82bc5ebf0c67b44ed6e6c873ce2178f2d23a4a278fe
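The file names the sample writes to Temp are GBK-encoded Chinese, and the sandbox (an English Windows build, so ANSI code page 1252 is assumed here) displayed the raw bytes as accented Latin characters; the same paths also recur with different hashes because the files were rewritten during the run. The following Python script is an added example, not part of the sandbox report or its tooling: it reverses the mojibake by re-encoding the displayed text to the original bytes and decoding them as GBK, then groups the Files entries by repaired path so rewritten files and sample-dropped files stand out. The entries are copied from the list above (path and SHA256 only); the function names and the Temp-directory test are my own.

```python
from collections import OrderedDict

# Path / SHA256 pairs copied from the report's Files list, as the sandbox
# displayed them (mojibake included). Memory dumps and Edge's Crashpad and
# Local State files are omitted for brevity.
FILE_ENTRIES = r"""
C:\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230421.lib
SHA256 835bfef980ad0cedf10d8ade0cf5671d9f56062f2b22d0a0547b07772ceb25a8
C:\Users\Admin\AppData\Local\Temp\ÉèÖÃ.ini
SHA256 2454bb119c52184d858ad28c30a7178102ede54731a482b7168f1528516dd4cb
C:\Users\Admin\AppData\Local\Temp\¿ì½Ý·¢ÑÔ·½°¸.txt
SHA256 f96f94e2c2d39b65dd9ca21a66abf75ed7b4c2d03bc703c5afc71fa1ea12669e
C:\Users\Admin\AppData\Local\Temp\·½°¸.ini
SHA256 88e93194d4660d8c6f3f70591eef2e73ee460bbca08932cd7bec4393a6c7a36b
C:\Users\Admin\AppData\Local\Temp\ÉèÖÃ.ini
SHA256 bad4ee5b9b63fd12da271a13eb1a7120a58ee3c5a4f95daef51fab68b87ba6cb
C:\Users\Admin\AppData\Local\Temp\·½°¸.ini
SHA256 51037184b477771ebe0558bed508315e05de95cb170a40a975d2326e97bfe88e
C:\Users\Admin\AppData\Local\Temp\ÉèÖÃ.ini
SHA256 3c0466e79066d63e524f4b8f5423409a9fcfa769334cde7b1628d5f86265be10
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
SHA256 99e1ce58bae4a415b4ce51deceff1fa9b24eb4b83dfead502d6d17dd02618162
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
SHA256 2f80da8d5b2a43e5b5274bab3abe684726f3d7b52935eb50fd5646c990ab23d6
"""

SAMPLE_TEMP = r"C:\Users\Admin\AppData\Local\Temp"   # from the command line above


def fix_mojibake(name, codepage="gbk"):
    """Undo 'GBK bytes displayed as Windows-1252/Latin-1' garbling.

    The sandbox read an ANSI file name byte for byte in its own code page, so
    each two-byte GBK character became two accented Latin letters. Encoding
    those letters back with the same single-byte code page restores the
    original bytes; decoding them as GBK restores the real name. cp1252 is
    tried first (assumed sandbox code page); latin-1 covers bytes cp1252
    cannot encode. ASCII-only names pass through unchanged, and a name that
    does not round-trip is returned as-is rather than guessed at.
    """
    for single_byte in ("cp1252", "latin-1"):
        try:
            return name.encode(single_byte).decode(codepage)
        except (UnicodeEncodeError, UnicodeDecodeError):
            continue
    return name


def parse_entries(text):
    """Yield (path, sha256) from alternating 'path' / 'SHA256 <hex>' lines."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    for path, hash_line in zip(lines[0::2], lines[1::2]):
        label, digest = hash_line.split()
        if label != "SHA256":
            raise ValueError(f"expected SHA256 line after {path!r}")
        yield path, digest


def group_by_path(text):
    """Map repaired path -> distinct SHA256 values in report order."""
    groups = OrderedDict()
    for path, digest in parse_entries(text):
        versions = groups.setdefault(fix_mojibake(path), [])
        if digest not in versions:
            versions.append(digest)
    return groups


def rewritten_files(groups):
    """Paths that occur with more than one hash: written more than once."""
    return {p: len(v) for p, v in groups.items() if len(v) > 1}


def sample_dropped(groups, temp=SAMPLE_TEMP):
    """Paths under the sample's Temp directory; Edge profile files excluded."""
    return [p for p in groups if p.startswith(temp + "\\")]


if __name__ == "__main__":
    groups = group_by_path(FILE_ENTRIES)
    for path, versions in groups.items():
        print(f"{len(versions)} version(s)  {path}")
    print("dropped by sample:", sample_dropped(groups))
```

For the three mojibake names this yields 设置.ini, 方案.ini and 快捷发言方案.txt; the grouping shows 设置.ini written three times, 方案.ini and Edge's Preferences twice each, and four distinct files under the sample's Temp directory.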