Malware Analysis Report

2025-06-16 03:38

Sample ID 240526-rm37kaaa36
Target c66e725556cfc9f8d6a3fad93ad77e918dc9844aa410e6c8687702d7adf1ed58
SHA256 c66e725556cfc9f8d6a3fad93ad77e918dc9844aa410e6c8687702d7adf1ed58
Tags
bootkit persistence upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

c66e725556cfc9f8d6a3fad93ad77e918dc9844aa410e6c8687702d7adf1ed58

Threat Level: Shows suspicious behavior

The file c66e725556cfc9f8d6a3fad93ad77e918dc9844aa410e6c8687702d7adf1ed58 was found to be: Shows suspicious behavior.

Malicious Activity Summary

bootkit persistence upx

UPX packed file

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-26 14:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 14:19

Reported

2024-05-26 14:22

Platform

win7-20240419-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c66e725556cfc9f8d6a3fad93ad77e918dc9844aa410e6c8687702d7adf1ed58.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\c66e725556cfc9f8d6a3fad93ad77e918dc9844aa410e6c8687702d7adf1ed58.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3544E1A1-1B6B-11EF-97A3-C6E8F1D2B27D} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c66e725556cfc9f8d6a3fad93ad77e918dc9844aa410e6c8687702d7adf1ed58.exe

"C:\Users\Admin\AppData\Local\Temp\c66e725556cfc9f8d6a3fad93ad77e918dc9844aa410e6c8687702d7adf1ed58.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://changkongbao.lanzouq.com/ikW9T1cfeg5e

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1492 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 gcstcp.com udp
CN 124.223.107.201:51388 gcstcp.com tcp
CN 124.223.107.201:51388 gcstcp.com tcp
CN 124.223.107.201:51388 gcstcp.com tcp
US 8.8.8.8:53 wwyp.lanzoul.com udp
CN 221.229.162.62:443 wwyp.lanzoul.com tcp
US 8.8.8.8:53 changkongbao.lanzouq.com udp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp

Files

memory/2176-0-0x0000000000400000-0x0000000000A6D000-memory.dmp

memory/2176-1-0x0000000000270000-0x000000000027B000-memory.dmp

memory/2176-2-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2176-4-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2176-6-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2176-3-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2176-25-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2176-46-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2176-18-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2176-51-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/2176-50-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2176-49-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2176-48-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2176-42-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2176-43-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2176-40-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2176-38-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2176-36-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2176-33-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2176-31-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2176-29-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2176-27-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2176-23-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2176-21-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2176-20-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2176-14-0x0000000000270000-0x000000000027B000-memory.dmp

memory/2176-12-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2176-10-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2176-8-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2176-54-0x00000000002D0000-0x00000000002D1000-memory.dmp

memory/2176-57-0x00000000002E0000-0x00000000002E1000-memory.dmp

memory/2176-56-0x0000000000370000-0x0000000000371000-memory.dmp

\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230421.lib

MD5 ef48d7cc52338513cc0ce843c5e3916b
SHA1 20965d86b7b358edf8b5d819302fa7e0e6159c18
SHA256 835bfef980ad0cedf10d8ade0cf5671d9f56062f2b22d0a0547b07772ceb25a8
SHA512 fd4602bd487eaad5febb5b3e9d8fe75f4190d1e44e538e7ae2d2129087f35b72b254c85d7335a81854aa2bdb4f0f2fa22e02a892ee23ac57b78cdd03a79259b9

C:\Users\Admin\AppData\Local\Temp\·½°¸.ini

MD5 842d9e10867153ad73a1a80d79afef13
SHA1 33a49d893273182e8aba6e9531c3077d4ab86516
SHA256 2823197bddf0203ea011003a4e70f2687da234a3388b5090a76da2c2562d33e4
SHA512 e6e10f63c7d3e65358bd6e66a7328f7d06d096b2ed936cd4504cfb8c6b5f4081dd55884bb915191156965b0eb9b3fda6a97b5b1a1eee45d59a41a4e375d1e518

C:\Users\Admin\AppData\Local\Temp\·½°¸.ini

MD5 16ef8177433976c14d23f839a8c1152a
SHA1 2b653ca841498be9292cbbc8b5119504e225f56d
SHA256 2a30dc50f2e6e73b059d7419b34924114bffcfa8d99f7703bfbdd4f9e5da8855
SHA512 9cccf0eb97b898988e5da63584e195528dd3a0f34d0608844a33c6ac5928d83c8159151a7a15d5382a10114b819cb72d8c5840d254d9ac1023ad6ac22ac4833e

C:\Users\Admin\AppData\Local\Temp\¿ì½Ý·¢ÑÔ·½°¸.txt

MD5 322f59ce015ff2f1f00ecbe4fdfce380
SHA1 eb4756a5bb023f6d1feacdbeac6e94013e15d5b0
SHA256 c96ef901d8f23cb7626ef980c4cf5bece7aafeef9b2b8b28829d3a11a51562c1
SHA512 2610ce1c0a55da67faa9ddaca26529a87bf5ebc6706621682d54024fa887ca9cd54cdc5b854f8b79ea99b02a5277d6931f633fa876107d9ec1bf503bee23a02c

C:\Users\Admin\AppData\Local\Temp\ÉèÖÃ.ini

MD5 764ece63db57842a490eb694cd2a68d3
SHA1 205d1caf7db22def5ab4a8ffdaece98cd80278f2
SHA256 fd8bb49fbad7aa33af93d4067ec84aaa1080175f7850a9e46a7eb15e68bcb62c
SHA512 f8c6225c2a8570616526ee06a70e889e02d2dc43cdb21d1736177cc69250df74a5d7492dbe59c634f8e48ea21bb200199f3615d85894cfd751fbb8328e4cf7d4

C:\Users\Admin\AppData\Local\Temp\ÉèÖÃ.ini

MD5 b06ddcfdb64cc28ca0a0ef609de5f05f
SHA1 bd95d141935795e249d2ab00824839fd42c8f505
SHA256 da0a5d79dc6a120811b556885b704f9fd158b1f19dd5a9c595719feb56065f00
SHA512 a1dd3cc527ce6a6c4b0ea2c369d4370f6f1bf332c9255e1a8eebfd5986c133dacc2e6c6a55071e5bcf4724f37ff2920f2e17567ca32571e664b458e526be72b5

C:\Users\Admin\AppData\Local\Temp\ÉèÖÃ.ini

MD5 924bf7a4ce305dad87743ba3c5773aa9
SHA1 12d0fddb472394b23e5176ab4ede38974e723b81
SHA256 01faf5e88442653bf38adc145d517f44d3495398e0aa666c7486b7030c126cbd
SHA512 2380c957717d3bc97ae2de96aba9cd3b50a1774eb96dc47840add1b12ee13485ee6cc6c4d30953b8f42d32ae3b02657966229fcbe58a60843df0cbd6170eb44e

C:\Users\Admin\AppData\Local\Temp\Cab5B7A.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar5BEC.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c6977c645e91f992a3527d1b35ab7990
SHA1 5e2a031a77775036716cc5706ee425966e9ff1ee
SHA256 9a9bf879a27d5be14aac113c833c2f895c83c8dfdbad9459546020ce0ec5e4da
SHA512 c9e16368a5a434abbcc94f58475e4078b98b4319403deac33342d485f78c4a4e076fd29abf00b5f7248c6b16e68985faa5625bc639d48300e5918fd744b4ff36

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 98074591ba3b02f1de22659d39fb8848
SHA1 6b3322d966ab0d1ef7de3d97b165dde823a6cd17
SHA256 d4980296379b6044bd383cb2cf4dec8b4508bca724b62b794ca7b370078d935e
SHA512 96aebbea95128815ffef93c0ab1f0f650a61d9ecbc60c6ab0b305957ce73c89d8f91f45ac64a49801c1351707da0f4f7cc46e2c892fc70120e6410dc1414f0f9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 59cecfe697d46ed1fcfb949b79e7b51d
SHA1 3f93a62db0f3938d31f870b411f3fe8716cce4e0
SHA256 76af8bb2e072cb60dbf02e283b243cb0f15c19e80ac639337aeefdc9dff87b5a
SHA512 a1552acab6d38950666c8e50f7e92201d8a606cf32604fa7403cb185a28370f9cae3e29ec0a600748ded02cab2610d24858de7f33e1bf38b252c7c7cffe5346a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e2f5d5dda20104f5ab2e1672c336b8f9
SHA1 0da91d3a911c478ed28c6328d4a0d69ffc71a739
SHA256 67d7e6cf3ef6d9c26ddbff5da0c651387aad14e49e27662580a00ce52ad19936
SHA512 d5cccfcbeed7380c9ec42edb97cadbe48d67fb71dc08454371eeb06f78c02c886d506e76866f3bc7b2131cc758b5805b18895d5cd12d2a809481e1f1b76192ec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fc0662fb923f0bc5e92eb1f9ff3a9775
SHA1 e6a22828c42aa41fd81ded4b1eb9fdc49c17abd1
SHA256 90966838ae8ee83f6d5358c09531a49edb9e634dc4e5c335a6617c461c062c9c
SHA512 4ae57b7b64243cd75234fe95b405f1380940edf3c18dac49a6dbe167b27b8cf5a9f75b34572b48484f53e72a17c82be97c526033c3dfcfffab3058892cd7f482

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 11e68bc2fd0c35203795269cbd6a068b
SHA1 87bc5e6d64206c9294e73dbf36ce67eb27dfab3f
SHA256 c1e7b9dcbf1caed66354ffdacacd52ee11ffde8dcf184155d3f3d4b3cb88ae62
SHA512 c257fd3a83868790521f29e8847fc29cab7d60a2b464d19191e6e71864688d49363cc02df49833b046a04dff1989060792eb2a6383a9f39040de3dcb6fd84b28

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2a9d2b3416d3164ddb6f45a4cb2e53be
SHA1 117e26b7ed011511e51e24cb6f01add76775a2cf
SHA256 79d7a88dfe0724b5e68c45d6021a5eefedf9d8ee0a221a87009bb4250cd1f9cb
SHA512 e6b298cf12a3e07b6c6ad1e1961172436da44e1294ffef66a51a119622a059adf30036f06ecd6e15e2ef00dc736367dbbc2df336fedbb51625c51eb383306e05

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 da9e747856792b5c17892498b4b9dcc4
SHA1 ec3713b4f4a854ad03ce660af6b498a47a1e0745
SHA256 fcf86d6d09691d7d9175233cf0ba3370be3d17987817e9499b35238e9c1ef0be
SHA512 0b04ef6dfa985da1eed9f2a651fa415221be56caea8830c956ae9debdc90ac06830751d3dd48e46bd6d9bcb777cc607c2e2cb21bc9a39c273ba75eb7f8998e67

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 75a434c33c2d8da84e56a8ec5bb4c4bb
SHA1 2e061c1f7734618a990d1971b2b6d599e603a18b
SHA256 22e5b0c3356cf7330b2db6fa682e3b8117f7567e16019fee5e7fcc229bd12a48
SHA512 5c74b9fca0312d4d183a040d985c5ef13e68d97bb0826cbb81199d4684337c15c65de1659411b9fb749de3d8c08b8b05da26e57c95904d2f6e88c3dd6a5328b7

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 14:19

Reported

2024-05-26 14:22

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c66e725556cfc9f8d6a3fad93ad77e918dc9844aa410e6c8687702d7adf1ed58.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\c66e725556cfc9f8d6a3fad93ad77e918dc9844aa410e6c8687702d7adf1ed58.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4008 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\c66e725556cfc9f8d6a3fad93ad77e918dc9844aa410e6c8687702d7adf1ed58.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4008 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\c66e725556cfc9f8d6a3fad93ad77e918dc9844aa410e6c8687702d7adf1ed58.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 1288 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 1288 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4184 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4184 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4184 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4184 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4184 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4184 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4184 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4184 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4184 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4184 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4184 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4184 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4184 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4184 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4184 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4184 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4184 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4184 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c66e725556cfc9f8d6a3fad93ad77e918dc9844aa410e6c8687702d7adf1ed58.exe

"C:\Users\Admin\AppData\Local\Temp\c66e725556cfc9f8d6a3fad93ad77e918dc9844aa410e6c8687702d7adf1ed58.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://changkongbao.lanzouq.com/ikW9T1cfeg5e

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ffc4ec546f8,0x7ffc4ec54708,0x7ffc4ec54718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,17883558669164808225,5719655293763858003,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,17883558669164808225,5719655293763858003,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,17883558669164808225,5719655293763858003,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17883558669164808225,5719655293763858003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17883558669164808225,5719655293763858003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,17883558669164808225,5719655293763858003,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,17883558669164808225,5719655293763858003,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17883558669164808225,5719655293763858003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17883558669164808225,5719655293763858003,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17883558669164808225,5719655293763858003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17883558669164808225,5719655293763858003,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17883558669164808225,5719655293763858003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17883558669164808225,5719655293763858003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17883558669164808225,5719655293763858003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 gcstcp.com udp
CN 124.223.107.201:51388 gcstcp.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
CN 124.223.107.201:51388 gcstcp.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
CN 124.223.107.201:51388 gcstcp.com tcp
US 8.8.8.8:53 wwyp.lanzoul.com udp
CN 106.8.246.201:443 wwyp.lanzoul.com tcp
US 8.8.8.8:53 changkongbao.lanzouq.com udp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 changkongbao.lanzouq.com udp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
N/A 224.0.0.251:5353 udp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp

Files

memory/4008-31-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4008-35-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4008-44-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4008-47-0x0000000001020000-0x000000000102B000-memory.dmp

memory/4008-46-0x0000000001040000-0x0000000001041000-memory.dmp

memory/4008-45-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4008-42-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4008-40-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4008-38-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4008-36-0x0000000000400000-0x0000000000A6D000-memory.dmp

memory/4008-33-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4008-29-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4008-27-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4008-26-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4008-23-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4008-21-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4008-19-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4008-17-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4008-15-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4008-13-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4008-9-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4008-7-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4008-2-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4008-1-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4008-0-0x0000000001020000-0x000000000102B000-memory.dmp

memory/4008-11-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4008-5-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4008-3-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4008-50-0x0000000001050000-0x0000000001051000-memory.dmp

memory/4008-52-0x0000000001070000-0x0000000001071000-memory.dmp

memory/4008-53-0x0000000001060000-0x0000000001061000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230421.lib

MD5 ef48d7cc52338513cc0ce843c5e3916b
SHA1 20965d86b7b358edf8b5d819302fa7e0e6159c18
SHA256 835bfef980ad0cedf10d8ade0cf5671d9f56062f2b22d0a0547b07772ceb25a8
SHA512 fd4602bd487eaad5febb5b3e9d8fe75f4190d1e44e538e7ae2d2129087f35b72b254c85d7335a81854aa2bdb4f0f2fa22e02a892ee23ac57b78cdd03a79259b9

memory/4008-82-0x00000000064D0000-0x00000000064D1000-memory.dmp

memory/4008-81-0x00000000064E0000-0x00000000064E1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 612a6c4247ef652299b376221c984213
SHA1 d306f3b16bde39708aa862aee372345feb559750
SHA256 9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a
SHA512 34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

C:\Users\Admin\AppData\Local\Temp\·½°¸.ini

MD5 842d9e10867153ad73a1a80d79afef13
SHA1 33a49d893273182e8aba6e9531c3077d4ab86516
SHA256 2823197bddf0203ea011003a4e70f2687da234a3388b5090a76da2c2562d33e4
SHA512 e6e10f63c7d3e65358bd6e66a7328f7d06d096b2ed936cd4504cfb8c6b5f4081dd55884bb915191156965b0eb9b3fda6a97b5b1a1eee45d59a41a4e375d1e518

\??\pipe\LOCAL\crashpad_3056_ZCQKQPWIIKSKKUAM

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 56641592f6e69f5f5fb06f2319384490
SHA1 6a86be42e2c6d26b7830ad9f4e2627995fd91069
SHA256 02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455
SHA512 c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

C:\Users\Admin\AppData\Local\Temp\ÉèÖÃ.ini

MD5 b06ddcfdb64cc28ca0a0ef609de5f05f
SHA1 bd95d141935795e249d2ab00824839fd42c8f505
SHA256 da0a5d79dc6a120811b556885b704f9fd158b1f19dd5a9c595719feb56065f00
SHA512 a1dd3cc527ce6a6c4b0ea2c369d4370f6f1bf332c9255e1a8eebfd5986c133dacc2e6c6a55071e5bcf4724f37ff2920f2e17567ca32571e664b458e526be72b5

C:\Users\Admin\AppData\Local\Temp\¿ì½Ý·¢ÑÔ·½°¸.txt

MD5 322f59ce015ff2f1f00ecbe4fdfce380
SHA1 eb4756a5bb023f6d1feacdbeac6e94013e15d5b0
SHA256 c96ef901d8f23cb7626ef980c4cf5bece7aafeef9b2b8b28829d3a11a51562c1
SHA512 2610ce1c0a55da67faa9ddaca26529a87bf5ebc6706621682d54024fa887ca9cd54cdc5b854f8b79ea99b02a5277d6931f633fa876107d9ec1bf503bee23a02c

C:\Users\Admin\AppData\Local\Temp\·½°¸.ini

MD5 16ef8177433976c14d23f839a8c1152a
SHA1 2b653ca841498be9292cbbc8b5119504e225f56d
SHA256 2a30dc50f2e6e73b059d7419b34924114bffcfa8d99f7703bfbdd4f9e5da8855
SHA512 9cccf0eb97b898988e5da63584e195528dd3a0f34d0608844a33c6ac5928d83c8159151a7a15d5382a10114b819cb72d8c5840d254d9ac1023ad6ac22ac4833e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b1e4e211015e67a75459003b48755bc1
SHA1 7de808956ecc7987cb517a5e712b672414805e03
SHA256 f4b0885d3bd2082565fed83f08e11bb640d6688ce60fc2fc9cfba297cfbd70f7
SHA512 5db5bcbdb778358d24194265eaf4df05f600e4fc8d5055ecea0fbd1fa7a3cd54843d14d55b098df44e6746e977c3f522268ba51b7041e24ea9cc35fb7a5a6f3e

C:\Users\Admin\AppData\Local\Temp\ÉèÖÃ.ini

MD5 924bf7a4ce305dad87743ba3c5773aa9
SHA1 12d0fddb472394b23e5176ab4ede38974e723b81
SHA256 01faf5e88442653bf38adc145d517f44d3495398e0aa666c7486b7030c126cbd
SHA512 2380c957717d3bc97ae2de96aba9cd3b50a1774eb96dc47840add1b12ee13485ee6cc6c4d30953b8f42d32ae3b02657966229fcbe58a60843df0cbd6170eb44e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 013d8cd9d77b2ce6d3e63c7bb30ac15f
SHA1 04731e16b02f3353dcabeeae0af2181d44d4d1c3
SHA256 ba1bad6e6c222e4df530612a185a8f5d9fc3692f01a4c3d02ca701b0eec5db6f
SHA512 b66af2a9353f8d7d9214d89bb1c82d35891180e7582365ed155a67b010ebe9501acbb1ac09fcb8a10be726d717288d3ee8d07669e8aa718d78c7680e40be98cd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d5a16a304d4162b1bb9fd1060ab35ddb
SHA1 02967b65c9275e9a91a242eae3ede0687474a896
SHA256 9dac52620bb4e2d66da31b1c1a36b79290e991d37e56f5c95c4dcbd77558d4b4
SHA512 f89c61666e68d61d08711a53b5f5534d3e3646e36e25aa8063377e199e8c37dfb48b9b8d6f5befcb97509cbf186ad89d93d992dda57785c53df072a81a837fe7