ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2022 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
Size

111KB
MD5

0a9dfe5f60f2c99508cacd9261b62b25
SHA1

b89b32f1cbfb9d6040c00131d65fa3cd03a5ffa8
SHA256

ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b
SHA512

348a259755b7107bb4f38198f0f3b35877587f603e9540774da9b11fbb5db58035fce9b8d2fae33109d452080fbb99b77980c1c3221d4991ea1942049d7ade8b
SSDEEP

3072:u0v4Yb2eruGgAaeXWhTj+feuCL0ov7jG8Cy/ecX:Jvrb22uGLbWhTjYeuvgew

Score

8^/10

microsoft persistence phishing upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
5084	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.tmp
1580	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.mm
4728	YZH.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4608-132-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/files/0x000300000000072b-136.dat	upx
behavioral2/files/0x000300000000072b-137.dat	upx
behavioral2/files/0x000300000000072d-140.dat	upx
behavioral2/files/0x000300000000072d-141.dat	upx
behavioral2/memory/1580-142-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/4728-143-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/1580-144-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/4608-147-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/4728-151-0x0000000000400000-0x000000000043F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SoftWare\Microsoft\Windows\CurrentVersion\Run	YZH.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Key created	\REGISTRY\MACHINE\SoftWare\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.mm
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YZH = "C:\\Windows\\YZH.exe"	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.mm
Key created	\REGISTRY\MACHINE\SoftWare\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	YZH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YZH = "C:\\Windows\\YZH.exe"	YZH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YZH = "C:\\Windows\\YZH.exe"	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.mm
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SoftWare\Microsoft\Windows\CurrentVersion\Run	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.mm
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YZH = "C:\\Windows\\YZH.exe"	YZH.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened (read-only)	\??\B:	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\1f9aad6a-b5f1-428a-83df-0302d6d26784.tmp	setup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221002001718.pma	setup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\YZH.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.mm
File opened for modification	C:\Windows\YZH.exe	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.mm
File created	C:\Windows\YZH.exe	YZH.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4608	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
4608	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe
4728	YZH.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4728	YZH.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1884	msedge.exe
1884	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 5084	4608	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe	82
PID 4608 wrote to memory of 5084	4608	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe	82
PID 4608 wrote to memory of 1580	4608	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe	84
PID 4608 wrote to memory of 1580	4608	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe	84
PID 4608 wrote to memory of 1580	4608	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe	84
PID 1580 wrote to memory of 4728	1580	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.mm	85
PID 1580 wrote to memory of 4728	1580	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.mm	85
PID 1580 wrote to memory of 4728	1580	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.mm	85
PID 5084 wrote to memory of 3376	5084	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.tmp	86
PID 5084 wrote to memory of 3376	5084	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.tmp	86
PID 3376 wrote to memory of 3256	3376	msedge.exe	87
PID 3376 wrote to memory of 3256	3376	msedge.exe	87
PID 5084 wrote to memory of 1884	5084	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.tmp	88
PID 5084 wrote to memory of 1884	5084	ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.tmp	88
PID 1884 wrote to memory of 4592	1884	msedge.exe	89
PID 1884 wrote to memory of 4592	1884	msedge.exe	89
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4936	3376	msedge.exe	93
PID 3376 wrote to memory of 4180	3376	msedge.exe	94
PID 3376 wrote to memory of 4180	3376	msedge.exe	94
PID 1884 wrote to memory of 4912	1884	msedge.exe	95
PID 1884 wrote to memory of 4912	1884	msedge.exe	95
PID 1884 wrote to memory of 4912	1884	msedge.exe	95
PID 1884 wrote to memory of 4912	1884	msedge.exe	95
PID 1884 wrote to memory of 4912	1884	msedge.exe	95
PID 1884 wrote to memory of 4912	1884	msedge.exe	95

C:\Users\Admin\AppData\Local\Temp\ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe
"C:\Users\Admin\AppData\Local\Temp\ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Users\Admin\AppData\Local\Temp\ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.tmp
  C:\Users\Admin\AppData\Local\Temp\ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.tmp
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.tmp&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3376
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffa672846f8,0x7ffa67284708,0x7ffa67284718
      4⤵
      PID:3256
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,7985182310594072923,12506356742533194996,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
      4⤵
      PID:4936
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,7985182310594072923,12506356742533194996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
      4⤵
      PID:4180
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.tmp&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    - Adds Run key to start application
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa672846f8,0x7ffa67284708,0x7ffa67284718
      4⤵
      PID:4592
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,10603123146606856185,651187694501459327,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
      4⤵
      PID:4912
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,10603123146606856185,651187694501459327,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
      4⤵
      PID:3776
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,10603123146606856185,651187694501459327,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
      4⤵
      PID:3796
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10603123146606856185,651187694501459327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
      4⤵
      PID:3152
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10603123146606856185,651187694501459327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
      4⤵
      PID:900
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10603123146606856185,651187694501459327,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
      4⤵
      PID:1776
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10603123146606856185,651187694501459327,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
      4⤵
      PID:3420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10603123146606856185,651187694501459327,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
      4⤵
      PID:1092
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2080,10603123146606856185,651187694501459327,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4380 /prefetch:8
      4⤵
      PID:3956
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10603123146606856185,651187694501459327,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4376 /prefetch:1
      4⤵
      PID:2108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10603123146606856185,651187694501459327,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
      4⤵
      PID:1204
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:2844
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7dd995460,0x7ff7dd995470,0x7ff7dd995480
        5⤵
        
        PID:4140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,10603123146606856185,651187694501459327,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3452 /prefetch:8
      4⤵
      PID:2612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,10603123146606856185,651187694501459327,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3452 /prefetch:8
      4⤵
      PID:4016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2080,10603123146606856185,651187694501459327,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5688 /prefetch:8
      4⤵
      PID:1368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,10603123146606856185,651187694501459327,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1584 /prefetch:2
      4⤵
      PID:2900
- C:\Users\Admin\AppData\Local\Temp\ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.mm
  C:\Users\Admin\AppData\Local\Temp\ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.mm /zhj
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Windows\YZH.exe
    C:\Windows\YZH.exe /zhj
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    PID:4728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
471B

MD5
134cd5863206871ee818911ad6c6cdc9

SHA1
f61b565d88b199f1a87f3bcde3c1a546f1199dcc

SHA256
97a63c5fc2eb0fd62f47827461de672927e0991c9e8005e0844902c268eea072

SHA512
00e922cd406aab93e86e1e989ca23d2f1c55148d672d86809b5e18889bf1baf87204da3867de7c67e84970b09bde82876df62f89dc59094315017a000b540308

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE

Filesize
471B

MD5
c23b69393fce27542d40c40b433e02e0

SHA1
eb8ce98c5d20d7a19ad3e126afb2b007ff6bab82

SHA256
dc702082209ae37c6ca7549fcba9b139ceddf1c56acf3490d532c4ddd51e32fa

SHA512
4e9ce85e7bc8b58dd99af2627da88b507c43bea218f59ef01640a467a5641129600352e83fb281cdde1e79696a9228605a0dd1a441d5ea5b0a03982264d0e60f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
412B

MD5
a35bf1a6a8a23cd536a96197e2cd788e

SHA1
b0ce6c7a965cf66a522e7daed502fa35d9641fd9

SHA256
9f28ba3cc5df7b218abbae0040836dd29488f071abde955cd47b66064fbbbe8e

SHA512
efb6abbf22ba138fdad23692a7bd0cc190a8ac464798986e9512f9a010c21b124ad1987efb9e49b44d68117502ba2156c8c127ab1c0aee8150630f1ce9b909c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE

Filesize
416B

MD5
22ef04769a8e550a0e824e1e9439c221

SHA1
e5fa0a2d77ea3030ca5bba9c17fd6ca9cafe2ef6

SHA256
4e068f7fb27b8208ef9936301f4d95f7bbf2006857dd5c8bec0771db5c886f27

SHA512
d47b4f842a3692fcf7c595defaaa92ecaf880c1ff56c80af529af70d654b613babb2992a7ab640002b4f1be62067a0618ab581147aded30816614214a83f0fdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
727230d7b0f8df1633bc043529f5c15d

SHA1
5b24d959d4c5dcf8125125dbee37225d6160af18

SHA256
54961bcb62812886877fcd3ad3896891099cc4bddc51ea6f07a606cf5124d998

SHA512
35735f0dadf7ee69bcccd5e9120d6a55db39138eff58acbe4ea8116fb007c54a024028dccd5f25856ffcf33e1f3bdccfd8d0e2527130a16351debb04c27b8df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
727230d7b0f8df1633bc043529f5c15d

SHA1
5b24d959d4c5dcf8125125dbee37225d6160af18

SHA256
54961bcb62812886877fcd3ad3896891099cc4bddc51ea6f07a606cf5124d998

SHA512
35735f0dadf7ee69bcccd5e9120d6a55db39138eff58acbe4ea8116fb007c54a024028dccd5f25856ffcf33e1f3bdccfd8d0e2527130a16351debb04c27b8df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7b4b103831d353776ed8bfcc7676f9df

SHA1
40f33a3f791fda49a35224a469cc67b94ca53a23

SHA256
bf59580e4d4a781622abb3d43674dedc8d618d6c6da09e7d85d920cd9cea4e85

SHA512
5cb3360ac602d18425bdb977be3c9ee8bbe815815278a8848488ba9097e849b7d67f993b4795216e0c168cdc9c9260de504cccb305ff808da63762c2209e532f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
8d078b9d259df79b5fae6c7ddce16386

SHA1
abcd7b91262dce185d35fd9d5af8aefaed72fbf5

SHA256
ace695247226ae12576d9ad8ff7f89451eafd54c69031b600c2d2d79f5001505

SHA512
12631f1c69d8fa8dfda460d1cddd7207127a8558b028c92201a5037b7be02ff5b88476019c42831f0159acb2e4a61316dc15ce9c4ec9ddae37bac3f92ca2c107

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.mm

Filesize
83KB

MD5
0d4e2a192df1abaf9edb4a3673a61096

SHA1
ea32f10e12ddba6c400c7159fbdafcd53a9c719a

SHA256
a8bd6c3e90f8ac160bf590863c6fe63ed3a7b4646288aae7fd76cd36f97deb6a

SHA512
7f9e2299634f58bad94b3b51ffee0d1a9e370052baa7252d0343dbabba61f61efd491e0baeba97adecaad337620190b20cbf43b007936364750fdfde5c341d12

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.mm

Filesize
83KB

MD5
0d4e2a192df1abaf9edb4a3673a61096

SHA1
ea32f10e12ddba6c400c7159fbdafcd53a9c719a

SHA256
a8bd6c3e90f8ac160bf590863c6fe63ed3a7b4646288aae7fd76cd36f97deb6a

SHA512
7f9e2299634f58bad94b3b51ffee0d1a9e370052baa7252d0343dbabba61f61efd491e0baeba97adecaad337620190b20cbf43b007936364750fdfde5c341d12

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.tmp

Filesize
28KB

MD5
704bb7d1eead3a913233b9e7a8c7c6c1

SHA1
be976b246766b09d96c7a13888f489c2ed91d49e

SHA256
461d6d0a3b830e78e5c48e4188d172c565bee389c8490d8f1ff04660e05a8493

SHA512
11bac0a186bcc5a49819276844b53ea5709c2b2c30677c22a3fce55e061d1fdf360d4820dae1c148678c72b9d9d17dc3077b18498ce8b7df1a4a7e0e75b84466

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca29c95370adc8897660104db605b360ab953ad2330c6c336dfac3deb260147b.tmp

Filesize
28KB

MD5
704bb7d1eead3a913233b9e7a8c7c6c1

SHA1
be976b246766b09d96c7a13888f489c2ed91d49e

SHA256
461d6d0a3b830e78e5c48e4188d172c565bee389c8490d8f1ff04660e05a8493

SHA512
11bac0a186bcc5a49819276844b53ea5709c2b2c30677c22a3fce55e061d1fdf360d4820dae1c148678c72b9d9d17dc3077b18498ce8b7df1a4a7e0e75b84466

Download Submit
C:\Windows\YZH.exe

Filesize
83KB

MD5
0d4e2a192df1abaf9edb4a3673a61096

SHA1
ea32f10e12ddba6c400c7159fbdafcd53a9c719a

SHA256
a8bd6c3e90f8ac160bf590863c6fe63ed3a7b4646288aae7fd76cd36f97deb6a

SHA512
7f9e2299634f58bad94b3b51ffee0d1a9e370052baa7252d0343dbabba61f61efd491e0baeba97adecaad337620190b20cbf43b007936364750fdfde5c341d12

Download Submit
C:\Windows\YZH.exe

Filesize
83KB

MD5
0d4e2a192df1abaf9edb4a3673a61096

SHA1
ea32f10e12ddba6c400c7159fbdafcd53a9c719a

SHA256
a8bd6c3e90f8ac160bf590863c6fe63ed3a7b4646288aae7fd76cd36f97deb6a

SHA512
7f9e2299634f58bad94b3b51ffee0d1a9e370052baa7252d0343dbabba61f61efd491e0baeba97adecaad337620190b20cbf43b007936364750fdfde5c341d12

Download Submit
memory/1580-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1580-142-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4608-147-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4608-132-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4728-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4728-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download