640b41fd6e2b9d33490ecc0943abf950127803bdca344999702e6714d1afd9c6

General

Target

640b41fd6e2b9d33490ecc0943abf950127803bdca344999702e6714d1afd9c6.exe
Size

2.3MB
MD5

9b0a133907d375fe9660fe1096c16e25
SHA1

483be8832a4d7e5215485869857d4e55a6f02536
SHA256

640b41fd6e2b9d33490ecc0943abf950127803bdca344999702e6714d1afd9c6
SHA512

5e6c71c667af4f8e13868379f30027a18536cdb0ca4353bc7125dd55775210b5a03cdb25cda18c97ba456b75cfe26ed8467e48bb47e44f2347ab671279950bc0
SSDEEP

49152:hc//////ZTIuA0Vt5yEslK/3/fKWFbZXgmp8xm4pvo1irlR/nF/T7DZ4:hc//////jt5yDI/3ntZJ8sKw1ol1F/TW

Score

8^/10

discovery upx vmprotect

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

CFÓ´Ó´Ê®±¶¼ÓËÙ.×Ô¶¯¿ªÇ¹0820sp1.exetj1.exegamedmon.exe

pid process

4872 CFÓ´Ó´Ê®±¶¼ÓËÙ.×Ô¶¯¿ªÇ¹0820sp1.exe
1304 tj1.exe
2648 gamedmon.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tj1.exe	upx
C:\Users\Admin\AppData\Local\Temp\tj1.exe	upx
behavioral2/memory/1304-141-0x0000000000420000-0x00000000004A3000-memory.dmp	upx
behavioral2/memory/1304-145-0x0000000000420000-0x00000000004A3000-memory.dmp	upx
behavioral2/memory/1304-151-0x0000000000420000-0x00000000004A3000-memory.dmp	upx

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\CFÓ´Ó´Ê®±¶¼ÓËÙ.×Ô¶¯¿ªÇ¹0820sp1.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\CFÓ´Ó´Ê®±¶¼ÓËÙ.×Ô¶¯¿ªÇ¹0820sp1.exe	vmprotect
behavioral2/memory/4872-140-0x0000000000400000-0x0000000000906000-memory.dmp	vmprotect
behavioral2/memory/4872-142-0x0000000000400000-0x0000000000906000-memory.dmp	vmprotect
behavioral2/memory/4872-144-0x0000000000400000-0x0000000000906000-memory.dmp	vmprotect
behavioral2/memory/4872-170-0x0000000000400000-0x0000000000906000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

tj1.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation tj1.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in Program Files directory 2 IoCs

Processes:

tj1.exe

description ioc process

File created C:\Program Files (x86)\Æô¶¯\Æô¶¯.exe tj1.exe
File created C:\Program Files (x86)\Æô¶¯\Uninstall.exe tj1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	tj1.exe

description	ioc	process
File created	C:\Program Files (x86)\Æô¶¯\Æô¶¯.exe	tj1.exe
File created	C:\Program Files (x86)\Æô¶¯\Uninstall.exe	tj1.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

CFÓ´Ó´Ê®±¶¼ÓËÙ.×Ô¶¯¿ªÇ¹0820sp1.exetj1.exegamedmon.exemsedge.exemsedge.exe

pid	process
4872	CFÓ´Ó´Ê®±¶¼ÓËÙ.×Ô¶¯¿ªÇ¹0820sp1.exe
4872	CFÓ´Ó´Ê®±¶¼ÓËÙ.×Ô¶¯¿ªÇ¹0820sp1.exe
1304	tj1.exe
1304	tj1.exe
2648	gamedmon.exe
2648	gamedmon.exe
1068	msedge.exe
1068	msedge.exe
2500	msedge.exe
2500	msedge.exe
2648	gamedmon.exe
2648	gamedmon.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

2500 msedge.exe
2500 msedge.exe
2500 msedge.exe
2500 msedge.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tj1.exe

description pid process

Token: SeIncBasePriorityPrivilege 1304 tj1.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

2500 msedge.exe
2500 msedge.exe

pid	process
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1304	tj1.exe

pid	process
2500	msedge.exe
2500	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

CFÓ´Ó´Ê®±¶¼ÓËÙ.×Ô¶¯¿ªÇ¹0820sp1.exe

pid	process
4872	CFÓ´Ó´Ê®±¶¼ÓËÙ.×Ô¶¯¿ªÇ¹0820sp1.exe
4872	CFÓ´Ó´Ê®±¶¼ÓËÙ.×Ô¶¯¿ªÇ¹0820sp1.exe
4872	CFÓ´Ó´Ê®±¶¼ÓËÙ.×Ô¶¯¿ªÇ¹0820sp1.exe
4872	CFÓ´Ó´Ê®±¶¼ÓËÙ.×Ô¶¯¿ªÇ¹0820sp1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

640b41fd6e2b9d33490ecc0943abf950127803bdca344999702e6714d1afd9c6.execmd.execmd.exetj1.exeCFÓ´Ó´Ê®±¶¼ÓËÙ.×Ô¶¯¿ªÇ¹0820sp1.exemsedge.exe

description	pid	process	target process
PID 1996 wrote to memory of 4208	1996	640b41fd6e2b9d33490ecc0943abf950127803bdca344999702e6714d1afd9c6.exe	cmd.exe
PID 1996 wrote to memory of 4208	1996	640b41fd6e2b9d33490ecc0943abf950127803bdca344999702e6714d1afd9c6.exe	cmd.exe
PID 1996 wrote to memory of 4208	1996	640b41fd6e2b9d33490ecc0943abf950127803bdca344999702e6714d1afd9c6.exe	cmd.exe
PID 1996 wrote to memory of 4748	1996	640b41fd6e2b9d33490ecc0943abf950127803bdca344999702e6714d1afd9c6.exe	cmd.exe
PID 1996 wrote to memory of 4748	1996	640b41fd6e2b9d33490ecc0943abf950127803bdca344999702e6714d1afd9c6.exe	cmd.exe
PID 1996 wrote to memory of 4748	1996	640b41fd6e2b9d33490ecc0943abf950127803bdca344999702e6714d1afd9c6.exe	cmd.exe
PID 4208 wrote to memory of 4872	4208	cmd.exe	CFÓ´Ó´Ê®±¶¼ÓËÙ.×Ô¶¯¿ªÇ¹0820sp1.exe
PID 4208 wrote to memory of 4872	4208	cmd.exe	CFÓ´Ó´Ê®±¶¼ÓËÙ.×Ô¶¯¿ªÇ¹0820sp1.exe
PID 4208 wrote to memory of 4872	4208	cmd.exe	CFÓ´Ó´Ê®±¶¼ÓËÙ.×Ô¶¯¿ªÇ¹0820sp1.exe
PID 4748 wrote to memory of 1304	4748	cmd.exe	tj1.exe
PID 4748 wrote to memory of 1304	4748	cmd.exe	tj1.exe
PID 4748 wrote to memory of 1304	4748	cmd.exe	tj1.exe
PID 1304 wrote to memory of 2648	1304	tj1.exe	gamedmon.exe
PID 1304 wrote to memory of 2648	1304	tj1.exe	gamedmon.exe
PID 1304 wrote to memory of 2648	1304	tj1.exe	gamedmon.exe
PID 1304 wrote to memory of 740	1304	tj1.exe	cmd.exe
PID 1304 wrote to memory of 740	1304	tj1.exe	cmd.exe
PID 1304 wrote to memory of 740	1304	tj1.exe	cmd.exe
PID 4872 wrote to memory of 2500	4872	CFÓ´Ó´Ê®±¶¼ÓËÙ.×Ô¶¯¿ªÇ¹0820sp1.exe	msedge.exe
PID 4872 wrote to memory of 2500	4872	CFÓ´Ó´Ê®±¶¼ÓËÙ.×Ô¶¯¿ªÇ¹0820sp1.exe	msedge.exe
PID 2500 wrote to memory of 1652	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1652	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1376	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1068	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 1068	2500	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\640b41fd6e2b9d33490ecc0943abf950127803bdca344999702e6714d1afd9c6.exe
"C:\Users\Admin\AppData\Local\Temp\640b41fd6e2b9d33490ecc0943abf950127803bdca344999702e6714d1afd9c6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\CFÓ´Ó´Ê®±¶¼ÓËÙ.×Ô¶¯¿ªÇ¹0820sp1.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4208

C:\Users\Admin\AppData\Local\Temp\CFÓ´Ó´Ê®±¶¼ÓËÙ.×Ô¶¯¿ªÇ¹0820sp1.exe
C:\Users\Admin\AppData\Local\Temp\CFÓ´Ó´Ê®±¶¼ÓËÙ.×Ô¶¯¿ªÇ¹0820sp1.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.75yoyo.com/
4⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc930b46f8,0x7ffc930b4708,0x7ffc930b4718
5⤵
PID:1652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,10716392327124433438,11975565260514409817,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
5⤵
PID:1376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,10716392327124433438,11975565260514409817,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,10716392327124433438,11975565260514409817,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
5⤵
PID:2296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10716392327124433438,11975565260514409817,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
5⤵
PID:4148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10716392327124433438,11975565260514409817,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
5⤵
PID:1996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10716392327124433438,11975565260514409817,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
5⤵
PID:4312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10716392327124433438,11975565260514409817,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:1
5⤵
PID:4128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.75yoyo.com/
4⤵
PID:484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc930b46f8,0x7ffc930b4708,0x7ffc930b4718
5⤵
PID:2124

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\tj1.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4748

C:\Users\Admin\AppData\Local\Temp\tj1.exe
C:\Users\Admin\AppData\Local\Temp\tj1.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\AppData\Local\Temp\gamedmon.exe
C:\Users\Admin\AppData\Local\Temp\gamedmon.exe -startgame
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\tj1.exe > nul
4⤵
PID:740

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
474f6b5f63fd2cee53faf117f3f35846

SHA1
42235947062a354f912dd257b96eca7d393ffd3f

SHA256
eaf639382d795b255efd8870c502a646fb1ca75d55347821894d3cac56e5a822

SHA512
998d7ff694cf521d86afe808699b7f2cc2834ef2528ac3384de22cdb43adb81723209c1060021ca6f14e7012baa87425ab63cd340987f52dfa903e0980b33794

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFÓ´Ó´Ê®±¶¼ÓËÙ.×Ô¶¯¿ªÇ¹0820sp1.exe
Filesize
2.0MB

MD5
374ed76da0246da8ff3f8cf611066b27

SHA1
36437344d1ad7bf863517c57fb704877171ed450

SHA256
47ae3aa334c6f294879fe0033da6417b3e5df4e11241d17bef230e1ced421fb5

SHA512
561b20748d1a9f4829d4735672401e365f512da58b243282ce2cc3ae6d7bf14f782c49090eda0f7fea97c80111724999082e60aa978fa60959ee3ec4d20b2172

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFÓ´Ó´Ê®±¶¼ÓËÙ.×Ô¶¯¿ªÇ¹0820sp1.exe
Filesize
2.0MB

MD5
374ed76da0246da8ff3f8cf611066b27

SHA1
36437344d1ad7bf863517c57fb704877171ed450

SHA256
47ae3aa334c6f294879fe0033da6417b3e5df4e11241d17bef230e1ced421fb5

SHA512
561b20748d1a9f4829d4735672401e365f512da58b243282ce2cc3ae6d7bf14f782c49090eda0f7fea97c80111724999082e60aa978fa60959ee3ec4d20b2172

Download Submit
C:\Users\Admin\AppData\Local\Temp\gamedmon.exe
Filesize
172KB

MD5
ceef802c5f0704313fa75ab44dfd2fdb

SHA1
e904aceee1b077a6d98cf80d0419c5b71ebd0a79

SHA256
21b6174a585d9388faa9561213982d08e88473e11b21a07deba2e70023e3e3c9

SHA512
029d2436d3f6bfb567b75799f48d423a09803094ff4a96c1e47b5ac2902c3d4abf552b6a666fdfe86c59f727546e93dd17361d6abe8b94c999a616cb0eb16743

Download Submit
C:\Users\Admin\AppData\Local\Temp\gamedmon.exe
Filesize
172KB

MD5
ceef802c5f0704313fa75ab44dfd2fdb

SHA1
e904aceee1b077a6d98cf80d0419c5b71ebd0a79

SHA256
21b6174a585d9388faa9561213982d08e88473e11b21a07deba2e70023e3e3c9

SHA512
029d2436d3f6bfb567b75799f48d423a09803094ff4a96c1e47b5ac2902c3d4abf552b6a666fdfe86c59f727546e93dd17361d6abe8b94c999a616cb0eb16743

Download Submit
C:\Users\Admin\AppData\Local\Temp\tj1.exe
Filesize
189KB

MD5
9381e74be11b04acfa7cac3ca62a359b

SHA1
7e1203c1b50022dcfe3ad4746ad210fe0c4a8915

SHA256
e94f229e151bd11070c564966cf04d692699071cf8b82d041fafaf0c4d7e1a2a

SHA512
be555c3389d20207af3edd01a67fe588dd7984879acf65adc3166a2ab09a1094e40c3c003a25de06e681e8b48197f734c4b7b8e54297f0d2a883ebfeef91dea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tj1.exe
Filesize
189KB

MD5
9381e74be11b04acfa7cac3ca62a359b

SHA1
7e1203c1b50022dcfe3ad4746ad210fe0c4a8915

SHA256
e94f229e151bd11070c564966cf04d692699071cf8b82d041fafaf0c4d7e1a2a

SHA512
be555c3389d20207af3edd01a67fe588dd7984879acf65adc3166a2ab09a1094e40c3c003a25de06e681e8b48197f734c4b7b8e54297f0d2a883ebfeef91dea3

Download Submit
\??\pipe\LOCAL\crashpad_2500_CGYCDXLLMYRSVYCC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/484-163-0x0000000000000000-mapping.dmp

Download
memory/740-149-0x0000000000000000-mapping.dmp

Download
memory/1068-155-0x0000000000000000-mapping.dmp

Download
memory/1304-151-0x0000000000420000-0x00000000004A3000-memory.dmp

Filesize
524KB

Download
memory/1304-145-0x0000000000420000-0x00000000004A3000-memory.dmp

Filesize
524KB

Download
memory/1304-137-0x0000000000000000-mapping.dmp

Download
memory/1304-141-0x0000000000420000-0x00000000004A3000-memory.dmp

Filesize
524KB

Download
memory/1376-154-0x0000000000000000-mapping.dmp

Download
memory/1652-152-0x0000000000000000-mapping.dmp

Download
memory/1996-162-0x0000000000000000-mapping.dmp

Download
memory/2124-164-0x0000000000000000-mapping.dmp

Download
memory/2296-158-0x0000000000000000-mapping.dmp

Download
memory/2500-150-0x0000000000000000-mapping.dmp

Download
memory/2648-146-0x0000000000000000-mapping.dmp

Download
memory/4128-169-0x0000000000000000-mapping.dmp

Download
memory/4148-160-0x0000000000000000-mapping.dmp

Download
memory/4208-132-0x0000000000000000-mapping.dmp

Download
memory/4312-167-0x0000000000000000-mapping.dmp

Download
memory/4748-133-0x0000000000000000-mapping.dmp

Download
memory/4872-144-0x0000000000400000-0x0000000000906000-memory.dmp

Filesize
5.0MB

Download
memory/4872-142-0x0000000000400000-0x0000000000906000-memory.dmp

Filesize
5.0MB

Download
memory/4872-140-0x0000000000400000-0x0000000000906000-memory.dmp

Filesize
5.0MB

Download
memory/4872-134-0x0000000000000000-mapping.dmp

Download
memory/4872-170-0x0000000000400000-0x0000000000906000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads