bc07acc685fd9f411d43de2375f460d66a578cf2c384055724da1019603e6631

Analysis

max time kernel
159s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 14:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bc07acc685fd9f411d43de2375f460d66a578cf2c384055724da1019603e6631.exe
Size

176KB
MD5

f002092bd75dff61e380008ffbcd7b73
SHA1

410c3124f8886f99773e6d1d21b5378ed73f3c8f
SHA256

bc07acc685fd9f411d43de2375f460d66a578cf2c384055724da1019603e6631
SHA512

03dcbc809b0188d01b8cde4f3da75bf12c45c1ca76dad294e172b5818252d975f5da0d17415b7be6ee12b99c1c32b1f47bf5033a79ab99e726cd6345218c6235
SSDEEP

3072:/Lk395hYXJcMpvnZ77j2NZdjy4tbWsqfW9X25rplo6sOvuP4hc1HGr+M9q7:/Qq+Mpv98Zdjt5drmlopP4hc1HGr+h

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
2432	yt906554.exe
4672	hy906557.exe
4636	hy906557.exe
1076	hy906557.exe
1412	hy906557.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	yt906554.exe

Loads dropped DLL 24 IoCs

pid	Process
3276	bc07acc685fd9f411d43de2375f460d66a578cf2c384055724da1019603e6631.exe
3276	bc07acc685fd9f411d43de2375f460d66a578cf2c384055724da1019603e6631.exe
3276	bc07acc685fd9f411d43de2375f460d66a578cf2c384055724da1019603e6631.exe
3276	bc07acc685fd9f411d43de2375f460d66a578cf2c384055724da1019603e6631.exe
3276	bc07acc685fd9f411d43de2375f460d66a578cf2c384055724da1019603e6631.exe
3276	bc07acc685fd9f411d43de2375f460d66a578cf2c384055724da1019603e6631.exe
3276	bc07acc685fd9f411d43de2375f460d66a578cf2c384055724da1019603e6631.exe
3276	bc07acc685fd9f411d43de2375f460d66a578cf2c384055724da1019603e6631.exe
3276	bc07acc685fd9f411d43de2375f460d66a578cf2c384055724da1019603e6631.exe
3276	bc07acc685fd9f411d43de2375f460d66a578cf2c384055724da1019603e6631.exe
3276	bc07acc685fd9f411d43de2375f460d66a578cf2c384055724da1019603e6631.exe
3276	bc07acc685fd9f411d43de2375f460d66a578cf2c384055724da1019603e6631.exe
3276	bc07acc685fd9f411d43de2375f460d66a578cf2c384055724da1019603e6631.exe
3276	bc07acc685fd9f411d43de2375f460d66a578cf2c384055724da1019603e6631.exe
3276	bc07acc685fd9f411d43de2375f460d66a578cf2c384055724da1019603e6631.exe
3276	bc07acc685fd9f411d43de2375f460d66a578cf2c384055724da1019603e6631.exe
3276	bc07acc685fd9f411d43de2375f460d66a578cf2c384055724da1019603e6631.exe
2432	yt906554.exe
2432	yt906554.exe
2432	yt906554.exe
3276	bc07acc685fd9f411d43de2375f460d66a578cf2c384055724da1019603e6631.exe
3276	bc07acc685fd9f411d43de2375f460d66a578cf2c384055724da1019603e6631.exe
3276	bc07acc685fd9f411d43de2375f460d66a578cf2c384055724da1019603e6631.exe
3276	bc07acc685fd9f411d43de2375f460d66a578cf2c384055724da1019603e6631.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	hy906557.exe
File opened for modification	\??\PhysicalDrive0	hy906557.exe
File opened for modification	\??\PhysicalDrive0	hy906557.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\d6697481-4faa-4838-98be-90180da26e47.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221128120600.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x00040000000006d5-183.dat	nsis_installer_1
behavioral2/files/0x00040000000006d5-183.dat	nsis_installer_2
behavioral2/files/0x00040000000006d5-184.dat	nsis_installer_1
behavioral2/files/0x00040000000006d5-184.dat	nsis_installer_2

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3516	msedge.exe
3516	msedge.exe
1960	msedge.exe
1960	msedge.exe
2432	yt906554.exe
2432	yt906554.exe
1412	hy906557.exe
1412	hy906557.exe
1412	hy906557.exe
1412	hy906557.exe
1412	hy906557.exe
1412	hy906557.exe
1412	hy906557.exe
1412	hy906557.exe
1412	hy906557.exe
1412	hy906557.exe
1412	hy906557.exe
1412	hy906557.exe
1412	hy906557.exe
1412	hy906557.exe
1412	hy906557.exe
1412	hy906557.exe
1412	hy906557.exe
1412	hy906557.exe
1412	hy906557.exe
1412	hy906557.exe
1412	hy906557.exe
1412	hy906557.exe
4672	hy906557.exe
4672	hy906557.exe
4672	hy906557.exe
4672	hy906557.exe
4672	hy906557.exe
4672	hy906557.exe
4672	hy906557.exe
4672	hy906557.exe
4672	hy906557.exe
4672	hy906557.exe
4672	hy906557.exe
4672	hy906557.exe
1076	hy906557.exe
4672	hy906557.exe
1076	hy906557.exe
4672	hy906557.exe
1076	hy906557.exe
4672	hy906557.exe
1076	hy906557.exe
4672	hy906557.exe
4672	hy906557.exe
4672	hy906557.exe
4672	hy906557.exe
4672	hy906557.exe
4672	hy906557.exe
4672	hy906557.exe
1076	hy906557.exe
1076	hy906557.exe
1076	hy906557.exe
1076	hy906557.exe
1076	hy906557.exe
1076	hy906557.exe
1076	hy906557.exe
1076	hy906557.exe
1076	hy906557.exe
1076	hy906557.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
4636	hy906557.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4672	hy906557.exe
4672	hy906557.exe
1076	hy906557.exe
1076	hy906557.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3276 wrote to memory of 1960	3276	bc07acc685fd9f411d43de2375f460d66a578cf2c384055724da1019603e6631.exe	82
PID 3276 wrote to memory of 1960	3276	bc07acc685fd9f411d43de2375f460d66a578cf2c384055724da1019603e6631.exe	82
PID 1960 wrote to memory of 388	1960	msedge.exe	83
PID 1960 wrote to memory of 388	1960	msedge.exe	83
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3876	1960	msedge.exe	86
PID 1960 wrote to memory of 3516	1960	msedge.exe	87
PID 1960 wrote to memory of 3516	1960	msedge.exe	87
PID 1960 wrote to memory of 3348	1960	msedge.exe	89
PID 1960 wrote to memory of 3348	1960	msedge.exe	89
PID 1960 wrote to memory of 3348	1960	msedge.exe	89
PID 1960 wrote to memory of 3348	1960	msedge.exe	89
PID 1960 wrote to memory of 3348	1960	msedge.exe	89
PID 1960 wrote to memory of 3348	1960	msedge.exe	89
PID 1960 wrote to memory of 3348	1960	msedge.exe	89
PID 1960 wrote to memory of 3348	1960	msedge.exe	89
PID 1960 wrote to memory of 3348	1960	msedge.exe	89
PID 1960 wrote to memory of 3348	1960	msedge.exe	89
PID 1960 wrote to memory of 3348	1960	msedge.exe	89
PID 1960 wrote to memory of 3348	1960	msedge.exe	89
PID 1960 wrote to memory of 3348	1960	msedge.exe	89
PID 1960 wrote to memory of 3348	1960	msedge.exe	89
PID 1960 wrote to memory of 3348	1960	msedge.exe	89
PID 1960 wrote to memory of 3348	1960	msedge.exe	89
PID 1960 wrote to memory of 3348	1960	msedge.exe	89
PID 1960 wrote to memory of 3348	1960	msedge.exe	89

C:\Users\Admin\AppData\Local\Temp\bc07acc685fd9f411d43de2375f460d66a578cf2c384055724da1019603e6631.exe
"C:\Users\Admin\AppData\Local\Temp\bc07acc685fd9f411d43de2375f460d66a578cf2c384055724da1019603e6631.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.zhendeshihuidaojiale.com/YmMwN2FjYzY4NWZkOWY0MTFkNDNkZTIzNzVmNDYwZDY2YTU3OGNmMmMzODQwNTU3MjRkYTEwMTk2MDNlNjYzMS5leGU=/40.html
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa688546f8,0x7ffa68854708,0x7ffa68854718
    3⤵
    PID:388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,68602507265672920,6610397156128798028,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
    3⤵
    PID:3876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,68602507265672920,6610397156128798028,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2456 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,68602507265672920,6610397156128798028,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
    3⤵
    PID:3348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,68602507265672920,6610397156128798028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
    3⤵
    PID:4532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,68602507265672920,6610397156128798028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
    3⤵
    PID:4932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,68602507265672920,6610397156128798028,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
    3⤵
    PID:3592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,68602507265672920,6610397156128798028,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4836 /prefetch:8
    3⤵
    PID:4204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,68602507265672920,6610397156128798028,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
    3⤵
    PID:3316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,68602507265672920,6610397156128798028,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5692 /prefetch:8
    3⤵
    PID:3648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,68602507265672920,6610397156128798028,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
    3⤵
    PID:4948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,68602507265672920,6610397156128798028,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
    3⤵
    PID:2228
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,68602507265672920,6610397156128798028,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
    3⤵
    PID:2528
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,68602507265672920,6610397156128798028,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
    3⤵
    PID:4664
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:4212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x220,0x230,0x7ff796585460,0x7ff796585470,0x7ff796585480
      4⤵
      PID:4388
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,68602507265672920,6610397156128798028,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
    3⤵
    PID:528
- C:\Users\Admin\AppData\Local\Temp\nsoC50B.tmp\yt906554.exe
  yt906554.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2432
- - C:\Users\Admin\AppData\Roaming\ÓÎÏ·\hy906557\hy906557.exe
    "C:\Users\Admin\AppData\Roaming\ÓÎÏ·\hy906557\hy906557.exe" SW_SHOWNORMAL
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4672
- - C:\Users\Admin\AppData\Roaming\ÓÎÏ·\hy906557\hy906557.exe
    "C:\Users\Admin\AppData\Roaming\ÓÎÏ·\hy906557\hy906557.exe" /ShowDeskTop
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:4636
- - C:\Users\Admin\AppData\Roaming\ÓÎÏ·\hy906557\hy906557.exe
    "C:\Users\Admin\AppData\Roaming\ÓÎÏ·\hy906557\hy906557.exe" /autorun /setuprun
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1076
- - C:\Users\Admin\AppData\Roaming\ÓÎÏ·\hy906557\hy906557.exe
    "C:\Users\Admin\AppData\Roaming\ÓÎÏ·\hy906557\hy906557.exe" /setupsucc
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: EnumeratesProcesses
    PID:1412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\709A8EC0F6D3194AD001E9041914421F_7DF5A5CBB15978A50A00CA98F50007C1

Filesize
471B

MD5
fa5e73f1e2bde01fe9adccf05c3f1ae5

SHA1
42ee4aaa7d66b7f9b1c5985bcf3f8ef3c0d54c49

SHA256
7c33be87c320c0e054ec89d2bd816db98100aab682da297ec8ca2e67c3f5e891

SHA512
718db586f12ed2fcec55ec2758979c3b9b29c80868f818e96973593a2a87b7fa9e994e3eecd634f3a39f944c2e0a0063682fef8d484f04c50f229cca5834a6ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_86C2A03C133240EC4C95180B9FD368BB

Filesize
471B

MD5
8c852f730c09e03ff5a918bc3cfa9ae0

SHA1
155feb988bcc692e00c27d4617573c23f25301dc

SHA256
ea3cf5ff57ee6e180fcc7ba6a8a545ae5e8f7024cb2bc74d6fa880a104c3587b

SHA512
5c8f9023b6256586364da6faa59d8c7d728b24076b1a8f941f93354269575acbe63ccc7b51bde5d4384d542b925ba8c3b837b60c5dd101cba9ba746f7ea9b853

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\709A8EC0F6D3194AD001E9041914421F_7DF5A5CBB15978A50A00CA98F50007C1

Filesize
426B

MD5
d8d15cb2bca00d5208fe89318e28ef1b

SHA1
55e55230bc4a021d4e18bb58199090b6a9f06cf8

SHA256
4ec07a811ddcd6c2df279eac8a52466c1409926529677ecc971af0fbe1479bcb

SHA512
f0ec506e9f8b470b0c95ca9bb1be11cb3c3a7c7b86820a384331fa161875c128ea02674da79590cfed2d323fbadfddc4865c03a70a1600c72a2442b0c5224cda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_86C2A03C133240EC4C95180B9FD368BB

Filesize
400B

MD5
a79e0fafc50c9b094460b0e6643be7e3

SHA1
e848b5ca8585afb8eaa98a4f61ff944fce3247ad

SHA256
73d3c8ffb5a9fa8a0ff934331ed6d2cf114aabd0db49c8fe0a97db92a9c85770

SHA512
c6ccf47a1e178df70fc4b36ea1a51b9e213b58d7af438b37b5f4765138b8d71d63956946ab3abd519b6498d7c4b433ae613442b3ccaf7821dff758408a473bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC50B.tmp\Base64.dll

Filesize
4KB

MD5
f0e3845fefd227d7f1101850410ec849

SHA1
3067203fafd4237be0c186ddab7029dfcbdfb53e

SHA256
7c688940e73022bf526f07cc922a631a1b1db78a19439af6bafbff2a3b46d554

SHA512
584ae5a0d1c1639ba4e2187d0c8a0ac7e54c0be0a266029c4689d81c0c64a7f80e7d918da0df5c6344f9f7a114f30d8f2feda253b29e813bae086604731a3d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC50B.tmp\Base64.dll

Filesize
4KB

MD5
f0e3845fefd227d7f1101850410ec849

SHA1
3067203fafd4237be0c186ddab7029dfcbdfb53e

SHA256
7c688940e73022bf526f07cc922a631a1b1db78a19439af6bafbff2a3b46d554

SHA512
584ae5a0d1c1639ba4e2187d0c8a0ac7e54c0be0a266029c4689d81c0c64a7f80e7d918da0df5c6344f9f7a114f30d8f2feda253b29e813bae086604731a3d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC50B.tmp\Inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC50B.tmp\Inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC50B.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC50B.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC50B.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC50B.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC50B.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC50B.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC50B.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC50B.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC50B.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC50B.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC50B.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC50B.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC50B.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC50B.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC50B.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC50B.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC50B.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC50B.tmp\yt906554.exe

Filesize
826KB

MD5
2341b17f076c095ce8ffff56c812a9dd

SHA1
9196fe6095d00fadc79f7cf49da11fcc7aa80da9

SHA256
7482d352ade04b802efd408f6b281d84003a7000275456158159265e1344706f

SHA512
fa4250bfc564492aaea10e0dc046978d553252d23af4a0d14f81e464261819cd4870e92ee7054ca720082247cb4494da7c00f1bcd62f9bede0f49eef07a7a68b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC50B.tmp\yt906554.exe

Filesize
826KB

MD5
2341b17f076c095ce8ffff56c812a9dd

SHA1
9196fe6095d00fadc79f7cf49da11fcc7aa80da9

SHA256
7482d352ade04b802efd408f6b281d84003a7000275456158159265e1344706f

SHA512
fa4250bfc564492aaea10e0dc046978d553252d23af4a0d14f81e464261819cd4870e92ee7054ca720082247cb4494da7c00f1bcd62f9bede0f49eef07a7a68b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszD11D.tmp\FindProcDLL.dll

Filesize
3KB

MD5
8614c450637267afacad1645e23ba24a

SHA1
e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2

SHA256
0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758

SHA512
af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszD11D.tmp\FindProcDLL.dll

Filesize
3KB

MD5
8614c450637267afacad1645e23ba24a

SHA1
e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2

SHA256
0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758

SHA512
af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszD11D.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Roaming\ÓÎÏ·\hy906557\hy906557.exe

Filesize
848KB

MD5
c84e8677178050de237d63e6927dc9c5

SHA1
9120f72c81e048a65a2c6db5788f4f303f51a21e

SHA256
3a14b2aa699fd0a8354ccbc2e185d124fce3a6c6723264365789f7375fca8336

SHA512
f9e1be242f5523fc7b236e0b54c9ff5cb6b1cf4103ededdb12be7f6018751c1a130dd0eb4547aa994f4cd9111d5fc6c1406d7467ece82c06ff87c8a3f3ee06c8

Download Submit
C:\Users\Admin\AppData\Roaming\ÓÎÏ·\hy906557\hy906557.exe

Filesize
848KB

MD5
c84e8677178050de237d63e6927dc9c5

SHA1
9120f72c81e048a65a2c6db5788f4f303f51a21e

SHA256
3a14b2aa699fd0a8354ccbc2e185d124fce3a6c6723264365789f7375fca8336

SHA512
f9e1be242f5523fc7b236e0b54c9ff5cb6b1cf4103ededdb12be7f6018751c1a130dd0eb4547aa994f4cd9111d5fc6c1406d7467ece82c06ff87c8a3f3ee06c8

Download Submit
C:\Users\Admin\AppData\Roaming\ÓÎÏ·\hy906557\hy906557.exe

Filesize
848KB

MD5
c84e8677178050de237d63e6927dc9c5

SHA1
9120f72c81e048a65a2c6db5788f4f303f51a21e

SHA256
3a14b2aa699fd0a8354ccbc2e185d124fce3a6c6723264365789f7375fca8336

SHA512
f9e1be242f5523fc7b236e0b54c9ff5cb6b1cf4103ededdb12be7f6018751c1a130dd0eb4547aa994f4cd9111d5fc6c1406d7467ece82c06ff87c8a3f3ee06c8

Download Submit
C:\Users\Admin\AppData\Roaming\ÓÎÏ·\hy906557\hy906557.exe

Filesize
848KB

MD5
c84e8677178050de237d63e6927dc9c5

SHA1
9120f72c81e048a65a2c6db5788f4f303f51a21e

SHA256
3a14b2aa699fd0a8354ccbc2e185d124fce3a6c6723264365789f7375fca8336

SHA512
f9e1be242f5523fc7b236e0b54c9ff5cb6b1cf4103ededdb12be7f6018751c1a130dd0eb4547aa994f4cd9111d5fc6c1406d7467ece82c06ff87c8a3f3ee06c8

Download Submit
C:\Users\Admin\AppData\Roaming\ÓÎÏ·\hy906557\hy906557.exe

Filesize
848KB

MD5
c84e8677178050de237d63e6927dc9c5

SHA1
9120f72c81e048a65a2c6db5788f4f303f51a21e

SHA256
3a14b2aa699fd0a8354ccbc2e185d124fce3a6c6723264365789f7375fca8336

SHA512
f9e1be242f5523fc7b236e0b54c9ff5cb6b1cf4103ededdb12be7f6018751c1a130dd0eb4547aa994f4cd9111d5fc6c1406d7467ece82c06ff87c8a3f3ee06c8

Download Submit
C:\Users\Admin\AppData\Roaming\游戏\hy906557\Lander.ini

Filesize
66B

MD5
8295606af8e42b20bad5da1bace4e4d3

SHA1
48de534e4d4df0745daf3e646da255e6805f1b3d

SHA256
a9ba3692c3dc2f1860b44dcb5c776b2b5143bad12c173d00fbbbdf3363e1c5d3

SHA512
8b82d2c7a5397eb8ab6dd38130903e5b49bf5173a21f5e1c4a104428e3d858760c18a7d0b1c1b28e2f2ce36b33c664f779fceb6a7ae649b4946afcd4b15f7d28

Download Submit
C:\Users\Admin\AppData\Roaming\游戏\hy906557\Lander.ini

Filesize
66B

MD5
abf8b276f0615e9746b69de33b6ec8e8

SHA1
77a7316f7d0463dd76436180aa83d0bddcaa7c84

SHA256
6da6057228f7290fee66e2ae48a285d982174ea456c9000265ce7220f7477d38

SHA512
94153c580f4cd9e7684eac8746c066ea710f2f0766da8fe6c4d54a06ef7bbed4af82c5320494c94459114892c8329c34323b62c51af014c146d9f2fa994e5a59

Download Submit
C:\Users\Admin\AppData\Roaming\游戏\hy906557\Lander.ini

Filesize
105B

MD5
af97c1c24be7993b3917e514ed948a99

SHA1
5890bda2b4e79ccd518744f6031f924354a575f5

SHA256
2482b2480cf16c4040be29155fb5ebd150fe27eace4ac0c2eb06d5c70db653a8

SHA512
e9f7301bf5a3e6a52e59a6fc43bdde1dd8cbd57e62e50a3ead9483f4f5caa003f2a296725360fe17d8f0f6d44f23c7832e07984e820af156f0ba04edf5da907c

Download Submit
C:\Users\Admin\AppData\Roaming\游戏\hy906557\Lander.ini

Filesize
120B

MD5
dc636f52be6bdeb5fa4da06f44a19d16

SHA1
0d8d28da2a450b8dc5597b8a8b3c2cdc5eddf08b

SHA256
2f833ae6f2895c77f2b883657591a59badc8a04be751243eea34cbc542548791

SHA512
c1c6d80213a64629a2f4a56cd7bc1e5376b96e5b6f3c68435ce820bd3c9acce344a1ada0c1af67fca4eb4734ff8c47653b1c0bc641880efa7fb94acb8afe1bdb

Download Submit
C:\Users\Admin\AppData\Roaming\游戏\hy906557\Upgrade\app.ini

Filesize
33B

MD5
59ab193bef60259bcf88e9b323eeca3c

SHA1
bef6d690f2e3e0719cce84af6e6e5046a8b3d250

SHA256
dbbcff6a684995e02fca1cad9ce914d1e48586b75befe044d5b8e42fdd15a156

SHA512
739125439d0d2b1f6695599384812d52019370ee9411bd1f6a38f7e457b8e69d43fca43a732d303486117a724c7304e8ba4b5dbd3dd20eea6c4012cf53e35de0

Download Submit
memory/2432-188-0x0000000002120000-0x0000000002123000-memory.dmp

Filesize
12KB

Download
memory/3276-135-0x0000000002161000-0x0000000002164000-memory.dmp

Filesize
12KB

Download
memory/3276-140-0x0000000002161000-0x0000000002164000-memory.dmp

Filesize
12KB

Download