Malware Analysis Report

2025-08-11 01:35

Sample ID 231208-e6f5xsae4v
Target 217.exe
SHA256 0b8c847eb78a586597beec4b5efc14118f315b7dbcc41b69f863e6f2d315eaa7
Tags
gh0strat rat upx vmprotect
score
10/10


Analysis Overview

score
10/10

SHA256

0b8c847eb78a586597beec4b5efc14118f315b7dbcc41b69f863e6f2d315eaa7

Threat Level: Known bad

The file 217.exe was found to be: Known bad.

Malicious Activity Summary

gh0strat rat upx vmprotect

Gh0st RAT payload

Gh0strat

VMProtect packed file

Loads dropped DLL

Executes dropped EXE

UPX packed file

Enumerates connected drives

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-08 04:32

Signatures

Unsigned PE


Analysis: behavioral2

Detonation Overview

Submitted

2023-12-08 04:32

Reported

2023-12-08 04:35

Platform

win10-20231129-en

Max time kernel

144s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\217.exe"

Signatures

Gh0st RAT payload


Gh0strat

rat gh0strat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A

UPX packed file

upx

VMProtect packed file

vmprotect

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\N: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\O: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\Q: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\T: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\V: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\G: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\M: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\P: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\R: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\W: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\Z: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\H: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\I: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\J: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\K: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\S: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\Y: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\E: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\L: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\U: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\X: C:\Users\Public\Documents\yybrowser.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Ying-UnInstall.exe C:\Users\Admin\AppData\Local\Temp\217.exe N/A
File opened for modification C:\Windows\SysWOW64\Ying-UnInstall.exe C:\Users\Admin\AppData\Local\Temp\217.exe N/A
File created C:\Windows\SysWOW64\YingInstall\409.ini C:\Users\Admin\AppData\Local\Temp\217.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Public\Documents\yybrowser.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Public\Documents\yybrowser.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
(64 identical entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Public\Documents\yybrowser.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Public\Documents\yybrowser.exe N/A
Token: 33 N/A C:\Users\Public\Documents\yybrowser.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Public\Documents\yybrowser.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\217.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\217.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\217.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\217.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\217.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4168 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\217.exe C:\Users\Public\Documents\yybrowser.exe
PID 4168 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\217.exe C:\Users\Public\Documents\yybrowser.exe
PID 4168 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\217.exe C:\Users\Public\Documents\yybrowser.exe

Processes

C:\Users\Admin\AppData\Local\Temp\217.exe

"C:\Users\Admin\AppData\Local\Temp\217.exe"

C:\Users\Public\Documents\yybrowser.exe

C:\Users\Public\Documents\yybrowser.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\20231208043322202~YingInstall-TopFramePicture.bmp

C:\Users\Public\Documents\yybrowser.exe

C:\Users\Public\Documents\dwutility.dll

C:\Users\Public\Documents\dwbase.dll

C:\Users\Public\Documents\MSVCP140.dll

\Users\Public\Documents\dwbase.dll

\Users\Public\Documents\meshrpc.dll

C:\Users\Public\Documents\libcurl.dll

\Users\Public\Documents\dwutility.dll

C:\Users\Public\Documents\VCRUNTIME140.dll

\Users\Public\Documents\libcurl.dll

\Users\Public\Documents\msvcp140.dll

\Users\Public\Documents\vcruntime140.dll

C:\Users\Public\Documents\meshrpc.dll

Analysis: behavioral3

Detonation Overview

Submitted

2023-12-08 04:32

Reported

2023-12-08 04:34

Platform

win10v2004-20231201-en

Max time kernel

41s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\217.exe"

Signatures

Gh0st RAT payload


Gh0strat

rat gh0strat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A

UPX packed file

upx

VMProtect packed file

vmprotect

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\V: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\W: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\Z: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\G: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\P: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\N: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\Q: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\T: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\H: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\I: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\K: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\M: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\O: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\Y: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\E: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\J: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\R: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\U: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\X: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\B: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\L: C:\Users\Public\Documents\yybrowser.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\YingInstall\409.ini C:\Users\Admin\AppData\Local\Temp\217.exe N/A
File created C:\Windows\SysWOW64\Ying-UnInstall.exe C:\Users\Admin\AppData\Local\Temp\217.exe N/A
File opened for modification C:\Windows\SysWOW64\Ying-UnInstall.exe C:\Users\Admin\AppData\Local\Temp\217.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Public\Documents\yybrowser.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Public\Documents\yybrowser.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
(64 identical entries)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\217.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\217.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\217.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\217.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\217.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 692 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\217.exe C:\Users\Public\Documents\yybrowser.exe
PID 692 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\217.exe C:\Users\Public\Documents\yybrowser.exe
PID 692 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\217.exe C:\Users\Public\Documents\yybrowser.exe

Processes

C:\Users\Admin\AppData\Local\Temp\217.exe

"C:\Users\Admin\AppData\Local\Temp\217.exe"

C:\Users\Public\Documents\yybrowser.exe

C:\Users\Public\Documents\yybrowser.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\20231208043321401~YingInstall-TopFramePicture.bmp

C:\Users\Public\Documents\yybrowser.exe

C:\Users\Public\Documents\dwutility.dll

C:\Users\Public\Documents\meshrpc.dll

C:\Users\Public\Documents\libcurl.dll

C:\Users\Public\Documents\VCRUNTIME140.dll

C:\Users\Public\Documents\MSVCP140.dll

C:\Users\Public\Documents\vcruntime140.dll

C:\Users\Public\Documents\msvcp140.dll

C:\Users\Public\Documents\dwbase.dll

Analysis: behavioral4

Detonation Overview

Submitted

2023-12-08 04:32

Reported

2023-12-08 04:34

Platform

win11-20231129-en

Max time kernel

34s

Max time network

11s

Command Line

"C:\Users\Admin\AppData\Local\Temp\217.exe"

Signatures

Gh0st RAT payload


Gh0strat

rat gh0strat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A

UPX packed file

upx

VMProtect packed file

vmprotect

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\M: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\T: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\W: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\G: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\I: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\O: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\R: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\V: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\X: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\Z: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\L: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\N: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\P: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\Q: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\S: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\Y: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\B: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\E: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\J: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\K: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\U: C:\Users\Public\Documents\yybrowser.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Ying-UnInstall.exe C:\Users\Admin\AppData\Local\Temp\217.exe N/A
File opened for modification C:\Windows\SysWOW64\Ying-UnInstall.exe C:\Users\Admin\AppData\Local\Temp\217.exe N/A
File created C:\Windows\SysWOW64\YingInstall\409.ini C:\Users\Admin\AppData\Local\Temp\217.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Public\Documents\yybrowser.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Public\Documents\yybrowser.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\217.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\217.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\217.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\217.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\217.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5116 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\217.exe C:\Users\Public\Documents\yybrowser.exe
PID 5116 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\217.exe C:\Users\Public\Documents\yybrowser.exe
PID 5116 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\217.exe C:\Users\Public\Documents\yybrowser.exe

Processes

C:\Users\Admin\AppData\Local\Temp\217.exe

"C:\Users\Admin\AppData\Local\Temp\217.exe"

C:\Users\Public\Documents\yybrowser.exe

C:\Users\Public\Documents\yybrowser.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 oggfcv.lol udp
SG 206.238.220.217:2025 oggfcv.lol tcp
SG 206.238.220.217:8888 oggfcv.lol tcp
SG 206.238.220.217:8888 oggfcv.lol tcp

Files

C:\Users\Admin\AppData\Local\Temp\20231208043322327~YingInstall-TopFramePicture.bmp

MD5 a528a1efb19f5bee2fa74cd8650dab24
SHA1 51b72c994283ec899a32732bc60655d3039138a8
SHA256 d9295a5e215cf9f1c2dd5b9aa5deb1ee46619202b5814296ca73777506846608
SHA512 bcf8db6c25868a5d48ef887046143ed504690084673ff71c886dc17de8f65482e773b3a5867cab89e310ac03f1a37f3661d1117230fbcb7d85071fcf2b34c15a

C:\Users\Public\Documents\yybrowser.exe

MD5 46343a46271dcaddf9f5192118d4190a
SHA1 998d84a369d392c76b60082f9e4da31bfff4dc53
SHA256 f8c240a51a27735b4f5ee856fb7a9a01aa0d89351f326ee4892a3ca34fbd2001
SHA512 2a5f642ab06f91907fc9eafeac9325709e318d11813f76da5bc15eb81f06d43832cde850dd10e24b8d8dc2893a15dce7a76389a199a9cb11d4ffdf864190e03d

C:\Users\Public\Documents\dwbase.dll

MD5 b87e123f675b38a7e5b15b0515040bed
SHA1 fe5a958192effbf379f8a3331863069bb1d886a2
SHA256 5a8d4d49185c6589314c50dccdf4a178337ec92cb18533c770cf29571c6f0b05
SHA512 531620d704c70a7ca77ce91e9788d55217adbaa8053ea912ede7ff5c44792ca0cb43fe08d0fb5173d0bb48a678887d697aab71c2447d378c497d41f4d53281d1

C:\Users\Public\Documents\dwutility.dll

MD5 71918ce3973e4741542022287de9f947
SHA1 21baae8623f8ade60954193cf6b2899ff868ccab
SHA256 d0ad9d27d1d1e6926cc8be711f0bfb53d7e19eddfc4b7e94d5f0aa20641a6ae0
SHA512 f58e7409b7a7e085bf36e9ec1c123409a75b71f1a09a4c85a59ff7436a7cf1020b2acd2782c92dd28141affacd996512fb6acfa9621000ebac08c0257dca8aaf

C:\Users\Public\Documents\meshrpc.dll

MD5 007b92f069cc2445120bcd55ffb01f86
SHA1 20c368c75a7f27985d3ba025d96de4404fdbcbd2
SHA256 6626e0372f50083c275eb1803c6d04fb29a201d731918f0c4e00a0aa4576a548
SHA512 bb9a763961f070c43a48a7a257830b4273a1d1b91f17aa496f851a1a1286b3e070167c6a657b99333a1c4c36e2d04210de661ce74792d4fe6dc12581f340ef8e

C:\Users\Public\Documents\dwbase.dll

MD5 b87e123f675b38a7e5b15b0515040bed
SHA1 fe5a958192effbf379f8a3331863069bb1d886a2
SHA256 5a8d4d49185c6589314c50dccdf4a178337ec92cb18533c770cf29571c6f0b05
SHA512 531620d704c70a7ca77ce91e9788d55217adbaa8053ea912ede7ff5c44792ca0cb43fe08d0fb5173d0bb48a678887d697aab71c2447d378c497d41f4d53281d1

C:\Users\Public\Documents\dwutility.dll

MD5 71918ce3973e4741542022287de9f947
SHA1 21baae8623f8ade60954193cf6b2899ff868ccab
SHA256 d0ad9d27d1d1e6926cc8be711f0bfb53d7e19eddfc4b7e94d5f0aa20641a6ae0
SHA512 f58e7409b7a7e085bf36e9ec1c123409a75b71f1a09a4c85a59ff7436a7cf1020b2acd2782c92dd28141affacd996512fb6acfa9621000ebac08c0257dca8aaf

C:\Users\Public\Documents\vcruntime140.dll

MD5 ac85fa80b4c9bcab021ba214c56f7f3e
SHA1 f4a03bed71041c21b4f0b56039f207f8ad97662e
SHA256 23c50ab4a82ab5017f90d4b48d4589a48c501437590cfd94b0e8d29aa3ccfede
SHA512 8e3770cf11695da9182d664f46ddd28d6b213f080f6af57ce3c2525a7308822dffc558ee725f16686440c7e485d913012a0914b822c45708c1a9766c6cb84928

C:\Users\Public\Documents\libcurl.dll

MD5 7870f90ed274348346f499dca9716c6d
SHA1 a898355b54b17a80b298210ccb00228384dd2e85
SHA256 d4e407cdc4a38416c2f512c021a70117f8114964a622957098f8d8d062056f3d
SHA512 68969b34d54ba961490cbeb832daa0c5b315289881dcce7ad0561938f413b1a19e23c3947ef93e0b5ddd1335f120ef4da6eb955e8b66a1391895c950da9c767b

C:\Users\Public\Documents\vcruntime140.dll

MD5 ac85fa80b4c9bcab021ba214c56f7f3e
SHA1 f4a03bed71041c21b4f0b56039f207f8ad97662e
SHA256 23c50ab4a82ab5017f90d4b48d4589a48c501437590cfd94b0e8d29aa3ccfede
SHA512 8e3770cf11695da9182d664f46ddd28d6b213f080f6af57ce3c2525a7308822dffc558ee725f16686440c7e485d913012a0914b822c45708c1a9766c6cb84928

memory/4848-62-0x0000000010000000-0x00000000100A0000-memory.dmp

C:\Users\Public\Documents\libcurl.dll

MD5 7870f90ed274348346f499dca9716c6d
SHA1 a898355b54b17a80b298210ccb00228384dd2e85
SHA256 d4e407cdc4a38416c2f512c021a70117f8114964a622957098f8d8d062056f3d
SHA512 68969b34d54ba961490cbeb832daa0c5b315289881dcce7ad0561938f413b1a19e23c3947ef93e0b5ddd1335f120ef4da6eb955e8b66a1391895c950da9c767b

C:\Users\Public\Documents\vcruntime140.dll

MD5 ac85fa80b4c9bcab021ba214c56f7f3e
SHA1 f4a03bed71041c21b4f0b56039f207f8ad97662e
SHA256 23c50ab4a82ab5017f90d4b48d4589a48c501437590cfd94b0e8d29aa3ccfede
SHA512 8e3770cf11695da9182d664f46ddd28d6b213f080f6af57ce3c2525a7308822dffc558ee725f16686440c7e485d913012a0914b822c45708c1a9766c6cb84928

C:\Users\Public\Documents\msvcp140.dll

MD5 8b1d762ddec577e6bee5ceff79d34811
SHA1 d8a266dab792952415f7bea84843c412418627d5
SHA256 75c8af58e84c4992d4d2013641e2916310c71d292bb808083077510ef5163610
SHA512 dd38a5db80b7755c5543e0d3a16fdf6fc2075d80d7a24e5b4a99e5e6dbeda6fc061ee182586363a79bacd1fb831a6399eed2b56af4351ba2ecd30aa8177fb7f4

C:\Users\Public\Documents\meshrpc.dll

MD5 007b92f069cc2445120bcd55ffb01f86
SHA1 20c368c75a7f27985d3ba025d96de4404fdbcbd2
SHA256 6626e0372f50083c275eb1803c6d04fb29a201d731918f0c4e00a0aa4576a548
SHA512 bb9a763961f070c43a48a7a257830b4273a1d1b91f17aa496f851a1a1286b3e070167c6a657b99333a1c4c36e2d04210de661ce74792d4fe6dc12581f340ef8e

C:\Users\Public\Documents\VCRUNTIME140.dll

MD5 ac85fa80b4c9bcab021ba214c56f7f3e
SHA1 f4a03bed71041c21b4f0b56039f207f8ad97662e
SHA256 23c50ab4a82ab5017f90d4b48d4589a48c501437590cfd94b0e8d29aa3ccfede
SHA512 8e3770cf11695da9182d664f46ddd28d6b213f080f6af57ce3c2525a7308822dffc558ee725f16686440c7e485d913012a0914b822c45708c1a9766c6cb84928

C:\Users\Public\Documents\MSVCP140.dll

MD5 8b1d762ddec577e6bee5ceff79d34811
SHA1 d8a266dab792952415f7bea84843c412418627d5
SHA256 75c8af58e84c4992d4d2013641e2916310c71d292bb808083077510ef5163610
SHA512 dd38a5db80b7755c5543e0d3a16fdf6fc2075d80d7a24e5b4a99e5e6dbeda6fc061ee182586363a79bacd1fb831a6399eed2b56af4351ba2ecd30aa8177fb7f4

memory/4848-64-0x0000000002F50000-0x0000000002F51000-memory.dmp

memory/4848-66-0x00000000030A0000-0x00000000030FF000-memory.dmp

memory/4848-67-0x0000000003250000-0x00000000033D9000-memory.dmp

memory/4848-71-0x0000000003250000-0x00000000033D9000-memory.dmp

memory/4848-70-0x0000000003250000-0x00000000033D9000-memory.dmp

memory/4848-72-0x0000000003250000-0x00000000033D9000-memory.dmp

memory/4848-73-0x0000000003250000-0x00000000033D9000-memory.dmp

memory/4848-75-0x0000000003250000-0x00000000033D9000-memory.dmp

memory/4848-83-0x0000000010000000-0x00000000100A0000-memory.dmp

memory/4848-84-0x0000000003250000-0x00000000033D9000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-08 04:32

Reported

2023-12-08 04:35

Platform

win7-20231023-en

Max time kernel

131s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\217.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

VMProtect packed file

vmprotect

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\I: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\V: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\E: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\G: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\O: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\P: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\T: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\U: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\X: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\Y: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\B: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\M: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\Z: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\N: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\Q: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\S: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\J: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\L: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\W: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\K: C:\Users\Public\Documents\yybrowser.exe N/A
File opened (read-only) \??\R: C:\Users\Public\Documents\yybrowser.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Ying-UnInstall.exe C:\Users\Admin\AppData\Local\Temp\217.exe N/A
File opened for modification C:\Windows\SysWOW64\Ying-UnInstall.exe C:\Users\Admin\AppData\Local\Temp\217.exe N/A
File created C:\Windows\SysWOW64\YingInstall\409.ini C:\Users\Admin\AppData\Local\Temp\217.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Public\Documents\yybrowser.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Public\Documents\yybrowser.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A
N/A N/A C:\Users\Public\Documents\yybrowser.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Public\Documents\yybrowser.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Public\Documents\yybrowser.exe N/A
Token: 33 N/A C:\Users\Public\Documents\yybrowser.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Public\Documents\yybrowser.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\217.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\217.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\217.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\217.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\217.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\217.exe

"C:\Users\Admin\AppData\Local\Temp\217.exe"

C:\Users\Public\Documents\yybrowser.exe

C:\Users\Public\Documents\yybrowser.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 oggfcv.lol udp
SG 206.238.220.217:2025 oggfcv.lol tcp
SG 206.238.220.217:8888 oggfcv.lol tcp
SG 206.238.220.217:8888 oggfcv.lol tcp

Files

C:\Users\Admin\AppData\Local\Temp\2023120804332370~YingInstall-TopFramePicture.bmp

MD5 a528a1efb19f5bee2fa74cd8650dab24
SHA1 51b72c994283ec899a32732bc60655d3039138a8
SHA256 d9295a5e215cf9f1c2dd5b9aa5deb1ee46619202b5814296ca73777506846608
SHA512 bcf8db6c25868a5d48ef887046143ed504690084673ff71c886dc17de8f65482e773b3a5867cab89e310ac03f1a37f3661d1117230fbcb7d85071fcf2b34c15a

\Users\Public\Documents\yybrowser.exe

MD5 46343a46271dcaddf9f5192118d4190a
SHA1 998d84a369d392c76b60082f9e4da31bfff4dc53
SHA256 f8c240a51a27735b4f5ee856fb7a9a01aa0d89351f326ee4892a3ca34fbd2001
SHA512 2a5f642ab06f91907fc9eafeac9325709e318d11813f76da5bc15eb81f06d43832cde850dd10e24b8d8dc2893a15dce7a76389a199a9cb11d4ffdf864190e03d

C:\Users\Public\Documents\yybrowser.exe

MD5 46343a46271dcaddf9f5192118d4190a
SHA1 998d84a369d392c76b60082f9e4da31bfff4dc53
SHA256 f8c240a51a27735b4f5ee856fb7a9a01aa0d89351f326ee4892a3ca34fbd2001
SHA512 2a5f642ab06f91907fc9eafeac9325709e318d11813f76da5bc15eb81f06d43832cde850dd10e24b8d8dc2893a15dce7a76389a199a9cb11d4ffdf864190e03d

C:\Users\Public\Documents\yybrowser.exe

MD5 46343a46271dcaddf9f5192118d4190a
SHA1 998d84a369d392c76b60082f9e4da31bfff4dc53
SHA256 f8c240a51a27735b4f5ee856fb7a9a01aa0d89351f326ee4892a3ca34fbd2001
SHA512 2a5f642ab06f91907fc9eafeac9325709e318d11813f76da5bc15eb81f06d43832cde850dd10e24b8d8dc2893a15dce7a76389a199a9cb11d4ffdf864190e03d

C:\Users\Public\Documents\meshrpc.dll

MD5 007b92f069cc2445120bcd55ffb01f86
SHA1 20c368c75a7f27985d3ba025d96de4404fdbcbd2
SHA256 6626e0372f50083c275eb1803c6d04fb29a201d731918f0c4e00a0aa4576a548
SHA512 bb9a763961f070c43a48a7a257830b4273a1d1b91f17aa496f851a1a1286b3e070167c6a657b99333a1c4c36e2d04210de661ce74792d4fe6dc12581f340ef8e

\Users\Public\Documents\meshrpc.dll

MD5 007b92f069cc2445120bcd55ffb01f86
SHA1 20c368c75a7f27985d3ba025d96de4404fdbcbd2
SHA256 6626e0372f50083c275eb1803c6d04fb29a201d731918f0c4e00a0aa4576a548
SHA512 bb9a763961f070c43a48a7a257830b4273a1d1b91f17aa496f851a1a1286b3e070167c6a657b99333a1c4c36e2d04210de661ce74792d4fe6dc12581f340ef8e

C:\Users\Public\Documents\MSVCP140.dll

MD5 8b1d762ddec577e6bee5ceff79d34811
SHA1 d8a266dab792952415f7bea84843c412418627d5
SHA256 75c8af58e84c4992d4d2013641e2916310c71d292bb808083077510ef5163610
SHA512 dd38a5db80b7755c5543e0d3a16fdf6fc2075d80d7a24e5b4a99e5e6dbeda6fc061ee182586363a79bacd1fb831a6399eed2b56af4351ba2ecd30aa8177fb7f4

\Users\Public\Documents\msvcp140.dll

MD5 8b1d762ddec577e6bee5ceff79d34811
SHA1 d8a266dab792952415f7bea84843c412418627d5
SHA256 75c8af58e84c4992d4d2013641e2916310c71d292bb808083077510ef5163610
SHA512 dd38a5db80b7755c5543e0d3a16fdf6fc2075d80d7a24e5b4a99e5e6dbeda6fc061ee182586363a79bacd1fb831a6399eed2b56af4351ba2ecd30aa8177fb7f4

C:\Users\Public\Documents\VCRUNTIME140.dll

MD5 ac85fa80b4c9bcab021ba214c56f7f3e
SHA1 f4a03bed71041c21b4f0b56039f207f8ad97662e
SHA256 23c50ab4a82ab5017f90d4b48d4589a48c501437590cfd94b0e8d29aa3ccfede
SHA512 8e3770cf11695da9182d664f46ddd28d6b213f080f6af57ce3c2525a7308822dffc558ee725f16686440c7e485d913012a0914b822c45708c1a9766c6cb84928

\Users\Public\Documents\vcruntime140.dll

MD5 ac85fa80b4c9bcab021ba214c56f7f3e
SHA1 f4a03bed71041c21b4f0b56039f207f8ad97662e
SHA256 23c50ab4a82ab5017f90d4b48d4589a48c501437590cfd94b0e8d29aa3ccfede
SHA512 8e3770cf11695da9182d664f46ddd28d6b213f080f6af57ce3c2525a7308822dffc558ee725f16686440c7e485d913012a0914b822c45708c1a9766c6cb84928

C:\Users\Public\Documents\dwutility.dll

MD5 71918ce3973e4741542022287de9f947
SHA1 21baae8623f8ade60954193cf6b2899ff868ccab
SHA256 d0ad9d27d1d1e6926cc8be711f0bfb53d7e19eddfc4b7e94d5f0aa20641a6ae0
SHA512 f58e7409b7a7e085bf36e9ec1c123409a75b71f1a09a4c85a59ff7436a7cf1020b2acd2782c92dd28141affacd996512fb6acfa9621000ebac08c0257dca8aaf

C:\Users\Public\Documents\libcurl.dll

MD5 7870f90ed274348346f499dca9716c6d
SHA1 a898355b54b17a80b298210ccb00228384dd2e85
SHA256 d4e407cdc4a38416c2f512c021a70117f8114964a622957098f8d8d062056f3d
SHA512 68969b34d54ba961490cbeb832daa0c5b315289881dcce7ad0561938f413b1a19e23c3947ef93e0b5ddd1335f120ef4da6eb955e8b66a1391895c950da9c767b

\Users\Public\Documents\dwutility.dll

MD5 71918ce3973e4741542022287de9f947
SHA1 21baae8623f8ade60954193cf6b2899ff868ccab
SHA256 d0ad9d27d1d1e6926cc8be711f0bfb53d7e19eddfc4b7e94d5f0aa20641a6ae0
SHA512 f58e7409b7a7e085bf36e9ec1c123409a75b71f1a09a4c85a59ff7436a7cf1020b2acd2782c92dd28141affacd996512fb6acfa9621000ebac08c0257dca8aaf

\Users\Public\Documents\libcurl.dll

MD5 7870f90ed274348346f499dca9716c6d
SHA1 a898355b54b17a80b298210ccb00228384dd2e85
SHA256 d4e407cdc4a38416c2f512c021a70117f8114964a622957098f8d8d062056f3d
SHA512 68969b34d54ba961490cbeb832daa0c5b315289881dcce7ad0561938f413b1a19e23c3947ef93e0b5ddd1335f120ef4da6eb955e8b66a1391895c950da9c767b

C:\Users\Public\Documents\dwbase.dll

MD5 b87e123f675b38a7e5b15b0515040bed
SHA1 fe5a958192effbf379f8a3331863069bb1d886a2
SHA256 5a8d4d49185c6589314c50dccdf4a178337ec92cb18533c770cf29571c6f0b05
SHA512 531620d704c70a7ca77ce91e9788d55217adbaa8053ea912ede7ff5c44792ca0cb43fe08d0fb5173d0bb48a678887d697aab71c2447d378c497d41f4d53281d1

\Users\Public\Documents\dwbase.dll

MD5 b87e123f675b38a7e5b15b0515040bed
SHA1 fe5a958192effbf379f8a3331863069bb1d886a2
SHA256 5a8d4d49185c6589314c50dccdf4a178337ec92cb18533c770cf29571c6f0b05
SHA512 531620d704c70a7ca77ce91e9788d55217adbaa8053ea912ede7ff5c44792ca0cb43fe08d0fb5173d0bb48a678887d697aab71c2447d378c497d41f4d53281d1

memory/2296-61-0x0000000010000000-0x00000000100A0000-memory.dmp

memory/2296-62-0x0000000010000000-0x00000000100A0000-memory.dmp

memory/2296-64-0x0000000000500000-0x0000000000501000-memory.dmp

memory/2296-66-0x0000000000560000-0x00000000005BF000-memory.dmp

memory/2296-67-0x0000000003430000-0x00000000035B9000-memory.dmp

memory/2296-71-0x0000000003430000-0x00000000035B9000-memory.dmp

memory/2296-72-0x0000000003430000-0x00000000035B9000-memory.dmp

memory/2296-70-0x0000000003430000-0x00000000035B9000-memory.dmp

memory/2296-73-0x0000000003430000-0x00000000035B9000-memory.dmp

memory/2296-75-0x0000000003430000-0x00000000035B9000-memory.dmp

memory/2296-83-0x0000000010000000-0x00000000100A0000-memory.dmp

memory/2296-85-0x0000000003430000-0x00000000035B9000-memory.dmp