gh0strat | a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
13-06-2024 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
Size

5.1MB
MD5

2e956653703d1fa9a23d6c9d23d53ee3
SHA1

31248acc7821c939e66d30de27ad28ef9c1b4e76
SHA256

a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266
SHA512

21ad4f6919b5b4adeb90210b453c6ee1ac4707b71c4500e4525178dddf6ef483ff6e7cc8771015f7d5292099873cc588dccd27b2b9b41f0282b80f73bf7ddef1
SSDEEP

98304:EvWCf5WKLknWxK9J8zfq+qM3p+Okci3wVS3obHzdl3Okt4:UWCf344zC+xp+vcDRbHhl+kt4

Score

10^/10

gh0strat rat upx

Malware Config

Signatures

Gh0st RAT payload 8 IoCs

resource	yara_rule
behavioral1/memory/896-148-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral1/memory/768-186-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral1/memory/768-187-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral1/memory/536-150-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral1/memory/536-149-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral1/memory/896-147-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral1/memory/896-143-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral1/memory/896-142-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

UPX dump on OEP (original entry point) 10 IoCs

resource	yara_rule
behavioral1/memory/896-148-0x0000000010000000-0x000000001018F000-memory.dmp	UPX
behavioral1/memory/768-186-0x0000000010000000-0x000000001018F000-memory.dmp	UPX
behavioral1/memory/768-187-0x0000000010000000-0x000000001018F000-memory.dmp	UPX
behavioral1/memory/536-152-0x0000000000400000-0x000000000044D000-memory.dmp	UPX
behavioral1/memory/536-150-0x0000000010000000-0x000000001018F000-memory.dmp	UPX
behavioral1/memory/536-149-0x0000000010000000-0x000000001018F000-memory.dmp	UPX
behavioral1/memory/896-147-0x0000000010000000-0x000000001018F000-memory.dmp	UPX
behavioral1/memory/896-143-0x0000000010000000-0x000000001018F000-memory.dmp	UPX
behavioral1/memory/896-142-0x0000000010000000-0x000000001018F000-memory.dmp	UPX
behavioral1/memory/896-138-0x0000000010000000-0x000000001018F000-memory.dmp	UPX

Executes dropped EXE 64 IoCs

pid	Process
1172	ttttt.exe
2932	winos.exe
1992	Client.exe
2612	Client.exe
2808	EP.exe
2924	Client.exe
1524	Client.exe
1536	Client.exe
2248	Client.exe
2092	Client.exe
2096	EP.exe
2412	Client.exe
1812	Client.exe
536	EP.exe
896	EP.exe
1264	Client.exe
1144	EP.exe
1496	Client.exe
1124	Client.exe
640	Client.exe
1136	Client.exe
904	Client.exe
1668	EP.exe
768	EP.exe
2288	Client.exe
3068	Client.exe
1772	Client.exe
2356	Client.exe
2220	EP.exe
2240	EP.exe
1452	Client.exe
2368	Client.exe
2772	Client.exe
2736	Client.exe
2764	EP.exe
2672	EP.exe
2564	Client.exe
2588	Client.exe
2544	Client.exe
2944	EP.exe
2552	EP.exe
1828	Client.exe
2780	Client.exe
2964	Client.exe
3064	Client.exe
2640	Client.exe
2304	EP.exe
1644	EP.exe
2116	Client.exe
2496	Client.exe
1464	Client.exe
2920	EP.exe
1392	EP.exe
2088	Client.exe
1264	EP.exe
2824	Client.exe
1720	Client.exe
1520	Client.exe
1772	EP.exe
572	Client.exe
1164	EP.exe
2820	Client.exe
2680	Client.exe
2836	Client.exe

Loads dropped DLL 64 IoCs

pid	Process
1700	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
1700	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
1172	ttttt.exe
1172	ttttt.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
1700	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2808	EP.exe
2808	EP.exe
2808	EP.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2096	EP.exe
2096	EP.exe
2096	EP.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
1144	EP.exe
1144	EP.exe
1144	EP.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
1668	EP.exe
1668	EP.exe
1668	EP.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2220	EP.exe
2220	EP.exe
2220	EP.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2764	EP.exe
2764	EP.exe
2764	EP.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2944	EP.exe
2944	EP.exe
2944	EP.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2304	EP.exe
2304	EP.exe
2304	EP.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2920	EP.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/896-148-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral1/memory/768-186-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral1/memory/768-187-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral1/memory/536-150-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral1/memory/536-149-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral1/memory/896-147-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral1/memory/896-143-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral1/memory/896-142-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral1/memory/896-138-0x0000000010000000-0x000000001018F000-memory.dmp	upx

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	EP.exe
File opened (read-only)	\??\O:	EP.exe
File opened (read-only)	\??\X:	EP.exe
File opened (read-only)	\??\G:	EP.exe
File opened (read-only)	\??\H:	EP.exe
File opened (read-only)	\??\L:	EP.exe
File opened (read-only)	\??\M:	EP.exe
File opened (read-only)	\??\B:	EP.exe
File opened (read-only)	\??\V:	EP.exe
File opened (read-only)	\??\W:	EP.exe
File opened (read-only)	\??\S:	EP.exe
File opened (read-only)	\??\U:	EP.exe
File opened (read-only)	\??\Y:	EP.exe
File opened (read-only)	\??\I:	EP.exe
File opened (read-only)	\??\K:	EP.exe
File opened (read-only)	\??\Q:	EP.exe
File opened (read-only)	\??\R:	EP.exe
File opened (read-only)	\??\Z:	EP.exe
File opened (read-only)	\??\E:	EP.exe
File opened (read-only)	\??\J:	EP.exe
File opened (read-only)	\??\P:	EP.exe
File opened (read-only)	\??\T:	EP.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ying-UnInstall.exe	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File opened for modification	C:\Windows\SysWOW64\Ying-UnInstall.exe	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File created	C:\Windows\SysWOW64\YingInstall\409.ini	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe

Suspicious use of SetThreadContext 15 IoCs

description	pid	Process	procid_target
PID 2808 set thread context of 536	2808	EP.exe	43
PID 2096 set thread context of 896	2096	EP.exe	44
PID 1144 set thread context of 768	1144	EP.exe	53
PID 1668 set thread context of 2240	1668	EP.exe	59
PID 2220 set thread context of 2672	2220	EP.exe	65
PID 2764 set thread context of 2552	2764	EP.exe	69
PID 2944 set thread context of 1644	2944	EP.exe	77
PID 2304 set thread context of 1392	2304	EP.exe	81
PID 2920 set thread context of 1264	2920	EP.exe	84
PID 1772 set thread context of 1164	1772	EP.exe	90
PID 2212 set thread context of 2840	2212	EP.exe	96
PID 844 set thread context of 2900	844	EP.exe	102
PID 2788 set thread context of 484	2788	EP.exe	108
PID 2468 set thread context of 1084	2468	EP.exe	114
PID 2352 set thread context of 2976	2352	EP.exe	120

Drops file in Program Files directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\²âÊÔ\1.txt	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File opened for modification	C:\Program Files\²âÊÔ\12345678.exe	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File opened for modification	C:\Program Files\²âÊÔ\DTLUI.dll	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File created	C:\Program Files\²âÊÔ\path.ini	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File opened for modification	C:\Program Files\²âÊÔ\winos.exe	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File opened for modification	C:\Program Files\²âÊÔ\log\UpdateNotice.log	winos.exe
File created	C:\Program Files\²âÊÔ\12345678.exe	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File created	C:\Program Files\²âÊÔ\winos.exe	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File created	C:\Program Files\²âÊÔ\name.ini	ttttt.exe
File opened for modification	C:\Program Files\²âÊÔ\msvcp71.dll	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File created	C:\Program Files\²âÊÔ\ttttt.exe	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File opened for modification	C:\Program Files\²âÊÔ\ttttt.exe	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File created	C:\Program Files\²âÊÔ\vcl70.bpl	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File created	C:\Program Files\²âÊÔ\XPFarmer.bpl	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File opened for modification	C:\Program Files\²âÊÔ\XPFarmer.bpl	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File opened for modification	C:\Program Files\²âÊÔ\Ë°.txt	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File created	C:\Program Files\²âÊÔ\msvcp71.dll	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File opened for modification	C:\Program Files\²âÊÔ\path.ini	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File created	C:\Program Files\²âÊÔ\rtl70.bpl	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File created	C:\Program Files\²âÊÔ\Ë°.txt	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File opened for modification	C:\Program Files\²âÊÔ\msvcr71.dll	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File created	C:\Program Files\²âÊÔ\1.txt	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File created	C:\Program Files\²âÊÔ\DTLUI.dll	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File opened for modification	C:\Program Files\²âÊÔ\name.ini	ttttt.exe
File created	C:\Program Files\²âÊÔ\EP.exe	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File opened for modification	C:\Program Files\²âÊÔ\EP.exe	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File created	C:\Program Files\²âÊÔ\msvcr71.dll	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File opened for modification	C:\Program Files\²âÊÔ\rtl70.bpl	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File opened for modification	C:\Program Files\²âÊÔ\vcl70.bpl	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2608	1172	WerFault.exe	28

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	EP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EP.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
2932	winos.exe
896	EP.exe
896	EP.exe
896	EP.exe
896	EP.exe
896	EP.exe
896	EP.exe
896	EP.exe
896	EP.exe
896	EP.exe
896	EP.exe
896	EP.exe
896	EP.exe
896	EP.exe
896	EP.exe
896	EP.exe
896	EP.exe
896	EP.exe
896	EP.exe
896	EP.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	896	EP.exe
Token: SeDebugPrivilege	536	EP.exe
Token: SeDebugPrivilege	768	EP.exe
Token: SeDebugPrivilege	2240	EP.exe
Token: SeDebugPrivilege	2672	EP.exe
Token: SeDebugPrivilege	2552	EP.exe
Token: SeDebugPrivilege	1644	EP.exe
Token: SeDebugPrivilege	1392	EP.exe
Token: SeDebugPrivilege	1264	EP.exe
Token: SeDebugPrivilege	1164	EP.exe
Token: SeDebugPrivilege	2840	EP.exe
Token: SeDebugPrivilege	2900	EP.exe
Token: SeDebugPrivilege	484	EP.exe
Token: SeDebugPrivilege	1084	EP.exe
Token: SeDebugPrivilege	2976	EP.exe
Token: 33	896	EP.exe
Token: SeIncBasePriorityPrivilege	896	EP.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1700	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1700	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
1700	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
1700	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
1700	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 1172	1700	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe	28
PID 1700 wrote to memory of 1172	1700	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe	28
PID 1700 wrote to memory of 1172	1700	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe	28
PID 1700 wrote to memory of 1172	1700	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe	28
PID 1172 wrote to memory of 2608	1172	ttttt.exe	29
PID 1172 wrote to memory of 2608	1172	ttttt.exe	29
PID 1172 wrote to memory of 2608	1172	ttttt.exe	29
PID 1172 wrote to memory of 2608	1172	ttttt.exe	29
PID 1700 wrote to memory of 1476	1700	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe	30
PID 1700 wrote to memory of 1476	1700	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe	30
PID 1700 wrote to memory of 1476	1700	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe	30
PID 1700 wrote to memory of 1476	1700	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe	30
PID 1700 wrote to memory of 2932	1700	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe	31
PID 1700 wrote to memory of 2932	1700	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe	31
PID 1700 wrote to memory of 2932	1700	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe	31
PID 1700 wrote to memory of 2932	1700	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe	31
PID 1700 wrote to memory of 2932	1700	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe	31
PID 1700 wrote to memory of 2932	1700	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe	31
PID 1700 wrote to memory of 2932	1700	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe	31
PID 2932 wrote to memory of 1992	2932	winos.exe	32
PID 2932 wrote to memory of 1992	2932	winos.exe	32
PID 2932 wrote to memory of 1992	2932	winos.exe	32
PID 2932 wrote to memory of 1992	2932	winos.exe	32
PID 2932 wrote to memory of 2808	2932	winos.exe	34
PID 2932 wrote to memory of 2808	2932	winos.exe	34
PID 2932 wrote to memory of 2808	2932	winos.exe	34
PID 2932 wrote to memory of 2808	2932	winos.exe	34
PID 2932 wrote to memory of 2924	2932	winos.exe	35
PID 2932 wrote to memory of 2924	2932	winos.exe	35
PID 2932 wrote to memory of 2924	2932	winos.exe	35
PID 2932 wrote to memory of 2924	2932	winos.exe	35
PID 2932 wrote to memory of 1536	2932	winos.exe	37
PID 2932 wrote to memory of 1536	2932	winos.exe	37
PID 2932 wrote to memory of 1536	2932	winos.exe	37
PID 2932 wrote to memory of 1536	2932	winos.exe	37
PID 2932 wrote to memory of 2096	2932	winos.exe	39
PID 2932 wrote to memory of 2096	2932	winos.exe	39
PID 2932 wrote to memory of 2096	2932	winos.exe	39
PID 2932 wrote to memory of 2096	2932	winos.exe	39
PID 2932 wrote to memory of 2092	2932	winos.exe	40
PID 2932 wrote to memory of 2092	2932	winos.exe	40
PID 2932 wrote to memory of 2092	2932	winos.exe	40
PID 2932 wrote to memory of 2092	2932	winos.exe	40
PID 2932 wrote to memory of 1812	2932	winos.exe	42
PID 2932 wrote to memory of 1812	2932	winos.exe	42
PID 2932 wrote to memory of 1812	2932	winos.exe	42
PID 2932 wrote to memory of 1812	2932	winos.exe	42
PID 2808 wrote to memory of 536	2808	EP.exe	43
PID 2808 wrote to memory of 536	2808	EP.exe	43
PID 2808 wrote to memory of 536	2808	EP.exe	43
PID 2808 wrote to memory of 536	2808	EP.exe	43
PID 2808 wrote to memory of 536	2808	EP.exe	43
PID 2808 wrote to memory of 536	2808	EP.exe	43
PID 2096 wrote to memory of 896	2096	EP.exe	44
PID 2096 wrote to memory of 896	2096	EP.exe	44
PID 2096 wrote to memory of 896	2096	EP.exe	44
PID 2096 wrote to memory of 896	2096	EP.exe	44
PID 2096 wrote to memory of 896	2096	EP.exe	44
PID 2096 wrote to memory of 896	2096	EP.exe	44
PID 2932 wrote to memory of 1144	2932	winos.exe	46
PID 2932 wrote to memory of 1144	2932	winos.exe	46
PID 2932 wrote to memory of 1144	2932	winos.exe	46
PID 2932 wrote to memory of 1144	2932	winos.exe	46
PID 2932 wrote to memory of 1496	2932	winos.exe	47

C:\Users\Admin\AppData\Local\Temp\a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
"C:\Users\Admin\AppData\Local\Temp\a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Program Files\²âÊÔ\ttttt.exe
  "C:\Program Files\²âÊÔ\ttttt.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 232
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2608
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\²âÊÔ\Ë°.txt
  2⤵
  PID:1476
- C:\Program Files\²âÊÔ\winos.exe
  "C:\Program Files\²âÊÔ\winos.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:1992
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:536
- - C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:2924
- - C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:1536
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:896
- - C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:2092
- - C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:1812
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:1144
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:768
- - C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:1496
- - C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:640
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:1668
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2240
- - C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:904
- - C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:3068
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:2220
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2672
- - C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:2356
- - C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:2368
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:2764
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2552
- - C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:2736
- - C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:2588
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:2944
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1644
- - C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:1828
- - C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:2964
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:2304
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1392
- - C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:2640
- - C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:2496
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:2920
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1264
- - C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:2088
- - C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:1720
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1772
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1164
- - C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:572
- - C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:2680
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Suspicious use of SetThreadContext
    PID:2212
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2840
- - C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    PID:2812
- - C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    PID:1664
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Suspicious use of SetThreadContext
    PID:844
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2900
- - C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    PID:1564
- - C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    PID:600
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Suspicious use of SetThreadContext
    PID:2788
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:484
- - C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    PID:760
- - C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    PID:2400
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Suspicious use of SetThreadContext
    PID:2468
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1084
- - C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    PID:2896
- - C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    PID:2460
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Suspicious use of SetThreadContext
    PID:2352
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2976
- - C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    PID:2576

C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" "Íaw"
1⤵
- Executes dropped EXE
PID:2612

C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" "\"
1⤵
- Executes dropped EXE
PID:1524

C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" "\t "
1⤵
- Executes dropped EXE
PID:2248

C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" "Ú˜bv\ßw#"
1⤵
- Executes dropped EXE
PID:2412

C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" ""
1⤵
- Executes dropped EXE
PID:1264

C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" "Ú˜bvDßw#"
1⤵
- Executes dropped EXE
PID:1124

C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" "Ú˜bvDßw#"
1⤵
- Executes dropped EXE
PID:1136

C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" "Ú˜bvDßw#"
1⤵
- Executes dropped EXE
PID:2288

C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" ",x "
1⤵
- Executes dropped EXE
PID:1772

C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" "Ú˜bv\ßw#"
1⤵
- Executes dropped EXE
PID:1452

C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" ""
1⤵
- Executes dropped EXE
PID:2772

C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" "Ú˜bvDßw#"
1⤵
- Executes dropped EXE
PID:2564

C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" "Ú˜bvDßw#"
1⤵
- Executes dropped EXE
PID:2544

C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" "Ú˜bvDßw#"
1⤵
- Executes dropped EXE
PID:2780

C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" ""
1⤵
- Executes dropped EXE
PID:3064

C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" "Ú˜bvTßw#"
1⤵
- Executes dropped EXE
PID:2116

C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" "tè"
1⤵
- Executes dropped EXE
PID:1464

C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" "Ú˜bv¬ßw#"
1⤵
- Executes dropped EXE
PID:2824

C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" "Ú˜bv¬ßw#"
1⤵
- Executes dropped EXE
PID:1520

C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" "Ú˜bv¬ßw#"
1⤵
- Executes dropped EXE
PID:2820

C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" "œ’¢"
1⤵
- Executes dropped EXE
PID:2836

C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" "Ú˜bv´ßw#"
1⤵
PID:2996

C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" " õQ"
1⤵
PID:912

C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" "Ú˜bv´ßw#"
1⤵
PID:376

C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" "\‘¢"
1⤵
PID:2164

C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" "Ú˜bvœßw#"
1⤵
PID:2444

C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" ""
1⤵
PID:2332

C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" "Ú˜bv´ßw#"
1⤵
PID:2772

C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" "Ú˜bv´ßw#"
1⤵
PID:2700

C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\1BQ9LyMM\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" "Ú˜bv´ßw#"
1⤵
PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\²âÊÔ\1.txt

Filesize
897KB

MD5
8fc1359886925ed139a86cff4c41ab5c

SHA1
d0ec508e063cd424294a387e36e7b29125cbc3bd

SHA256
37baa8b4c908b98bcf12fb44fdaef688096f2e645ee5ef81c4f50ac8e0f0b264

SHA512
ae9f7ab2f3e3aa09701e1e5aece466682dd588d31973b0fbc7b73672bdfe80afa378e92cd7eb709583f96fb8998d1638008e33df6db7537bb34488f95f4642ba

Download Submit
C:\Program Files\²âÊÔ\12345678.exe

Filesize
302KB

MD5
570fb4a8e2736f584ecb71fce7b66a0d

SHA1
1e41a32a754a0dc02e33f79693358f88240d3993

SHA256
f8b93502b5d4a2d8180acd6bdf0a855146df0eeec437dfa3b5ee35059d8791a3

SHA512
678180dc0c63abf26abcd1ea4fbd9babbefb34ed74032ec67a667ce0597186ae11669d7b3961d1dfece881163f8bf6ed7877c31e823b2e422e66538cab9529a3

Download Submit
C:\Program Files\²âÊÔ\DTLUI.dll

Filesize
2.4MB

MD5
42d8e9a3d01b2150856bd4025a546748

SHA1
96284f7b91db099f954966622273d2a8228de805

SHA256
0989c2b74aab08c0e8ec997e5535c39ef1eab45ec829da7c1421624cd1f0f2dd

SHA512
db6bc1d7cc87ce26bba8c3ca2c4cd976b592bb579a80df52e902389d5c3da693a10c616ee2fd21fdebb7d93d231b36bf1850a19c17134b68c878fa638adc4327

Download Submit
C:\Program Files\²âÊÔ\EP.exe

Filesize
1.1MB

MD5
4ddce14e5c6c09bbe5154167a74d271e

SHA1
3985cd3c8b49fcaa9c9dd244ef53d9e86889a3ad

SHA256
37865f209c91b291282c51515a868e6993070d3d7594cf931b42f5a6a8f09a3a

SHA512
f49cf8709fbc1a507416cc61c0678cf153d8fab38527d8e9eece7619196e4c194be437e57de635bea511cdcde7bc62469380f97005b7202c625ae6ceb70b610b

Download Submit
C:\Program Files\²âÊÔ\MSVCP71.dll

Filesize
2.4MB

MD5
b88acff9179dca5fe1a50bd2d6062370

SHA1
8553c2eb5edd71a11a442cc542247a668dee39dc

SHA256
62c333e609dc0311065404a7af460cb927051865cab8a3ad5e7ff576a596f59b

SHA512
39500c806189faa7bb5eb9ad8de32e93f121942e6681d1a6f980937e96a2694a72bc712de05a634bdec47ae533b0bd3f3190de12f25c62426c1ffe08706377b8

Download Submit
C:\Program Files\²âÊÔ\MSVCR71.dll

Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
C:\Program Files\²âÊÔ\name.ini

Filesize
46B

MD5
1f88eb36df47acc027661d30453cdb20

SHA1
9c5a1b7c1617274e6ebcc8542ddcdbbf62e0bb08

SHA256
8569e322a29334f0461f4a975a48d1e5461a6e08081d027d9adf9a15772d2c8c

SHA512
9c5e59418cd0d9bffd50289d6c9df6e246fd035aa63151382cb694d599e53f8014de8602b3cbe7243ca3cf4096423f85420bedaa417e4254fe8ae2384fe1ca04

Download Submit
C:\Program Files\²âÊÔ\path.ini

Filesize
92B

MD5
14f5819ee91324e11979be356f297744

SHA1
daa54231b13ad12a97cbfe687b4cccf6c762b66e

SHA256
b133165dd89e2102b868937a226bc67f2840b1068f2025b4237997210cd426af

SHA512
924aff3cdf20a995da07a501e17c2641c47e75c10dac5dd5be63f21d9ea1ae49227e460e95bbbd6c73b7a9dbbc2c4aa6ca4736916440f088cb344b0a02fe072b

Download Submit
C:\Users\Admin\AppData\Local\Temp\20240613015128444~YingInstall-TopFramePicture.bmp

Filesize
563KB

MD5
a528a1efb19f5bee2fa74cd8650dab24

SHA1
51b72c994283ec899a32732bc60655d3039138a8

SHA256
d9295a5e215cf9f1c2dd5b9aa5deb1ee46619202b5814296ca73777506846608

SHA512
bcf8db6c25868a5d48ef887046143ed504690084673ff71c886dc17de8f65482e773b3a5867cab89e310ac03f1a37f3661d1117230fbcb7d85071fcf2b34c15a

Download Submit
\Program Files\²âÊÔ\XPFarmer.bpl

Filesize
1.5MB

MD5
56e4471fd4eb35e5eda4537bdf5b9b17

SHA1
8437cbb230195463d7e543d45908927022f95f21

SHA256
b8d383284ee56e69af969aeb332a3efc5a1318552925962ec9bbcd85fa6deaec

SHA512
77979fc6b9d2ffd225efcf202d7dc61132dd1efc755069ce0121b59d4ac58102e8cf932add16721589f4085ce1408513ed1ff0df4fa508bc98a17621be5cb44d

Download Submit
\Program Files\²âÊÔ\rtl70.bpl

Filesize
640KB

MD5
ea8738b2908a2dd7d15df834d6008d26

SHA1
1ccfdb3f2647bbfa4fb638bc17ae01092b287bf1

SHA256
b8c41a8e2824c21b4e3eaa901e1af8c772ab0e68d1bf07580da62969792af5a2

SHA512
4091c1f21d08e5d37694ce9b395f38b6f07c9f2dd466a268ee4feae42743ac02c420abd631977f75f41b9d461234e690283979934a66f9e52bccd61dfc3b3981

Download Submit
\Program Files\²âÊÔ\ttttt.exe

Filesize
262KB

MD5
9f1d3dfac55080c712c0281fb2eeeb47

SHA1
9109f9457f811d8d0e887469ffc9c2af793e8090

SHA256
a5622e2bf46cc2ec90c4dca70372f051bfb5bf55da3788b5dfca9429529d285b

SHA512
7e2df7f2aff2d95ca1dbe0dfb7c8c9388c7e8c023c8b9af9b6997140cefcca63fe5980a438b70da03ab6672c94033fb4e50d407c54530b5ce0b9169c39c50879

Download Submit
\Program Files\²âÊÔ\vcl70.bpl

Filesize
1.3MB

MD5
16a1c27ed415d1816f8888ea2cefb3f6

SHA1
80db800b805d548f6df4eb2cb37ba2064dc37c05

SHA256
a7a26cbf6968063c51d4d70f4599f295e4a88e352f19bdd475f3416e6411c390

SHA512
68a3e563dd9745210eb7295cde692af68cd5fc430a95856f4823dc10e42d067f332ae1d2445e8810e0c15c3c779e195735bd311c45e9690cb05dbedcd7354306

Download Submit
\Program Files\²âÊÔ\winos.exe

Filesize
216KB

MD5
5ac2deb3ceb9e32fe681483373c2d4c7

SHA1
ed4e9af7c4f3e462e41f542c1ef7d0c3c0613769

SHA256
a937d9295271cc131a2e019dd41ce4ead3bca2d5115fb7d7482508297971b17e

SHA512
43d4ce96a3c5b5f3e234df70e365e05cdf416f57e262ae70ea1b04450eb397f38ed8db45a8d5df630e759c8e4a3642ad26c9d897d312085c5fcf8703e20162b7

Download Submit
memory/536-149-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/536-122-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/536-152-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/536-150-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/536-121-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/536-127-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/536-124-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/768-187-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/768-186-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/896-148-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/896-147-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/896-143-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/896-142-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/896-138-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/1144-166-0x0000000000770000-0x00000000008EB000-memory.dmp

Filesize
1.5MB

Download
memory/1144-180-0x0000000000770000-0x00000000008EB000-memory.dmp

Filesize
1.5MB

Download
memory/1144-179-0x00000000400C0000-0x0000000040218000-memory.dmp

Filesize
1.3MB

Download
memory/1144-178-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/1172-76-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1668-173-0x0000000000760000-0x00000000008DB000-memory.dmp

Filesize
1.5MB

Download
memory/1668-195-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/1668-196-0x00000000400C0000-0x0000000040218000-memory.dmp

Filesize
1.3MB

Download
memory/1668-197-0x0000000000760000-0x00000000008DB000-memory.dmp

Filesize
1.5MB

Download
memory/1700-56-0x0000000003E20000-0x0000000003E76000-memory.dmp

Filesize
344KB

Download
memory/1700-75-0x0000000003E20000-0x0000000003E76000-memory.dmp

Filesize
344KB

Download
memory/2096-116-0x00000000006F0000-0x000000000086B000-memory.dmp

Filesize
1.5MB

Download
memory/2096-137-0x00000000400C0000-0x0000000040218000-memory.dmp

Filesize
1.3MB

Download
memory/2096-136-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/2096-145-0x00000000006F0000-0x000000000086B000-memory.dmp

Filesize
1.5MB

Download
memory/2808-128-0x00000000400C0000-0x0000000040218000-memory.dmp

Filesize
1.3MB

Download
memory/2808-104-0x00000000007A0000-0x000000000091B000-memory.dmp

Filesize
1.5MB

Download
memory/2808-126-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/2808-129-0x00000000007A0000-0x000000000091B000-memory.dmp

Filesize
1.5MB

Download