gh0strat | a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
Size

5.1MB
MD5

2e956653703d1fa9a23d6c9d23d53ee3
SHA1

31248acc7821c939e66d30de27ad28ef9c1b4e76
SHA256

a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266
SHA512

21ad4f6919b5b4adeb90210b453c6ee1ac4707b71c4500e4525178dddf6ef483ff6e7cc8771015f7d5292099873cc588dccd27b2b9b41f0282b80f73bf7ddef1
SSDEEP

98304:EvWCf5WKLknWxK9J8zfq+qM3p+Okci3wVS3obHzdl3Okt4:UWCf344zC+xp+vcDRbHhl+kt4

Score

10^/10

gh0strat rat upx

Malware Config

Signatures

Gh0st RAT payload 10 IoCs

resource	yara_rule
behavioral2/memory/1644-106-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral2/memory/1644-105-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral2/memory/1644-110-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral2/memory/1644-111-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral2/memory/3312-139-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral2/memory/3312-140-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral2/memory/964-164-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral2/memory/964-163-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral2/memory/116-186-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral2/memory/116-185-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

UPX dump on OEP (original entry point) 12 IoCs

resource	yara_rule
behavioral2/memory/1644-106-0x0000000010000000-0x000000001018F000-memory.dmp	UPX
behavioral2/memory/1644-105-0x0000000010000000-0x000000001018F000-memory.dmp	UPX
behavioral2/memory/1644-103-0x0000000010000000-0x000000001018F000-memory.dmp	UPX
behavioral2/memory/1644-110-0x0000000010000000-0x000000001018F000-memory.dmp	UPX
behavioral2/memory/1644-111-0x0000000010000000-0x000000001018F000-memory.dmp	UPX
behavioral2/memory/3312-139-0x0000000010000000-0x000000001018F000-memory.dmp	UPX
behavioral2/memory/3312-140-0x0000000010000000-0x000000001018F000-memory.dmp	UPX
behavioral2/memory/3312-142-0x0000000000400000-0x000000000044D000-memory.dmp	UPX
behavioral2/memory/964-164-0x0000000010000000-0x000000001018F000-memory.dmp	UPX
behavioral2/memory/964-163-0x0000000010000000-0x000000001018F000-memory.dmp	UPX
behavioral2/memory/116-186-0x0000000010000000-0x000000001018F000-memory.dmp	UPX
behavioral2/memory/116-185-0x0000000010000000-0x000000001018F000-memory.dmp	UPX

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	winos.exe

Executes dropped EXE 64 IoCs

pid	Process
3588	ttttt.exe
2100	winos.exe
3824	Client.exe
2684	Client.exe
3584	EP.exe
4348	Client.exe
1644	EP.exe
2256	Client.exe
3912	Client.exe
2548	Client.exe
4244	EP.exe
3504	Client.exe
3312	EP.exe
384	Client.exe
1572	Client.exe
3528	Client.exe
4020	EP.exe
1556	Client.exe
964	EP.exe
1032	Client.exe
3680	Client.exe
620	Client.exe
2248	EP.exe
1712	Client.exe
116	EP.exe
2972	Client.exe
4596	Client.exe
460	Client.exe
1004	EP.exe
2508	Client.exe
1328	EP.exe
3884	Client.exe
4748	Client.exe
2444	Client.exe
4424	EP.exe
3808	Client.exe
3020	EP.exe
4784	Client.exe
2784	Client.exe
2220	Client.exe
5092	EP.exe
4316	Client.exe
5064	EP.exe
2640	Client.exe
408	Client.exe
4844	Client.exe
4420	EP.exe
4476	Client.exe
4244	EP.exe
4224	Client.exe
2616	Client.exe
2432	Client.exe
1100	EP.exe
336	Client.exe
4020	EP.exe
2564	Client.exe
1364	Client.exe
1068	Client.exe
4556	EP.exe
3460	Client.exe
2460	EP.exe
2940	Client.exe
1004	Client.exe
1540	Client.exe

Loads dropped DLL 64 IoCs

pid	Process
3588	ttttt.exe
3588	ttttt.exe
2100	winos.exe
3584	EP.exe
3584	EP.exe
3584	EP.exe
3584	EP.exe
3584	EP.exe
3584	EP.exe
3584	EP.exe
3584	EP.exe
3584	EP.exe
3584	EP.exe
3584	EP.exe
3584	EP.exe
3584	EP.exe
4244	EP.exe
4244	EP.exe
4244	EP.exe
4244	EP.exe
4020	EP.exe
4020	EP.exe
4020	EP.exe
4020	EP.exe
2248	EP.exe
2248	EP.exe
2248	EP.exe
2248	EP.exe
1004	EP.exe
1004	EP.exe
1004	EP.exe
1004	EP.exe
4424	EP.exe
4424	EP.exe
4424	EP.exe
4424	EP.exe
5092	EP.exe
5092	EP.exe
5092	EP.exe
5092	EP.exe
4420	EP.exe
4420	EP.exe
4420	EP.exe
4420	EP.exe
1100	EP.exe
1100	EP.exe
1100	EP.exe
1100	EP.exe
4556	EP.exe
4556	EP.exe
4556	EP.exe
4556	EP.exe
3144	EP.exe
3144	EP.exe
3144	EP.exe
3144	EP.exe
3020	EP.exe
3020	EP.exe
3020	EP.exe
3020	EP.exe
3020	EP.exe
3836	EP.exe
3836	EP.exe
3836	EP.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1644-106-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral2/memory/1644-105-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral2/memory/1644-103-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral2/memory/1644-110-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral2/memory/1644-111-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral2/memory/3312-139-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral2/memory/3312-140-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral2/memory/964-164-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral2/memory/964-163-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral2/memory/116-186-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral2/memory/116-185-0x0000000010000000-0x000000001018F000-memory.dmp	upx

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	EP.exe
File opened (read-only)	\??\J:	EP.exe
File opened (read-only)	\??\U:	EP.exe
File opened (read-only)	\??\Z:	EP.exe
File opened (read-only)	\??\O:	EP.exe
File opened (read-only)	\??\Q:	EP.exe
File opened (read-only)	\??\R:	EP.exe
File opened (read-only)	\??\E:	EP.exe
File opened (read-only)	\??\H:	EP.exe
File opened (read-only)	\??\I:	EP.exe
File opened (read-only)	\??\L:	EP.exe
File opened (read-only)	\??\M:	EP.exe
File opened (read-only)	\??\V:	EP.exe
File opened (read-only)	\??\X:	EP.exe
File opened (read-only)	\??\K:	EP.exe
File opened (read-only)	\??\P:	EP.exe
File opened (read-only)	\??\T:	EP.exe
File opened (read-only)	\??\G:	EP.exe
File opened (read-only)	\??\N:	EP.exe
File opened (read-only)	\??\S:	EP.exe
File opened (read-only)	\??\W:	EP.exe
File opened (read-only)	\??\Y:	EP.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ying-UnInstall.exe	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File opened for modification	C:\Windows\SysWOW64\Ying-UnInstall.exe	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File created	C:\Windows\SysWOW64\YingInstall\409.ini	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe

Suspicious use of SetThreadContext 15 IoCs

description	pid	Process	procid_target
PID 3584 set thread context of 1644	3584	EP.exe	96
PID 4244 set thread context of 3312	4244	EP.exe	102
PID 4020 set thread context of 964	4020	EP.exe	108
PID 2248 set thread context of 116	2248	EP.exe	114
PID 1004 set thread context of 1328	1004	EP.exe	120
PID 4424 set thread context of 3020	4424	EP.exe	126
PID 5092 set thread context of 5064	5092	EP.exe	132
PID 4420 set thread context of 4244	4420	EP.exe	138
PID 1100 set thread context of 4020	1100	EP.exe	144
PID 4556 set thread context of 2460	4556	EP.exe	150
PID 3144 set thread context of 4364	3144	EP.exe	156
PID 3020 set thread context of 4560	3020	EP.exe	162
PID 3836 set thread context of 4268	3836	EP.exe	168
PID 3760 set thread context of 904	3760	EP.exe	174
PID 2940 set thread context of 5032	2940	EP.exe	180

Drops file in Program Files directory 29 IoCs

description	ioc	Process
File created	C:\Program Files\²âÊÔ\EP.exe	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File opened for modification	C:\Program Files\²âÊÔ\msvcr71.dll	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File created	C:\Program Files\²âÊÔ\XPFarmer.bpl	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File opened for modification	C:\Program Files\²âÊÔ\DTLUI.dll	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File opened for modification	C:\Program Files\²âÊÔ\name.ini	ttttt.exe
File created	C:\Program Files\²âÊÔ\ttttt.exe	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File created	C:\Program Files\²âÊÔ\DTLUI.dll	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File opened for modification	C:\Program Files\²âÊÔ\EP.exe	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File created	C:\Program Files\²âÊÔ\winos.exe	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File created	C:\Program Files\²âÊÔ\12345678.exe	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File created	C:\Program Files\²âÊÔ\msvcr71.dll	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File created	C:\Program Files\²âÊÔ\rtl70.bpl	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File opened for modification	C:\Program Files\²âÊÔ\rtl70.bpl	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File opened for modification	C:\Program Files\²âÊÔ\ttttt.exe	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File opened for modification	C:\Program Files\²âÊÔ\Ë°.txt	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File opened for modification	C:\Program Files\²âÊÔ\log\UpdateNotice.log	winos.exe
File opened for modification	C:\Program Files\²âÊÔ\12345678.exe	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File opened for modification	C:\Program Files\²âÊÔ\winos.exe	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File opened for modification	C:\Program Files\²âÊÔ\XPFarmer.bpl	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File opened for modification	C:\Program Files\²âÊÔ\path.ini	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File opened for modification	C:\Program Files\²âÊÔ\1.txt	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File created	C:\Program Files\²âÊÔ\path.ini	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File created	C:\Program Files\²âÊÔ\vcl70.bpl	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File created	C:\Program Files\²âÊÔ\Ë°.txt	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File created	C:\Program Files\²âÊÔ\1.txt	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File created	C:\Program Files\²âÊÔ\msvcp71.dll	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File opened for modification	C:\Program Files\²âÊÔ\vcl70.bpl	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
File created	C:\Program Files\²âÊÔ\name.ini	ttttt.exe
File opened for modification	C:\Program Files\²âÊÔ\msvcp71.dll	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5032	3588	WerFault.exe	84

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	EP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EP.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2100	winos.exe
2100	winos.exe
2100	winos.exe
2100	winos.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe
1644	EP.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	1644	EP.exe
Token: SeDebugPrivilege	3312	EP.exe
Token: SeDebugPrivilege	964	EP.exe
Token: SeDebugPrivilege	116	EP.exe
Token: SeDebugPrivilege	1328	EP.exe
Token: SeDebugPrivilege	3020	EP.exe
Token: SeDebugPrivilege	5064	EP.exe
Token: SeDebugPrivilege	4244	EP.exe
Token: SeDebugPrivilege	4020	EP.exe
Token: SeDebugPrivilege	2460	EP.exe
Token: SeDebugPrivilege	4364	EP.exe
Token: SeDebugPrivilege	4560	EP.exe
Token: SeDebugPrivilege	4268	EP.exe
Token: SeDebugPrivilege	904	EP.exe
Token: SeDebugPrivilege	5032	EP.exe
Token: 33	1644	EP.exe
Token: SeIncBasePriorityPrivilege	1644	EP.exe
Token: 33	1644	EP.exe
Token: SeIncBasePriorityPrivilege	1644	EP.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4920	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe

Suspicious use of SetWindowsHookEx 34 IoCs

pid	Process
4920	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
4920	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
4920	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
4920	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
2684	Client.exe
2256	Client.exe
2548	Client.exe
384	Client.exe
3528	Client.exe
1032	Client.exe
620	Client.exe
2972	Client.exe
460	Client.exe
3884	Client.exe
2444	Client.exe
4784	Client.exe
2220	Client.exe
2640	Client.exe
4844	Client.exe
4224	Client.exe
2432	Client.exe
2564	Client.exe
1068	Client.exe
2940	Client.exe
1540	Client.exe
712	Client.exe
3668	Client.exe
3612	Client.exe
2548	Client.exe
1164	Client.exe
4516	Client.exe
4768	Client.exe
2024	Client.exe
4364	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 3588	4920	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe	84
PID 4920 wrote to memory of 3588	4920	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe	84
PID 4920 wrote to memory of 3588	4920	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe	84
PID 4920 wrote to memory of 2836	4920	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe	88
PID 4920 wrote to memory of 2836	4920	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe	88
PID 4920 wrote to memory of 2836	4920	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe	88
PID 4920 wrote to memory of 2100	4920	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe	89
PID 4920 wrote to memory of 2100	4920	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe	89
PID 4920 wrote to memory of 2100	4920	a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe	89
PID 2100 wrote to memory of 3824	2100	winos.exe	90
PID 2100 wrote to memory of 3824	2100	winos.exe	90
PID 2100 wrote to memory of 3824	2100	winos.exe	90
PID 2100 wrote to memory of 3584	2100	winos.exe	94
PID 2100 wrote to memory of 3584	2100	winos.exe	94
PID 2100 wrote to memory of 3584	2100	winos.exe	94
PID 2100 wrote to memory of 4348	2100	winos.exe	95
PID 2100 wrote to memory of 4348	2100	winos.exe	95
PID 2100 wrote to memory of 4348	2100	winos.exe	95
PID 3584 wrote to memory of 1644	3584	EP.exe	96
PID 3584 wrote to memory of 1644	3584	EP.exe	96
PID 3584 wrote to memory of 1644	3584	EP.exe	96
PID 3584 wrote to memory of 1644	3584	EP.exe	96
PID 3584 wrote to memory of 1644	3584	EP.exe	96
PID 2100 wrote to memory of 3912	2100	winos.exe	98
PID 2100 wrote to memory of 3912	2100	winos.exe	98
PID 2100 wrote to memory of 3912	2100	winos.exe	98
PID 2100 wrote to memory of 4244	2100	winos.exe	100
PID 2100 wrote to memory of 4244	2100	winos.exe	100
PID 2100 wrote to memory of 4244	2100	winos.exe	100
PID 2100 wrote to memory of 3504	2100	winos.exe	101
PID 2100 wrote to memory of 3504	2100	winos.exe	101
PID 2100 wrote to memory of 3504	2100	winos.exe	101
PID 4244 wrote to memory of 3312	4244	EP.exe	102
PID 4244 wrote to memory of 3312	4244	EP.exe	102
PID 4244 wrote to memory of 3312	4244	EP.exe	102
PID 4244 wrote to memory of 3312	4244	EP.exe	102
PID 4244 wrote to memory of 3312	4244	EP.exe	102
PID 2100 wrote to memory of 1572	2100	winos.exe	104
PID 2100 wrote to memory of 1572	2100	winos.exe	104
PID 2100 wrote to memory of 1572	2100	winos.exe	104
PID 2100 wrote to memory of 4020	2100	winos.exe	106
PID 2100 wrote to memory of 4020	2100	winos.exe	106
PID 2100 wrote to memory of 4020	2100	winos.exe	106
PID 2100 wrote to memory of 1556	2100	winos.exe	107
PID 2100 wrote to memory of 1556	2100	winos.exe	107
PID 2100 wrote to memory of 1556	2100	winos.exe	107
PID 4020 wrote to memory of 964	4020	EP.exe	108
PID 4020 wrote to memory of 964	4020	EP.exe	108
PID 4020 wrote to memory of 964	4020	EP.exe	108
PID 4020 wrote to memory of 964	4020	EP.exe	108
PID 4020 wrote to memory of 964	4020	EP.exe	108
PID 2100 wrote to memory of 3680	2100	winos.exe	110
PID 2100 wrote to memory of 3680	2100	winos.exe	110
PID 2100 wrote to memory of 3680	2100	winos.exe	110
PID 2100 wrote to memory of 2248	2100	winos.exe	112
PID 2100 wrote to memory of 2248	2100	winos.exe	112
PID 2100 wrote to memory of 2248	2100	winos.exe	112
PID 2100 wrote to memory of 1712	2100	winos.exe	113
PID 2100 wrote to memory of 1712	2100	winos.exe	113
PID 2100 wrote to memory of 1712	2100	winos.exe	113
PID 2248 wrote to memory of 116	2248	EP.exe	114
PID 2248 wrote to memory of 116	2248	EP.exe	114
PID 2248 wrote to memory of 116	2248	EP.exe	114
PID 2248 wrote to memory of 116	2248	EP.exe	114

C:\Users\Admin\AppData\Local\Temp\a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe
"C:\Users\Admin\AppData\Local\Temp\a85624b7bbe2561ef81d85c48bc7b8f25a7b4908fd1de8f9a37626e173600266.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Program Files\²âÊÔ\ttttt.exe
  "C:\Program Files\²âÊÔ\ttttt.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  PID:3588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 596
    3⤵
    - Program crash
    PID:5032
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\²âÊÔ\Ë°.txt
  2⤵
  PID:2836
- C:\Program Files\²âÊÔ\winos.exe
  "C:\Program Files\²âÊÔ\winos.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:3824
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3584
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1644
- - C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:4348
- - C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:3912
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4244
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3312
- - C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:3504
- - C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:1572
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4020
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:964
- - C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:1556
- - C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:3680
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:116
- - C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:1712
- - C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:4596
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:1004
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1328
- - C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:2508
- - C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:4748
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:4424
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3020
- - C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:3808
- - C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:2784
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:5092
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5064
- - C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:4316
- - C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:408
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:4420
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4244
- - C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:4476
- - C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:2616
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:1100
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4020
- - C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:336
- - C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:1364
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:4556
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2460
- - C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:3460
- - C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:1004
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:3144
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4364
- - C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    PID:3588
- - C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    PID:5068
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:3020
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4560
- - C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    PID:1560
- - C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    PID:3040
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:3836
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4268
- - C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    PID:3512
- - C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    PID:628
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Suspicious use of SetThreadContext
    PID:3760
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:904
- - C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    PID:836
- - C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    PID:544
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Suspicious use of SetThreadContext
    PID:2940
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5032
- - C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
    "C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe"
    3⤵
    PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3588 -ip 3588
1⤵
PID:1260

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} -Embedding
1⤵
PID:1168

C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" "[)w@#Ž"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2684

C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" ""
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2256

C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" "ì€’"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2548

C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" ""
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:384

C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" ""
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3528

C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" ""
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1032

C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" ""
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:620

C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" ""
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2972

C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" ""
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:460

C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" "ø/–"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3884

C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" "ø/–"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2444

C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" ""
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4784

C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" ""
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2220

C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" ""
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2640

C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" "\˜"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4844

C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" ""
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4224

C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" "Œ˜"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2432

C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" ""
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2564

C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" "l˜"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1068

C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" ""
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2940

C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" ""
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1540

C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" ""
1⤵
- Suspicious use of SetWindowsHookEx
PID:712

C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" "$òo"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3668

C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" ""
1⤵
- Suspicious use of SetWindowsHookEx
PID:3612

C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" ""
1⤵
- Suspicious use of SetWindowsHookEx
PID:2548

C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" ""
1⤵
- Suspicious use of SetWindowsHookEx
PID:1164

C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" ""
1⤵
- Suspicious use of SetWindowsHookEx
PID:4516

C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" ""
1⤵
- Suspicious use of SetWindowsHookEx
PID:4768

C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" ""
1⤵
- Suspicious use of SetWindowsHookEx
PID:2024

C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe
"C:\Program Files (x86)\7tesY8Fw\WeGameApps\CF£º´©Ô½»ðÏß\´©Ô½»ðÏß\TCLS\Client.exe" ""
1⤵
- Suspicious use of SetWindowsHookEx
PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\²âÊÔ\1.txt

Filesize
897KB

MD5
8fc1359886925ed139a86cff4c41ab5c

SHA1
d0ec508e063cd424294a387e36e7b29125cbc3bd

SHA256
37baa8b4c908b98bcf12fb44fdaef688096f2e645ee5ef81c4f50ac8e0f0b264

SHA512
ae9f7ab2f3e3aa09701e1e5aece466682dd588d31973b0fbc7b73672bdfe80afa378e92cd7eb709583f96fb8998d1638008e33df6db7537bb34488f95f4642ba

Download Submit
C:\Program Files\²âÊÔ\12345678.exe

Filesize
302KB

MD5
570fb4a8e2736f584ecb71fce7b66a0d

SHA1
1e41a32a754a0dc02e33f79693358f88240d3993

SHA256
f8b93502b5d4a2d8180acd6bdf0a855146df0eeec437dfa3b5ee35059d8791a3

SHA512
678180dc0c63abf26abcd1ea4fbd9babbefb34ed74032ec67a667ce0597186ae11669d7b3961d1dfece881163f8bf6ed7877c31e823b2e422e66538cab9529a3

Download Submit
C:\Program Files\²âÊÔ\DTLUI.dll

Filesize
2.4MB

MD5
42d8e9a3d01b2150856bd4025a546748

SHA1
96284f7b91db099f954966622273d2a8228de805

SHA256
0989c2b74aab08c0e8ec997e5535c39ef1eab45ec829da7c1421624cd1f0f2dd

SHA512
db6bc1d7cc87ce26bba8c3ca2c4cd976b592bb579a80df52e902389d5c3da693a10c616ee2fd21fdebb7d93d231b36bf1850a19c17134b68c878fa638adc4327

Download Submit
C:\Program Files\²âÊÔ\EP.exe

Filesize
1.1MB

MD5
4ddce14e5c6c09bbe5154167a74d271e

SHA1
3985cd3c8b49fcaa9c9dd244ef53d9e86889a3ad

SHA256
37865f209c91b291282c51515a868e6993070d3d7594cf931b42f5a6a8f09a3a

SHA512
f49cf8709fbc1a507416cc61c0678cf153d8fab38527d8e9eece7619196e4c194be437e57de635bea511cdcde7bc62469380f97005b7202c625ae6ceb70b610b

Download Submit
C:\Program Files\²âÊÔ\MSVCP71.dll

Filesize
2.4MB

MD5
b88acff9179dca5fe1a50bd2d6062370

SHA1
8553c2eb5edd71a11a442cc542247a668dee39dc

SHA256
62c333e609dc0311065404a7af460cb927051865cab8a3ad5e7ff576a596f59b

SHA512
39500c806189faa7bb5eb9ad8de32e93f121942e6681d1a6f980937e96a2694a72bc712de05a634bdec47ae533b0bd3f3190de12f25c62426c1ffe08706377b8

Download Submit
C:\Program Files\²âÊÔ\MSVCR71.dll

Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
C:\Program Files\²âÊÔ\XPFarmer.bpl

Filesize
1.5MB

MD5
56e4471fd4eb35e5eda4537bdf5b9b17

SHA1
8437cbb230195463d7e543d45908927022f95f21

SHA256
b8d383284ee56e69af969aeb332a3efc5a1318552925962ec9bbcd85fa6deaec

SHA512
77979fc6b9d2ffd225efcf202d7dc61132dd1efc755069ce0121b59d4ac58102e8cf932add16721589f4085ce1408513ed1ff0df4fa508bc98a17621be5cb44d

Download Submit
C:\Program Files\²âÊÔ\name.ini

Filesize
46B

MD5
f1625db3af364efed52b56d8b32d8b08

SHA1
fc96caaed307ad2113fb93964eed10ed7f0349bd

SHA256
1d1cfe2c77125266b3d11899023772b18e6226c09faac7fe338c13d76dbbc215

SHA512
089b27b985d22fb0e41baac7e53336cef26d470dca878c2edb24701dc24f688985e1ec69e05b6b1b4efa4c0faff995caf0b292b401dbd3f8448c2f13fef3e020

Download Submit
C:\Program Files\²âÊÔ\path.ini

Filesize
92B

MD5
14f5819ee91324e11979be356f297744

SHA1
daa54231b13ad12a97cbfe687b4cccf6c762b66e

SHA256
b133165dd89e2102b868937a226bc67f2840b1068f2025b4237997210cd426af

SHA512
924aff3cdf20a995da07a501e17c2641c47e75c10dac5dd5be63f21d9ea1ae49227e460e95bbbd6c73b7a9dbbc2c4aa6ca4736916440f088cb344b0a02fe072b

Download Submit
C:\Program Files\²âÊÔ\rtl70.bpl

Filesize
640KB

MD5
ea8738b2908a2dd7d15df834d6008d26

SHA1
1ccfdb3f2647bbfa4fb638bc17ae01092b287bf1

SHA256
b8c41a8e2824c21b4e3eaa901e1af8c772ab0e68d1bf07580da62969792af5a2

SHA512
4091c1f21d08e5d37694ce9b395f38b6f07c9f2dd466a268ee4feae42743ac02c420abd631977f75f41b9d461234e690283979934a66f9e52bccd61dfc3b3981

Download Submit
C:\Program Files\²âÊÔ\ttttt.exe

Filesize
262KB

MD5
9f1d3dfac55080c712c0281fb2eeeb47

SHA1
9109f9457f811d8d0e887469ffc9c2af793e8090

SHA256
a5622e2bf46cc2ec90c4dca70372f051bfb5bf55da3788b5dfca9429529d285b

SHA512
7e2df7f2aff2d95ca1dbe0dfb7c8c9388c7e8c023c8b9af9b6997140cefcca63fe5980a438b70da03ab6672c94033fb4e50d407c54530b5ce0b9169c39c50879

Download Submit
C:\Program Files\²âÊÔ\vcl70.bpl

Filesize
1.3MB

MD5
16a1c27ed415d1816f8888ea2cefb3f6

SHA1
80db800b805d548f6df4eb2cb37ba2064dc37c05

SHA256
a7a26cbf6968063c51d4d70f4599f295e4a88e352f19bdd475f3416e6411c390

SHA512
68a3e563dd9745210eb7295cde692af68cd5fc430a95856f4823dc10e42d067f332ae1d2445e8810e0c15c3c779e195735bd311c45e9690cb05dbedcd7354306

Download Submit
C:\Program Files\²âÊÔ\winos.exe

Filesize
216KB

MD5
5ac2deb3ceb9e32fe681483373c2d4c7

SHA1
ed4e9af7c4f3e462e41f542c1ef7d0c3c0613769

SHA256
a937d9295271cc131a2e019dd41ce4ead3bca2d5115fb7d7482508297971b17e

SHA512
43d4ce96a3c5b5f3e234df70e365e05cdf416f57e262ae70ea1b04450eb397f38ed8db45a8d5df630e759c8e4a3642ad26c9d897d312085c5fcf8703e20162b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\20240613015130369~YingInstall-TopFramePicture.bmp

Filesize
563KB

MD5
a528a1efb19f5bee2fa74cd8650dab24

SHA1
51b72c994283ec899a32732bc60655d3039138a8

SHA256
d9295a5e215cf9f1c2dd5b9aa5deb1ee46619202b5814296ca73777506846608

SHA512
bcf8db6c25868a5d48ef887046143ed504690084673ff71c886dc17de8f65482e773b3a5867cab89e310ac03f1a37f3661d1117230fbcb7d85071fcf2b34c15a

Download Submit
memory/116-185-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/116-186-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/964-164-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/964-163-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/1004-189-0x00000000008C0000-0x0000000000A3B000-memory.dmp

Filesize
1.5MB

Download
memory/1644-106-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/1644-102-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1644-111-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/1644-105-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/1644-103-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/1644-100-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1644-110-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/2248-178-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/2248-175-0x0000000000860000-0x00000000009DB000-memory.dmp

Filesize
1.5MB

Download
memory/2248-182-0x0000000000860000-0x00000000009DB000-memory.dmp

Filesize
1.5MB

Download
memory/2248-180-0x00000000400C0000-0x0000000040218000-memory.dmp

Filesize
1.3MB

Download
memory/3312-139-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/3312-141-0x0000000000450000-0x0000000000519000-memory.dmp

Filesize
804KB

Download
memory/3312-140-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/3312-142-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3584-108-0x00000000400C0000-0x0000000040218000-memory.dmp

Filesize
1.3MB

Download
memory/3584-107-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/3584-109-0x0000000000AC0000-0x0000000000C3B000-memory.dmp

Filesize
1.5MB

Download
memory/3584-98-0x0000000000AC0000-0x0000000000C3B000-memory.dmp

Filesize
1.5MB

Download
memory/3588-57-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3588-66-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4020-161-0x00000000400C0000-0x0000000040218000-memory.dmp

Filesize
1.3MB

Download
memory/4020-160-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/4020-162-0x00000000008F0000-0x0000000000A6B000-memory.dmp

Filesize
1.5MB

Download
memory/4020-152-0x00000000008F0000-0x0000000000A6B000-memory.dmp

Filesize
1.5MB

Download
memory/4244-136-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/4244-138-0x00000000009F0000-0x0000000000B6B000-memory.dmp

Filesize
1.5MB

Download
memory/4244-137-0x00000000400C0000-0x0000000040218000-memory.dmp

Filesize
1.3MB

Download
memory/4244-128-0x00000000009F0000-0x0000000000B6B000-memory.dmp

Filesize
1.5MB

Download