gh0strat | 240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2024, 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
Size

5.9MB
MD5

00cc9132003c0c5a282013898577b795
SHA1

cf9024e742e69b7715a7cdcac7363743ca226cb6
SHA256

240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c
SHA512

08e21f1112eb2aafb9622011da229eb72ee86f907f77a64a17be8702257bc92fb0e709e65aa81e15702f1005b32f929f83be9b574f3b6a6b4432b36f05165595
SSDEEP

98304:KvWCz5kKLknWxK9yE9Br8UWJUd+ctE9Br8UWJUd+c0p+Okci3wVS3oHzdiTH:GWCzB4ME9VpWJ7ctE9VpWJ7c0p+vcD7c

Score

10^/10

gh0strat discovery rat upx

Malware Config

Signatures

Gh0st RAT payload 10 IoCs

resource	yara_rule
behavioral2/memory/3752-112-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral2/memory/3752-111-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral2/memory/3752-116-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral2/memory/3752-117-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral2/memory/2960-142-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral2/memory/2960-143-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral2/memory/3180-165-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral2/memory/3180-166-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral2/memory/3804-188-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral2/memory/3804-187-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

UPX dump on OEP (original entry point) 12 IoCs

resource	yara_rule
behavioral2/memory/3752-112-0x0000000010000000-0x000000001018F000-memory.dmp	UPX
behavioral2/memory/3752-111-0x0000000010000000-0x000000001018F000-memory.dmp	UPX
behavioral2/memory/3752-109-0x0000000010000000-0x000000001018F000-memory.dmp	UPX
behavioral2/memory/3752-116-0x0000000010000000-0x000000001018F000-memory.dmp	UPX
behavioral2/memory/3752-117-0x0000000010000000-0x000000001018F000-memory.dmp	UPX
behavioral2/memory/2960-142-0x0000000010000000-0x000000001018F000-memory.dmp	UPX
behavioral2/memory/2960-143-0x0000000010000000-0x000000001018F000-memory.dmp	UPX
behavioral2/memory/2960-144-0x0000000000400000-0x000000000044D000-memory.dmp	UPX
behavioral2/memory/3180-165-0x0000000010000000-0x000000001018F000-memory.dmp	UPX
behavioral2/memory/3180-166-0x0000000010000000-0x000000001018F000-memory.dmp	UPX
behavioral2/memory/3804-188-0x0000000010000000-0x000000001018F000-memory.dmp	UPX
behavioral2/memory/3804-187-0x0000000010000000-0x000000001018F000-memory.dmp	UPX

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	tt.exe

Executes dropped EXE 62 IoCs

pid	Process
3656	ttttt.exe
5048	tt.exe
832	Client.exe
4584	Client.exe
4016	EP.exe
3132	Client.exe
3752	EP.exe
3472	Client.exe
1632	EP.exe
2424	Client.exe
2960	EP.exe
1144	Client.exe
392	EP.exe
2452	Client.exe
3180	EP.exe
4344	Client.exe
1808	EP.exe
4716	Client.exe
3804	EP.exe
4684	Client.exe
4404	EP.exe
4472	Client.exe
2292	EP.exe
3828	Client.exe
2760	EP.exe
3332	Client.exe
4140	EP.exe
1420	Client.exe
4492	EP.exe
1548	Client.exe
2340	EP.exe
2592	Client.exe
2120	EP.exe
4888	Client.exe
1656	EP.exe
3376	Client.exe
1664	EP.exe
760	Client.exe
2988	EP.exe
1508	Client.exe
3832	EP.exe
4016	Client.exe
3272	EP.exe
4040	Client.exe
1948	EP.exe
3780	Client.exe
692	EP.exe
2552	Client.exe
3084	EP.exe
4032	Client.exe
4324	EP.exe
4596	Client.exe
4820	EP.exe
5072	Client.exe
3060	EP.exe
2468	Client.exe
4052	EP.exe
1856	Client.exe
4676	EP.exe
4312	Client.exe
5064	EP.exe
3732	EP.exe

Loads dropped DLL 64 IoCs

pid	Process
3656	ttttt.exe
3656	ttttt.exe
5048	tt.exe
4016	EP.exe
4016	EP.exe
4016	EP.exe
4016	EP.exe
4016	EP.exe
4016	EP.exe
4016	EP.exe
4016	EP.exe
4016	EP.exe
4016	EP.exe
4016	EP.exe
4016	EP.exe
1632	EP.exe
1632	EP.exe
1632	EP.exe
1632	EP.exe
392	EP.exe
392	EP.exe
392	EP.exe
392	EP.exe
392	EP.exe
392	EP.exe
1808	EP.exe
1808	EP.exe
1808	EP.exe
1808	EP.exe
4404	EP.exe
4404	EP.exe
4404	EP.exe
4404	EP.exe
2760	EP.exe
2760	EP.exe
2760	EP.exe
2760	EP.exe
4492	EP.exe
4492	EP.exe
4492	EP.exe
4492	EP.exe
2120	EP.exe
2120	EP.exe
2120	EP.exe
2120	EP.exe
1664	EP.exe
1664	EP.exe
1664	EP.exe
1664	EP.exe
3832	EP.exe
3832	EP.exe
3832	EP.exe
3832	EP.exe
1948	EP.exe
1948	EP.exe
1948	EP.exe
1948	EP.exe
3084	EP.exe
3084	EP.exe
3084	EP.exe
3084	EP.exe
4820	EP.exe
4820	EP.exe
4820	EP.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3752-112-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral2/memory/3752-111-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral2/memory/3752-109-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral2/memory/3752-116-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral2/memory/3752-117-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral2/memory/2960-142-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral2/memory/2960-143-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral2/memory/3180-165-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral2/memory/3180-166-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral2/memory/3804-188-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral2/memory/3804-187-0x0000000010000000-0x000000001018F000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ying-UnInstall.exe	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
File opened for modification	C:\Windows\SysWOW64\Ying-UnInstall.exe	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
File created	C:\Windows\SysWOW64\YingInstall\409.ini	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe

Suspicious use of SetThreadContext 15 IoCs

description	pid	Process	procid_target
PID 4016 set thread context of 3752	4016	EP.exe	96
PID 1632 set thread context of 2960	1632	EP.exe	100
PID 392 set thread context of 3180	392	EP.exe	104
PID 1808 set thread context of 3804	1808	EP.exe	108
PID 4404 set thread context of 2292	4404	EP.exe	112
PID 2760 set thread context of 4140	2760	EP.exe	116
PID 4492 set thread context of 2340	4492	EP.exe	120
PID 2120 set thread context of 1656	2120	EP.exe	124
PID 1664 set thread context of 2988	1664	EP.exe	128
PID 3832 set thread context of 3272	3832	EP.exe	132
PID 1948 set thread context of 692	1948	EP.exe	136
PID 3084 set thread context of 4324	3084	EP.exe	140
PID 4820 set thread context of 3060	4820	EP.exe	144
PID 4052 set thread context of 4676	4052	EP.exe	148
PID 5064 set thread context of 3732	5064	EP.exe	151

Drops file in Program Files directory 33 IoCs

description	ioc	Process
File created	C:\Program Files\²âÊÔ\msvcr71.dll	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
File created	C:\Program Files\²âÊÔ\vcl70.bpl	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
File opened for modification	C:\Program Files\²âÊÔ\XPFarmer.bpl	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
File created	C:\Program Files\²âÊÔ\name.ini	ttttt.exe
File created	C:\Program Files\²âÊÔ\ttttt.exe	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
File created	C:\Program Files\²âÊÔ\XPFarmer.bpl	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
File opened for modification	C:\Program Files\²âÊÔ\12345678.exe	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
File created	C:\Program Files\²âÊÔ\DTLUI.dll	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
File created	C:\Program Files\²âÊÔ\msvcp71.dll	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
File created	C:\Program Files\²âÊÔ\path.ini	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
File created	C:\Program Files\²âÊÔ\206 1.0.UIF	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
File created	C:\Program Files\²âÊÔ\DTLUI - ¸±±¾.dll	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
File created	C:\Program Files\²âÊÔ\rtl70.bpl	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
File opened for modification	C:\Program Files\²âÊÔ\ttttt.exe	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
File opened for modification	C:\Program Files\²âÊÔ\1.txt	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
File created	C:\Program Files\²âÊÔ\EP.exe	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
File opened for modification	C:\Program Files\²âÊÔ\tt.exe	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
File opened for modification	C:\Program Files\²âÊÔ\206 1.0.UIF	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
File created	C:\Program Files\²âÊÔ\12345678.exe	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
File opened for modification	C:\Program Files\²âÊÔ\EP.exe	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
File opened for modification	C:\Program Files\²âÊÔ\msvcp71.dll	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
File opened for modification	C:\Program Files\²âÊÔ\path.ini	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
File opened for modification	C:\Program Files\²âÊÔ\rtl70.bpl	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
File opened for modification	C:\Program Files\²âÊÔ\ÐÂ½¨ÎÄ±¾ÎÄµµ.txt	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
File opened for modification	C:\Program Files\²âÊÔ\name.ini	ttttt.exe
File created	C:\Program Files\²âÊÔ\1.txt	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
File opened for modification	C:\Program Files\²âÊÔ\DTLUI - ¸±±¾.dll	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
File opened for modification	C:\Program Files\²âÊÔ\DTLUI.dll	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
File opened for modification	C:\Program Files\²âÊÔ\msvcr71.dll	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
File created	C:\Program Files\²âÊÔ\tt.exe	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
File opened for modification	C:\Program Files\²âÊÔ\vcl70.bpl	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
File created	C:\Program Files\²âÊÔ\ÐÂ½¨ÎÄ±¾ÎÄµµ.txt	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
File opened for modification	C:\Program Files\²âÊÔ\log\UpdateNotice.log	tt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2576	3656	WerFault.exe	84

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.UIF\ = "YingUnInstall2"	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\ = "Uninstall File"	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\DefaultIcon	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\Shell\Open\Command	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\Shell\Open\Command\ = "\"C:\\Windows\\system32\\Ying-UnInstall.exe\" %1"	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.UIF	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\DefaultIcon\ = "C:\\Windows\\SysWow64\\Ying-UnInstall.exe,0"	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\Shell	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\Shell\Open	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\Shell\Open\	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe
5048	tt.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	3752	EP.exe
Token: SeDebugPrivilege	2960	EP.exe
Token: SeDebugPrivilege	3180	EP.exe
Token: SeDebugPrivilege	3804	EP.exe
Token: SeDebugPrivilege	2292	EP.exe
Token: SeDebugPrivilege	4140	EP.exe
Token: SeDebugPrivilege	2340	EP.exe
Token: SeDebugPrivilege	1656	EP.exe
Token: SeDebugPrivilege	2988	EP.exe
Token: SeDebugPrivilege	3272	EP.exe
Token: SeDebugPrivilege	692	EP.exe
Token: SeDebugPrivilege	4324	EP.exe
Token: SeDebugPrivilege	3060	EP.exe
Token: SeDebugPrivilege	4676	EP.exe
Token: SeDebugPrivilege	3732	EP.exe
Token: 33	3752	EP.exe
Token: SeIncBasePriorityPrivilege	3752	EP.exe
Token: 33	3752	EP.exe
Token: SeIncBasePriorityPrivilege	3752	EP.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4512	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
4512	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
4512	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
4512	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
4512	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
4584	Client.exe
3472	Client.exe
1144	Client.exe
4344	Client.exe
4684	Client.exe
3828	Client.exe
1420	Client.exe
2592	Client.exe
3376	Client.exe
1508	Client.exe
4040	Client.exe
2552	Client.exe
4596	Client.exe
2468	Client.exe
4312	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 3656	4512	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe	84
PID 4512 wrote to memory of 3656	4512	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe	84
PID 4512 wrote to memory of 3656	4512	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe	84
PID 4512 wrote to memory of 1868	4512	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe	88
PID 4512 wrote to memory of 1868	4512	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe	88
PID 4512 wrote to memory of 1868	4512	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe	88
PID 4512 wrote to memory of 5048	4512	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe	89
PID 4512 wrote to memory of 5048	4512	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe	89
PID 4512 wrote to memory of 5048	4512	240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe	89
PID 5048 wrote to memory of 832	5048	tt.exe	90
PID 5048 wrote to memory of 832	5048	tt.exe	90
PID 5048 wrote to memory of 832	5048	tt.exe	90
PID 5048 wrote to memory of 4016	5048	tt.exe	94
PID 5048 wrote to memory of 4016	5048	tt.exe	94
PID 5048 wrote to memory of 4016	5048	tt.exe	94
PID 5048 wrote to memory of 3132	5048	tt.exe	95
PID 5048 wrote to memory of 3132	5048	tt.exe	95
PID 5048 wrote to memory of 3132	5048	tt.exe	95
PID 4016 wrote to memory of 3752	4016	EP.exe	96
PID 4016 wrote to memory of 3752	4016	EP.exe	96
PID 4016 wrote to memory of 3752	4016	EP.exe	96
PID 4016 wrote to memory of 3752	4016	EP.exe	96
PID 4016 wrote to memory of 3752	4016	EP.exe	96
PID 5048 wrote to memory of 1632	5048	tt.exe	98
PID 5048 wrote to memory of 1632	5048	tt.exe	98
PID 5048 wrote to memory of 1632	5048	tt.exe	98
PID 5048 wrote to memory of 2424	5048	tt.exe	99
PID 5048 wrote to memory of 2424	5048	tt.exe	99
PID 5048 wrote to memory of 2424	5048	tt.exe	99
PID 1632 wrote to memory of 2960	1632	EP.exe	100
PID 1632 wrote to memory of 2960	1632	EP.exe	100
PID 1632 wrote to memory of 2960	1632	EP.exe	100
PID 1632 wrote to memory of 2960	1632	EP.exe	100
PID 1632 wrote to memory of 2960	1632	EP.exe	100
PID 5048 wrote to memory of 392	5048	tt.exe	102
PID 5048 wrote to memory of 392	5048	tt.exe	102
PID 5048 wrote to memory of 392	5048	tt.exe	102
PID 5048 wrote to memory of 2452	5048	tt.exe	103
PID 5048 wrote to memory of 2452	5048	tt.exe	103
PID 5048 wrote to memory of 2452	5048	tt.exe	103
PID 392 wrote to memory of 3180	392	EP.exe	104
PID 392 wrote to memory of 3180	392	EP.exe	104
PID 392 wrote to memory of 3180	392	EP.exe	104
PID 392 wrote to memory of 3180	392	EP.exe	104
PID 392 wrote to memory of 3180	392	EP.exe	104
PID 5048 wrote to memory of 1808	5048	tt.exe	106
PID 5048 wrote to memory of 1808	5048	tt.exe	106
PID 5048 wrote to memory of 1808	5048	tt.exe	106
PID 5048 wrote to memory of 4716	5048	tt.exe	107
PID 5048 wrote to memory of 4716	5048	tt.exe	107
PID 5048 wrote to memory of 4716	5048	tt.exe	107
PID 1808 wrote to memory of 3804	1808	EP.exe	108
PID 1808 wrote to memory of 3804	1808	EP.exe	108
PID 1808 wrote to memory of 3804	1808	EP.exe	108
PID 1808 wrote to memory of 3804	1808	EP.exe	108
PID 1808 wrote to memory of 3804	1808	EP.exe	108
PID 5048 wrote to memory of 4404	5048	tt.exe	110
PID 5048 wrote to memory of 4404	5048	tt.exe	110
PID 5048 wrote to memory of 4404	5048	tt.exe	110
PID 5048 wrote to memory of 4472	5048	tt.exe	111
PID 5048 wrote to memory of 4472	5048	tt.exe	111
PID 5048 wrote to memory of 4472	5048	tt.exe	111
PID 4404 wrote to memory of 2292	4404	EP.exe	112
PID 4404 wrote to memory of 2292	4404	EP.exe	112

C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
"C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Program Files\²âÊÔ\ttttt.exe
  "C:\Program Files\²âÊÔ\ttttt.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  PID:3656
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 600
    3⤵
    - Program crash
    PID:2576
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\²âÊÔ\ÐÂ½¨ÎÄ±¾ÎÄµµ.txt
  2⤵
  PID:1868
- C:\Program Files\²âÊÔ\tt.exe
  "C:\Program Files\²âÊÔ\tt.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe
    "C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:832
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4016
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3752
- - C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe
    "C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:3132
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2960
- - C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe
    "C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:2424
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:392
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3180
- - C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe
    "C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:2452
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3804
- - C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe
    "C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:4716
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4404
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2292
- - C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe
    "C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:4472
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:2760
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4140
- - C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe
    "C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:3332
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:4492
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2340
- - C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe
    "C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:1548
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:2120
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1656
- - C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe
    "C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:4888
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:1664
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2988
- - C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe
    "C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:760
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:3832
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3272
- - C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe
    "C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:4016
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:1948
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:692
- - C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe
    "C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:3780
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:3084
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4324
- - C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe
    "C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:4032
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:4820
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3060
- - C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe
    "C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:5072
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4052
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4676
- - C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe
    "C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:1856
- - C:\Program Files\²âÊÔ\EP.exe
    "C:\Program Files\²âÊÔ\EP.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5064
  - - C:\Program Files\²âÊÔ\EP.exe
      "C:\Program Files\²âÊÔ\EP.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3656 -ip 3656
1⤵
PID:4840

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} -Embedding
1⤵
PID:2344

C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe
"C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe" "[wÐNÀó/T"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4584

C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe
"C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe" ""
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3472

C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe
"C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe" ""
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1144

C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe
"C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe" ""
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4344

C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe
"C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe" "X7NX¤Q"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4684

C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe
"C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe" ""
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3828

C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe
"C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe" ""
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1420

C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe
"C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe" ""
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2592

C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe
"C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe" "¬ó/yw"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3376

C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe
"C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe" ""
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1508

C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe
"C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe" ""
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4040

C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe
"C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe" "Ö¥Xmô/ôó/x/M¼Çw "
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2552

C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe
"C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe" ""
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4596

C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe
"C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe" ""
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2468

C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe
"C:\Program Files (x86)\rWkiB9tw\WeGameApps\ÄæÕ½\TCLS\Client.exe" ""
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\²âÊÔ\1.txt

Filesize
897KB

MD5
8fc1359886925ed139a86cff4c41ab5c

SHA1
d0ec508e063cd424294a387e36e7b29125cbc3bd

SHA256
37baa8b4c908b98bcf12fb44fdaef688096f2e645ee5ef81c4f50ac8e0f0b264

SHA512
ae9f7ab2f3e3aa09701e1e5aece466682dd588d31973b0fbc7b73672bdfe80afa378e92cd7eb709583f96fb8998d1638008e33df6db7537bb34488f95f4642ba

Download Submit
C:\Program Files\²âÊÔ\12345678.exe

Filesize
302KB

MD5
570fb4a8e2736f584ecb71fce7b66a0d

SHA1
1e41a32a754a0dc02e33f79693358f88240d3993

SHA256
f8b93502b5d4a2d8180acd6bdf0a855146df0eeec437dfa3b5ee35059d8791a3

SHA512
678180dc0c63abf26abcd1ea4fbd9babbefb34ed74032ec67a667ce0597186ae11669d7b3961d1dfece881163f8bf6ed7877c31e823b2e422e66538cab9529a3

Download Submit
C:\Program Files\²âÊÔ\206 1.0.UIF

Filesize
9KB

MD5
49f9f9355aa77457e2bf0185e72beefb

SHA1
a9fc3fa84a01855fb0fbb75487bca7886f03cb0b

SHA256
74e9bd6886390498d64f3439e799183bf4fa67fec063a691f6cf12f92a777c79

SHA512
f1b74c861383c371811e4ad407a3bbdae48655edcd6e986ef24ba5f3f71b02e2ec2d5b882d3c56a31d9f045e354f80256ea44337420be4a8185f5d80b5e27d64

Download Submit
C:\Program Files\²âÊÔ\DTLUI.dll

Filesize
2.4MB

MD5
79a06179c7ba2d804b70cadfaa384185

SHA1
783cb52771bf7e5be2c25df07b3fe5ca4e1182a1

SHA256
a8260b318d4b14171e14c512f1628e6e66008216f8cd0dc37cfa874a5b14cd30

SHA512
4bd4496c47ee3472923e42a52d8fd02cd97e76a87dd46ea1b9be6a80deb0c1b80632df365559c63f53b12d06a00b0d5db228c3a80bd9c566d05439878f296057

Download Submit
C:\Program Files\²âÊÔ\EP.exe

Filesize
1.1MB

MD5
4ddce14e5c6c09bbe5154167a74d271e

SHA1
3985cd3c8b49fcaa9c9dd244ef53d9e86889a3ad

SHA256
37865f209c91b291282c51515a868e6993070d3d7594cf931b42f5a6a8f09a3a

SHA512
f49cf8709fbc1a507416cc61c0678cf153d8fab38527d8e9eece7619196e4c194be437e57de635bea511cdcde7bc62469380f97005b7202c625ae6ceb70b610b

Download Submit
C:\Program Files\²âÊÔ\MSVCP71.dll

Filesize
2.4MB

MD5
b88acff9179dca5fe1a50bd2d6062370

SHA1
8553c2eb5edd71a11a442cc542247a668dee39dc

SHA256
62c333e609dc0311065404a7af460cb927051865cab8a3ad5e7ff576a596f59b

SHA512
39500c806189faa7bb5eb9ad8de32e93f121942e6681d1a6f980937e96a2694a72bc712de05a634bdec47ae533b0bd3f3190de12f25c62426c1ffe08706377b8

Download Submit
C:\Program Files\²âÊÔ\MSVCR71.dll

Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
C:\Program Files\²âÊÔ\XPFarmer.bpl

Filesize
1.5MB

MD5
b6b5969b658b647fa0c6ec11de139c96

SHA1
87b0e1176b5d5cae31bee708c8daa383da4adf02

SHA256
a2b6b2c4e1a49809936780149416e8cbb793a0631f81f746350c3c06fcd2bc8e

SHA512
28b4ef210ac75e5d93ed7f99ed39e7bc1d918852a5f34ff0a95d0f4c742f190a969e5be30dd1845457d0880e1ce1975fb9d5e614de5b5b5e66e362ec3bde3842

Download Submit
C:\Program Files\²âÊÔ\name.ini

Filesize
29B

MD5
a576a10c3e79334e7027f7c49cfd1f74

SHA1
a70b65d31e04fe605d5006a8709dc41186afe70d

SHA256
e4eb9d7b0609608d2240a60e792bdae20a8eda301d5132f327ba3184a3964e62

SHA512
28ee5bf5cdca330742ce0e086f6ad6ced3b4ba5895983f4d5117dfc934e7a81a6b76331335c8e5bd1fc444bd7e60520427b22e228f3b87387c88e159c3f3266c

Download Submit
C:\Program Files\²âÊÔ\path.ini

Filesize
75B

MD5
0bb3c274a8591889b2f78ce2842acd2a

SHA1
e16ada81d3e7e54c0fcf823f51956c99e86e3ebe

SHA256
c33326ff5b751237a51b8c34550732e8bc103fb0652034cb27901f9693c013b4

SHA512
281f3bc76e3be45fbb7ec44ba5aaed36abdc6a23303e65b8865100f867033cdaab9efd3bceb5afbc5197b58fa82aa4bef35595b20e4a101c95851f91993cb6cf

Download Submit
C:\Program Files\²âÊÔ\rtl70.bpl

Filesize
644KB

MD5
7c2d803f476369c33fb787c90aeefb93

SHA1
1b356f65277e9d829df7be66a0d018cdc66d8c9b

SHA256
93a3621887d9d9844aec291dda1ec77820943f2059936474b211ae228263d4ec

SHA512
9d9cef32252a16d3ededa48da6ae0d6a2a6120748aeb2a0d8fefe28357994314bf5ea854d808f7aa3eebcb56cae1c20faf7ba93b9dfcda57fc44bfd90d1d89f1

Download Submit
C:\Program Files\²âÊÔ\tt.exe

Filesize
216KB

MD5
5ac2deb3ceb9e32fe681483373c2d4c7

SHA1
ed4e9af7c4f3e462e41f542c1ef7d0c3c0613769

SHA256
a937d9295271cc131a2e019dd41ce4ead3bca2d5115fb7d7482508297971b17e

SHA512
43d4ce96a3c5b5f3e234df70e365e05cdf416f57e262ae70ea1b04450eb397f38ed8db45a8d5df630e759c8e4a3642ad26c9d897d312085c5fcf8703e20162b7

Download Submit
C:\Program Files\²âÊÔ\ttttt.exe

Filesize
262KB

MD5
9f1d3dfac55080c712c0281fb2eeeb47

SHA1
9109f9457f811d8d0e887469ffc9c2af793e8090

SHA256
a5622e2bf46cc2ec90c4dca70372f051bfb5bf55da3788b5dfca9429529d285b

SHA512
7e2df7f2aff2d95ca1dbe0dfb7c8c9388c7e8c023c8b9af9b6997140cefcca63fe5980a438b70da03ab6672c94033fb4e50d407c54530b5ce0b9169c39c50879

Download Submit
C:\Program Files\²âÊÔ\vcl70.bpl

Filesize
1.3MB

MD5
16a1c27ed415d1816f8888ea2cefb3f6

SHA1
80db800b805d548f6df4eb2cb37ba2064dc37c05

SHA256
a7a26cbf6968063c51d4d70f4599f295e4a88e352f19bdd475f3416e6411c390

SHA512
68a3e563dd9745210eb7295cde692af68cd5fc430a95856f4823dc10e42d067f332ae1d2445e8810e0c15c3c779e195735bd311c45e9690cb05dbedcd7354306

Download Submit
C:\Users\Admin\AppData\Local\Temp\20240613010551340~YingInstall-TopFramePicture.bmp

Filesize
563KB

MD5
a528a1efb19f5bee2fa74cd8650dab24

SHA1
51b72c994283ec899a32732bc60655d3039138a8

SHA256
d9295a5e215cf9f1c2dd5b9aa5deb1ee46619202b5814296ca73777506846608

SHA512
bcf8db6c25868a5d48ef887046143ed504690084673ff71c886dc17de8f65482e773b3a5867cab89e310ac03f1a37f3661d1117230fbcb7d85071fcf2b34c15a

Download Submit
memory/392-154-0x0000000000A10000-0x0000000000B8A000-memory.dmp

Filesize
1.5MB

Download
memory/392-163-0x00000000400C0000-0x0000000040218000-memory.dmp

Filesize
1.3MB

Download
memory/392-162-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/392-164-0x0000000000A10000-0x0000000000B8A000-memory.dmp

Filesize
1.5MB

Download
memory/1632-141-0x0000000000990000-0x0000000000B0A000-memory.dmp

Filesize
1.5MB

Download
memory/1632-139-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/1632-140-0x00000000400C0000-0x0000000040218000-memory.dmp

Filesize
1.3MB

Download
memory/1632-131-0x0000000000990000-0x0000000000B0A000-memory.dmp

Filesize
1.5MB

Download
memory/1808-186-0x0000000000940000-0x0000000000ABA000-memory.dmp

Filesize
1.5MB

Download
memory/1808-184-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/1808-176-0x0000000000940000-0x0000000000ABA000-memory.dmp

Filesize
1.5MB

Download
memory/1808-185-0x00000000400C0000-0x0000000040218000-memory.dmp

Filesize
1.3MB

Download
memory/2960-144-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2960-143-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/2960-142-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/3180-167-0x0000000000450000-0x0000000000519000-memory.dmp

Filesize
804KB

Download
memory/3180-165-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/3180-166-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/3656-63-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3656-73-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3752-111-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/3752-109-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/3752-112-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/3752-108-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3752-117-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/3752-116-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/3752-106-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3804-188-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/3804-187-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/4016-113-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/4016-104-0x0000000000B10000-0x0000000000C8A000-memory.dmp

Filesize
1.5MB

Download
memory/4016-115-0x0000000000B10000-0x0000000000C8A000-memory.dmp

Filesize
1.5MB

Download
memory/4016-114-0x00000000400C0000-0x0000000040218000-memory.dmp

Filesize
1.3MB

Download
memory/4404-196-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/4404-198-0x00000000008E0000-0x0000000000A5A000-memory.dmp

Filesize
1.5MB

Download
memory/4404-197-0x00000000400C0000-0x0000000040218000-memory.dmp

Filesize
1.3MB

Download
memory/4404-193-0x00000000008E0000-0x0000000000A5A000-memory.dmp

Filesize
1.5MB

Download