Malware Analysis Report

2024-09-11 08:40

Sample ID 240613-satm2atcnh
Target 240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
SHA256 240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c
Tags
gh0strat discovery rat upx
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c

Threat Level: Known bad

The file 240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe was found to be: Known bad.

Malicious Activity Summary

gh0strat discovery rat upx

Gh0st RAT payload

Gh0strat

Executes dropped EXE

Checks computer location settings

UPX packed file

Loads dropped DLL

Checks installed software on the system

Enumerates connected drives

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-13 14:55

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 14:55

Reported

2024-06-13 14:58

Platform

win7-20240220-en

Max time kernel

147s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\²âÊÔ\ttttt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
N/A N/A C:\Program Files\²âÊÔ\ttttt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\ttttt.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Program Files\²âÊÔ\EP.exe N/A
File opened (read-only) \??\H: C:\Program Files\²âÊÔ\EP.exe N/A
File opened (read-only) \??\W: C:\Program Files\²âÊÔ\EP.exe N/A
File opened (read-only) \??\Y: C:\Program Files\²âÊÔ\EP.exe N/A
File opened (read-only) \??\U: C:\Program Files\²âÊÔ\EP.exe N/A
File opened (read-only) \??\J: C:\Program Files\²âÊÔ\EP.exe N/A
File opened (read-only) \??\K: C:\Program Files\²âÊÔ\EP.exe N/A
File opened (read-only) \??\P: C:\Program Files\²âÊÔ\EP.exe N/A
File opened (read-only) \??\Q: C:\Program Files\²âÊÔ\EP.exe N/A
File opened (read-only) \??\R: C:\Program Files\²âÊÔ\EP.exe N/A
File opened (read-only) \??\V: C:\Program Files\²âÊÔ\EP.exe N/A
File opened (read-only) \??\X: C:\Program Files\²âÊÔ\EP.exe N/A
File opened (read-only) \??\G: C:\Program Files\²âÊÔ\EP.exe N/A
File opened (read-only) \??\M: C:\Program Files\²âÊÔ\EP.exe N/A
File opened (read-only) \??\O: C:\Program Files\²âÊÔ\EP.exe N/A
File opened (read-only) \??\S: C:\Program Files\²âÊÔ\EP.exe N/A
File opened (read-only) \??\T: C:\Program Files\²âÊÔ\EP.exe N/A
File opened (read-only) \??\E: C:\Program Files\²âÊÔ\EP.exe N/A
File opened (read-only) \??\I: C:\Program Files\²âÊÔ\EP.exe N/A
File opened (read-only) \??\L: C:\Program Files\²âÊÔ\EP.exe N/A
File opened (read-only) \??\N: C:\Program Files\²âÊÔ\EP.exe N/A
File opened (read-only) \??\Z: C:\Program Files\²âÊÔ\EP.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Ying-UnInstall.exe C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File opened for modification C:\Windows\SysWOW64\Ying-UnInstall.exe C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File created C:\Windows\SysWOW64\YingInstall\409.ini C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 340 set thread context of 3048 N/A C:\Program Files\²âÊÔ\EP.exe C:\Program Files\²âÊÔ\EP.exe
PID 2868 set thread context of 2556 N/A C:\Program Files\²âÊÔ\EP.exe C:\Program Files\²âÊÔ\EP.exe
PID 1960 set thread context of 1796 N/A C:\Program Files\²âÊÔ\EP.exe C:\Program Files\²âÊÔ\EP.exe
PID 2728 set thread context of 2724 N/A C:\Program Files\²âÊÔ\EP.exe C:\Program Files\²âÊÔ\EP.exe
PID 2744 set thread context of 784 N/A C:\Program Files\²âÊÔ\EP.exe C:\Program Files\²âÊÔ\EP.exe
PID 2460 set thread context of 888 N/A C:\Program Files\²âÊÔ\EP.exe C:\Program Files\²âÊÔ\EP.exe
PID 1896 set thread context of 2312 N/A C:\Program Files\²âÊÔ\EP.exe C:\Program Files\²âÊÔ\EP.exe
PID 1068 set thread context of 1844 N/A C:\Program Files\²âÊÔ\EP.exe C:\Program Files\²âÊÔ\EP.exe
PID 1428 set thread context of 2660 N/A C:\Program Files\²âÊÔ\EP.exe C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe
PID 2776 set thread context of 2896 N/A C:\Program Files\²âÊÔ\EP.exe C:\Program Files\²âÊÔ\EP.exe
PID 2200 set thread context of 2056 N/A C:\Program Files\²âÊÔ\EP.exe C:\Program Files\²âÊÔ\EP.exe
PID 1360 set thread context of 2624 N/A C:\Program Files\²âÊÔ\EP.exe C:\Program Files\²âÊÔ\EP.exe
PID 2584 set thread context of 868 N/A C:\Program Files\²âÊÔ\EP.exe C:\Program Files\²âÊÔ\EP.exe
PID 800 set thread context of 1552 N/A C:\Program Files\²âÊÔ\EP.exe C:\Program Files\²âÊÔ\EP.exe
PID 2552 set thread context of 1728 N/A C:\Program Files\²âÊÔ\EP.exe C:\Program Files\²âÊÔ\EP.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\²âÊÔ\12345678.exe C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File created C:\Program Files\²âÊÔ\msvcr71.dll C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File opened for modification C:\Program Files\²âÊÔ\tt.exe C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File created C:\Program Files\²âÊÔ\н¨Îı¾Îĵµ.txt C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File opened for modification C:\Program Files\²âÊÔ\name.ini C:\Program Files\²âÊÔ\ttttt.exe N/A
File opened for modification C:\Program Files\²âÊÔ\1.txt C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File created C:\Program Files\²âÊÔ\12345678.exe C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File opened for modification C:\Program Files\²âÊÔ\н¨Îı¾Îĵµ.txt C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File opened for modification C:\Program Files\²âÊÔ\msvcr71.dll C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File created C:\Program Files\²âÊÔ\tt.exe C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File created C:\Program Files\²âÊÔ\ttttt.exe C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File created C:\Program Files\²âÊÔ\DTLUI - ¸±±¾.dll C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File created C:\Program Files\²âÊÔ\msvcp71.dll C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File created C:\Program Files\²âÊÔ\path.ini C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File opened for modification C:\Program Files\²âÊÔ\path.ini C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File created C:\Program Files\²âÊÔ\vcl70.bpl C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File opened for modification C:\Program Files\²âÊÔ\206 1.0.UIF C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File created C:\Program Files\²âÊÔ\1.txt C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File created C:\Program Files\²âÊÔ\rtl70.bpl C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File opened for modification C:\Program Files\²âÊÔ\ttttt.exe C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File created C:\Program Files\²âÊÔ\name.ini C:\Program Files\²âÊÔ\ttttt.exe N/A
File opened for modification C:\Program Files\²âÊÔ\log\UpdateNotice.log C:\Program Files\²âÊÔ\tt.exe N/A
File opened for modification C:\Program Files\²âÊÔ\EP.exe C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File opened for modification C:\Program Files\²âÊÔ\msvcp71.dll C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File created C:\Program Files\²âÊÔ\XPFarmer.bpl C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File created C:\Program Files\²âÊÔ\DTLUI.dll C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File opened for modification C:\Program Files\²âÊÔ\DTLUI.dll C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File opened for modification C:\Program Files\²âÊÔ\XPFarmer.bpl C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File opened for modification C:\Program Files\²âÊÔ\DTLUI - ¸±±¾.dll C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File created C:\Program Files\²âÊÔ\EP.exe C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File opened for modification C:\Program Files\²âÊÔ\rtl70.bpl C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File opened for modification C:\Program Files\²âÊÔ\vcl70.bpl C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File created C:\Program Files\²âÊÔ\206 1.0.UIF C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files\²âÊÔ\ttttt.exe

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\²âÊÔ\EP.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\²âÊÔ\EP.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.UIF\ = "YingUnInstall2" C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2 C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\ = "Uninstall File" C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\DefaultIcon C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\Shell\Open C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\Shell\Open\ C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.UIF C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\DefaultIcon\ = "C:\\Windows\\SysWow64\\Ying-UnInstall.exe,0" C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\Shell C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\Shell\Open\Command\ = "\"C:\\Windows\\system32\\Ying-UnInstall.exe\" %1" C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\²âÊÔ\EP.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\²âÊÔ\EP.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\²âÊÔ\EP.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\²âÊÔ\EP.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\²âÊÔ\EP.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\²âÊÔ\EP.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\²âÊÔ\EP.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\²âÊÔ\EP.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\²âÊÔ\EP.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\²âÊÔ\EP.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\²âÊÔ\EP.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\²âÊÔ\EP.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\²âÊÔ\EP.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\²âÊÔ\EP.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\²âÊÔ\EP.exe N/A
Token: 33 N/A C:\Program Files\²âÊÔ\EP.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\²âÊÔ\EP.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe C:\Program Files\²âÊÔ\ttttt.exe
PID 2192 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe C:\Program Files\²âÊÔ\ttttt.exe
PID 2192 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe C:\Program Files\²âÊÔ\ttttt.exe
PID 2192 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe C:\Program Files\²âÊÔ\ttttt.exe
PID 2384 wrote to memory of 2256 N/A C:\Program Files\²âÊÔ\ttttt.exe C:\Windows\SysWOW64\WerFault.exe
PID 2384 wrote to memory of 2256 N/A C:\Program Files\²âÊÔ\ttttt.exe C:\Windows\SysWOW64\WerFault.exe
PID 2384 wrote to memory of 2256 N/A C:\Program Files\²âÊÔ\ttttt.exe C:\Windows\SysWOW64\WerFault.exe
PID 2384 wrote to memory of 2256 N/A C:\Program Files\²âÊÔ\ttttt.exe C:\Windows\SysWOW64\WerFault.exe
PID 2192 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2192 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2192 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2192 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2192 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe C:\Program Files\²âÊÔ\tt.exe
PID 2192 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe C:\Program Files\²âÊÔ\tt.exe
PID 2192 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe C:\Program Files\²âÊÔ\tt.exe
PID 2192 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe C:\Program Files\²âÊÔ\tt.exe
PID 2192 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe C:\Program Files\²âÊÔ\tt.exe
PID 2192 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe C:\Program Files\²âÊÔ\tt.exe
PID 2192 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe C:\Program Files\²âÊÔ\tt.exe
PID 1736 wrote to memory of 376 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe
PID 1736 wrote to memory of 376 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe
PID 1736 wrote to memory of 376 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe
PID 1736 wrote to memory of 376 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe
PID 1736 wrote to memory of 340 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files\²âÊÔ\EP.exe
PID 1736 wrote to memory of 340 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files\²âÊÔ\EP.exe
PID 1736 wrote to memory of 340 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files\²âÊÔ\EP.exe
PID 1736 wrote to memory of 340 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files\²âÊÔ\EP.exe
PID 1736 wrote to memory of 2016 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe
PID 1736 wrote to memory of 2016 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe
PID 1736 wrote to memory of 2016 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe
PID 1736 wrote to memory of 2016 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe
PID 1736 wrote to memory of 2868 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files\²âÊÔ\EP.exe
PID 1736 wrote to memory of 2868 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files\²âÊÔ\EP.exe
PID 1736 wrote to memory of 2868 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files\²âÊÔ\EP.exe
PID 1736 wrote to memory of 2868 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files\²âÊÔ\EP.exe
PID 1736 wrote to memory of 1952 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe
PID 1736 wrote to memory of 1952 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe
PID 1736 wrote to memory of 1952 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe
PID 1736 wrote to memory of 1952 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe
PID 1736 wrote to memory of 1960 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files\²âÊÔ\EP.exe
PID 1736 wrote to memory of 1960 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files\²âÊÔ\EP.exe
PID 1736 wrote to memory of 1960 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files\²âÊÔ\EP.exe
PID 1736 wrote to memory of 1960 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files\²âÊÔ\EP.exe
PID 1736 wrote to memory of 1944 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe
PID 1736 wrote to memory of 1944 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe
PID 1736 wrote to memory of 1944 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe
PID 1736 wrote to memory of 1944 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe
PID 1736 wrote to memory of 2728 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files\²âÊÔ\EP.exe
PID 1736 wrote to memory of 2728 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files\²âÊÔ\EP.exe
PID 1736 wrote to memory of 2728 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files\²âÊÔ\EP.exe
PID 1736 wrote to memory of 2728 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files\²âÊÔ\EP.exe
PID 1736 wrote to memory of 528 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe
PID 1736 wrote to memory of 528 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe
PID 1736 wrote to memory of 528 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe
PID 1736 wrote to memory of 528 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe
PID 1736 wrote to memory of 1896 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files\²âÊÔ\EP.exe
PID 1736 wrote to memory of 1896 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files\²âÊÔ\EP.exe
PID 1736 wrote to memory of 1896 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files\²âÊÔ\EP.exe
PID 1736 wrote to memory of 1896 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files\²âÊÔ\EP.exe
PID 1736 wrote to memory of 3016 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe
PID 1736 wrote to memory of 3016 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe
PID 1736 wrote to memory of 3016 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe
PID 1736 wrote to memory of 3016 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe
PID 1736 wrote to memory of 2776 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files\²âÊÔ\EP.exe

Processes

C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe

"C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe"

C:\Program Files\²âÊÔ\ttttt.exe

"C:\Program Files\²âÊÔ\ttttt.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 460

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\²âÊÔ\н¨Îı¾Îĵµ.txt

C:\Program Files\²âÊÔ\tt.exe

"C:\Program Files\²âÊÔ\tt.exe"

C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe"

C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe" "ÍUw"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe"

C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe" "¸nb"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe"

C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe" ""

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe"

C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe" "Ú˜ƒu…÷G´"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe"

C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe" ""

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe"

C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe" ""

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe"

C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe" "Ú˜ƒu…÷G´"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe"

C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe" "¼ò9"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe"

C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe" ""

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe"

C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe" "Ú˜ƒu÷G´"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe"

C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe" "¸nb"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe"

C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe" "Èò9"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe"

C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe" "¸nb"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe"

C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe" ""

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe"

C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\DalKqKrg\WeGameApps\ÄæÕ½\TCLS\Client.exe" "Ú˜ƒuµ÷G´"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

Network

Country Destination Domain Proto
HK 206.238.220.206:7777 N/A tcp

Files

C:\Users\Admin\AppData\Local\Temp\20240613145550390~YingInstall-TopFramePicture.bmp

MD5 a528a1efb19f5bee2fa74cd8650dab24
SHA1 51b72c994283ec899a32732bc60655d3039138a8
SHA256 d9295a5e215cf9f1c2dd5b9aa5deb1ee46619202b5814296ca73777506846608
SHA512 bcf8db6c25868a5d48ef887046143ed504690084673ff71c886dc17de8f65482e773b3a5867cab89e310ac03f1a37f3661d1117230fbcb7d85071fcf2b34c15a

C:\Program Files\²âÊÔ\DTLUI.dll

MD5 79a06179c7ba2d804b70cadfaa384185
SHA1 783cb52771bf7e5be2c25df07b3fe5ca4e1182a1
SHA256 a8260b318d4b14171e14c512f1628e6e66008216f8cd0dc37cfa874a5b14cd30
SHA512 4bd4496c47ee3472923e42a52d8fd02cd97e76a87dd46ea1b9be6a80deb0c1b80632df365559c63f53b12d06a00b0d5db228c3a80bd9c566d05439878f296057

C:\Program Files\²âÊÔ\206 1.0.UIF

MD5 49f9f9355aa77457e2bf0185e72beefb
SHA1 a9fc3fa84a01855fb0fbb75487bca7886f03cb0b
SHA256 74e9bd6886390498d64f3439e799183bf4fa67fec063a691f6cf12f92a777c79
SHA512 f1b74c861383c371811e4ad407a3bbdae48655edcd6e986ef24ba5f3f71b02e2ec2d5b882d3c56a31d9f045e354f80256ea44337420be4a8185f5d80b5e27d64

\Program Files\²âÊÔ\ttttt.exe

MD5 9f1d3dfac55080c712c0281fb2eeeb47
SHA1 9109f9457f811d8d0e887469ffc9c2af793e8090
SHA256 a5622e2bf46cc2ec90c4dca70372f051bfb5bf55da3788b5dfca9429529d285b
SHA512 7e2df7f2aff2d95ca1dbe0dfb7c8c9388c7e8c023c8b9af9b6997140cefcca63fe5980a438b70da03ab6672c94033fb4e50d407c54530b5ce0b9169c39c50879

C:\Program Files\²âÊÔ\MSVCP71.dll

MD5 b88acff9179dca5fe1a50bd2d6062370
SHA1 8553c2eb5edd71a11a442cc542247a668dee39dc
SHA256 62c333e609dc0311065404a7af460cb927051865cab8a3ad5e7ff576a596f59b
SHA512 39500c806189faa7bb5eb9ad8de32e93f121942e6681d1a6f980937e96a2694a72bc712de05a634bdec47ae533b0bd3f3190de12f25c62426c1ffe08706377b8

C:\Program Files\²âÊÔ\MSVCR71.dll

MD5 86f1895ae8c5e8b17d99ece768a70732
SHA1 d5502a1d00787d68f548ddeebbde1eca5e2b38ca
SHA256 8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe
SHA512 3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

C:\Program Files\²âÊÔ\path.ini

MD5 0bb3c274a8591889b2f78ce2842acd2a
SHA1 e16ada81d3e7e54c0fcf823f51956c99e86e3ebe
SHA256 c33326ff5b751237a51b8c34550732e8bc103fb0652034cb27901f9693c013b4
SHA512 281f3bc76e3be45fbb7ec44ba5aaed36abdc6a23303e65b8865100f867033cdaab9efd3bceb5afbc5197b58fa82aa4bef35595b20e4a101c95851f91993cb6cf

C:\Program Files\²âÊÔ\1.txt

MD5 8fc1359886925ed139a86cff4c41ab5c
SHA1 d0ec508e063cd424294a387e36e7b29125cbc3bd
SHA256 37baa8b4c908b98bcf12fb44fdaef688096f2e645ee5ef81c4f50ac8e0f0b264
SHA512 ae9f7ab2f3e3aa09701e1e5aece466682dd588d31973b0fbc7b73672bdfe80afa378e92cd7eb709583f96fb8998d1638008e33df6db7537bb34488f95f4642ba

\Program Files\²âÊÔ\tt.exe

MD5 5ac2deb3ceb9e32fe681483373c2d4c7
SHA1 ed4e9af7c4f3e462e41f542c1ef7d0c3c0613769
SHA256 a937d9295271cc131a2e019dd41ce4ead3bca2d5115fb7d7482508297971b17e
SHA512 43d4ce96a3c5b5f3e234df70e365e05cdf416f57e262ae70ea1b04450eb397f38ed8db45a8d5df630e759c8e4a3642ad26c9d897d312085c5fcf8703e20162b7

C:\Program Files\²âÊÔ\name.ini

MD5 38bdf4a1b154f8042ab1096d4c6cfc39
SHA1 7e1332339fe536661b721e355c6c11482896d46c
SHA256 37893ca269183afc3469a723fef1540ad8b21847a06b1752979492695a6f5ef6
SHA512 6c8d04d461fbf6d0460796b8256c4192b8c81c57569f8e440d8963447582ada316a941b581d61ca4a2fd50724d8e8f7beb49602f776bb5ffe6f799c0a6e26729

\Program Files\²âÊÔ\EP.exe

MD5 4ddce14e5c6c09bbe5154167a74d271e
SHA1 3985cd3c8b49fcaa9c9dd244ef53d9e86889a3ad
SHA256 37865f209c91b291282c51515a868e6993070d3d7594cf931b42f5a6a8f09a3a
SHA512 f49cf8709fbc1a507416cc61c0678cf153d8fab38527d8e9eece7619196e4c194be437e57de635bea511cdcde7bc62469380f97005b7202c625ae6ceb70b610b

\Program Files\²âÊÔ\vcl70.bpl

MD5 16a1c27ed415d1816f8888ea2cefb3f6
SHA1 80db800b805d548f6df4eb2cb37ba2064dc37c05
SHA256 a7a26cbf6968063c51d4d70f4599f295e4a88e352f19bdd475f3416e6411c390
SHA512 68a3e563dd9745210eb7295cde692af68cd5fc430a95856f4823dc10e42d067f332ae1d2445e8810e0c15c3c779e195735bd311c45e9690cb05dbedcd7354306

\Program Files\²âÊÔ\rtl70.bpl

MD5 7c2d803f476369c33fb787c90aeefb93
SHA1 1b356f65277e9d829df7be66a0d018cdc66d8c9b
SHA256 93a3621887d9d9844aec291dda1ec77820943f2059936474b211ae228263d4ec
SHA512 9d9cef32252a16d3ededa48da6ae0d6a2a6120748aeb2a0d8fefe28357994314bf5ea854d808f7aa3eebcb56cae1c20faf7ba93b9dfcda57fc44bfd90d1d89f1

\Program Files\²âÊÔ\XPFarmer.bpl

MD5 b6b5969b658b647fa0c6ec11de139c96
SHA1 87b0e1176b5d5cae31bee708c8daa383da4adf02
SHA256 a2b6b2c4e1a49809936780149416e8cbb793a0631f81f746350c3c06fcd2bc8e
SHA512 28b4ef210ac75e5d93ed7f99ed39e7bc1d918852a5f34ff0a95d0f4c742f190a969e5be30dd1845457d0880e1ce1975fb9d5e614de5b5b5e66e362ec3bde3842

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 14:55

Reported

2024-06-13 14:58

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Program Files\²âÊÔ\tt.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\²âÊÔ\ttttt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files\²âÊÔ\ttttt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\ttttt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A
N/A N/A C:\Program Files\²âÊÔ\EP.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Ying-UnInstall.exe C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File opened for modification C:\Windows\SysWOW64\Ying-UnInstall.exe C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File created C:\Windows\SysWOW64\YingInstall\409.ini C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2828 set thread context of 3088 N/A C:\Program Files\²âÊÔ\EP.exe C:\Program Files\²âÊÔ\EP.exe
PID 5104 set thread context of 3708 N/A C:\Program Files\²âÊÔ\EP.exe C:\Program Files\²âÊÔ\EP.exe
PID 4912 set thread context of 2064 N/A C:\Program Files\²âÊÔ\EP.exe C:\Program Files\²âÊÔ\EP.exe
PID 1480 set thread context of 2256 N/A C:\Program Files\²âÊÔ\EP.exe C:\Program Files\²âÊÔ\EP.exe
PID 4404 set thread context of 3068 N/A C:\Program Files\²âÊÔ\EP.exe C:\Program Files\²âÊÔ\EP.exe
PID 2624 set thread context of 4896 N/A C:\Program Files\²âÊÔ\EP.exe C:\Program Files\²âÊÔ\EP.exe
PID 1548 set thread context of 4656 N/A C:\Program Files\²âÊÔ\EP.exe C:\Program Files\²âÊÔ\EP.exe
PID 4892 set thread context of 2284 N/A C:\Program Files\²âÊÔ\EP.exe C:\Program Files\²âÊÔ\EP.exe
PID 2896 set thread context of 4860 N/A C:\Program Files\²âÊÔ\EP.exe C:\Program Files\²âÊÔ\EP.exe
PID 2160 set thread context of 1752 N/A C:\Program Files\²âÊÔ\EP.exe C:\Program Files\²âÊÔ\EP.exe
PID 748 set thread context of 1108 N/A C:\Program Files\²âÊÔ\EP.exe C:\Program Files\²âÊÔ\EP.exe
PID 4916 set thread context of 3352 N/A C:\Program Files\²âÊÔ\EP.exe C:\Program Files\²âÊÔ\EP.exe
PID 3384 set thread context of 4596 N/A C:\Program Files\²âÊÔ\EP.exe C:\Program Files\²âÊÔ\EP.exe
PID 1480 set thread context of 1592 N/A C:\Program Files\²âÊÔ\EP.exe C:\Program Files\²âÊÔ\EP.exe
PID 4256 set thread context of 3068 N/A C:\Program Files\²âÊÔ\EP.exe C:\Program Files\²âÊÔ\EP.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\²âÊÔ\1.txt C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File created C:\Program Files\²âÊÔ\EP.exe C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File created C:\Program Files\²âÊÔ\msvcr71.dll C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File opened for modification C:\Program Files\²âÊÔ\msvcr71.dll C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File opened for modification C:\Program Files\²âÊÔ\path.ini C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File created C:\Program Files\²âÊÔ\tt.exe C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File created C:\Program Files\²âÊÔ\н¨Îı¾Îĵµ.txt C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File created C:\Program Files\²âÊÔ\206 1.0.UIF C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File opened for modification C:\Program Files\²âÊÔ\log\UpdateNotice.log C:\Program Files\²âÊÔ\tt.exe N/A
File created C:\Program Files\²âÊÔ\12345678.exe C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File created C:\Program Files\²âÊÔ\msvcp71.dll C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File created C:\Program Files\²âÊÔ\path.ini C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File opened for modification C:\Program Files\²âÊÔ\tt.exe C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File created C:\Program Files\²âÊÔ\ttttt.exe C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File created C:\Program Files\²âÊÔ\name.ini C:\Program Files\²âÊÔ\ttttt.exe N/A
File opened for modification C:\Program Files\²âÊÔ\12345678.exe C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File created C:\Program Files\²âÊÔ\DTLUI.dll C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File created C:\Program Files\²âÊÔ\vcl70.bpl C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File created C:\Program Files\²âÊÔ\XPFarmer.bpl C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File opened for modification C:\Program Files\²âÊÔ\XPFarmer.bpl C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File opened for modification C:\Program Files\²âÊÔ\name.ini C:\Program Files\²âÊÔ\ttttt.exe N/A
File opened for modification C:\Program Files\²âÊÔ\msvcp71.dll C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File created C:\Program Files\²âÊÔ\rtl70.bpl C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File opened for modification C:\Program Files\²âÊÔ\206 1.0.UIF C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File created C:\Program Files\²âÊÔ\DTLUI - ¸±±¾.dll C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File opened for modification C:\Program Files\²âÊÔ\DTLUI.dll C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File opened for modification C:\Program Files\²âÊÔ\EP.exe C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File opened for modification C:\Program Files\²âÊÔ\rtl70.bpl C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File opened for modification C:\Program Files\²âÊÔ\н¨Îı¾Îĵµ.txt C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File created C:\Program Files\²âÊÔ\1.txt C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File opened for modification C:\Program Files\²âÊÔ\ttttt.exe C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File opened for modification C:\Program Files\²âÊÔ\vcl70.bpl C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
File opened for modification C:\Program Files\²âÊÔ\DTLUI - ¸±±¾.dll C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files\²âÊÔ\ttttt.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\Shell C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\Shell\Open\ C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\ = "Uninstall File" C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.UIF\ = "YingUnInstall2" C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2 C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\DefaultIcon C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\DefaultIcon\ = "C:\\Windows\\SysWow64\\Ying-UnInstall.exe,0" C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\Shell\Open C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\Shell\Open\Command\ = "\"C:\\Windows\\system32\\Ying-UnInstall.exe\" %1" C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.UIF C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\²âÊÔ\tt.exe N/A (60 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\²âÊÔ\EP.exe N/A (15 identical rows)
Token: 33 N/A C:\Program Files\²âÊÔ\EP.exe N/A (2 identical rows)
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\²âÊÔ\EP.exe N/A (2 identical rows)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe N/A (4 identical rows)
N/A N/A C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe N/A (15 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2372 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe C:\Program Files\²âÊÔ\ttttt.exe (3 identical rows)
PID 2372 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe C:\Windows\SysWOW64\NOTEPAD.EXE (3 identical rows)
PID 2372 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe C:\Program Files\²âÊÔ\tt.exe (3 identical rows)
PID 3724 wrote to memory of 5052 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe (3 identical rows)
PID 3724 wrote to memory of 2828 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files\²âÊÔ\EP.exe (3 identical rows)
PID 3724 wrote to memory of 3392 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe (3 identical rows)
PID 2828 wrote to memory of 3088 N/A C:\Program Files\²âÊÔ\EP.exe C:\Program Files\²âÊÔ\EP.exe (5 identical rows)
PID 3724 wrote to memory of 5104 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files\²âÊÔ\EP.exe (3 identical rows)
PID 3724 wrote to memory of 3452 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe (3 identical rows)
PID 5104 wrote to memory of 3708 N/A C:\Program Files\²âÊÔ\EP.exe C:\Program Files\²âÊÔ\EP.exe (5 identical rows)
PID 3724 wrote to memory of 4912 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files\²âÊÔ\EP.exe (3 identical rows)
PID 3724 wrote to memory of 4992 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe (3 identical rows)
PID 4912 wrote to memory of 2064 N/A C:\Program Files\²âÊÔ\EP.exe C:\Program Files\²âÊÔ\EP.exe (5 identical rows)
PID 3724 wrote to memory of 1480 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files\²âÊÔ\EP.exe (3 identical rows)
PID 3724 wrote to memory of 5024 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe (3 identical rows)
PID 1480 wrote to memory of 2256 N/A C:\Program Files\²âÊÔ\EP.exe C:\Program Files\²âÊÔ\EP.exe (5 identical rows)
PID 3724 wrote to memory of 4404 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files\²âÊÔ\EP.exe (3 identical rows)
PID 3724 wrote to memory of 4472 N/A C:\Program Files\²âÊÔ\tt.exe C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe (3 identical rows)
PID 4404 wrote to memory of 3068 N/A C:\Program Files\²âÊÔ\EP.exe C:\Program Files\²âÊÔ\EP.exe (2 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe

"C:\Users\Admin\AppData\Local\Temp\240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe"

C:\Program Files\²âÊÔ\ttttt.exe

"C:\Program Files\²âÊÔ\ttttt.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1596 -ip 1596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 596

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\²âÊÔ\н¨Îı¾Îĵµ.txt

C:\Program Files\²âÊÔ\tt.exe

"C:\Program Files\²âÊÔ\tt.exe"

C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} -Embedding

C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe" "[wК"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe" ""

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe" ""

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe" ""

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe" ""

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe" ""

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe" ""

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe" ""

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe" "x2š"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe" ""

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe" ""

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe" "‡${iàôv"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe" ""

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe" ""

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe

"C:\Program Files (x86)\KJV33zGF\WeGameApps\ÄæÕ½\TCLS\Client.exe" ""

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

C:\Program Files\²âÊÔ\EP.exe

"C:\Program Files\²âÊÔ\EP.exe"

Network

Country Destination Domain Proto
HK 206.238.220.206:7777 tcp (6 identical rows)
NL 52.111.243.31:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\20240613145552327~YingInstall-TopFramePicture.bmp

MD5 a528a1efb19f5bee2fa74cd8650dab24
SHA1 51b72c994283ec899a32732bc60655d3039138a8
SHA256 d9295a5e215cf9f1c2dd5b9aa5deb1ee46619202b5814296ca73777506846608
SHA512 bcf8db6c25868a5d48ef887046143ed504690084673ff71c886dc17de8f65482e773b3a5867cab89e310ac03f1a37f3661d1117230fbcb7d85071fcf2b34c15a

C:\Program Files\²âÊÔ\DTLUI.dll

MD5 79a06179c7ba2d804b70cadfaa384185
SHA1 783cb52771bf7e5be2c25df07b3fe5ca4e1182a1
SHA256 a8260b318d4b14171e14c512f1628e6e66008216f8cd0dc37cfa874a5b14cd30
SHA512 4bd4496c47ee3472923e42a52d8fd02cd97e76a87dd46ea1b9be6a80deb0c1b80632df365559c63f53b12d06a00b0d5db228c3a80bd9c566d05439878f296057

C:\Program Files\²âÊÔ\206 1.0.UIF

MD5 49f9f9355aa77457e2bf0185e72beefb
SHA1 a9fc3fa84a01855fb0fbb75487bca7886f03cb0b
SHA256 74e9bd6886390498d64f3439e799183bf4fa67fec063a691f6cf12f92a777c79
SHA512 f1b74c861383c371811e4ad407a3bbdae48655edcd6e986ef24ba5f3f71b02e2ec2d5b882d3c56a31d9f045e354f80256ea44337420be4a8185f5d80b5e27d64

C:\Program Files\²âÊÔ\ttttt.exe

MD5 9f1d3dfac55080c712c0281fb2eeeb47
SHA1 9109f9457f811d8d0e887469ffc9c2af793e8090
SHA256 a5622e2bf46cc2ec90c4dca70372f051bfb5bf55da3788b5dfca9429529d285b
SHA512 7e2df7f2aff2d95ca1dbe0dfb7c8c9388c7e8c023c8b9af9b6997140cefcca63fe5980a438b70da03ab6672c94033fb4e50d407c54530b5ce0b9169c39c50879

C:\Program Files\²âÊÔ\MSVCR71.dll

MD5 86f1895ae8c5e8b17d99ece768a70732
SHA1 d5502a1d00787d68f548ddeebbde1eca5e2b38ca
SHA256 8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe
SHA512 3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

C:\Program Files\²âÊÔ\MSVCP71.dll

MD5 b88acff9179dca5fe1a50bd2d6062370
SHA1 8553c2eb5edd71a11a442cc542247a668dee39dc
SHA256 62c333e609dc0311065404a7af460cb927051865cab8a3ad5e7ff576a596f59b
SHA512 39500c806189faa7bb5eb9ad8de32e93f121942e6681d1a6f980937e96a2694a72bc712de05a634bdec47ae533b0bd3f3190de12f25c62426c1ffe08706377b8

C:\Program Files\²âÊÔ\path.ini

MD5 0bb3c274a8591889b2f78ce2842acd2a
SHA1 e16ada81d3e7e54c0fcf823f51956c99e86e3ebe
SHA256 c33326ff5b751237a51b8c34550732e8bc103fb0652034cb27901f9693c013b4
SHA512 281f3bc76e3be45fbb7ec44ba5aaed36abdc6a23303e65b8865100f867033cdaab9efd3bceb5afbc5197b58fa82aa4bef35595b20e4a101c95851f91993cb6cf

C:\Program Files\²âÊÔ\1.txt

MD5 8fc1359886925ed139a86cff4c41ab5c
SHA1 d0ec508e063cd424294a387e36e7b29125cbc3bd
SHA256 37baa8b4c908b98bcf12fb44fdaef688096f2e645ee5ef81c4f50ac8e0f0b264
SHA512 ae9f7ab2f3e3aa09701e1e5aece466682dd588d31973b0fbc7b73672bdfe80afa378e92cd7eb709583f96fb8998d1638008e33df6db7537bb34488f95f4642ba

C:\Program Files\²âÊÔ\tt.exe

MD5 5ac2deb3ceb9e32fe681483373c2d4c7
SHA1 ed4e9af7c4f3e462e41f542c1ef7d0c3c0613769
SHA256 a937d9295271cc131a2e019dd41ce4ead3bca2d5115fb7d7482508297971b17e
SHA512 43d4ce96a3c5b5f3e234df70e365e05cdf416f57e262ae70ea1b04450eb397f38ed8db45a8d5df630e759c8e4a3642ad26c9d897d312085c5fcf8703e20162b7

C:\Program Files\²âÊÔ\name.ini

MD5 a1096c56b09baae7693b93f303ae2c96
SHA1 9a8e7773b2166e1291a9ff66cb8eae34e527e691
SHA256 77903035438d7dea71dc2a1d95d4ea65b3dcede702492161582cd46b635a74a0
SHA512 c49278e0c2b8ff6934aade123d7fe9ac5944f7b457e586bef3e674d0efc372215fd48c899f99efad4516d919d6b6ab187dcdfd84ae09c586fc0503cd74f392f1

C:\Program Files\²âÊÔ\EP.exe

MD5 4ddce14e5c6c09bbe5154167a74d271e
SHA1 3985cd3c8b49fcaa9c9dd244ef53d9e86889a3ad
SHA256 37865f209c91b291282c51515a868e6993070d3d7594cf931b42f5a6a8f09a3a
SHA512 f49cf8709fbc1a507416cc61c0678cf153d8fab38527d8e9eece7619196e4c194be437e57de635bea511cdcde7bc62469380f97005b7202c625ae6ceb70b610b

C:\Program Files\²âÊÔ\vcl70.bpl

MD5 16a1c27ed415d1816f8888ea2cefb3f6
SHA1 80db800b805d548f6df4eb2cb37ba2064dc37c05
SHA256 a7a26cbf6968063c51d4d70f4599f295e4a88e352f19bdd475f3416e6411c390
SHA512 68a3e563dd9745210eb7295cde692af68cd5fc430a95856f4823dc10e42d067f332ae1d2445e8810e0c15c3c779e195735bd311c45e9690cb05dbedcd7354306

C:\Program Files\²âÊÔ\XPFarmer.bpl

MD5 b6b5969b658b647fa0c6ec11de139c96
SHA1 87b0e1176b5d5cae31bee708c8daa383da4adf02
SHA256 a2b6b2c4e1a49809936780149416e8cbb793a0631f81f746350c3c06fcd2bc8e
SHA512 28b4ef210ac75e5d93ed7f99ed39e7bc1d918852a5f34ff0a95d0f4c742f190a969e5be30dd1845457d0880e1ce1975fb9d5e614de5b5b5e66e362ec3bde3842

C:\Program Files\²âÊÔ\12345678.exe

MD5 570fb4a8e2736f584ecb71fce7b66a0d
SHA1 1e41a32a754a0dc02e33f79693358f88240d3993
SHA256 f8b93502b5d4a2d8180acd6bdf0a855146df0eeec437dfa3b5ee35059d8791a3
SHA512 678180dc0c63abf26abcd1ea4fbd9babbefb34ed74032ec67a667ce0597186ae11669d7b3961d1dfece881163f8bf6ed7877c31e823b2e422e66538cab9529a3

C:\Program Files\²âÊÔ\rtl70.bpl

MD5 7c2d803f476369c33fb787c90aeefb93
SHA1 1b356f65277e9d829df7be66a0d018cdc66d8c9b
SHA256 93a3621887d9d9844aec291dda1ec77820943f2059936474b211ae228263d4ec
SHA512 9d9cef32252a16d3ededa48da6ae0d6a2a6120748aeb2a0d8fefe28357994314bf5ea854d808f7aa3eebcb56cae1c20faf7ba93b9dfcda57fc44bfd90d1d89f1
