310a148ec30dacbb8e49fb04e9c6a54356b38e677c443b607684a2dc4920380b

Analysis

max time kernel
13s
max time network
14s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 08:36

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

310a148ec30dacbb8e49fb04e9c6a54356b38e677c443b607684a2dc4920380b.exe
Size

1.5MB
MD5

a8ba72b6dce10f3945a8686880aac327
SHA1

7ea869abc0c95e69f96ac78dd9e1f60f651ed10b
SHA256

310a148ec30dacbb8e49fb04e9c6a54356b38e677c443b607684a2dc4920380b
SHA512

69ca1d483bdc0ed8aff2cfedac93e1701372300e5d52eb6eee6e02ce015e096d0cdd2933eea596c2b423670f651f83882eaeca63e850f0a43d28405fa9b6503c
SSDEEP

24576:xFI1TpU8Coi4HaX45fQPYkuHxRXg2EogkYx5a6RuWbotiI5APO0JteTui5k6hPFL:bIt2MHn5Y8Uodf6RuI/bPOPkAFL

Score

8^/10

execution persistence

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	310a148ec30dacbb8e49fb04e9c6a54356b38e677c443b607684a2dc4920380b.exe

Executes dropped EXE 2 IoCs

pid	Process
3876	update.exe
1644	crash_reporter.exe

Loads dropped DLL 6 IoCs

pid	Process
3876	update.exe
3876	update.exe
3876	update.exe
3876	update.exe
3876	update.exe
3876	update.exe

Modifies boot configuration data using bcdedit 1 IoCs

pid	Process
964	bcdedit.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Wegame\vcruntime140.dll	310a148ec30dacbb8e49fb04e9c6a54356b38e677c443b607684a2dc4920380b.exe
File opened for modification	C:\Program Files (x86)\Wegame\XLauncherKernelX64.dll	310a148ec30dacbb8e49fb04e9c6a54356b38e677c443b607684a2dc4920380b.exe
File opened for modification	C:\Program Files (x86)\Wegame\locale.dat	310a148ec30dacbb8e49fb04e9c6a54356b38e677c443b607684a2dc4920380b.exe
File created	C:\Program Files (x86)\Wegame\locale2.dat	310a148ec30dacbb8e49fb04e9c6a54356b38e677c443b607684a2dc4920380b.exe
File opened for modification	C:\Program Files (x86)\Wegame\locale4.dat	310a148ec30dacbb8e49fb04e9c6a54356b38e677c443b607684a2dc4920380b.exe
File created	C:\Program Files (x86)\Wegame\logs\XBoot\2024_07_13\XBoot_2024_07_13_08_36_04.log	update.exe
File opened for modification	C:\Program Files (x86)\Wegame\msvcp140.dll	310a148ec30dacbb8e49fb04e9c6a54356b38e677c443b607684a2dc4920380b.exe
File opened for modification	C:\Program Files (x86)\Wegame\locale3.dat	310a148ec30dacbb8e49fb04e9c6a54356b38e677c443b607684a2dc4920380b.exe
File created	C:\Program Files (x86)\Wegame\INIT.DAT	update.exe
File created	C:\Program Files (x86)\Wegame\update.exe	310a148ec30dacbb8e49fb04e9c6a54356b38e677c443b607684a2dc4920380b.exe
File opened for modification	C:\Program Files (x86)\Wegame\update.exe	310a148ec30dacbb8e49fb04e9c6a54356b38e677c443b607684a2dc4920380b.exe
File opened for modification	C:\Program Files (x86)\Wegame\vcruntime140_1.dll	310a148ec30dacbb8e49fb04e9c6a54356b38e677c443b607684a2dc4920380b.exe
File created	C:\Program Files (x86)\Wegame\locale.dat	310a148ec30dacbb8e49fb04e9c6a54356b38e677c443b607684a2dc4920380b.exe
File created	C:\Program Files (x86)\Wegame\locale3.dat	310a148ec30dacbb8e49fb04e9c6a54356b38e677c443b607684a2dc4920380b.exe
File opened for modification	C:\Program Files (x86)\Wegame\tProtect.dll	crash_reporter.exe
File opened for modification	C:\Program Files (x86)\Wegame\vcruntime140.dll	310a148ec30dacbb8e49fb04e9c6a54356b38e677c443b607684a2dc4920380b.exe
File created	C:\Program Files (x86)\Wegame\vcruntime140_1.dll	310a148ec30dacbb8e49fb04e9c6a54356b38e677c443b607684a2dc4920380b.exe
File opened for modification	C:\Program Files (x86)\Wegame\crash_reporter.exe	310a148ec30dacbb8e49fb04e9c6a54356b38e677c443b607684a2dc4920380b.exe
File created	C:\Program Files (x86)\Wegame\queryex.exe	310a148ec30dacbb8e49fb04e9c6a54356b38e677c443b607684a2dc4920380b.exe
File opened for modification	C:\Program Files (x86)\Wegame\queryex.exe	310a148ec30dacbb8e49fb04e9c6a54356b38e677c443b607684a2dc4920380b.exe
File created	C:\Program Files (x86)\Wegame\msvcp140.dll	310a148ec30dacbb8e49fb04e9c6a54356b38e677c443b607684a2dc4920380b.exe
File created	C:\Program Files (x86)\Wegame\XLauncherKernelX64.dll	310a148ec30dacbb8e49fb04e9c6a54356b38e677c443b607684a2dc4920380b.exe
File created	C:\Program Files (x86)\Wegame\locale4.dat	310a148ec30dacbb8e49fb04e9c6a54356b38e677c443b607684a2dc4920380b.exe
File created	C:\Program Files (x86)\Wegame\crash_reporter.exe	310a148ec30dacbb8e49fb04e9c6a54356b38e677c443b607684a2dc4920380b.exe
File opened for modification	C:\Program Files (x86)\Wegame\locale2.dat	310a148ec30dacbb8e49fb04e9c6a54356b38e677c443b607684a2dc4920380b.exe
File created	C:\Program Files (x86)\Wegame\tProtect.dll	crash_reporter.exe

Launches sc.exe 20 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3608	sc.exe
5096	sc.exe
4496	sc.exe
3976	sc.exe
2604	sc.exe
2600	sc.exe
2868	sc.exe
1620	sc.exe
2108	sc.exe
1808	sc.exe
3356	sc.exe
1956	sc.exe
3628	sc.exe
380	sc.exe
1688	sc.exe
1636	sc.exe
4304	sc.exe
1984	sc.exe
3212	sc.exe
4128	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "207"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2280	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3876	update.exe
3876	update.exe
3876	update.exe
3876	update.exe
3876	update.exe
3876	update.exe

Suspicious behavior: LoadsDriver 9 IoCs

pid	Process
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1784	310a148ec30dacbb8e49fb04e9c6a54356b38e677c443b607684a2dc4920380b.exe
Token: SeRestorePrivilege	1644	crash_reporter.exe
Token: 35	1644	crash_reporter.exe
Token: SeSecurityPrivilege	1644	crash_reporter.exe
Token: SeSecurityPrivilege	1644	crash_reporter.exe
Token: SeShutdownPrivilege	4520	shutdown.exe
Token: SeRemoteShutdownPrivilege	4520	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1892	LogonUI.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 3876	1784	310a148ec30dacbb8e49fb04e9c6a54356b38e677c443b607684a2dc4920380b.exe	86
PID 1784 wrote to memory of 3876	1784	310a148ec30dacbb8e49fb04e9c6a54356b38e677c443b607684a2dc4920380b.exe	86
PID 1784 wrote to memory of 868	1784	310a148ec30dacbb8e49fb04e9c6a54356b38e677c443b607684a2dc4920380b.exe	88
PID 1784 wrote to memory of 868	1784	310a148ec30dacbb8e49fb04e9c6a54356b38e677c443b607684a2dc4920380b.exe	88
PID 1784 wrote to memory of 868	1784	310a148ec30dacbb8e49fb04e9c6a54356b38e677c443b607684a2dc4920380b.exe	88
PID 3952 wrote to memory of 964	3952	cmd.exe	91
PID 3952 wrote to memory of 964	3952	cmd.exe	91
PID 1972 wrote to memory of 1956	1972	cmd.exe	94
PID 1972 wrote to memory of 1956	1972	cmd.exe	94
PID 3876 wrote to memory of 444	3876	update.exe	95
PID 3876 wrote to memory of 444	3876	update.exe	95
PID 444 wrote to memory of 1644	444	cmd.exe	98
PID 444 wrote to memory of 1644	444	cmd.exe	98
PID 868 wrote to memory of 2280	868	cmd.exe	100
PID 868 wrote to memory of 2280	868	cmd.exe	100
PID 868 wrote to memory of 2280	868	cmd.exe	100
PID 3480 wrote to memory of 3212	3480	cmd.exe	101
PID 3480 wrote to memory of 3212	3480	cmd.exe	101
PID 2996 wrote to memory of 4128	2996	cmd.exe	104
PID 2996 wrote to memory of 4128	2996	cmd.exe	104
PID 412 wrote to memory of 4496	412	cmd.exe	107
PID 412 wrote to memory of 4496	412	cmd.exe	107
PID 3112 wrote to memory of 3976	3112	cmd.exe	111
PID 3112 wrote to memory of 3976	3112	cmd.exe	111
PID 3464 wrote to memory of 1620	3464	cmd.exe	114
PID 3464 wrote to memory of 1620	3464	cmd.exe	114
PID 4880 wrote to memory of 3628	4880	cmd.exe	117
PID 4880 wrote to memory of 3628	4880	cmd.exe	117
PID 3084 wrote to memory of 3608	3084	cmd.exe	120
PID 3084 wrote to memory of 3608	3084	cmd.exe	120
PID 4104 wrote to memory of 380	4104	cmd.exe	123
PID 4104 wrote to memory of 380	4104	cmd.exe	123
PID 2012 wrote to memory of 1688	2012	cmd.exe	126
PID 2012 wrote to memory of 1688	2012	cmd.exe	126
PID 2608 wrote to memory of 1808	2608	cmd.exe	129
PID 2608 wrote to memory of 1808	2608	cmd.exe	129
PID 1828 wrote to memory of 5096	1828	cmd.exe	132
PID 1828 wrote to memory of 5096	1828	cmd.exe	132
PID 4528 wrote to memory of 3356	4528	cmd.exe	135
PID 4528 wrote to memory of 3356	4528	cmd.exe	135
PID 4148 wrote to memory of 1636	4148	cmd.exe	138
PID 4148 wrote to memory of 1636	4148	cmd.exe	138
PID 2040 wrote to memory of 2108	2040	cmd.exe	141
PID 2040 wrote to memory of 2108	2040	cmd.exe	141
PID 1496 wrote to memory of 4304	1496	cmd.exe	144
PID 1496 wrote to memory of 4304	1496	cmd.exe	144
PID 1684 wrote to memory of 2604	1684	cmd.exe	147
PID 1684 wrote to memory of 2604	1684	cmd.exe	147
PID 3016 wrote to memory of 1984	3016	cmd.exe	150
PID 3016 wrote to memory of 1984	3016	cmd.exe	150
PID 1524 wrote to memory of 2600	1524	cmd.exe	153
PID 1524 wrote to memory of 2600	1524	cmd.exe	153
PID 5020 wrote to memory of 2868	5020	cmd.exe	156
PID 5020 wrote to memory of 2868	5020	cmd.exe	156
PID 1036 wrote to memory of 4520	1036	cmd.exe	159
PID 1036 wrote to memory of 4520	1036	cmd.exe	159

C:\Users\Admin\AppData\Local\Temp\310a148ec30dacbb8e49fb04e9c6a54356b38e677c443b607684a2dc4920380b.exe
"C:\Users\Admin\AppData\Local\Temp\310a148ec30dacbb8e49fb04e9c6a54356b38e677c443b607684a2dc4920380b.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Program Files (x86)\Wegame\update.exe
  "C:\Program Files (x86)\Wegame\update.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c crash_reporter.exe x -y locale3.dat -pdo8cb1rto813y7e21e
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:444
  - - C:\Program Files (x86)\Wegame\crash_reporter.exe
      crash_reporter.exe x -y locale3.dat -pdo8cb1rto813y7e21e
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      PID:1644
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\HZ~9829.tmp.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:2280

C:\Windows\system32\cmd.exe
cmd /c start bcdedit / set hypervisorlaunchtype auto
1⤵
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Windows\system32\bcdedit.exe
  bcdedit / set hypervisorlaunchtype auto
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:964

C:\Windows\system32\cmd.exe
cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Wegame\tProtect.dll" type= kernel start= auto
1⤵
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\system32\sc.exe
  sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Wegame\tProtect.dll" type= kernel start= auto
  2⤵
  - Launches sc.exe
  PID:1956

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:3212

C:\Windows\system32\cmd.exe
cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Wegame\tProtect.dll" type= kernel start= auto
1⤵
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\system32\sc.exe
  sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Wegame\tProtect.dll" type= kernel start= auto
  2⤵
  - Launches sc.exe
  PID:4128

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:412
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4496

C:\Windows\system32\cmd.exe
cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Wegame\tProtect.dll" type= kernel start= auto
1⤵
- Suspicious use of WriteProcessMemory
PID:3112
- C:\Windows\system32\sc.exe
  sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Wegame\tProtect.dll" type= kernel start= auto
  2⤵
  - Launches sc.exe
  PID:3976

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1620

C:\Windows\system32\cmd.exe
cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Wegame\tProtect.dll" type= kernel start= auto
1⤵
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Windows\system32\sc.exe
  sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Wegame\tProtect.dll" type= kernel start= auto
  2⤵
  - Launches sc.exe
  PID:3628

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:3084
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:3608

C:\Windows\system32\cmd.exe
cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Wegame\tProtect.dll" type= kernel start= auto
1⤵
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Windows\system32\sc.exe
  sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Wegame\tProtect.dll" type= kernel start= auto
  2⤵
  - Launches sc.exe
  PID:380

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1688

C:\Windows\system32\cmd.exe
cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Wegame\tProtect.dll" type= kernel start= auto
1⤵
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\system32\sc.exe
  sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Wegame\tProtect.dll" type= kernel start= auto
  2⤵
  - Launches sc.exe
  PID:1808

C:\Windows\system32\cmd.exe
cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Wegame\tProtect.dll" type= kernel start= auto
1⤵
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Windows\system32\sc.exe
  sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Wegame\tProtect.dll" type= kernel start= auto
  2⤵
  - Launches sc.exe
  PID:5096

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:3356

C:\Windows\system32\cmd.exe
cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Wegame\tProtect.dll" type= kernel start= auto
1⤵
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Windows\system32\sc.exe
  sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Wegame\tProtect.dll" type= kernel start= auto
  2⤵
  - Launches sc.exe
  PID:1636

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2108

C:\Windows\system32\cmd.exe
cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Wegame\tProtect.dll" type= kernel start= auto
1⤵
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\system32\sc.exe
  sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Wegame\tProtect.dll" type= kernel start= auto
  2⤵
  - Launches sc.exe
  PID:4304

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2604

C:\Windows\system32\cmd.exe
cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Wegame\tProtect.dll" type= kernel start= auto
1⤵
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\system32\sc.exe
  sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Wegame\tProtect.dll" type= kernel start= auto
  2⤵
  - Launches sc.exe
  PID:1984

C:\Windows\system32\cmd.exe
cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Wegame\tProtect.dll" type= kernel start= auto
1⤵
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\system32\sc.exe
  sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Wegame\tProtect.dll" type= kernel start= auto
  2⤵
  - Launches sc.exe
  PID:2600

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2868

C:\Windows\system32\cmd.exe
cmd /c start shutdown -f -r -t 00
1⤵
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Windows\system32\shutdown.exe
  shutdown -f -r -t 00
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4520

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3964055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Wegame\MSVCP140.dll

Filesize
559KB

MD5
c3d497b0afef4bd7e09c7559e1c75b05

SHA1
295998a6455cc230da9517408f59569ea4ed7b02

SHA256
1e57a6df9e3742e31a1c6d9bff81ebeeae8a7de3b45a26e5079d5e1cce54cd98

SHA512
d5c62fdac7c5ee6b2f84b9bc446d5b10ad1a019e29c653cfdea4d13d01072fdf8da6005ad4817044a86bc664d1644b98a86f31c151a3418be53eb47c1cfae386

Download Submit
C:\Program Files (x86)\Wegame\XLauncherKernelX64.dll

Filesize
179KB

MD5
3b1c61b1826f4266406517f277f574cd

SHA1
f2c7cc23530ab206642a87b8430f8b19c9504387

SHA256
68fe58f17191f7c726aad0d77949060312226525c301cc504d660192a1b92073

SHA512
be281f42613bfec30647d4aa49d233ff73e760b4bb76edf8324c3e899995a626654321329d633bf924b047cc99cfb46b0ead20e271bc8ae6e960967e53771163

Download Submit
C:\Program Files (x86)\Wegame\crash_reporter.exe

Filesize
1.1MB

MD5
8329f69fae5718f4df8640cf5e9d8fea

SHA1
6e1282b4000e7cd52a9321fd088b660e54433bfa

SHA256
69672e28a42c6915ed5a04da16e9cf2af1fbdd71042232291578857f7d6dd1ae

SHA512
98e5525f6936412be186b2d1e3de8a626320ce87594f3bdef939ef38146ac250a77419ae19f1c0ed6a2fefff0f0aa69c00863e3a301b9c85a59d32262c7d3652

Download Submit
C:\Program Files (x86)\Wegame\locale3.dat

Filesize
29KB

MD5
64ad5121b7f4ef1176d3064699a34f44

SHA1
4ef0c062b0b121186be4a83d425c5445c2497481

SHA256
3777d0cc04dd5c38799abd15f2b601b4569cc2bf36ece29b347d91d1f8efc241

SHA512
7bbcdecc2812c6d632cedd001cd300ad26cb3de7ab59a8f6e132efc570f01a5fe40396dbb588e3289e0c0b8f273bc0a10f2bf1cb86a0d056f7d677b02225375f

Download Submit
C:\Program Files (x86)\Wegame\update.exe

Filesize
257KB

MD5
074b9f52c8ed5e2ea1380557284e1e70

SHA1
0e730c1bda817a3ecd822e65f2ba9ded219c81b0

SHA256
f6946d7fcb79b7bb76c3795b03ce94c502e0c235b0e359c718d416f3abf359d5

SHA512
b9c0cafd23b542e73bda688296009bd5835f306dd1fcda3f41ba57f4d5bf76f1b27846b4546a81533b008da0ea86acfa9e96e19a5025f391054d65c7e101101c

Download Submit
C:\Program Files (x86)\Wegame\vcruntime140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Program Files (x86)\Wegame\vcruntime140_1.dll

Filesize
48KB

MD5
cf0a1c4776ffe23ada5e570fc36e39fe

SHA1
2050fadecc11550ad9bde0b542bcf87e19d37f1a

SHA256
6fd366a691ed68430bcd0a3de3d8d19a0cb2102952bfc140bbef4354ed082c47

SHA512
d95cd98d22ca048d0fc5bca551c9db13d6fa705f6af120bbbb621cf2b30284bfdc7320d0a819bb26dab1e0a46253cc311a370bed4ef72ecb60c69791ed720168

Download Submit
C:\Users\Admin\AppData\Local\Temp\HZ~9829.tmp.bat

Filesize
266B

MD5
492c5d4455480f41b2e30af206a597d3

SHA1
55c060c56d736a49655118f29551efbe113a4529

SHA256
f11c1c793832706961818cdaf0f2336a9a2909ae1d2effde19ed0ad58d678c06

SHA512
acee0cc0b78344c4dc0657bfea4372d86641c33f0d75f6750c6ece16d7fa6a0a5dab6b73e14a5a36175c5b3767c892961db910d92a607be76a10f37f6f2b4b8e

Download Submit