Analysis

  • max time kernel
    157s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231025-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231025-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/11/2023, 17:45 UTC

General

  • Target

    869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe

  • Size

    13.7MB

  • MD5

    a714ddc6076916b1c688b86338a43336

  • SHA1

    d73fd48a4e7db3f44b001c54dff63b9258e6dfaa

  • SHA256

    869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75

  • SHA512

    a0c7c9bade112f518d2db56eb3b6ad6a6cbbb3b118d7a6e41832264c552553288312b44f0682566a0e567a945591581a1ae8112741cfd5a05b4d79e2d0831bdc

  • SSDEEP

    196608:8MD+cpvJ/4H3nmghWoa/fsysMF4JD85l3kjiFJlzLJZzoFWe4fyGsnIRHqrB7XLI:8MFgXnU7sEl3yiLzMwRxnsxJ72

Score
9/10

Malware Config

Signatures

  • Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  • Executes dropped EXE (1 IoC)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SendNotifyMessage (1 IoC)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe
    "C:\Users\Admin\AppData\Local\Temp\869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1212
    • C:\Users\Admin\AppData\Local\Temp\奶罩子轮回.exe
      C:\Users\Admin\AppData\Local\Temp\奶罩子轮回.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3848

Network

  • US
    DNS
    68.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    68.32.126.40.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    133.113.22.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.113.22.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    config.yunjiasu.kkidc.com
    869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe
    Remote address:
    8.8.8.8:53
    Request
    config.yunjiasu.kkidc.com
    IN A
    Response
    config.yunjiasu.kkidc.com
    IN CNAME
    config.yunjiasu.youxidun.com
    config.yunjiasu.youxidun.com
    IN A
    45.117.11.105
  • US
    DNS
    146.78.124.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    146.78.124.51.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    254.21.238.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    254.21.238.8.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    105.11.117.45.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    105.11.117.45.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    config.yunjiasu.kkidc.com
    869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe
    Remote address:
    8.8.8.8:53
    Request
    config.yunjiasu.kkidc.com
    IN A
    Response
    config.yunjiasu.kkidc.com
    IN CNAME
    config.yunjiasu.youxidun.com
    config.yunjiasu.youxidun.com
    IN A
    45.117.11.105
  • US
    DNS
    106.134.80.110.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    106.134.80.110.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    28.15.24.117.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.15.24.117.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    14.92.159.27.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.92.159.27.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    198.1.85.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.1.85.104.in-addr.arpa
    IN PTR
    Response
    198.1.85.104.in-addr.arpa
    IN PTR
    a104-85-1-198.deploy.static.akamaitechnologies.com
  • US
    DNS
    157.123.68.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    157.123.68.40.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    59.128.231.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    59.128.231.4.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    135.1.85.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    135.1.85.104.in-addr.arpa
    IN PTR
    Response
    135.1.85.104.in-addr.arpa
    IN PTR
    a104-85-1-135.deploy.static.akamaitechnologies.com
  • US
    DNS
    119.110.54.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    119.110.54.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    113.208.253.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    113.208.253.8.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    1.202.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    1.202.248.87.in-addr.arpa
    IN PTR
    Response
    1.202.248.87.in-addr.arpa
    IN PTR
    https-87-248-202-1.ams.llnw.net
  • US
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • US
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301634_10VKNY6NZN82LU9UT&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301634_10VKNY6NZN82LU9UT&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 316678
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: EC6A561D5662483FA1A49925239A3A72 Ref B: BRU30EDGE0519 Ref C: 2023-11-15T17:46:26Z
    date: Wed, 15 Nov 2023 17:46:26 GMT
  • US
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301727_159BWLGFMENWVBHQV&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301727_159BWLGFMENWVBHQV&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 410629
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 0147EFD82D274455A3709B128BBA2960 Ref B: BRU30EDGE0519 Ref C: 2023-11-15T17:46:26Z
    date: Wed, 15 Nov 2023 17:46:26 GMT
  • US
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301162_1G7DYX5FX2938M3TM&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301162_1G7DYX5FX2938M3TM&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 365925
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: FE61B4D9AF594EF5AC7B4B4FC34CA4C0 Ref B: BRU30EDGE0519 Ref C: 2023-11-15T17:46:26Z
    date: Wed, 15 Nov 2023 17:46:26 GMT
  • US
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301318_1C2BO4PEAXMAW3R9U&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301318_1C2BO4PEAXMAW3R9U&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 409991
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: D03AC9E14C514DE898C20D22A4BB9F8B Ref B: BRU30EDGE0519 Ref C: 2023-11-15T17:46:26Z
    date: Wed, 15 Nov 2023 17:46:26 GMT
  • US
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301225_1DZROXCI1NKORI8W4&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301225_1DZROXCI1NKORI8W4&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 463110
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 3DBDE1128338453E9AE0E049F5F0F16A Ref B: BRU30EDGE0519 Ref C: 2023-11-15T17:46:26Z
    date: Wed, 15 Nov 2023 17:46:26 GMT
  • US
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301571_1RETF70DD01UVNE0Z&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301571_1RETF70DD01UVNE0Z&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 239387
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 8BFBF6827E5E41C98E304C6E93958D7C Ref B: BRU30EDGE0519 Ref C: 2023-11-15T17:46:27Z
    date: Wed, 15 Nov 2023 17:46:26 GMT
  • US
    DNS
    config.yunjiasu.kkidc.com
    869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe
    Remote address:
    8.8.8.8:53
    Request
    config.yunjiasu.kkidc.com
    IN A
    Response
    config.yunjiasu.kkidc.com
    IN CNAME
    config.yunjiasu.youxidun.com
    config.yunjiasu.youxidun.com
    IN A
    45.117.11.105
  • US
    DNS
    14.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.227.111.52.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    146.92.159.27.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    146.92.159.27.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    144.15.24.117.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    144.15.24.117.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    138.217.129.123.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    138.217.129.123.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    27.178.89.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    27.178.89.13.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    config.yunjiasu.kkidc.com
    869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe
    Remote address:
    8.8.8.8:53
    Request
    config.yunjiasu.kkidc.com
    IN A
    Response
    config.yunjiasu.kkidc.com
    IN CNAME
    config.yunjiasu.youxidun.com
    config.yunjiasu.youxidun.com
    IN A
    45.117.11.105
  • 45.117.11.105:9501
    config.yunjiasu.kkidc.com
    869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe
    335 B
    265 B
    5
    5
  • 45.117.11.105:9501
    config.yunjiasu.kkidc.com
    869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe
    482 B
    1.4kB
    6
    5
  • 45.117.11.105:9501
    config.yunjiasu.kkidc.com
    869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe
    355 B
    345 B
    5
    5
  • 117.24.15.28:31016
    869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe
    5.3kB
    2.9kB
    97
    52
  • 110.80.134.106:39070
    869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe
    4.2kB
    2.3kB
    76
    40
  • 27.159.92.14:34001
    869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe
    5.6kB
    3.1kB
    102
    55
  • 45.117.11.105:9501
    config.yunjiasu.kkidc.com
    869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe
    939 B
    128 B
    5
    3
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.3kB
    16
    14
  • 204.79.197.200:443
    https://tse1.mm.bing.net/th?id=OADD2.10239317301571_1RETF70DD01UVNE0Z&pid=21.2&w=1080&h=1920&c=4
    tls, http2
    87.6kB
    2.3MB
    1660
    1656

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301634_10VKNY6NZN82LU9UT&pid=21.2&w=1080&h=1920&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301727_159BWLGFMENWVBHQV&pid=21.2&w=1080&h=1920&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301162_1G7DYX5FX2938M3TM&pid=21.2&w=1920&h=1080&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301318_1C2BO4PEAXMAW3R9U&pid=21.2&w=1920&h=1080&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301225_1DZROXCI1NKORI8W4&pid=21.2&w=1920&h=1080&c=4

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301571_1RETF70DD01UVNE0Z&pid=21.2&w=1080&h=1920&c=4

    HTTP Response

    200
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.3kB
    16
    14
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.3kB
    16
    14
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.3kB
    16
    14
  • 45.117.11.105:9501
    config.yunjiasu.kkidc.com
    869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe
    497 B
    550 B
    6
    5
  • 125.77.158.194:11400
    869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe
    156 B
    3
  • 27.159.92.146:54021
    869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe
    1.0kB
    469 B
    15
    9
  • 117.24.15.144:36705
    869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe
    2.3kB
    1.2kB
    40
    20
  • 123.129.217.138:52209
    869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe
    1.6kB
    933 B
    28
    16
  • 110.80.134.106:39070
    869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe
    1.5kB
    809 B
    25
    14
  • 45.117.11.105:9501
    config.yunjiasu.kkidc.com
    869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe
    445 B
    550 B
    5
    5
  • 8.8.8.8:53
    68.32.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    68.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    133.113.22.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    133.113.22.20.in-addr.arpa

  • 8.8.8.8:53
    config.yunjiasu.kkidc.com
    dns
    869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe
    71 B
    126 B
    1
    1

    DNS Request

    config.yunjiasu.kkidc.com

    DNS Response

    45.117.11.105

  • 8.8.8.8:53
    146.78.124.51.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    146.78.124.51.in-addr.arpa

  • 8.8.8.8:53
    254.21.238.8.in-addr.arpa
    dns
    71 B
    125 B
    1
    1

    DNS Request

    254.21.238.8.in-addr.arpa

  • 8.8.8.8:53
    105.11.117.45.in-addr.arpa
    dns
    72 B
    126 B
    1
    1

    DNS Request

    105.11.117.45.in-addr.arpa

  • 8.8.8.8:53
    config.yunjiasu.kkidc.com
    dns
    869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe
    71 B
    126 B
    1
    1

    DNS Request

    config.yunjiasu.kkidc.com

    DNS Response

    45.117.11.105

  • 8.8.8.8:53
    106.134.80.110.in-addr.arpa
    dns
    73 B
    126 B
    1
    1

    DNS Request

    106.134.80.110.in-addr.arpa

  • 8.8.8.8:53
    28.15.24.117.in-addr.arpa
    dns
    71 B
    124 B
    1
    1

    DNS Request

    28.15.24.117.in-addr.arpa

  • 8.8.8.8:53
    14.92.159.27.in-addr.arpa
    dns
    71 B
    124 B
    1
    1

    DNS Request

    14.92.159.27.in-addr.arpa

  • 8.8.8.8:53
    26.35.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    26.35.223.20.in-addr.arpa

  • 8.8.8.8:53
    198.1.85.104.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    198.1.85.104.in-addr.arpa

  • 8.8.8.8:53
    157.123.68.40.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    157.123.68.40.in-addr.arpa

  • 8.8.8.8:53
    59.128.231.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    59.128.231.4.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    135.1.85.104.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    135.1.85.104.in-addr.arpa

  • 8.8.8.8:53
    119.110.54.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    119.110.54.20.in-addr.arpa

  • 8.8.8.8:53
    113.208.253.8.in-addr.arpa
    dns
    72 B
    126 B
    1
    1

    DNS Request

    113.208.253.8.in-addr.arpa

  • 8.8.8.8:53
    1.202.248.87.in-addr.arpa
    dns
    71 B
    116 B
    1
    1

    DNS Request

    1.202.248.87.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
    173 B
    1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    204.79.197.200
    13.107.21.200

  • 8.8.8.8:53
    config.yunjiasu.kkidc.com
    dns
    869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe
    71 B
    126 B
    1
    1

    DNS Request

    config.yunjiasu.kkidc.com

    DNS Response

    45.117.11.105

  • 8.8.8.8:53
    14.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    14.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    146.92.159.27.in-addr.arpa
    dns
    72 B
    125 B
    1
    1

    DNS Request

    146.92.159.27.in-addr.arpa

  • 8.8.8.8:53
    144.15.24.117.in-addr.arpa
    dns
    72 B
    125 B
    1
    1

    DNS Request

    144.15.24.117.in-addr.arpa

  • 8.8.8.8:53
    138.217.129.123.in-addr.arpa
    dns
    74 B
    132 B
    1
    1

    DNS Request

    138.217.129.123.in-addr.arpa

  • 8.8.8.8:53
    27.178.89.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    27.178.89.13.in-addr.arpa

  • 8.8.8.8:53
    config.yunjiasu.kkidc.com
    dns
    869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe
    71 B
    126 B
    1
    1

    DNS Request

    config.yunjiasu.kkidc.com

    DNS Response

    45.117.11.105
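
The connection rows above carry no column headers, several of the sample's peers (117.24.15.28, 110.80.134.106, 27.159.92.14, 125.77.158.194, 27.159.92.146, 117.24.15.144, 123.129.217.138) appear without any A-record lookup for them anywhere in the log, the PTR queries carry no process attribution, and the tse1.mm.bing.net flows are not attributed to the sample at all. The Python below is an added example for this report, not tria.ge code. It transcribes the endpoints, the one A-record answer and the PTR names from the page (repeat flows to the same endpoint collapsed), splits the flows the report attributes to the sample into name-resolved and direct-to-IP buckets, sets aside flows not attributed to it, and rebuilds the IPs behind the PTR names so they can be matched against connection peers. The column order assumed for the flattened rows is (remote endpoint, domain, protocol, process, bytes out, bytes in, packets out, packets in); the byte and packet counts are not needed for the classification and are left out. `SAMPLE`, `Conn` and the function names are this example's own.

```python
"""Triage helper for the Network section of this report.

Added example, not tria.ge code.  Values are transcribed from the report;
the assumed column order of the flattened connection rows is (remote,
domain, protocol, process, bytes out, bytes in, packets out, packets in).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SAMPLE = "869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe"

# PTR names queried during the run (from the report; none is attributed to a process).
PTR_QUERIES = [
    "68.32.126.40.in-addr.arpa", "133.113.22.20.in-addr.arpa", "146.78.124.51.in-addr.arpa",
    "254.21.238.8.in-addr.arpa", "105.11.117.45.in-addr.arpa", "106.134.80.110.in-addr.arpa",
    "28.15.24.117.in-addr.arpa", "14.92.159.27.in-addr.arpa", "26.35.223.20.in-addr.arpa",
    "198.1.85.104.in-addr.arpa", "157.123.68.40.in-addr.arpa", "59.128.231.4.in-addr.arpa",
    "171.39.242.20.in-addr.arpa", "135.1.85.104.in-addr.arpa", "119.110.54.20.in-addr.arpa",
    "113.208.253.8.in-addr.arpa", "1.202.248.87.in-addr.arpa", "14.227.111.52.in-addr.arpa",
    "146.92.159.27.in-addr.arpa", "144.15.24.117.in-addr.arpa", "138.217.129.123.in-addr.arpa",
    "27.178.89.13.in-addr.arpa",
]

# A-record answers the sample's process received (domain -> IP), from the report.
A_ANSWERS = {"config.yunjiasu.kkidc.com": "45.117.11.105"}


@dataclass(frozen=True)
class Conn:
    remote: str               # "ip:port" as printed in the report
    domain: Optional[str]     # name the report attached to the flow, if any
    protocol: Optional[str]   # e.g. "tls, http2"; None where the report shows none
    process: Optional[str]    # process the report attributed the flow to, if any


# One entry per distinct endpoint; repeat flows to the same endpoint are collapsed.
CONNECTIONS = [
    Conn("45.117.11.105:9501", "config.yunjiasu.kkidc.com", None, SAMPLE),
    Conn("117.24.15.28:31016", None, None, SAMPLE),
    Conn("110.80.134.106:39070", None, None, SAMPLE),
    Conn("27.159.92.14:34001", None, None, SAMPLE),
    Conn("204.79.197.200:443", "tse1.mm.bing.net", "tls, http2", None),
    Conn("125.77.158.194:11400", None, None, SAMPLE),
    Conn("27.159.92.146:54021", None, None, SAMPLE),
    Conn("117.24.15.144:36705", None, None, SAMPLE),
    Conn("123.129.217.138:52209", None, None, SAMPLE),
]


def ptr_to_ip(name: str) -> Optional[str]:
    """Turn '105.11.117.45.in-addr.arpa' back into '45.117.11.105'; None if malformed."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def split_endpoint(remote: str) -> tuple:
    ip, _, port = remote.rpartition(":")
    return ip, int(port)


def bucket_connections(conns, a_answers):
    """Sort flows into resolved-by-name, direct-to-IP, and not-attributed-to-sample."""
    buckets = {"resolved": [], "direct_ip": [], "unattributed": []}
    for c in conns:
        ip, _ = split_endpoint(c.remote)
        if c.process != SAMPLE:
            buckets["unattributed"].append(c)
        elif c.domain and a_answers.get(c.domain) == ip:
            buckets["resolved"].append(c)
        else:
            # No A-record answer in the log produced this IP, so the sample got it
            # some other way: hard-coded, or delivered over an earlier flow.
            buckets["direct_ip"].append(c)
    return buckets


def correlate_ptr(ptr_queries, conns):
    """IPs that were both reverse-looked-up and connected to by the sample."""
    looked_up = {ip for ip in map(ptr_to_ip, ptr_queries) if ip}
    peers = {split_endpoint(c.remote)[0] for c in conns if c.process == SAMPLE}
    return sorted(looked_up & peers, key=ipaddress.IPv4Address)


def sample_iocs(conns):
    """Deduplicated ip:port endpoints attributed to the sample, ordered for a blocklist."""
    def key(remote):
        ip, port = split_endpoint(remote)
        return ipaddress.IPv4Address(ip), port
    return sorted({c.remote for c in conns if c.process == SAMPLE}, key=key)


if __name__ == "__main__":
    for name, flows in bucket_connections(CONNECTIONS, A_ANSWERS).items():
        print(f"{name:13s} {[c.remote for c in flows]}")
    print("PTR-looked-up peers:", correlate_ptr(PTR_QUERIES, CONNECTIONS))
    print("IOCs:", sample_iocs(CONNECTIONS))
```

Run against the transcribed rows, seven of the eight endpoints attributed to the sample also show up as PTR lookups; 125.77.158.194 does not. Only 45.117.11.105:9501 was reached through a name (config.yunjiasu.kkidc.com, CNAME to config.yunjiasu.youxidun.com), so that domain pair and IP are the most durable indicators from this run; the other peer IPs arrived with no DNS lookup in the log and should be treated as run-specific until seen across other samples.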

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

    Filesize

    27KB

    MD5

    a4db9ccf43c0d361c99255091be684a0

    SHA1

    073e82d4e325d6f5d7b14638ef2cce50fdadc181

    SHA256

    36272e829db2cfbec2d33a8d1f5ef6004454f513921e64406e5f343eacf84578

    SHA512

    acff520e9da5d56309ac5606aa3235f832faccabb19841de674bdae7f95c9c3f43d6f0b95100555b9295e9e56373d4b0d067c8a5863f95a68897fc7b24274b29

  • C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

    Filesize

    32KB

    MD5

    6dfed3d17627244147b6fb19cb0577cc

    SHA1

    a6c0deeb8b8491ad6afce1cbfe45631d4ba10d7d

    SHA256

    11b2e4bb75bf9776ac776b4c201b8ca1f52f559c02c808ef62b79fccfb35c525

    SHA512

    01fa024923d115be9cd6790c6112c3cfa21705cbec16e24e1f782a22f58014ae240c2d78c4569829cb48ed4e4642f85b5d8669e52a188edc988eae742383f15a

  • C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

    Filesize

    308B

    MD5

    4ac55e95e3b40750ac81edc530b189be

    SHA1

    03c8a05dffa337b6093426d37f6fdf58e775cc12

    SHA256

    1514e6fcba6161c81c80da821c4a1dbb1622cd0426d790ce174d971dddbbb55b

    SHA512

    3f1ad127ac2d45a09c26579806bc1b02d710610a61901336b0cd44a45b8d932819020809066544e1fe71d81629e5f68bffefe7785ea7084353367d2bc024c075

  • C:\Users\Admin\AppData\Local\Temp\奶罩子轮回.exe

    Filesize

    8.0MB

    MD5

    0f79956e611a733dbd438dc8a9bed0df

    SHA1

    2a83a037ac20d30879d831e9007e2d35e7ec98ba

    SHA256

    49670cde80663d5ddfab7ca5bf5f78d3398a513ee91debc7f74abab9afe8b335

    SHA512

    5fc52c85db35b2cd538c1005552012d30b9a6fb6fd8e6e3f31a72ccb5f3cb958fea3f991e01f6637cfca909aa5c1e853f3f66fc917043927b244760d974691f3

  • memory/3848-544-0x00000000018B0000-0x00000000018B1000-memory.dmp

    Filesize

    4KB

  • memory/3848-542-0x0000000000400000-0x00000000013D0000-memory.dmp

    Filesize

    15.8MB

  • memory/3848-543-0x00000000018A0000-0x00000000018A1000-memory.dmp

    Filesize

    4KB

  • memory/3848-540-0x00000000013E0000-0x00000000013E1000-memory.dmp

    Filesize

    4KB

  • memory/3848-545-0x00000000018C0000-0x00000000018C1000-memory.dmp

    Filesize

    4KB

  • memory/3848-546-0x0000000003180000-0x0000000003181000-memory.dmp

    Filesize

    4KB

  • memory/3848-541-0x0000000001860000-0x0000000001861000-memory.dmp

    Filesize

    4KB

  • memory/3848-547-0x0000000003190000-0x0000000003191000-memory.dmp

    Filesize

    4KB

  • memory/3848-548-0x00000000031A0000-0x00000000031A1000-memory.dmp

    Filesize

    4KB

  • memory/3848-550-0x0000000000400000-0x00000000013D0000-memory.dmp

    Filesize

    15.8MB

  • memory/3848-553-0x0000000010000000-0x0000000010114000-memory.dmp

    Filesize

    1.1MB

  • memory/3848-559-0x0000000000400000-0x00000000013D0000-memory.dmp

    Filesize

    15.8MB

  • memory/3848-560-0x0000000000400000-0x00000000013D0000-memory.dmp

    Filesize

    15.8MB
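
The memory/... entries above encode the PID, a capture ordinal and the dumped address range. Read that way, the same 0x400000-0x13D0000 range of PID 3848 (the dropped 奶罩子轮回.exe) was captured four times at 15.8MB, roughly twice the 8.0MB the file occupies on disk, alongside one 1.1MB region at 0x10000000 and eight single 4KB pages. The Python below is an added example for this report, not tria.ge code: it parses the dump names transcribed from the page, groups repeated captures of one range, reproduces the report's size labels, and attaches base-address heuristics. `DROPPED_EXE_BYTES` only approximates the report's "8.0MB", and the ImageBase notes are general PE conventions, not facts the report states.

```python
"""Make sense of memory/<pid>-<n>-<start>-<end>-memory.dmp names from the
Downloads section.  Added example, not tria.ge code.  Dump names are
transcribed from the report; DROPPED_EXE_BYTES approximates the report's
"8.0MB" and the ImageBase notes are heuristics.
"""
import re
from dataclasses import dataclass
from typing import Optional

DUMP_NAMES = [
    "memory/3848-544-0x00000000018B0000-0x00000000018B1000-memory.dmp",
    "memory/3848-542-0x0000000000400000-0x00000000013D0000-memory.dmp",
    "memory/3848-543-0x00000000018A0000-0x00000000018A1000-memory.dmp",
    "memory/3848-540-0x00000000013E0000-0x00000000013E1000-memory.dmp",
    "memory/3848-545-0x00000000018C0000-0x00000000018C1000-memory.dmp",
    "memory/3848-546-0x0000000003180000-0x0000000003181000-memory.dmp",
    "memory/3848-541-0x0000000001860000-0x0000000001861000-memory.dmp",
    "memory/3848-547-0x0000000003190000-0x0000000003191000-memory.dmp",
    "memory/3848-548-0x00000000031A0000-0x00000000031A1000-memory.dmp",
    "memory/3848-550-0x0000000000400000-0x00000000013D0000-memory.dmp",
    "memory/3848-553-0x0000000010000000-0x0000000010114000-memory.dmp",
    "memory/3848-559-0x0000000000400000-0x00000000013D0000-memory.dmp",
    "memory/3848-560-0x0000000000400000-0x00000000013D0000-memory.dmp",
]
DROPPED_EXE_BYTES = 8 * 1024 * 1024   # report says "8.0MB"; exact size not given

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


@dataclass(frozen=True)
class Region:
    pid: int
    seq: int    # capture ordinal; a higher number was dumped later in the run
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name: str) -> Optional[Region]:
    """Parse one dump file name; None for non-dump names or an empty/inverted range."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    if end <= start:
        return None
    return Region(int(pid), int(seq), start, end)


def summarize(names):
    """Group dumps by address range -> sorted capture ordinals, ordered by start address."""
    groups = {}
    for name in names:
        r = parse_dump_name(name)
        if r is not None:
            groups.setdefault((r.start, r.end), []).append(r.seq)
    return {k: sorted(v) for k, v in sorted(groups.items())}


def human(n: int) -> str:
    """Match the report's size labels: MiB with one decimal from 1 MiB up, else KiB."""
    return f"{n / 1048576:.1f}MB" if n >= 1048576 else f"{n // 1024}KB"


def annotate(start: int, end: int):
    """Heuristic notes about a region from its base address and size alone."""
    notes = []
    if start == 0x400000:
        notes.append("0x400000: classic EXE ImageBase, i.e. the main module")
    if start == 0x10000000:
        notes.append("0x10000000: MSVC default DLL ImageBase, mapped without relocation")
    if end - start == 0x1000:
        notes.append("single 4 KiB page")
    return notes


def expansion_ratio(image_size: int, disk_size: int) -> float:
    """In-memory image size over on-disk file size.  Well above 1 is what a
    compressed or packed image looks like once unpacked, but section alignment
    and .bss also inflate images, so confirm against SizeOfImage in the PE header."""
    return image_size / disk_size


if __name__ == "__main__":
    groups = summarize(DUMP_NAMES)
    for (start, end), seqs in groups.items():
        notes = "; ".join(annotate(start, end))
        print(f"{start:#010x}-{end:#010x} {human(end - start):>7} dumped {len(seqs)}x {seqs} {notes}")
    main = next(k for k in groups if k[0] == 0x400000)
    print(f"main image / dropped EXE on disk = {expansion_ratio(main[1] - main[0], DROPPED_EXE_BYTES):.2f}")
```

The repeated captures of the 0x400000 range (ordinals 542, 550, 559, 560) are the sandbox re-dumping the main module as its contents changed; diffing consecutive dumps is the quick way to see what was written over the original image. The size ratio near 2 against the on-disk file is suggestive of a packed image but not proof, which is why the function's docstring points at SizeOfImage.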
