Analysis Overview
SHA256
a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de
Threat Level: Likely malicious
The file a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de was found to be: Likely malicious.
Malicious Activity Summary
Downloads MZ/PE file
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
VMProtect packed file
Enumerates connected drives
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-07 11:28
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-07 11:28
Reported
2023-12-07 11:30
Platform
win7-20231020-en
Max time kernel
140s
Max time network
147s
Command Line
Signatures
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\windows\Runn\Yloux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{EB1C1DF0-FC37-4d54-A9FE-60782016F9D6}.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\M: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\N: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\R: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\U: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\E: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\G: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\O: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\X: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\H: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\J: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\K: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\Q: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\S: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\Y: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\B: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\I: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\L: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\P: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\T: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\V: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\W: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\Z: | C:\windows\Runn\Yloux.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\windows\Runn\DuiLib_u.dll | C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe | N/A |
| File created | C:\windows\Runn\sqlite3.dll | C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe | N/A |
| File created | C:\windows\Runn\Yloux.exe | C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe | N/A |
| File created | C:\windows\Runn\1.bin | C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe | N/A |
| File created | C:\windows\Runn\WindowsTask.exe | C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\EditFlags = "1701948509" | C:\Users\Admin\AppData\Local\Temp\{EB1C1DF0-FC37-4d54-A9FE-60782016F9D6}.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\windows\Runn\Yloux.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 372 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe | C:\windows\Runn\Yloux.exe |
| PID 372 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe | C:\windows\Runn\Yloux.exe |
| PID 372 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe | C:\windows\Runn\Yloux.exe |
| PID 372 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe | C:\windows\Runn\Yloux.exe |
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe
"C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe"
C:\windows\Runn\Yloux.exe
"C:\windows\Runn\Yloux.exe"
C:\Users\Admin\AppData\Local\Temp\{EB1C1DF0-FC37-4d54-A9FE-60782016F9D6}.exe
"C:\Users\Admin\AppData\Local\Temp\{EB1C1DF0-FC37-4d54-A9FE-60782016F9D6}.exe" /s "C:\Users\Admin\AppData\Local\Temp\\{5B3B6B6D-180D-4e89-AC5F-7762A6993DDE}"
Network
| Country | Destination | Domain | Proto |
| US | 38.54.101.34:80 | tcp | |
| US | 38.60.205.234:52361 | 38.60.205.234 | tcp |
| HK | 43.249.31.126:18759 | tcp | |
| HK | 43.249.31.126:18759 | tcp | |
| HK | 43.249.31.126:18759 | tcp | |
| N/A | 192.168.1.2:6341 | udp | |
| N/A | 192.168.1.2:6341 | udp | |
| N/A | 192.168.1.2:6341 | udp |
Files
memory/372-2-0x0000000000E40000-0x00000000016D5000-memory.dmp
memory/372-0-0x0000000000080000-0x0000000000081000-memory.dmp
memory/372-3-0x0000000000080000-0x0000000000081000-memory.dmp
memory/372-5-0x0000000000E40000-0x00000000016D5000-memory.dmp
memory/372-7-0x0000000000080000-0x0000000000081000-memory.dmp
memory/372-9-0x0000000077D80000-0x0000000077D81000-memory.dmp
memory/372-11-0x0000000002FB0000-0x0000000003300000-memory.dmp
memory/372-12-0x0000000010000000-0x0000000010354000-memory.dmp
\Windows\Runn\Yloux.exe
| MD5 | fff86732dd49317db08c940f362f5023 |
| SHA1 | 79e1ff08ccde6ea37cf84617e2ada8e86672730e |
| SHA256 | ed4719202f1d434071516ab5aafb9b6f3080be77e4bfeecfa85af68dfc1d28f0 |
| SHA512 | e43089ba588e5eaa1007d176551710ebedd8f855c900c1248747d2172eceb8214e5c4bcc6e7a7bcf3d58fbffc306ae33e3c89e315bedde9f2152acaf22a092b9 |
C:\Windows\Runn\Yloux.exe
| MD5 | fff86732dd49317db08c940f362f5023 |
| SHA1 | 79e1ff08ccde6ea37cf84617e2ada8e86672730e |
| SHA256 | ed4719202f1d434071516ab5aafb9b6f3080be77e4bfeecfa85af68dfc1d28f0 |
| SHA512 | e43089ba588e5eaa1007d176551710ebedd8f855c900c1248747d2172eceb8214e5c4bcc6e7a7bcf3d58fbffc306ae33e3c89e315bedde9f2152acaf22a092b9 |
C:\windows\Runn\1.bin
| MD5 | e8d22da772001f5b8e4036d8c0673e5f |
| SHA1 | 2dd5d03dad6e75e3c082b774a31a35ef7775a6cf |
| SHA256 | 98de66877090c3d1b3ac1c2e732bccd9f271eaf4487cb6b2803da8eb0cbbb447 |
| SHA512 | 62ccedcedb86bd8e7afebdb0de2b60db2c9fbe56040874f001d5b74529c9f998061bce03058f362952a069435f6c42e0b361865daa2f32116ff6369b0852df10 |
memory/2708-28-0x0000000000260000-0x000000000028D000-memory.dmp
memory/2708-29-0x0000000180000000-0x0000000180033000-memory.dmp
memory/2708-36-0x0000000180000000-0x0000000180033000-memory.dmp
memory/2708-35-0x0000000180000000-0x0000000180033000-memory.dmp
\Users\Admin\AppData\Local\Temp\{EB1C1DF0-FC37-4d54-A9FE-60782016F9D6}.exe
| MD5 | 217dc98e219a340cb09915244c992a52 |
| SHA1 | a04f101ca7180955d62e4a1aaeccdcca489209da |
| SHA256 | 27c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c |
| SHA512 | dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85 |
memory/372-42-0x0000000000E40000-0x00000000016D5000-memory.dmp
memory/2708-43-0x0000000180000000-0x0000000180033000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{EB1C1DF0-FC37-4d54-A9FE-60782016F9D6}.exe
| MD5 | 217dc98e219a340cb09915244c992a52 |
| SHA1 | a04f101ca7180955d62e4a1aaeccdcca489209da |
| SHA256 | 27c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c |
| SHA512 | dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85 |
C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini
| MD5 | ff0c7c2667dff4f3ed588f40d047c642 |
| SHA1 | 1162c83bd0bb0d81b7ab7f616cb012b790aa4adf |
| SHA256 | 02af5cb061fd8075e9475c45ab20e86cf2bb4ca9511ddad348645ed5183b9fc7 |
| SHA512 | 539b1d443232758b6c60a287f2a40200e6e3ba7353f11f18e29ba265c9569a4610e4a80910f79660368a916576ab9c486efa248bf3257e522ef5bfb3d42ef3c3 |
C:\Users\Admin\AppData\Local\Temp\{5B3B6B6D-180D-4e89-AC5F-7762A6993DDE}
| MD5 | cd4478ae7de2e99792473c749b6045f1 |
| SHA1 | 1ed7d4ddbebfd55b53a87ee9bec241c400f25154 |
| SHA256 | cf34fcddacd611b4fc813d1548a2828082c5b70ca78efe9aaee1b62d6b763dda |
| SHA512 | 2df19b5922efb368f41dc23815fa3b64a28a530aac48f94a6a77c795fa8ed62cc4df1752950f997e581f7761941c99319d8c25bac96da8e01abe191d8d4916a5 |
C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini
| MD5 | ff0c7c2667dff4f3ed588f40d047c642 |
| SHA1 | 1162c83bd0bb0d81b7ab7f616cb012b790aa4adf |
| SHA256 | 02af5cb061fd8075e9475c45ab20e86cf2bb4ca9511ddad348645ed5183b9fc7 |
| SHA512 | 539b1d443232758b6c60a287f2a40200e6e3ba7353f11f18e29ba265c9569a4610e4a80910f79660368a916576ab9c486efa248bf3257e522ef5bfb3d42ef3c3 |
memory/2708-186-0x0000000180000000-0x0000000180033000-memory.dmp
memory/2708-187-0x0000000180000000-0x0000000180033000-memory.dmp
memory/2708-188-0x0000000001DB0000-0x0000000001DEE000-memory.dmp
memory/2708-189-0x0000000001EF0000-0x0000000001F34000-memory.dmp
memory/2708-191-0x0000000001EF0000-0x0000000001F34000-memory.dmp
memory/2708-192-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2708-193-0x0000000001EF0000-0x0000000001F34000-memory.dmp
memory/372-196-0x0000000000E40000-0x00000000016D5000-memory.dmp
memory/2708-197-0x0000000001EF0000-0x0000000001F34000-memory.dmp
C:\windows\Runn\Yloux.exe
| MD5 | fff86732dd49317db08c940f362f5023 |
| SHA1 | 79e1ff08ccde6ea37cf84617e2ada8e86672730e |
| SHA256 | ed4719202f1d434071516ab5aafb9b6f3080be77e4bfeecfa85af68dfc1d28f0 |
| SHA512 | e43089ba588e5eaa1007d176551710ebedd8f855c900c1248747d2172eceb8214e5c4bcc6e7a7bcf3d58fbffc306ae33e3c89e315bedde9f2152acaf22a092b9 |
memory/2708-199-0x0000000001EF0000-0x0000000001F34000-memory.dmp
memory/2708-202-0x0000000001EF0000-0x0000000001F34000-memory.dmp
memory/2708-203-0x0000000003E50000-0x0000000003ECF000-memory.dmp
memory/2708-217-0x0000000001EF0000-0x0000000001F34000-memory.dmp
memory/2708-219-0x0000000180000000-0x0000000180033000-memory.dmp
memory/2708-221-0x0000000001EF0000-0x0000000001F34000-memory.dmp
memory/2708-222-0x0000000180000000-0x0000000180033000-memory.dmp
memory/2708-223-0x0000000001EF0000-0x0000000001F34000-memory.dmp
memory/2708-229-0x0000000001EF0000-0x0000000001F34000-memory.dmp
memory/2708-231-0x0000000001EF0000-0x0000000001F34000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-07 11:28
Reported
2023-12-07 11:30
Platform
win10v2004-20231127-en
Max time kernel
150s
Max time network
146s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\windows\Runn\Yloux.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\M: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\N: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\O: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\T: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\U: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\X: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\B: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\E: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\Q: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\Z: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\H: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\L: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\S: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\V: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\W: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\G: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\I: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\J: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\K: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\P: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\R: | C:\windows\Runn\Yloux.exe | N/A |
| File opened (read-only) | \??\Y: | C:\windows\Runn\Yloux.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\windows\Runn\WindowsTask.exe | C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe | N/A |
| File created | C:\windows\Runn\DuiLib_u.dll | C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe | N/A |
| File created | C:\windows\Runn\sqlite3.dll | C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe | N/A |
| File created | C:\windows\Runn\Yloux.exe | C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe | N/A |
| File created | C:\windows\Runn\1.bin | C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\windows\Runn\Yloux.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 180 wrote to memory of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe | C:\windows\Runn\Yloux.exe |
| PID 180 wrote to memory of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe | C:\windows\Runn\Yloux.exe |
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe
"C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe"
C:\windows\Runn\Yloux.exe
"C:\windows\Runn\Yloux.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 38.54.101.34:80 | tcp | |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.77.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.101.54.38.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 38.60.205.234:52361 | 38.60.205.234 | tcp |
| US | 8.8.8.8:53 | 234.205.60.38.in-addr.arpa | udp |
| HK | 43.249.31.126:18759 | tcp | |
| US | 8.8.8.8:53 | 126.31.249.43.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| HK | 43.249.31.126:18759 | tcp | |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.194.19.2.in-addr.arpa | udp |
| HK | 43.249.31.126:18759 | tcp | |
| N/A | 192.168.1.2:6341 | udp | |
| US | 8.8.8.8:53 | 2.1.168.192.in-addr.arpa | udp |
| N/A | 192.168.1.2:6341 | udp | |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| N/A | 192.168.1.2:6341 | udp | |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
Files
memory/180-0-0x0000000001310000-0x0000000001311000-memory.dmp
memory/180-1-0x00000000000D0000-0x0000000000965000-memory.dmp
memory/180-3-0x00000000000D0000-0x0000000000965000-memory.dmp
memory/180-5-0x0000000003530000-0x0000000003880000-memory.dmp
memory/180-6-0x0000000010000000-0x0000000010354000-memory.dmp
C:\Windows\Runn\Yloux.exe
| MD5 | fff86732dd49317db08c940f362f5023 |
| SHA1 | 79e1ff08ccde6ea37cf84617e2ada8e86672730e |
| SHA256 | ed4719202f1d434071516ab5aafb9b6f3080be77e4bfeecfa85af68dfc1d28f0 |
| SHA512 | e43089ba588e5eaa1007d176551710ebedd8f855c900c1248747d2172eceb8214e5c4bcc6e7a7bcf3d58fbffc306ae33e3c89e315bedde9f2152acaf22a092b9 |
C:\Windows\Runn\Yloux.exe
| MD5 | fff86732dd49317db08c940f362f5023 |
| SHA1 | 79e1ff08ccde6ea37cf84617e2ada8e86672730e |
| SHA256 | ed4719202f1d434071516ab5aafb9b6f3080be77e4bfeecfa85af68dfc1d28f0 |
| SHA512 | e43089ba588e5eaa1007d176551710ebedd8f855c900c1248747d2172eceb8214e5c4bcc6e7a7bcf3d58fbffc306ae33e3c89e315bedde9f2152acaf22a092b9 |
C:\windows\Runn\1.bin
| MD5 | e8d22da772001f5b8e4036d8c0673e5f |
| SHA1 | 2dd5d03dad6e75e3c082b774a31a35ef7775a6cf |
| SHA256 | 98de66877090c3d1b3ac1c2e732bccd9f271eaf4487cb6b2803da8eb0cbbb447 |
| SHA512 | 62ccedcedb86bd8e7afebdb0de2b60db2c9fbe56040874f001d5b74529c9f998061bce03058f362952a069435f6c42e0b361865daa2f32116ff6369b0852df10 |
memory/2964-27-0x00000000000C0000-0x00000000000ED000-memory.dmp
memory/2964-32-0x0000000180000000-0x0000000180033000-memory.dmp
memory/2964-38-0x0000000180000000-0x0000000180033000-memory.dmp
memory/2964-39-0x0000000180000000-0x0000000180033000-memory.dmp
memory/180-43-0x00000000000D0000-0x0000000000965000-memory.dmp
memory/2964-44-0x0000000180000000-0x0000000180033000-memory.dmp
memory/2964-45-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2964-46-0x0000000180000000-0x0000000180033000-memory.dmp
memory/2964-47-0x0000000180000000-0x0000000180033000-memory.dmp
memory/2964-48-0x0000000002C20000-0x0000000002C5E000-memory.dmp
memory/2964-50-0x0000000002E60000-0x0000000002EA4000-memory.dmp
memory/2964-51-0x0000000002E60000-0x0000000002EA4000-memory.dmp
memory/2964-52-0x0000000002E60000-0x0000000002EA4000-memory.dmp
memory/2964-53-0x0000000002E60000-0x0000000002EA4000-memory.dmp
C:\windows\Runn\Yloux.exe
| MD5 | fff86732dd49317db08c940f362f5023 |
| SHA1 | 79e1ff08ccde6ea37cf84617e2ada8e86672730e |
| SHA256 | ed4719202f1d434071516ab5aafb9b6f3080be77e4bfeecfa85af68dfc1d28f0 |
| SHA512 | e43089ba588e5eaa1007d176551710ebedd8f855c900c1248747d2172eceb8214e5c4bcc6e7a7bcf3d58fbffc306ae33e3c89e315bedde9f2152acaf22a092b9 |
memory/2964-57-0x0000000002E60000-0x0000000002EA4000-memory.dmp
memory/2964-59-0x0000000002E60000-0x0000000002EA4000-memory.dmp
memory/2964-60-0x0000000004BE0000-0x0000000004C5F000-memory.dmp
memory/2964-74-0x0000000002E60000-0x0000000002EA4000-memory.dmp
memory/2964-75-0x0000000180000000-0x0000000180033000-memory.dmp
memory/2964-77-0x0000000180000000-0x0000000180033000-memory.dmp
memory/2964-78-0x0000000002E60000-0x0000000002EA4000-memory.dmp
memory/2964-80-0x0000000002E60000-0x0000000002EA4000-memory.dmp
memory/2964-86-0x0000000002E60000-0x0000000002EA4000-memory.dmp
memory/2964-87-0x0000000002E60000-0x0000000002EA4000-memory.dmp