Malware Analysis Report

2025-01-22 12:51

Sample ID: 240521-rp3c2sha8s
Target: 2a4a12623bf8237a900b36b80dc78c7da5c15d6c8420f418dab233615b122d1c
SHA256: 2a4a12623bf8237a900b36b80dc78c7da5c15d6c8420f418dab233615b122d1c
Tags: evasion, vmprotect
Score: 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 9/10

SHA256: 2a4a12623bf8237a900b36b80dc78c7da5c15d6c8420f418dab233615b122d1c

Threat Level: Likely malicious

The file 2a4a12623bf8237a900b36b80dc78c7da5c15d6c8420f418dab233615b122d1c was found to be: Likely malicious.

Malicious Activity Summary

evasion vmprotect

Looks for VirtualBox Guest Additions in registry

VMProtect packed file

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Enumerates connected drives

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-21 14:22

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-21 14:22
Reported: 2024-05-21 14:25
Platform: win7-20240221-en
Max time kernel: 120s
Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2a4a12623bf8237a900b36b80dc78c7da5c15d6c8420f418dab233615b122d1c.exe"

Signatures

Looks for VirtualBox Guest Additions in registry

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\ytool\mp8K1rfGIxnmZqj.exe | N/A
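The registry open above is the whole evidence behind the evasion tag: the dropped mp8K1rfGIxnmZqj.exe asks for the VirtualBox Guest Additions key through the WOW64 view (\SOFTWARE\Wow6432Node\...). A hunt for this behaviour has to fold the native \REGISTRY\MACHINE root, the Wow6432Node alias and the numbered control sets back onto one canonical path before comparing against a key list, otherwise a 32-bit sample slips past a rule written for the 64-bit path. The Python below is an added example, not the sandbox's signature engine; the artefact key list is a short illustrative set of documented VirtualBox/VMware keys rather than an exhaustive one, the first two sample events are typed in from this report, the other two are constructed, and constructed.exe is a placeholder name.

```python
"""Flag registry accesses that touch well-known virtual-machine artefact keys.

Added example for this report, not part of the sandbox's own signature
engine. Events are constructed below in the (operation, native key path,
process) shape of the report's registry tables; the first one is the
VirtualBox Guest Additions open recorded above. The artefact list is a short
illustrative set of documented VirtualBox/VMware keys, not an exhaustive one.
"""
import re

# Native-format roots as the sandbox logs them, mapped to analyst hive names.
_ROOTS = (
    (re.compile(r"^\\REGISTRY\\MACHINE(?=\\|$)", re.I), "HKLM"),
    (re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-[0-9-]+(?=\\|$)", re.I), "HKCU"),
)
# The WOW64 view and the numbered control sets alias the same logical keys;
# folding them keeps a 32-bit sample from slipping past a 64-bit key list.
_WOW64 = re.compile(r"\\Wow6432Node(?=\\|$)", re.I)
_CTRLSET = re.compile(r"\\SYSTEM\\ControlSet\d{3}(?=\\|$)", re.I)

# Keys that exist only when guest tooling or a hypervisor is present.
VM_ARTEFACT_KEYS = (
    r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions",
    r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools",
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__",
    r"HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest",
    r"HKLM\SYSTEM\CurrentControlSet\Services\VBoxSF",
    r"HKLM\SYSTEM\CurrentControlSet\Services\VBoxMouse",
)
_ARTEFACTS = tuple(k.lower() for k in VM_ARTEFACT_KEYS)

T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = (
    # From the behavioral1 signature table above.
    ("Key opened",
     r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions",
     T + r"\ytool\mp8K1rfGIxnmZqj.exe"),
    # From the behavioral2 signature table: a locale check, not a VM check.
    ("Key value queried",
     r"\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation",
     T + "\\雄霸江湖.exe"),
    # Constructed: a process probing the VirtualBox guest driver service.
    ("Key opened",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest",
     T + r"\constructed.exe"),
    # Constructed: an ordinary autorun key read, which must not fire.
    ("Key opened",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     T + r"\constructed.exe"),
)


def normalize_key(native):
    """Native \\REGISTRY\\... path -> lower-cased canonical HK* path."""
    key = native
    for pattern, hive in _ROOTS:
        key, hits = pattern.subn(hive, key, count=1)
        if hits:
            break
    key = _WOW64.sub("", key, count=1)
    key = _CTRLSET.sub(r"\\SYSTEM\\CurrentControlSet", key, count=1)
    return key.lower()


def flag_vm_checks(events):
    """One hit per event whose key is, or lies under, an artefact key."""
    hits = []
    for operation, native_key, process in events:
        key = normalize_key(native_key)
        for artefact in _ARTEFACTS:
            if key == artefact or key.startswith(artefact + "\\"):
                hits.append({"process": process, "operation": operation,
                             "key": key, "artefact": artefact})
                break
    return hits


if __name__ == "__main__":
    for hit in flag_vm_checks(SAMPLE_EVENTS):
        print(f"{hit['process']}: {hit['operation']} {hit['key']}  <- {hit['artefact']}")
```

Run stand-alone it prints two hits: the Guest Additions open from this report and the constructed VBoxGuest service probe, which only matches because ControlSet001 was folded onto CurrentControlSet. The Geo\Nation query and the Run key read stay silent.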

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A   (5 identical rows)

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\i:, \??\r:, \??\x:, \??\y:, \??\h:, \??\n:, \??\o:, \??\s:, \??\w:, \??\g:, \??\k:, \??\m:, \??\p:, \??\t:, \??\u:, \??\v:, \??\j:, \??\l:, \??\q:, \??\z:, \??\e: (21 separate opens in this order, one per drive letter e and g through z) | C:\Users\Admin\AppData\Local\Temp\雄霸江湖.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\雄霸江湖.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\雄霸江湖.exe | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TypedURLs | C:\Users\Admin\AppData\Local\Temp\雄霸江湖.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\雄霸江湖.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1300 wrote to memory of 2200 (4 rows) | N/A | C:\Users\Admin\AppData\Local\Temp\2a4a12623bf8237a900b36b80dc78c7da5c15d6c8420f418dab233615b122d1c.exe | C:\Users\Admin\AppData\Local\Temp\ytool\mp8K1rfGIxnmZqj.exe
PID 1300 wrote to memory of 2772 (4 rows) | N/A | C:\Users\Admin\AppData\Local\Temp\2a4a12623bf8237a900b36b80dc78c7da5c15d6c8420f418dab233615b122d1c.exe | C:\Users\Admin\AppData\Local\Temp\雄霸江湖.exe
PID 2772 wrote to memory of 1808 (4 rows) | N/A | C:\Users\Admin\AppData\Local\Temp\雄霸江湖.exe | C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe
PID 1808 wrote to memory of 548 (4 rows) | N/A | C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe | C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2a4a12623bf8237a900b36b80dc78c7da5c15d6c8420f418dab233615b122d1c.exe

"C:\Users\Admin\AppData\Local\Temp\2a4a12623bf8237a900b36b80dc78c7da5c15d6c8420f418dab233615b122d1c.exe"

C:\Users\Admin\AppData\Local\Temp\ytool\mp8K1rfGIxnmZqj.exe

"C:\Users\Admin\AppData\Local\Temp\2a4a12623bf8237a900b36b80dc78c7da5c15d6c8420f418dab233615b122d1c.exe" "C:\Users\Admin\AppData\Local\Temp\2a4a12623bf8237a900b36b80dc78c7da5c15d6c8420f418dab233615b122d1c.exe"

C:\Users\Admin\AppData\Local\Temp\雄霸江湖.exe

"C:\Users\Admin\AppData\Local\Temp\雄霸江湖.exe"

C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe

"C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe" http://www.baidu.com:89/client.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 560
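The WriteProcessMemory rows and the process list above together give the whole execution chain: the sample writes into two children it starts (the dropped mp8K1rfGIxnmZqj.exe and 雄霸江湖.exe), 雄霸江湖.exe starts RXJH2Game.exe with a download URL on its command line, and RXJH2Game.exe crashes into WerFault, whose -p 1808 argument names the crashed PID. A parent writing into a freshly created child is what process creation looks like in a sandbox's memory-write log, so the rows can be turned back into a tree and cross-checked against WerFault's arguments. The Python below does that; it is an added example, not part of the report or of the sandbox, and its input rows are typed in from the behavioral1 tables above. It assumes image paths never contain a space followed by a drive spec, which is how it tells the two paths in a row apart.

```python
"""Rebuild the parent/child process tree from a sandbox's WriteProcessMemory rows.

Added example for this report (not the sandbox's own code). Each
"PID X wrote to memory of Y" row names the writing PID, the target PID and
both image paths, and a new child is written to by its parent while it is
being created, so the rows double as a parent/child record. The sample rows
are typed in from the behavioral1 tables; the WerFault command line is the
one from its Processes list.
"""
import re
from collections import Counter, defaultdict

# One WriteProcessMemory row as the report prints it. Assumes neither image
# path contains " X:\" (a space followed by a drive spec); that boundary is
# how the two paths are separated.
_ROW = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_img>[A-Za-z]:\\.*?) (?P<dst_img>[A-Za-z]:\\.*)$"
)
_WERFAULT_PID = re.compile(r"(?:^|\s)-p (\d+)(?=\s|$)")

T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = f"{T}\\2a4a12623bf8237a900b36b80dc78c7da5c15d6c8420f418dab233615b122d1c.exe"
SAMPLE_ROWS = (
    [f"PID 1300 wrote to memory of 2200 N/A {SAMPLE} {T}\\ytool\\mp8K1rfGIxnmZqj.exe"] * 4
    + [f"PID 1300 wrote to memory of 2772 N/A {SAMPLE} {T}\\雄霸江湖.exe"] * 4
    + [f"PID 2772 wrote to memory of 1808 N/A {T}\\雄霸江湖.exe {T}\\RXJH2Game.exe"] * 4
    + [f"PID 1808 wrote to memory of 548 N/A {T}\\RXJH2Game.exe C:\\Windows\\SysWOW64\\WerFault.exe"] * 4
)
WERFAULT_CMDLINE = r"C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 560"


def parse_rows(rows):
    """Return (image_by_pid, children_by_pid, write_count_by_edge)."""
    image, children, writes = {}, defaultdict(list), Counter()
    for row in rows:
        m = _ROW.match(row)
        if m is None:
            raise ValueError(f"unrecognised row: {row!r}")
        src, dst = int(m["src"]), int(m["dst"])
        image.setdefault(src, m["src_img"])
        image.setdefault(dst, m["dst_img"])
        if dst not in children[src]:
            children[src].append(dst)      # keep first-seen order
        writes[(src, dst)] += 1
    return image, dict(children), writes


def roots(image, children):
    """PIDs that are never written to by another process: the tree roots."""
    written_to = {c for kids in children.values() for c in kids}
    return [pid for pid in image if pid not in written_to]


def render_tree(rows):
    """Indented one-line-per-process view, with the write count on each edge."""
    image, children, writes = parse_rows(rows)
    lines = []

    def walk(pid, depth, parent):
        name = image[pid].rsplit("\\", 1)[-1]
        edge = f"  [{writes[(parent, pid)]} writes from {parent}]" if parent else ""
        lines.append(f"{'    ' * depth}{pid} {name}{edge}")
        for child in children.get(pid, []):
            walk(child, depth + 1, pid)

    for root in roots(image, children):
        walk(root, 0, None)
    return lines


def crashed_pid(werfault_cmdline):
    """PID named by WerFault's -p switch, or None if absent."""
    m = _WERFAULT_PID.search(werfault_cmdline)
    return int(m.group(1)) if m else None


def crash_is_consistent(rows, werfault_cmdline):
    """True when WerFault's -p PID is a tree member whose child is WerFault.exe."""
    image, children, _ = parse_rows(rows)
    pid = crashed_pid(werfault_cmdline)
    return pid in image and any(
        image[c].lower().endswith("\\werfault.exe") for c in children.get(pid, [])
    )


if __name__ == "__main__":
    print("\n".join(render_tree(SAMPLE_ROWS)))
    print("WerFault -p matches tree:", crash_is_consistent(SAMPLE_ROWS, WERFAULT_CMDLINE))
```

The rendered tree has one root (1300, the submitted sample) and a single straight chain 2772 -> 1808 -> 548 beneath it; the four writes per edge are the loader touching the child's image, environment and startup data, not separate injections, which is why the count is shown but not treated as a finding.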

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | config.yunjiasu.kkidc.com | udp
US | 8.8.8.8:53 | config.yunjiasu.kkidc.com | udp
US | 8.8.8.8:53 | config.yunjiasu.kkidc.com | udp
CN | 45.117.11.105:9501 | config.yunjiasu.kkidc.com | tcp
CN | 45.117.11.105:9501 | config.yunjiasu.kkidc.com | tcp
CN | 45.117.11.105:9501 | config.yunjiasu.kkidc.com | tcp
CN | 110.80.137.104:9501 | - | tcp
CN | 110.80.137.104:9501 | - | tcp
US | 8.8.8.8:53 | www.baidu.com | udp
CN | 183.2.172.42:89 | www.baidu.com | tcp
US | 8.8.8.8:53 | config.yunjiasu.kkidc.com | udp
US | 8.8.8.8:53 | httpbin.org | udp
US | 52.206.26.65:80 | httpbin.org | tcp
CN | 45.117.11.105:9501 | config.yunjiasu.kkidc.com | tcp
US | 8.8.8.8:53 | www.xcjh888.cn | udp
CN | 183.2.172.185:89 | www.baidu.com | tcp

Files

\Users\Admin\AppData\Local\Temp\ytool\mp8K1rfGIxnmZqj.exe

MD5 f27cd54364aa7a4fd7970a70b889f30b
SHA1 98b3e18ddf34fd17569581cb977107fe245332b0
SHA256 c8d43be0c027caf8f8adfcbe861c5e82d25eb6c3f942c33bb264a85a22eb4c20
SHA512 8de57d3987d797832b8cd132fdd65726ecd6a47d1be17cdfceebb87e5fda52223664967847c30137275e66ee333b1a44a480915c9c45df6f8a3cf805a2556b15

\Users\Admin\AppData\Local\Temp\雄霸江湖.exe

MD5 94c498da8916168fb109326495778213
SHA1 fe313e2632c6967c717a0c0e5e9565cc1d4d3b1b
SHA256 c712f9e092e0e43ee176a97ee1b5b459f7c18da390ea64c7e62ce80a0114192e
SHA512 9a144b307b25ebbe2be20f2ea0e29df931f12035c016d402195e0cab37dd40d6d04a6b1b84a7610f036cbdeeecf17f8af3c9c00ad028a77f0eeb2a63dc6d308a

memory/1300-22-0x00000000036C0000-0x0000000003B75000-memory.dmp

memory/2772-24-0x0000000000400000-0x00000000008B5000-memory.dmp

memory/2772-34-0x0000000000400000-0x00000000008B5000-memory.dmp

memory/2772-32-0x0000000075610000-0x0000000075611000-memory.dmp

memory/2772-28-0x0000000077160000-0x0000000077161000-memory.dmp

memory/2772-26-0x0000000077160000-0x0000000077161000-memory.dmp

\Users\Admin\AppData\Local\Temp\RXJH2Game.exe

MD5 64a4ea2a47e049fc907279bde7a54b52
SHA1 66322364a9dc2156179de7fea5f1d0b930675670
SHA256 f965de4a8e553a7eb4853fbc2a0a982efa3e263edec1da4206ea5870c27af024
SHA512 4699ebc8304cad67cf0b5531854afc56846f7a77ffc7396640fabdc0e42fb760bafaf213aa4e0ca23961da831a60dd5ceefe11de7fa9767261a07301c34191b7

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

MD5 8ebcc234749fec7201af50ad7da19b41
SHA1 695d2314170e7bb035f69c3bd855d565209ca708
SHA256 6e2b2ac4b15cec4d8240872f60e28fe7bdfa1046857d6ee8ac5f0498fddbf1e3
SHA512 8c516491fe23f50a2249a9422b06122918c36869e97a9d7e9261c1aa5db58573299370ac88ff3b396b7979de21b19fbde3f0dc8985542027955c95e4dddd5a5b

memory/2772-66-0x0000000000400000-0x00000000008B5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-21 14:22
Reported: 2024-05-21 14:25
Platform: win10v2004-20240508-en
Max time kernel: 140s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2a4a12623bf8237a900b36b80dc78c7da5c15d6c8420f418dab233615b122d1c.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\雄霸江湖.exe | N/A

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A   (4 identical rows)

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\l:, \??\v:, \??\g:, \??\i:, \??\m:, \??\o:, \??\q:, \??\s:, \??\t:, \??\u:, \??\e:, \??\k:, \??\x:, \??\z:, \??\r:, \??\w:, \??\n:, \??\p:, \??\y:, \??\h:, \??\j: (21 separate opens in this order, one per drive letter e and g through z) | C:\Users\Admin\AppData\Local\Temp\雄霸江湖.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\雄霸江湖.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\雄霸江湖.exe | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs | C:\Users\Admin\AppData\Local\Temp\雄霸江湖.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\雄霸江湖.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3224 wrote to memory of 3848 (3 rows) | N/A | C:\Users\Admin\AppData\Local\Temp\2a4a12623bf8237a900b36b80dc78c7da5c15d6c8420f418dab233615b122d1c.exe | C:\Users\Admin\AppData\Local\Temp\ytool\mp8K1rfGIxnmZqj.exe
PID 3224 wrote to memory of 4196 (3 rows) | N/A | C:\Users\Admin\AppData\Local\Temp\2a4a12623bf8237a900b36b80dc78c7da5c15d6c8420f418dab233615b122d1c.exe | C:\Users\Admin\AppData\Local\Temp\雄霸江湖.exe
PID 4196 wrote to memory of 1748 (3 rows) | N/A | C:\Users\Admin\AppData\Local\Temp\雄霸江湖.exe | C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2a4a12623bf8237a900b36b80dc78c7da5c15d6c8420f418dab233615b122d1c.exe

"C:\Users\Admin\AppData\Local\Temp\2a4a12623bf8237a900b36b80dc78c7da5c15d6c8420f418dab233615b122d1c.exe"

C:\Users\Admin\AppData\Local\Temp\ytool\mp8K1rfGIxnmZqj.exe

"C:\Users\Admin\AppData\Local\Temp\2a4a12623bf8237a900b36b80dc78c7da5c15d6c8420f418dab233615b122d1c.exe" "C:\Users\Admin\AppData\Local\Temp\2a4a12623bf8237a900b36b80dc78c7da5c15d6c8420f418dab233615b122d1c.exe"

C:\Users\Admin\AppData\Local\Temp\雄霸江湖.exe

"C:\Users\Admin\AppData\Local\Temp\雄霸江湖.exe"

C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe

"C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe" http://www.baidu.com:89/client.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | config.yunjiasu.kkidc.com | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
CN | 45.117.11.105:9501 | config.yunjiasu.kkidc.com | tcp
CN | 45.117.11.105:9501 | config.yunjiasu.kkidc.com | tcp
CN | 45.117.11.105:9501 | config.yunjiasu.kkidc.com | tcp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp
NL | 23.62.61.56:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.61.62.23.in-addr.arpa | udp
CN | 110.80.137.104:9501 | - | tcp
CN | 110.80.137.104:9501 | - | tcp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | config.yunjiasu.kkidc.com | udp
US | 8.8.8.8:53 | httpbin.org | udp
US | 52.206.26.65:80 | httpbin.org | tcp
US | 8.8.8.8:53 | www.baidu.com | udp
HK | 103.235.46.40:89 | www.baidu.com | tcp
CN | 45.117.11.105:9501 | config.yunjiasu.kkidc.com | tcp
US | 8.8.8.8:53 | 65.26.206.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | www.xcjh888.cn | udp
US | 8.8.8.8:53 | config.yunjiasu.kkidc.com | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
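Both network tables (behavioral1 above and behavioral2 here) mix real indicators with resolver traffic, reverse lookups and, on the Windows 10 image, Bing background traffic. What a practitioner needs from them is the short list of endpoints the sample actually opened: config.yunjiasu.kkidc.com and a bare 110.80.137.104 on tcp/9501, httpbin.org on port 80, www.baidu.com on tcp/89 (the port from the RXJH2Game.exe command line, not a standard HTTP port), and www.xcjh888.cn, which is only ever resolved and never connected to. The Python below is an added example, not a sandbox feature; its rows are a subset of the behavioral2 table, the resolver address is the one the tables show, and the set of names treated as analysis-image background traffic is an assumption.

```python
"""Separate a sandbox network table into actionable IOCs and background noise.

Added example for this report, not a sandbox feature. The rows below are a
subset of the behavioral2 network table (the behavioral1 table has the same
shape). Which names count as background traffic of the analysis image is an
assumption stated in BACKGROUND; the resolver address is the one the tables
show.
"""
from collections import OrderedDict

RESOLVERS = {("8.8.8.8", 53)}                       # sandbox DNS forwarder
BACKGROUND = {"www.bing.com", "tse1.mm.bing.net"}   # assumed Windows 10 background traffic
EXPECTED_PORTS = {"tcp": {80, 443}, "udp": {53}}    # anything else gets a note

SAMPLE_LINES = """\
US 8.8.8.8:53 config.yunjiasu.kkidc.com udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
CN 45.117.11.105:9501 config.yunjiasu.kkidc.com tcp
CN 45.117.11.105:9501 config.yunjiasu.kkidc.com tcp
CN 45.117.11.105:9501 config.yunjiasu.kkidc.com tcp
NL 23.62.61.56:443 www.bing.com tcp
CN 110.80.137.104:9501 tcp
CN 110.80.137.104:9501 tcp
US 8.8.8.8:53 httpbin.org udp
US 52.206.26.65:80 httpbin.org tcp
US 8.8.8.8:53 www.baidu.com udp
HK 103.235.46.40:89 www.baidu.com tcp
CN 45.117.11.105:9501 config.yunjiasu.kkidc.com tcp
US 8.8.8.8:53 www.xcjh888.cn udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
""".splitlines()


def parse_rows(lines):
    """'Country Destination [Domain] Proto' rows; the Domain column may be empty."""
    rows = []
    for line in lines:
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, None
        else:
            raise ValueError(f"unrecognised row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def triage(rows):
    """Return {'iocs': [...], 'dns_only': [...]} with resolver and background rows removed."""
    queried, connections = set(), OrderedDict()
    for r in rows:
        if r["domain"] in BACKGROUND:
            continue
        if (r["ip"], r["port"]) in RESOLVERS:
            # A DNS query: remember the name, skip reverse lookups, drop the row.
            if r["domain"] and not r["domain"].endswith(".in-addr.arpa"):
                queried.add(r["domain"])
            continue
        key = (r["domain"], r["ip"], r["port"], r["proto"])
        connections[key] = connections.get(key, 0) + 1

    iocs = []
    for (domain, ip, port, proto), hits in connections.items():
        notes = []
        if port not in EXPECTED_PORTS.get(proto, set()):
            notes.append(f"non-standard {proto} port {port}")
        if domain is None:
            notes.append("no DNS answer seen: likely hard-coded address")
        iocs.append({"domain": domain, "ip": ip, "port": port, "proto": proto,
                     "hits": hits, "notes": notes})
    contacted = {i["domain"] for i in iocs if i["domain"]}
    return {"iocs": iocs, "dns_only": sorted(queried - contacted)}


if __name__ == "__main__":
    result = triage(parse_rows(SAMPLE_LINES))
    for i in result["iocs"]:
        print(f"{i['domain'] or '-':28} {i['ip']}:{i['port']}/{i['proto']} x{i['hits']}  {'; '.join(i['notes'])}")
    print("queried but never contacted:", result["dns_only"])
```

The output is four connection IOCs and one resolved-only name. The two tcp/9501 endpoints are flagged for the port alone; the second also lacks any DNS answer in the table, which is the usual signature of an address carried in the binary or in the config fetched from the first. The baidu.com row is worth keeping even though the domain is reputable, because port 89 plus the client.exe path on the RXJH2Game.exe command line is what to block, not the domain.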

Files

C:\Users\Admin\AppData\Local\Temp\ytool\mp8K1rfGIxnmZqj.exe

MD5 f27cd54364aa7a4fd7970a70b889f30b
SHA1 98b3e18ddf34fd17569581cb977107fe245332b0
SHA256 c8d43be0c027caf8f8adfcbe861c5e82d25eb6c3f942c33bb264a85a22eb4c20
SHA512 8de57d3987d797832b8cd132fdd65726ecd6a47d1be17cdfceebb87e5fda52223664967847c30137275e66ee333b1a44a480915c9c45df6f8a3cf805a2556b15

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

MD5 273ea344873afaf28397dda6c113e437
SHA1 22fcc69871081ef11f60f876bd831c9961e4ddf1
SHA256 2bc2d8375c0cf1ef2a12e32399e07a97ddd28776c9dfa15c9e60f997738b33b9
SHA512 273a6df6f0f4a61eee7c053a52c9c529cb77a5c04b7b04e71a89d999f4fb8753be0d2607490b264479b4661f0e0bcd20834d429ef50a3a864864febaa2493659

C:\Users\Admin\AppData\Local\Temp\雄霸江湖.exe

MD5 94c498da8916168fb109326495778213
SHA1 fe313e2632c6967c717a0c0e5e9565cc1d4d3b1b
SHA256 c712f9e092e0e43ee176a97ee1b5b459f7c18da390ea64c7e62ce80a0114192e
SHA512 9a144b307b25ebbe2be20f2ea0e29df931f12035c016d402195e0cab37dd40d6d04a6b1b84a7610f036cbdeeecf17f8af3c9c00ad028a77f0eeb2a63dc6d308a

memory/4196-21-0x0000000000400000-0x00000000008B5000-memory.dmp

memory/4196-22-0x0000000000400000-0x00000000008B5000-memory.dmp

memory/4196-24-0x0000000077480000-0x0000000077481000-memory.dmp

memory/4196-29-0x0000000076160000-0x0000000076161000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe

MD5 64a4ea2a47e049fc907279bde7a54b52
SHA1 66322364a9dc2156179de7fea5f1d0b930675670
SHA256 f965de4a8e553a7eb4853fbc2a0a982efa3e263edec1da4206ea5870c27af024
SHA512 4699ebc8304cad67cf0b5531854afc56846f7a77ffc7396640fabdc0e42fb760bafaf213aa4e0ca23961da831a60dd5ceefe11de7fa9767261a07301c34191b7

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

MD5 eda13c8ed610ff058ad5718ab41955fc
SHA1 aa452f27a81ad1e910f81fe688f941d7cfb8e9de
SHA256 10cc66e0f2f6ad92ef3c51ff12a1de0736130999c57c90f4ad15f0e6aa377e43
SHA512 00877ed7f297c3f67cb6e653bf2606ed96a828849e4ddfacc3dada3d2b91d00219451712cc8ff7aa57ce88a3e0b649e6fc8d99cbe21925ea630adc47bd7eb018

memory/4196-58-0x0000000000400000-0x00000000008B5000-memory.dmp