Malware Analysis Report

2024-11-16 10:45

Sample ID 240603-kkanxahc6w
Target 2024-06-03_ffec7970cc2b4bc85e434f7d343887f3_avoslocker_magniber_revil
SHA256 c3cb8369cf13f5233afb5a8cceb557f7bfcfc9f9098e03bfa0550604cc257a3e
Tags evasion
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 c3cb8369cf13f5233afb5a8cceb557f7bfcfc9f9098e03bfa0550604cc257a3e

Threat Level: Known bad

The file 2024-06-03_ffec7970cc2b4bc85e434f7d343887f3_avoslocker_magniber_revil was found to be: Known bad.

Malicious Activity Summary

evasion

Detects executables packed with VMProtect.

Looks for VirtualBox Guest Additions in registry

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-03 08:39

Signatures

Detects executables packed with VMProtect.

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-03 08:39
Reported 2024-06-03 08:41
Platform win7-20240508-en
Max time kernel 149s
Max time network 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_ffec7970cc2b4bc85e434f7d343887f3_avoslocker_magniber_revil.exe"

Signatures

Detects executables packed with VMProtect.

Description Indicator Process Target
N/A N/A N/A N/A

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\ytool\iVddQiup5bx6lbW.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\iVddQiup5bx6lbW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\龙腾虎啸.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\龙腾虎啸.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\龙腾虎啸.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\iVddQiup5bx6lbW.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\iVddQiup5bx6lbW.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\iVddQiup5bx6lbW.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2576 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_ffec7970cc2b4bc85e434f7d343887f3_avoslocker_magniber_revil.exe C:\Users\Admin\AppData\Local\Temp\ytool\iVddQiup5bx6lbW.exe
PID 2576 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_ffec7970cc2b4bc85e434f7d343887f3_avoslocker_magniber_revil.exe C:\Users\Admin\AppData\Local\Temp\龙腾虎啸.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-03_ffec7970cc2b4bc85e434f7d343887f3_avoslocker_magniber_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_ffec7970cc2b4bc85e434f7d343887f3_avoslocker_magniber_revil.exe"

C:\Users\Admin\AppData\Local\Temp\ytool\iVddQiup5bx6lbW.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_ffec7970cc2b4bc85e434f7d343887f3_avoslocker_magniber_revil.exe" "C:\Users\Admin\AppData\Local\Temp\2024-06-03_ffec7970cc2b4bc85e434f7d343887f3_avoslocker_magniber_revil.exe"

C:\Users\Admin\AppData\Local\Temp\龙腾虎啸.exe

"C:\Users\Admin\AppData\Local\Temp\龙腾虎啸.exe"

Network


Files

\Users\Admin\AppData\Local\Temp\ytool\iVddQiup5bx6lbW.exe

MD5 f00a8add1e4d6f097601ef226ca4b2f5
SHA1 8c8c5fb8c5a7b6045fd50af09648996c14825cc9
SHA256 8b47b994eee7b63cf85762171d39254a4190a9c78e62a09c3e18e4a0997d1d52
SHA512 b2c022c6bada4b1b23fc1ff652414c7218732cb41f099e5e6f499da1c38cb014a68f25a0f33cf1a05134789fb4e527831a7120556ae96023f80192022ef38965

\Users\Admin\AppData\Local\Temp\龙腾虎啸.exe

MD5 013ad31abdf8feb0aa2c945a5caa918c
SHA1 6ec8570950ae6549fa21b61a17117f0aff9ba659
SHA256 f03a74ad67167ab4e9ac01760192ca3857c8765fb49124c2617852f952e858ac
SHA512 6e0f68e29aba2cbb80471f3ddae44ddfa3f04b5ee5a55bcd606083a652d2e181b9004b885cb66b0d40f40218ed61c01a1fcc174a039a1ba8f8e1f4406cab1f8b

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

MD5 ecad5d78f86d8458b87df70a1a219f0f
SHA1 f53292ca9c5c608cb6445059356d7afc78d27ed1
SHA256 98a1f44c5f71147a799f287c251facc5a85c36dbe625588743a111648cb43fcd
SHA512 4737a0706798659d7ebcac6a0819ab7a53fb05eea213bfa42cdad6c49adda815e50b70379864bb8114d3d07fc1ca38486375b9184d88fe07beb9d675cf0ffd4e

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

MD5 855e9cc9a4bd27587b7f99791646c288
SHA1 978d177e88952efa070c0834eb82db674a95ebb9
SHA256 ae8eb751faf15877476527f7798c575e077f2fe18dfe824237298833689561f8
SHA512 df75c72926c2fda62fd3d42c195fabf69dcc1864b7c546d31fdd036a613d9ab4662d4747f3a024f105f6ff9c75900781e94af4ec736dca68240833f7b59c68f7

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-03 08:39
Reported 2024-06-03 08:41
Platform win10v2004-20240226-en
Max time kernel 152s
Max time network 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_ffec7970cc2b4bc85e434f7d343887f3_avoslocker_magniber_revil.exe"

Signatures

Detects executables packed with VMProtect.

Description Indicator Process Target
N/A N/A N/A N/A

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\ytool\iVddQiup5bx6lbW.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\iVddQiup5bx6lbW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\龙腾虎啸.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\龙腾虎啸.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\龙腾虎啸.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\iVddQiup5bx6lbW.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\iVddQiup5bx6lbW.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\iVddQiup5bx6lbW.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-03_ffec7970cc2b4bc85e434f7d343887f3_avoslocker_magniber_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_ffec7970cc2b4bc85e434f7d343887f3_avoslocker_magniber_revil.exe"

C:\Users\Admin\AppData\Local\Temp\ytool\iVddQiup5bx6lbW.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_ffec7970cc2b4bc85e434f7d343887f3_avoslocker_magniber_revil.exe" "C:\Users\Admin\AppData\Local\Temp\2024-06-03_ffec7970cc2b4bc85e434f7d343887f3_avoslocker_magniber_revil.exe"

C:\Users\Admin\AppData\Local\Temp\龙腾虎啸.exe

"C:\Users\Admin\AppData\Local\Temp\龙腾虎啸.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4420 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8

Network


Files

C:\Users\Admin\AppData\Local\Temp\ytool\iVddQiup5bx6lbW.exe

MD5 f00a8add1e4d6f097601ef226ca4b2f5
SHA1 8c8c5fb8c5a7b6045fd50af09648996c14825cc9
SHA256 8b47b994eee7b63cf85762171d39254a4190a9c78e62a09c3e18e4a0997d1d52
SHA512 b2c022c6bada4b1b23fc1ff652414c7218732cb41f099e5e6f499da1c38cb014a68f25a0f33cf1a05134789fb4e527831a7120556ae96023f80192022ef38965

C:\Users\Admin\AppData\Local\Temp\龙腾虎啸.exe

MD5 013ad31abdf8feb0aa2c945a5caa918c
SHA1 6ec8570950ae6549fa21b61a17117f0aff9ba659
SHA256 f03a74ad67167ab4e9ac01760192ca3857c8765fb49124c2617852f952e858ac
SHA512 6e0f68e29aba2cbb80471f3ddae44ddfa3f04b5ee5a55bcd606083a652d2e181b9004b885cb66b0d40f40218ed61c01a1fcc174a039a1ba8f8e1f4406cab1f8b

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

MD5 8e42bf491ac475bbb5ede330a18ef9bb
SHA1 5ecf49f3b028fcc5a3a90b7ce95143346103d6b3
SHA256 e455eb9300e6a0ec3e594876e81271973904059790876c94de73a30c0f734a0d
SHA512 92b8ec12fe2579de9265b1ce429b8cb46e5dc6925a2da17a63b8d39195d19d76d916e5cd68076e3924696452fed05e727b8b46c092b635fb23069476ae58b3ab

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

MD5 e1e751a3c71cd6a2b817bac36c435b63
SHA1 a7d25ee79c905f59ee8555bdbfc50a5fa4b5b010
SHA256 c0a83259593b019e79e1219ba293a3d1732817001c0b8bf0bacb6516135e3a08
SHA512 5658a9324e7cfa58d6027c449bce9118a43fb38e3b193acece5e5401cb38fe81b502d606a9326dd7533cb73915a8dc0150ef7e3c9c4ebf07686c86cbe81da276

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

MD5 246e77155ed340bdf3194bde3d77fb33
SHA1 ea55a802bd2894fe4fef559b6cd5b1901d7ad8b6
SHA256 e8c6cb5661f54f86a0c4f618ee4251bf1716afe56eb792967a0fdc4ab5b3eae6
SHA512 1958787f8ff83a479d8cee93582c5ed3bce6b46493acca93a63a58a973d68d8b3501824c0e43154aa8958c1dc43f6b541e03c8fb84b92d8383dc2e04e243fae3