Malware Analysis Report

2025-01-22 12:59

Sample ID 240626-kcemwsvfqd
Target 383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693
SHA256 383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693
Tags: evasion vmprotect
Score: 9/10

Analysis Overview

Threat Level: Likely malicious

The file 383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693 was found to be: Likely malicious.

Malicious Activity Summary

Tags: evasion vmprotect

Looks for VirtualBox Guest Additions in registry

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

VMProtect packed file

Enumerates connected drives

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported: 2024-06-26 08:27

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-26 08:27
Reported: 2024-06-26 08:29
Platform: win7-20240611-en
Max time kernel: 121s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe"

Signatures

Looks for VirtualBox Guest Additions in registry

Tags: evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\ytool\mp8K1rfGIxnmZqj.exe | N/A

VMProtect packed file

Tags: vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\e: and \??\g: through \??\z: (21 drive letters, one entry per letter) | C:\Users\Admin\AppData\Local\Temp\血狱群攻盒子.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe

Modifies Internet Explorer settings

Tags: adware spyware
Description | Indicator | Process | Target
Key deleted | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TypedURLs | C:\Users\Admin\AppData\Local\Temp\血狱群攻盒子.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\血狱群攻盒子.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\血狱群攻盒子.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\血狱群攻盒子.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe | N/A
Token: SeShutdownPrivilege (2 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\mp8K1rfGIxnmZqj.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2336 wrote to memory of 1372 (4 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe | C:\Users\Admin\AppData\Local\Temp\ytool\mp8K1rfGIxnmZqj.exe
PID 2336 wrote to memory of 2544 (4 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe | C:\Users\Admin\AppData\Local\Temp\血狱群攻盒子.exe
PID 2544 wrote to memory of 2124 (4 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\血狱群攻盒子.exe | C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe
PID 2124 wrote to memory of 1320 (4 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe | C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe

"C:\Users\Admin\AppData\Local\Temp\383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe"

C:\Users\Admin\AppData\Local\Temp\ytool\mp8K1rfGIxnmZqj.exe

"C:\Users\Admin\AppData\Local\Temp\383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe" "C:\Users\Admin\AppData\Local\Temp\383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe"

C:\Users\Admin\AppData\Local\Temp\血狱群攻盒子.exe

"C:\Users\Admin\AppData\Local\Temp\血狱群攻盒子.exe"

C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe

"C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe" http://www.baidu.com:89/client.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 820

Network

Country | Destination | Domain | Proto | Entries
US | 8.8.8.8:53 | config.yunjiasu.kkidc.com | udp | 5
CN | 45.117.11.105:9501 | config.yunjiasu.kkidc.com | tcp | 4
CN | 110.80.137.104:9501 | - | tcp | 2
US | 8.8.8.8:53 | httpbin.org | udp | 1
US | 44.206.219.79:80 | httpbin.org | tcp | 1
CN | 117.24.15.28:31016 | - | tcp | 1
CN | 150.242.80.20:57224 | - | tcp | 1
CN | 45.117.11.54:52730 | - | tcp | 1
US | 8.8.8.8:53 | www.baidu.com | udp | 1
HK | 103.235.47.188:89 | www.baidu.com | tcp | 1
US | 8.8.8.8:53 | www.xcjh888.cn | udp | 1
CN | 27.159.92.146:54021 | - | tcp | 1
CN | 117.24.12.219:34650 | - | tcp | 1
CN | 110.80.134.106:39070 | - | tcp | 1
HK | 103.235.46.96:89 | www.baidu.com | tcp | 1

Files

\Users\Admin\AppData\Local\Temp\ytool\mp8K1rfGIxnmZqj.exe

MD5 120f116cfcdaad584b09e7f13e2fc208
SHA1 18572eedde71cd344e023227221805f5c51bd585
SHA256 3e614f163a061f8cc7e864b2304d407675f80952b5a870b2ab427782eec2ec5d
SHA512 e1246094012b6cfac0902153d905be907a9c0feb8a4907235b3e2c0153837421410a3c1d6891bf1d11421b9b2fcc332c6c3a45aa3ec2d8e7a6657830504b1ea9

\Users\Admin\AppData\Local\Temp\血狱群攻盒子.exe

MD5 d7481b8835ad1b833a29a47cc98335e5
SHA1 b0549680b5324da5e6f1d73bc35454ce68f8d216
SHA256 02fb70a3aec6d52cb1070883d5f3bcfeba3713d39a1cb71149f9ab852e54b7b2
SHA512 49f1aa7dcf00b330bd7d84fa6a177e6409b58abf4d3c2ed92cfddbd66f88fb85098005eac57c54024eb50fc01c05cd06434d6d54ec255a57e6284089207cd272

memory/2544-23-0x0000000000400000-0x00000000008B3000-memory.dmp

memory/2544-25-0x00000000778D0000-0x00000000778D1000-memory.dmp

memory/2544-27-0x00000000778D0000-0x00000000778D1000-memory.dmp

memory/2544-31-0x0000000076E90000-0x0000000076E91000-memory.dmp

memory/2544-33-0x0000000000400000-0x00000000008B3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

MD5 03b6e5e3624c8128a401dca21d4a95b1
SHA1 cd4f8e55b8db920502d59929f780a41e9fc32e64
SHA256 9d5b4d1a193f82dd325a540af5ba06a5ef5a16ec5aa787fdc975b55f13e032b4
SHA512 2409b80e9e32a7d60f9a1f307d6cd42f6c63fe3007cef512cd3348ac2984045bf77f59e80e3a55628acff1a7807f44c773033aa8c3c5909335dbfc4f4770fe01

\Users\Admin\AppData\Local\Temp\RXJH2Game.exe

MD5 64a4ea2a47e049fc907279bde7a54b52
SHA1 66322364a9dc2156179de7fea5f1d0b930675670
SHA256 f965de4a8e553a7eb4853fbc2a0a982efa3e263edec1da4206ea5870c27af024
SHA512 4699ebc8304cad67cf0b5531854afc56846f7a77ffc7396640fabdc0e42fb760bafaf213aa4e0ca23961da831a60dd5ceefe11de7fa9767261a07301c34191b7

memory/2544-153-0x0000000000400000-0x00000000008B3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-26 08:27
Reported: 2024-06-26 08:29
Platform: win10v2004-20240508-en
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\血狱群攻盒子.exe | N/A

VMProtect packed file

Tags: vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\e: and \??\g: through \??\z: (21 drive letters, one entry per letter) | C:\Users\Admin\AppData\Local\Temp\血狱群攻盒子.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

Tags: adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\血狱群攻盒子.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\血狱群攻盒子.exe | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs | C:\Users\Admin\AppData\Local\Temp\血狱群攻盒子.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\血狱群攻盒子.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4060 wrote to memory of 4596 (3 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe | C:\Users\Admin\AppData\Local\Temp\ytool\mp8K1rfGIxnmZqj.exe
PID 4060 wrote to memory of 3024 (3 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe | C:\Users\Admin\AppData\Local\Temp\血狱群攻盒子.exe
PID 3024 wrote to memory of 4856 (3 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\血狱群攻盒子.exe | C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe

Processes

C:\Users\Admin\AppData\Local\Temp\383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe

"C:\Users\Admin\AppData\Local\Temp\383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe"

C:\Users\Admin\AppData\Local\Temp\ytool\mp8K1rfGIxnmZqj.exe

"C:\Users\Admin\AppData\Local\Temp\383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe" "C:\Users\Admin\AppData\Local\Temp\383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe"

C:\Users\Admin\AppData\Local\Temp\血狱群攻盒子.exe

"C:\Users\Admin\AppData\Local\Temp\血狱群攻盒子.exe"

C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe

"C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe" http://www.baidu.com:89/client.exe

Network

Country | Destination | Domain | Proto | Entries
US | 8.8.8.8:53 | config.yunjiasu.kkidc.com | udp | 3
CN | 45.117.11.105:9501 | config.yunjiasu.kkidc.com | tcp | 4
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp | 1
CN | 110.80.137.104:9501 | - | tcp | 3
US | 8.8.8.8:53 | httpbin.org | udp | 1
US | 44.195.190.188:80 | httpbin.org | tcp | 1
CN | 117.24.15.28:31016 | - | tcp | 1
CN | 150.242.80.20:57224 | - | tcp | 1
CN | 45.117.11.54:52730 | - | tcp | 1
US | 8.8.8.8:53 | www.baidu.com | udp | 1
HK | 103.235.46.96:89 | www.baidu.com | tcp | 1
US | 8.8.8.8:53 | 188.190.195.44.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | www.xcjh888.cn | udp | 1
CN | 27.159.92.146:54021 | - | tcp | 1
CN | 117.24.12.219:34650 | - | tcp | 1
CN | 110.80.134.106:39070 | - | tcp | 1
CN | 117.24.15.26:36497 | - | tcp | 1
HK | 103.235.47.188:89 | www.baidu.com | tcp | 1
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp | 1
US | 52.111.229.48:443 | - | tcp | 1
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp | 1

Files

C:\Users\Admin\AppData\Local\Temp\ytool\mp8K1rfGIxnmZqj.exe

MD5 120f116cfcdaad584b09e7f13e2fc208
SHA1 18572eedde71cd344e023227221805f5c51bd585
SHA256 3e614f163a061f8cc7e864b2304d407675f80952b5a870b2ab427782eec2ec5d
SHA512 e1246094012b6cfac0902153d905be907a9c0feb8a4907235b3e2c0153837421410a3c1d6891bf1d11421b9b2fcc332c6c3a45aa3ec2d8e7a6657830504b1ea9

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

MD5 dedceb9fc25dc8604e9b270159741a76
SHA1 41cfac0a2c2d9d3d77a4c9faa5f5f92d2b2e067e
SHA256 21bfed0b7b222ff3f19140084f95632c486d13a38f1ec8677cc11171fbd99440
SHA512 060cd72f86ee98e8dd53f8231a03201d07bc91dbf491ea7dbff96ce553bd5ea7ce4ef5b0825a43a4d95241d3174da400b8c869ca6acee75ecffbd66122566820

C:\Users\Admin\AppData\Local\Temp\血狱群攻盒子.exe

MD5 d7481b8835ad1b833a29a47cc98335e5
SHA1 b0549680b5324da5e6f1d73bc35454ce68f8d216
SHA256 02fb70a3aec6d52cb1070883d5f3bcfeba3713d39a1cb71149f9ab852e54b7b2
SHA512 49f1aa7dcf00b330bd7d84fa6a177e6409b58abf4d3c2ed92cfddbd66f88fb85098005eac57c54024eb50fc01c05cd06434d6d54ec255a57e6284089207cd272

memory/3024-21-0x0000000000400000-0x00000000008B3000-memory.dmp

memory/3024-22-0x0000000000400000-0x00000000008B3000-memory.dmp

memory/3024-24-0x0000000077C60000-0x0000000077C61000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

MD5 52e964c9096dda6922cb6083cc63a5a5
SHA1 a673f80efebde15eaab17f3c65e2b9bb748376a4
SHA256 3f9d74fc0dea67e952c6df4e2c365b4a211a9583266efc526a28ae08d5b243bc
SHA512 d297afeafffd13cee93b0a2627bfd7c898595ff9c8ca79d337fca63030f4e5bec66af3154a4c61a9ceb5626099822a6eb6d9485418b2db53ae7888fa67c5727e

memory/3024-37-0x0000000077430000-0x0000000077431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe

MD5 64a4ea2a47e049fc907279bde7a54b52
SHA1 66322364a9dc2156179de7fea5f1d0b930675670
SHA256 f965de4a8e553a7eb4853fbc2a0a982efa3e263edec1da4206ea5870c27af024
SHA512 4699ebc8304cad67cf0b5531854afc56846f7a77ffc7396640fabdc0e42fb760bafaf213aa4e0ca23961da831a60dd5ceefe11de7fa9767261a07301c34191b7

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

MD5 606ce41f3cf8ccfab8050f40c0b4b7e5
SHA1 58da7c301a9645fc8343b835ffc696d3032fe261
SHA256 751bf8e91cd08ad7f01a1c38254b6d97ecc1e555e92ba41d16d04fc56016190d
SHA512 ab5157bc32636bf7238ba470bdee60edde02ae0cde900b6dd205ecdad42c7b6fec6fbed5ca3d2b6878e222a55fbecd391095dbaae0bfb3366225069a0c7f7b6c

memory/3024-146-0x0000000000400000-0x00000000008B3000-memory.dmp