Malware Analysis Report

2025-01-22 12:59

Sample ID 240626-l5vegsscmk
Target 2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil
SHA256 6a9ca3b9310f2e3afb7937aa579bce78043f1dedd680db0e2581003cd193d25e
Tags evasion vmprotect
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 6a9ca3b9310f2e3afb7937aa579bce78043f1dedd680db0e2581003cd193d25e

Threat Level: Known bad

The file 2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil was found to be: Known bad.

Malicious Activity Summary

evasion vmprotect

Detects executables packed with VMProtect.

Looks for VirtualBox Guest Additions in registry

UPX dump on OEP (original entry point)

Executes dropped EXE

VMProtect packed file

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-26 10:07

Signatures

Detects executables packed with VMProtect.

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-26 10:07
Reported 2024-06-26 10:10
Platform win7-20240220-en
Max time kernel 120s
Max time network 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe"

Signatures

Detects executables packed with VMProtect.

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Looks for VirtualBox Guest Additions in registry

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\ytool\QJxCtGAG7YVM6iM.exe | N/A

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\QJxCtGAG7YVM6iM.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\请勿点击.exe | N/A

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\请勿点击.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\QJxCtGAG7YVM6iM.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\QJxCtGAG7YVM6iM.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\请勿点击.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\请勿点击.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2868 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe | C:\Users\Admin\AppData\Local\Temp\ytool\QJxCtGAG7YVM6iM.exe
PID 2868 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe | C:\Users\Admin\AppData\Local\Temp\ytool\QJxCtGAG7YVM6iM.exe
PID 2868 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe | C:\Users\Admin\AppData\Local\Temp\ytool\QJxCtGAG7YVM6iM.exe
PID 2868 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe | C:\Users\Admin\AppData\Local\Temp\ytool\QJxCtGAG7YVM6iM.exe
PID 2868 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe | C:\Users\Admin\AppData\Local\Temp\请勿点击.exe
PID 2868 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe | C:\Users\Admin\AppData\Local\Temp\请勿点击.exe
PID 2868 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe | C:\Users\Admin\AppData\Local\Temp\请勿点击.exe
PID 2868 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe | C:\Users\Admin\AppData\Local\Temp\请勿点击.exe
PID 3060 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\请勿点击.exe | C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\请勿点击.exe | C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\请勿点击.exe | C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\请勿点击.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe"

C:\Users\Admin\AppData\Local\Temp\ytool\QJxCtGAG7YVM6iM.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe" "C:\Users\Admin\AppData\Local\Temp\2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe"

C:\Users\Admin\AppData\Local\Temp\请勿点击.exe

"C:\Users\Admin\AppData\Local\Temp\请勿点击.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe

Network

Country  Destination           Domain                      Proto
US       8.8.8.8:53            config.yunjiasu.kkidc.com   udp
US       8.8.8.8:53            config.yunjiasu.kkidc.com   udp
US       8.8.8.8:53            config.yunjiasu.kkidc.com   udp
CN       45.117.11.105:9501    config.yunjiasu.kkidc.com   tcp
CN       45.117.11.105:9501    config.yunjiasu.kkidc.com   tcp
CN       45.117.11.105:9501    config.yunjiasu.kkidc.com   tcp
CN       110.80.137.104:9501   -                           tcp
CN       110.80.137.104:9501   -                           tcp
US       8.8.8.8:53            httpbin.org                 udp
US       44.206.219.79:80      httpbin.org                 tcp
US       8.8.8.8:53            config.yunjiasu.kkidc.com   udp
CN       103.88.32.21:36018    -                           tcp
CN       110.42.5.137:60307    -                           tcp
CN       103.88.32.69:23447    -                           tcp
CN       45.117.11.105:9501    config.yunjiasu.kkidc.com   tcp
CN       110.80.137.104:9501   -                           tcp
CN       110.42.5.82:33603     -                           tcp
CN       117.24.12.219:34650   -                           tcp
CN       45.248.8.194:27223    -                           tcp
US       8.8.8.8:53            config.yunjiasu.kkidc.com   udp

Files

\Users\Admin\AppData\Local\Temp\ytool\QJxCtGAG7YVM6iM.exe

MD5 631cbea327373843c7193404da2f7b49
SHA1 a1743aeb4d79877ed831617b733a41b477d16481
SHA256 7c887a2b87da1faa449896903127b70b904430b2d9f123d811821e3ea720c49a
SHA512 5fb96abde331e0e85c3f0b61326e26f4d336ef36e587f423e0202d9d74f076425bd9dc521425a4c63c4d53d81c62713e16b975f5ca0eb5209b2f54e0793f3f77

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

MD5 5cefad007afabe7f77758610cb3a4561
SHA1 5b0cff15ffbdb7317287b7575cfda241e8e34e3b
SHA256 d85b0e0c7bbdfecab6154759d13c24f620a51d14d4bd6980e35266e7d55059e1
SHA512 dc2a4a55809331beeaf261762d313b21daf739259994fb870ed9d01da820b3944368e46a2ee9320c4c83a5106a5a165c2c38bc589ec9fcb4c18723a8cab2cc13

\Users\Admin\AppData\Local\Temp\请勿点击.exe

MD5 5a716b52188c8226cf75fc626844b4c5
SHA1 3ea374fe53812157b72922b548a68374794644d2
SHA256 1c349bcb071020e192ddadd8e02b0daa611dfa661cc0d5a8ea6ba6122412424a
SHA512 9264ed289f4e627f501a0cf4987ad802502daa9fa8ee8a74a8771161f9a19fc3025b46bdac6fab7c33f9d0688eb5380c1932f50172c75a8cb6dbba62bdc29a4d

memory/3060-24-0x0000000000400000-0x00000000009EA000-memory.dmp

memory/2868-22-0x0000000003090000-0x000000000367A000-memory.dmp

memory/3060-25-0x0000000000400000-0x00000000009EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ISocket.dll

MD5 6db6dcfe126984a341cecfc5be783f48
SHA1 98309871ad417694bafd93d44eb71180b79cdd45
SHA256 8adf02829208ea32bdb377e8fccfd106393611e9425d980ce39a8dac17150dac
SHA512 d4848676f2eb202ccc8f56f8389c53db0335f0ccc99ec4481e1c9978c2664519a0ffad0e8b53cc0bb56ae7ddf1cd041e225200b807a5808027c863d8094fcdc3

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

MD5 d6ff5fb46185e783e042d0f1498ee8b9
SHA1 6c2717706a64fd0050c03eb7d08de6c49cd853e3
SHA256 5a376e346175b2a5527e34af42562be78b842cce9bd3e2936d46954623a5275f
SHA512 671d979969b3470445a9200eb68ee42dc125ee0d0fd62f3cc33b396c47b54ed71c639fb10c763891bf0944566010245610a47b36b0cf768118ba956316fe57a8

memory/3060-406-0x0000000000400000-0x00000000009EA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-26 10:07
Reported 2024-06-26 10:10
Platform win10v2004-20240508-en
Max time kernel 147s
Max time network 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe"

Signatures

Detects executables packed with VMProtect.

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Looks for VirtualBox Guest Additions in registry

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\ytool\QJxCtGAG7YVM6iM.exe | N/A

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\QJxCtGAG7YVM6iM.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\请勿点击.exe | N/A

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\请勿点击.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\QJxCtGAG7YVM6iM.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\QJxCtGAG7YVM6iM.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\QJxCtGAG7YVM6iM.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\QJxCtGAG7YVM6iM.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\请勿点击.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\请勿点击.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4424 wrote to memory of 372 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe | C:\Users\Admin\AppData\Local\Temp\ytool\QJxCtGAG7YVM6iM.exe
PID 4424 wrote to memory of 372 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe | C:\Users\Admin\AppData\Local\Temp\ytool\QJxCtGAG7YVM6iM.exe
PID 4424 wrote to memory of 372 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe | C:\Users\Admin\AppData\Local\Temp\ytool\QJxCtGAG7YVM6iM.exe
PID 4424 wrote to memory of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe | C:\Users\Admin\AppData\Local\Temp\请勿点击.exe
PID 4424 wrote to memory of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe | C:\Users\Admin\AppData\Local\Temp\请勿点击.exe
PID 4424 wrote to memory of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe | C:\Users\Admin\AppData\Local\Temp\请勿点击.exe
PID 2296 wrote to memory of 1948 | N/A | C:\Users\Admin\AppData\Local\Temp\请勿点击.exe | C:\Windows\SysWOW64\cmd.exe
PID 2296 wrote to memory of 1948 | N/A | C:\Users\Admin\AppData\Local\Temp\请勿点击.exe | C:\Windows\SysWOW64\cmd.exe
PID 2296 wrote to memory of 1948 | N/A | C:\Users\Admin\AppData\Local\Temp\请勿点击.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe"

C:\Users\Admin\AppData\Local\Temp\ytool\QJxCtGAG7YVM6iM.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe" "C:\Users\Admin\AppData\Local\Temp\2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe"

C:\Users\Admin\AppData\Local\Temp\请勿点击.exe

"C:\Users\Admin\AppData\Local\Temp\请勿点击.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4232,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=3848 /prefetch:8

Network

Country  Destination           Domain                          Proto
US       8.8.8.8:53            config.yunjiasu.kkidc.com       udp
US       8.8.8.8:53            8.8.8.8.in-addr.arpa            udp
US       8.8.8.8:53            209.205.72.20.in-addr.arpa      udp
CN       45.117.11.105:9501    config.yunjiasu.kkidc.com       tcp
CN       45.117.11.105:9501    config.yunjiasu.kkidc.com       tcp
CN       45.117.11.105:9501    config.yunjiasu.kkidc.com       tcp
US       8.8.8.8:53            105.11.117.45.in-addr.arpa      udp
US       8.8.8.8:53            75.159.190.20.in-addr.arpa      udp
CN       110.80.137.104:9501   -                               tcp
US       8.8.8.8:53            httpbin.org                     udp
US       44.195.190.188:80     httpbin.org                     tcp
CN       103.88.32.21:36018    -                               tcp
CN       110.42.5.137:60307    -                               tcp
CN       103.88.32.69:23447    -                               tcp
US       8.8.8.8:53            config.yunjiasu.kkidc.com       udp
CN       45.117.11.105:9501    config.yunjiasu.kkidc.com       tcp
US       8.8.8.8:53            188.190.195.44.in-addr.arpa     udp
CN       110.42.5.82:33603     -                               tcp
CN       117.24.12.219:34650   -                               tcp
CN       45.248.8.194:27223    -                               tcp
US       8.8.8.8:53            58.55.71.13.in-addr.arpa        udp
CN       45.251.8.120:43755    -                               tcp
CN       117.24.15.144:36705   -                               tcp
CN       45.248.10.79:50878    -                               tcp
US       8.8.8.8:53            config.yunjiasu.kkidc.com       udp
CN       45.117.11.105:9501    config.yunjiasu.kkidc.com       tcp
CN       45.117.11.205:16966   -                               tcp
CN       45.251.9.148:54274    -                               tcp
CN       45.248.10.174:14021   -                               tcp
CN       110.80.137.104:9501   -                               tcp
CN       45.117.11.54:52730    -                               tcp
CN       103.88.32.21:36018    -                               tcp
CN       103.88.32.69:23447    -                               tcp
CN       110.80.137.104:9501   -                               tcp
CN       110.42.5.137:60307    -                               tcp
CN       110.42.5.82:33603     -                               tcp
CN       45.248.8.194:27223    -                               tcp
CN       117.24.12.219:34650   -                               tcp
CN       45.251.8.120:43755    -                               tcp
CN       45.248.10.79:50878    -                               tcp
CN       117.24.15.144:36705   -                               tcp
CN       45.117.11.205:16966   -                               tcp
CN       45.248.10.174:14021   -                               tcp
CN       110.80.137.104:9501   -                               tcp
US       8.8.8.8:53            183.59.114.20.in-addr.arpa      udp
CN       45.251.9.148:54274    -                               tcp
CN       45.117.11.54:52730    -                               tcp
CN       103.88.32.69:23447    -                               tcp
US       8.8.8.8:53            15.164.165.52.in-addr.arpa      udp
CN       103.88.32.21:36018    -                               tcp
CN       110.42.5.137:60307    -                               tcp
CN       45.248.8.194:27223    -                               tcp
US       8.8.8.8:53            172.210.232.199.in-addr.arpa    udp
US       8.8.8.8:53            config.yunjiasu.kkidc.com       udp
CN       45.117.11.105:9501    config.yunjiasu.kkidc.com       tcp
CN       110.42.5.82:33603     -                               tcp
CN       117.24.12.219:34650   -                               tcp
CN       45.248.10.79:50878    -                               tcp
CN       110.80.137.104:9501   -                               tcp
CN       45.251.8.120:43755    -                               tcp
CN       117.24.15.144:36705   -                               tcp
CN       45.248.10.174:14021   -                               tcp
CN       45.117.11.205:16966   -                               tcp
CN       45.251.9.148:54274    -                               tcp
CN       103.88.32.69:23447    -                               tcp
CN       45.117.11.54:52730    -                               tcp
CN       103.88.32.21:36018    -                               tcp
CN       45.248.8.194:27223    -                               tcp
CN       110.42.5.137:60307    -                               tcp
CN       110.42.5.82:33603     -                               tcp
CN       45.248.10.79:50878    -                               tcp
US       8.8.8.8:53            config.yunjiasu.kkidc.com       udp
CN       117.24.12.219:34650   -                               tcp
US       8.8.8.8:53            79.10.248.45.in-addr.arpa       udp
CN       45.117.11.105:9501    config.yunjiasu.kkidc.com       tcp
US       8.8.8.8:53            30.243.111.52.in-addr.arpa      udp
CN       45.251.8.120:43755    -                               tcp
CN       45.248.10.174:14021   -                               tcp
CN       117.24.15.144:36705   -                               tcp
CN       45.117.11.205:16966   -                               tcp
CN       103.88.32.69:23447    -                               tcp
CN       45.251.9.148:54274    -                               tcp
CN       45.117.11.54:52730    -                               tcp
CN       45.248.8.194:27223    -                               tcp
CN       103.88.32.21:36018    -                               tcp
CN       45.248.10.79:50878    -                               tcp
CN       110.42.5.137:60307    -                               tcp
CN       110.42.5.82:33603     -                               tcp
CN       117.24.12.219:34650   -                               tcp
CN       45.251.8.120:43755    -                               tcp
CN       45.248.10.174:14021   -                               tcp
US       8.8.8.8:53            config.yunjiasu.kkidc.com       udp
CN       45.117.11.105:9501    config.yunjiasu.kkidc.com       tcp
CN       110.80.137.104:9501   -                               tcp
CN       110.80.137.104:9501   -                               tcp
US       8.8.8.8:53            config.yunjiasu.kkidc.com       udp
CN       45.117.11.105:9501    config.yunjiasu.kkidc.com       tcp
CN       110.80.137.104:9501   -                               tcp

Files

C:\Users\Admin\AppData\Local\Temp\ytool\QJxCtGAG7YVM6iM.exe

MD5 631cbea327373843c7193404da2f7b49
SHA1 a1743aeb4d79877ed831617b733a41b477d16481
SHA256 7c887a2b87da1faa449896903127b70b904430b2d9f123d811821e3ea720c49a
SHA512 5fb96abde331e0e85c3f0b61326e26f4d336ef36e587f423e0202d9d74f076425bd9dc521425a4c63c4d53d81c62713e16b975f5ca0eb5209b2f54e0793f3f77

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

MD5 e6736f4020355906932d79092ae7a86e
SHA1 5b7aed66234a6eaa335abf5ccdbc1cdbf47483c1
SHA256 265917add7da5bcec955d7ee764b74637a34d165e2ae11735a516ea13ad3fe34
SHA512 167ca9bf24b9368975b0ff07b0642edc68e12dd7d073ff3aad02b284ca9407494218d81ace24790775f1195ab374126b6d7546ac2644c7605fbd4c4184d2cc73

C:\Users\Admin\AppData\Local\Temp\请勿点击.exe

MD5 5a716b52188c8226cf75fc626844b4c5
SHA1 3ea374fe53812157b72922b548a68374794644d2
SHA256 1c349bcb071020e192ddadd8e02b0daa611dfa661cc0d5a8ea6ba6122412424a
SHA512 9264ed289f4e627f501a0cf4987ad802502daa9fa8ee8a74a8771161f9a19fc3025b46bdac6fab7c33f9d0688eb5380c1932f50172c75a8cb6dbba62bdc29a4d

memory/2296-20-0x0000000000400000-0x00000000009EA000-memory.dmp

memory/2296-21-0x0000000000400000-0x00000000009EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ISocket.dll

MD5 6db6dcfe126984a341cecfc5be783f48
SHA1 98309871ad417694bafd93d44eb71180b79cdd45
SHA256 8adf02829208ea32bdb377e8fccfd106393611e9425d980ce39a8dac17150dac
SHA512 d4848676f2eb202ccc8f56f8389c53db0335f0ccc99ec4481e1c9978c2664519a0ffad0e8b53cc0bb56ae7ddf1cd041e225200b807a5808027c863d8094fcdc3

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

MD5 298ec1d57504e254eb6b3974adc315d1
SHA1 f48f0674519c1722d961f418664d2f22707bc753
SHA256 3e7d0cd1443bd5738effbf61f01e27022cc469c7187adfb71734617a83bbb601
SHA512 8ce93d2a3bb4563b3b2166d8e3b45100f7ef9ca908596383766055c61b21f2851cc9aa1cc7f92b510023a90e66e91ae448a85c1149cba4f9758ba20b0843540e

memory/2296-39-0x0000000000400000-0x00000000009EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

MD5 2fc54e49f5935480bf7d766d26e08578
SHA1 490cca149c5a8799ff64fc035e4589c72d245bf2
SHA256 7d8f4cd8e08cdcc8a4d3c9232699a9c3f2ffe26eb3d993f4f6e504c04a539952
SHA512 9e760d9f58d20c3ec394068ccf39382f98e5e5031922a7971249718b00ff796dd3ede785a43e5e1f13f8a56143480fe167b52ac0f81eec934034f9ea054b4a47