Malware Analysis Report

2025-01-22 12:59

Sample ID 240626-mk4cbstbjk
Target fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365
SHA256 fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365
Tags evasion vmprotect
Score 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 9/10

SHA256 fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365

Threat Level: Likely malicious

The file fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365 was found to be: Likely malicious.

Malicious Activity Summary

evasion vmprotect

Looks for VirtualBox Guest Additions in registry

Executes dropped EXE

Checks computer location settings

VMProtect packed file

Loads dropped DLL

Enumerates connected drives

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-26 10:32

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-26 10:32
Reported 2024-06-26 10:34
Platform win7-20231129-en
Max time kernel 117s
Max time network 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe"

Signatures

Looks for VirtualBox Guest Additions in registry

Tags evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe | N/A

VMProtect packed file

Tags vmprotect

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\z: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\w: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\x: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\i: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\j: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\o: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\s: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\u: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\k: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\l: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\t: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\p: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\q: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\r: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\v: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\g: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\h: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\m: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\n: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\y: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe

Modifies Internet Explorer settings

Tags adware spyware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TypedURLs | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1392 wrote to memory of 1848 | N/A | C:\Users\Admin\AppData\Local\Temp\fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe
PID 1392 wrote to memory of 1848 | N/A | C:\Users\Admin\AppData\Local\Temp\fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe
PID 1392 wrote to memory of 1848 | N/A | C:\Users\Admin\AppData\Local\Temp\fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe
PID 1392 wrote to memory of 1848 | N/A | C:\Users\Admin\AppData\Local\Temp\fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe
PID 1392 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe
PID 1392 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe
PID 1392 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe
PID 1392 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe
PID 2120 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe
PID 2120 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe
PID 2120 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe
PID 2120 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe
PID 2472 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2472 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2472 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2472 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe | C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe

"C:\Users\Admin\AppData\Local\Temp\fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe"

C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe

"C:\Users\Admin\AppData\Local\Temp\fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe" "C:\Users\Admin\AppData\Local\Temp\fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe"

C:\Users\Admin\AppData\Local\Temp\京都江湖.exe

"C:\Users\Admin\AppData\Local\Temp\京都江湖.exe"

C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe

"C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe" http://xkt.cac88.cn/...................

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 824

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | config.yunjiasu.kkidc.com | udp
US | 8.8.8.8:53 | config.yunjiasu.kkidc.com | udp
US | 8.8.8.8:53 | config.yunjiasu.kkidc.com | udp
CN | 45.117.11.105:9501 | config.yunjiasu.kkidc.com | tcp
CN | 45.117.11.105:9501 | config.yunjiasu.kkidc.com | tcp
CN | 45.117.11.105:9501 | config.yunjiasu.kkidc.com | tcp
CN | 110.80.137.104:9501 | | tcp
CN | 110.80.137.104:9501 | | tcp
US | 8.8.8.8:53 | httpbin.org | udp
US | 44.206.219.79:80 | httpbin.org | tcp
US | 8.8.8.8:53 | config.yunjiasu.kkidc.com | udp
CN | 103.88.32.177:55146 | | tcp
CN | 45.117.11.211:670 | | tcp
CN | 106.126.0.134:35705 | | tcp
CN | 45.117.11.105:9501 | config.yunjiasu.kkidc.com | tcp
US | 8.8.8.8:53 | xkt.cac88.cn | udp
HK | 154.215.179.222:80 | xkt.cac88.cn | tcp
US | 8.8.8.8:53 | cd.xiangqin8.cn | udp
CN | 110.80.137.104:9501 | | tcp
CN | 27.159.92.123:670 | | tcp
CN | 45.117.11.205:16966 | | tcp
CN | 103.8.222.51:670 | | tcp
US | 8.8.8.8:53 | config.yunjiasu.kkidc.com | udp

Files

\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe

MD5 bd071dbab6417cb317d50d1b62fe082c
SHA1 ca84d0d018a4b4017cd641d1fc36a47b4348f4df
SHA256 11418cd83df43b5f6be435040f2d4242195df5a24dbe295ae26f2dcc5e430b7c
SHA512 89bac3f5542399f6c33ba350afc62a36e102bff2650b5ced36eb5f92a1cabfa8d26e19af1fc168b71d48a1c675028042a6d552e78ad64bdf946d14b798820437

\Users\Admin\AppData\Local\Temp\京都江湖.exe

MD5 a579211b81cb5fa0f786a238469c51dc
SHA1 a3fc7a95bf080e592ebbcc5a6b7986db87fa58f0
SHA256 e3e84526ad020930059828bb03abe7cf3b22870ddf888a7cf5b5397d0fa508bf
SHA512 9dcab2dd1b6fdb142b495de12dd9bc149e43e7c49d63481598d349d3b96308e5b04b4739d6407ef8057fd8c9ac92932c3d9119e3211de5ca853f830ca842c642

memory/2120-19-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/2120-17-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/2120-21-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/2120-22-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2120-24-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2120-26-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2120-29-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2120-31-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2120-34-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2120-36-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2120-39-0x0000000001020000-0x0000000001021000-memory.dmp

memory/2120-41-0x0000000001020000-0x0000000001021000-memory.dmp

memory/2120-44-0x0000000001030000-0x0000000001031000-memory.dmp

memory/2120-46-0x0000000001030000-0x0000000001031000-memory.dmp

memory/2120-47-0x0000000001040000-0x0000000001041000-memory.dmp

memory/2120-49-0x0000000001040000-0x0000000001041000-memory.dmp

memory/2120-51-0x0000000001040000-0x0000000001041000-memory.dmp

memory/2120-52-0x0000000000400000-0x0000000001015000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

MD5 ee2165cd3e7b5976c3121746f2fe94cf
SHA1 999d620e7b2e5035cf652d5358ce26214326b2f0
SHA256 b6e143e6d9060fd8dddb81e8b59954136634456005008c7b2c726cf846e74f87
SHA512 50aa5e38f4d5fb3a7e4bd3f74960999f7fa7f665c3dfeb178172472d121cd353a7ab4c1cb38a562b22176ebd8b1791ddb0caf1582796c00c7935e54fd5d90629

\Users\Admin\AppData\Local\Temp\RXJH2Game.exe

MD5 64a4ea2a47e049fc907279bde7a54b52
SHA1 66322364a9dc2156179de7fea5f1d0b930675670
SHA256 f965de4a8e553a7eb4853fbc2a0a982efa3e263edec1da4206ea5870c27af024
SHA512 4699ebc8304cad67cf0b5531854afc56846f7a77ffc7396640fabdc0e42fb760bafaf213aa4e0ca23961da831a60dd5ceefe11de7fa9767261a07301c34191b7

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

MD5 c3a3fe4e9c8980687ee8ff574629c362
SHA1 d8bc3e2363eddf4c148f8d4922956ff506807998
SHA256 45f8639091a9c281efe5920c45f2e8a0e4739ae8f92e2c02f0adba9b2e3ca946
SHA512 bb7cedac6b4d194924d2c99445b74c992ab7e5e31d24fc1b4d4d9ee0f714318f81f0917b354631fc47f83107dc00f8edea16db1ecf1f4b5f053c2327b7d34153

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-26 10:32
Reported 2024-06-26 10:35
Platform win10v2004-20240508-en
Max time kernel 92s
Max time network 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe"

Signatures

Looks for VirtualBox Guest Additions in registry

Tags evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A

VMProtect packed file

Tags vmprotect

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\u: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\k: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\n: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\o: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\p: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\q: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\r: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\t: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\z: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\g: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\i: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\j: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\s: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\v: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\w: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\m: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\x: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\y: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\h: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
File opened (read-only) | \??\l: | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe

Modifies Internet Explorer settings

Tags adware spyware

Description | Indicator | Process | Target
Key deleted | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4848 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe
PID 4848 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe
PID 4848 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe | C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe
PID 4848 wrote to memory of 956 | N/A | C:\Users\Admin\AppData\Local\Temp\fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe
PID 4848 wrote to memory of 956 | N/A | C:\Users\Admin\AppData\Local\Temp\fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe
PID 4848 wrote to memory of 956 | N/A | C:\Users\Admin\AppData\Local\Temp\fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe
PID 956 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe
PID 956 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe
PID 956 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\京都江湖.exe | C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe

"C:\Users\Admin\AppData\Local\Temp\fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe"

C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe

"C:\Users\Admin\AppData\Local\Temp\fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe" "C:\Users\Admin\AppData\Local\Temp\fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe"

C:\Users\Admin\AppData\Local\Temp\京都江湖.exe

"C:\Users\Admin\AppData\Local\Temp\京都江湖.exe"

C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe

"C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe" http://xkt.cac88.cn/...................

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1696 -ip 1696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 1384

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | config.yunjiasu.kkidc.com | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
CN | 45.117.11.105:9501 | config.yunjiasu.kkidc.com | tcp
CN | 45.117.11.105:9501 | config.yunjiasu.kkidc.com | tcp
CN | 45.117.11.105:9501 | config.yunjiasu.kkidc.com | tcp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
CN | 110.80.137.104:9501 | | tcp
CN | 110.80.137.104:9501 | | tcp
US | 8.8.8.8:53 | config.yunjiasu.kkidc.com | udp
US | 8.8.8.8:53 | httpbin.org | udp
US | 44.206.219.79:80 | httpbin.org | tcp
CN | 103.88.32.177:55146 | | tcp
CN | 45.117.11.211:670 | | tcp
CN | 106.126.0.134:35705 | | tcp
CN | 45.117.11.105:9501 | config.yunjiasu.kkidc.com | tcp
US | 8.8.8.8:53 | xkt.cac88.cn | udp
HK | 154.215.179.222:80 | xkt.cac88.cn | tcp
US | 8.8.8.8:53 | 79.219.206.44.in-addr.arpa | udp
US | 8.8.8.8:53 | 222.179.215.154.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | cd.xiangqin8.cn | udp
CN | 27.159.92.123:670 | | tcp
CN | 45.117.11.205:16966 | | tcp
CN | 103.8.222.51:670 | | tcp
US | 8.8.8.8:53 | config.yunjiasu.kkidc.com | udp
CN | 125.77.166.115:670 | | tcp
CN | 110.42.5.82:670 | | tcp
CN | 110.80.137.104:9501 | | tcp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe

MD5 bd071dbab6417cb317d50d1b62fe082c
SHA1 ca84d0d018a4b4017cd641d1fc36a47b4348f4df
SHA256 11418cd83df43b5f6be435040f2d4242195df5a24dbe295ae26f2dcc5e430b7c
SHA512 89bac3f5542399f6c33ba350afc62a36e102bff2650b5ced36eb5f92a1cabfa8d26e19af1fc168b71d48a1c675028042a6d552e78ad64bdf946d14b798820437

C:\Users\Admin\AppData\Local\Temp\京都江湖.exe

MD5 a579211b81cb5fa0f786a238469c51dc
SHA1 a3fc7a95bf080e592ebbcc5a6b7986db87fa58f0
SHA256 e3e84526ad020930059828bb03abe7cf3b22870ddf888a7cf5b5397d0fa508bf
SHA512 9dcab2dd1b6fdb142b495de12dd9bc149e43e7c49d63481598d349d3b96308e5b04b4739d6407ef8057fd8c9ac92932c3d9119e3211de5ca853f830ca842c642

memory/956-14-0x0000000001150000-0x0000000001151000-memory.dmp

memory/956-18-0x0000000001640000-0x0000000001641000-memory.dmp

memory/956-21-0x0000000001660000-0x0000000001661000-memory.dmp

memory/956-20-0x0000000000486000-0x000000000096F000-memory.dmp

memory/956-19-0x0000000001650000-0x0000000001651000-memory.dmp

memory/956-15-0x00000000015E0000-0x00000000015E1000-memory.dmp

memory/956-17-0x0000000001630000-0x0000000001631000-memory.dmp

memory/956-16-0x00000000015F0000-0x00000000015F1000-memory.dmp

memory/956-25-0x0000000000400000-0x0000000001015000-memory.dmp

memory/956-26-0x0000000000400000-0x0000000001015000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe

MD5 64a4ea2a47e049fc907279bde7a54b52
SHA1 66322364a9dc2156179de7fea5f1d0b930675670
SHA256 f965de4a8e553a7eb4853fbc2a0a982efa3e263edec1da4206ea5870c27af024
SHA512 4699ebc8304cad67cf0b5531854afc56846f7a77ffc7396640fabdc0e42fb760bafaf213aa4e0ca23961da831a60dd5ceefe11de7fa9767261a07301c34191b7

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

MD5 95f9219fbc6c6d09949c8f29b1fc97ea
SHA1 b1e904a31be37c3536977b444761bb59d3c364bd
SHA256 07660db85797bb7071abd7b6b5c94074b299fade4c66a65ebbd307ea50072f7a
SHA512 edb87f90dbf217788709c6b480c0c126883492e2403bcb3b1672e393eacad1362b81f64ee173224078c77ce1df960cab6f45365596597f363c3455f4f3d596e4

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

MD5 3dd33ed93947a334c7e3dfcd0bbc96f9
SHA1 6dd2b488ae0eedf4a3fda00af071c293b2240017
SHA256 f2f6e12be2c01e4fc6695cfb2e193bf0dcbf7267d1edc6693a8e14671464deff
SHA512 f7839de6564f0df4830aebb00a7e1904c20dac3e93420dc60a6346f590089f5658406adfc5b96c74a3e3a6ac1f5f99c0c37a35b91621e23a5a8a7f3d13ac8e01

memory/956-115-0x0000000000486000-0x000000000096F000-memory.dmp

memory/956-116-0x0000000000400000-0x0000000001015000-memory.dmp