Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/05/2024, 09:20

General

  • Target

    209abf5674723414fea9b155223cbc40_NEAS.exe

  • Size

    434KB

  • MD5

    209abf5674723414fea9b155223cbc40

  • SHA1

    34ae49fc1c885a4b2914ee68d1a64f2bb540c2f8

  • SHA256

    6c7456eee52d013b21e1ac0bc1fb7c909cef3707cc27d9dfc618f1a15664fca2

  • SHA512

    9a581b0d320fd9a796f8d25341ae0b1b7e9b0667a280aba6f32b738063544c8419da858b3f63bdd5d2a8b58f9b8cd9518851f898aed739c1ff3da94ef107c8f9

  • SSDEEP

    6144:tQqDnQA7HMC3/IanKyooC2rmR0oABEON7cJk2idNDFaacc/LIL/HPaWbwTPrwL8Q:F7Hr0wCOmR4EON7+khg1cw/vTt8Zq

Malware Config

Signatures

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 45 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Program Files directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 6 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3528
      • C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe
        "C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe"
        2⤵
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4200
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://f.handanxinyuan.com/MjA5YWJmNTY3NDcyMzQxNGZlYTliMTU1MjIzY2JjNDBfTkVBUy5leGU=/40.html
          3⤵
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:1844
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8822a46f8,0x7ff8822a4708,0x7ff8822a4718
            4⤵
              PID:3484
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,16361673736401105839,1900626655724477544,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
              4⤵
                PID:5048
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,16361673736401105839,1900626655724477544,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 /prefetch:3
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:4436
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,16361673736401105839,1900626655724477544,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
                4⤵
                  PID:3524
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,16361673736401105839,1900626655724477544,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
                  4⤵
                    PID:2680
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,16361673736401105839,1900626655724477544,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
                    4⤵
                      PID:4812
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,16361673736401105839,1900626655724477544,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
                      4⤵
                        PID:4356
                    • C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\9377mycs_Y_mgaz2_01.exe
                      9377mycs_Y_mgaz2_01.exe
                      3⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in Program Files directory
                      PID:708
                      • C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MYLogger.exe
                        "C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MYLogger.exe" "C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MeiYing.dll"
                        4⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Suspicious use of SetWindowsHookEx
                        PID:2420
                        • C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MYLogger.exe
                          "C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MYLogger.exe" "C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MeiYing.dll" "1"
                          5⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          PID:3136
                      • C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MYLogger.exe
                        "C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MYLogger.exe" "C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MeiYing.dll" 2
                        4⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Suspicious use of SetWindowsHookEx
                        PID:5092
                      • C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MYLogger.exe
                        "C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MYLogger.exe" "C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MeiYing.dll" 1
                        4⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        PID:3572
                    • C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\yx_dts.exe
                      yx_dts.exe
                      3⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4856
                      • C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe
                        "C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe" SW_SHOWNORMAL
                        4⤵
                        • Executes dropped EXE
                        • Suspicious use of SetWindowsHookEx
                        PID:3596
                      • C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe
                        "C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe" /ShowDeskTop
                        4⤵
                        • Executes dropped EXE
                        • Suspicious use of FindShellTrayWindow
                        PID:3772
                      • C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe
                        "C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe" /setupsucc
                        4⤵
                        • Executes dropped EXE
                        • Writes to the Master Boot Record (MBR)
                        • Suspicious behavior: EnumeratesProcesses
                        PID:3020
                • C:\Windows\System32\CompPkgSrv.exe
                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                  1⤵
                    PID:4384
                  • C:\Windows\System32\CompPkgSrv.exe
                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                    1⤵
                      PID:3188

                    Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MYLogger.exe

                            Filesize

                            377KB

                            MD5

                            e62edf270beee5820e781404b6792cbc

                            SHA1

                            b4a31e93ee812786deeab21fc990e1fa72d18f20

                            SHA256

                            cc6d069c6e4ce7da54901094753cd9df36dcb095b9ead758e809887c2643a5ba

                            SHA512

                            d0a208e4e692114e0ecfce35c9e33ab69296484b632446f04e8cebd3fef52b4e7fed5877f2321e179a1cb6a822161a6d31370a68b19cc5277819cbbc350c159a

                          • C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MYLogger.ini

                            Filesize

                            230B

                            MD5

                            5413850ca9697181194085be89378aac

                            SHA1

                            ddd35a3d412cec8e64a09604c62ce9bbb19a906f

                            SHA256

                            9945f0da338f87469d3a5f94e99bd108cd136c20d941631d57e99b967b8a1c77

                            SHA512

                            dabc1ff7d4fc07d85859120f28ed4fa78ee7895cb36e95bc8c05538c22f31b73cf088ebe4c7ded313ea52cd6297d323c8278fbc875f56838c41107df939a052b

                          • C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MeiYing.dll

                            Filesize

                            463KB

                            MD5

                            b383bf5a47c46d6a22b1c3d383edc87c

                            SHA1

                            abfac8a4beb27df27fe9353ed70a30677f7bcaed

                            SHA256

                            aab3e362c47d454e48f265213bab6e582c3b5c6b7167e54d477c68b9d3dc5b8e

                            SHA512

                            92618f2db31110bdcb2937a8dc44a81640be8ff589266ade343c9301ee7bf1479995c6b14b6f06e52c2b1e52c4c91f254ca58d664a1cea10e1a1b2d1cf292d29

                          • C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\uninstall.exe

                            Filesize

                            76KB

                            MD5

                            1d4b24538bde98104eda1b5d3cff1fc5

                            SHA1

                            2f766c1fbdd8632ec9784d9631a5c74dcaf77f4a

                            SHA256

                            68237bdfcda9fdf8747e65df044a8b3668ea5dd26451335e78bf311999cf05e5

                            SHA512

                            985e0f01e8c186767b2025e5b0b253ac1aec8bf7145028f7737315998d0ec92ab42c80fd4722ac98873dd2ac1a3bbc3f8b6a4164cfe10865efec7b15c56215f6

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                            Filesize

                            152B

                            MD5

                            fbe1ce4d182aaffb80de94263be1dd35

                            SHA1

                            bc6c9827aa35a136a7d79be9e606ff359e2ac3ea

                            SHA256

                            0021f72dbca789f179762b0e17c28fe0b93a12539b08294800e47469905aeb51

                            SHA512

                            3fb0a3b38e7d4a30f5560594b1d14e6e58419e274255fb68dfe0ca897aa181f9ce8cb2048403f851fd36a17b0e34d272d03927769d41a500b2fe64806354902f

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                            Filesize

                            152B

                            MD5

                            2a70f1bd4da893a67660d6432970788d

                            SHA1

                            ddf4047e0d468f56ea0c0d8ff078a86a0bb62873

                            SHA256

                            c550af5ba51f68ac4d18747edc5dea1a655dd212d84bad1e6168ba7a97745561

                            SHA512

                            26b9a365e77df032fc5c461d85d1ba313eafead38827190608c6537ec12b2dfdbed4e1705bfd1e61899034791ad6fa88ea7490c3a48cdaec4d04cd0577b11343

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                            Filesize

                            96B

                            MD5

                            f0c05d6d52b1a0701c84e8d751d74e3a

                            SHA1

                            260a2ee8a90f99236837ffd96c43ba6788828a43

                            SHA256

                            78691a41173a18b280ebbcef4acd16e3d7ab54c09e73a11499212beef76d9c9b

                            SHA512

                            a6e45d70710ae3eaa41b7ef79bc7e564b4346cc69fab7522fe93afcafa7cce206b1930bc03c96d26106bf402d4df74a1e41873dbe4b4551d5c1ec1a392cecc96

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                            Filesize

                            559B

                            MD5

                            3fc72262b701eae63b393781e9e3c864

                            SHA1

                            209320d33791dc8d76739419664a7935051692d9

                            SHA256

                            6ef8b01741059187b1689d5a6b8587baa21e3a45015adbe11ec1a3753a0f27aa

                            SHA512

                            7735747ed005be40aeb5fd59ee52eb59b662ea01b559ef6ad4f3d4af577f8cb5038efb67f9a016b53425b3206570af50bfe7a7affc155000b128e4a614a9b138

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                            Filesize

                            5KB

                            MD5

                            401c5576a58a3e10de5c32d001e331ad

                            SHA1

                            c4e9c0d5134babb46d5f8c4eeadd40cab18b5450

                            SHA256

                            2b1d9d7fcc1d46f4b60207f197c9fad2c559f9dce2aa0fd09239883147ea5f36

                            SHA512

                            1b1d76144c6030ac1390a15acd096f13505f62eb2a92745eab5264a25609de8f957d338de00c584ed8d7339525d40aeee3ec592af4168e3035ae068c6901cc7e

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                            Filesize

                            6KB

                            MD5

                            6f5fa860c6a0898b6344a57c9acd611d

                            SHA1

                            47208ea7f9013f383e72c7aa2606b5cc57b122bd

                            SHA256

                            db432964f4da38c94596164ea3a4580ddcac3bef6152ce483b470418ca7429f1

                            SHA512

                            5a437e74b157c51a55ef773c1b7a2e58d6ac70c8be0c10db2b02f303143ea412117bb40ce7db1dbdbaa3b9feac26f82b958e445f7c785e443f5fec1fece29359

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                            Filesize

                            6KB

                            MD5

                            3fd735f29837197eb90397d25a1301d0

                            SHA1

                            3ca6c6f78aaac6d88ac42db884fbbee252acc83f

                            SHA256

                            3cd8cc60c4bb62645b7e5c72e9ee4da287d190e0be9e7c6f34b49f5bd1827e6e

                            SHA512

                            c3827a420735871bfb7d5049bb3f0a1aa869866c454760b076c1feee7077f31f847074cfc18b72f6cd4a7625316294da10f195f12d85a31dee971c0e65c93fc6

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                            Filesize

                            11KB

                            MD5

                            57d937098fb80a2e87abf8b8d9bf9fa9

                            SHA1

                            14a756edf3ca46f770371680607516348cd8acf7

                            SHA256

                            6a5deb7603c67afee175fdc93e3f3ae1328e231f6f4c54afc4d28a91e4ebc57a

                            SHA512

                            589994f6bf78a222332736de1ad27618a148686dbd41ffcb329f58d8805045839b77cf069dafac742a9bcb3f0057710113b58e03bc381f902ec888af50e4d9d7

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\e9b2ae8f-2967-46c5-acd5-5533c3bb73fb.tmp

                            Filesize

                            11KB

                            MD5

                            5d22636bd5c24893369218d8f7330eaf

                            SHA1

                            55fb67844da3ef98d07b05fd1c5f7dce1fc5587a

                            SHA256

                            8ad476a4f0f080068bdb5b0591e448aa587bf1cca8b5eb3b60de96171abe35f7

                            SHA512

                            46f1069ab4684b9ffcf305c1c6233a8ba88d6dcd77503004cadab0a237df6d741a1aa35663a03b0b4dcaa3ff87529da621ec630d05fe2d7781a8ea9adbd097f6

                          • C:\Users\Admin\AppData\Local\Temp\nsb3A13.tmp\FindProcDLL.dll

                            Filesize

                            3KB

                            MD5

                            8614c450637267afacad1645e23ba24a

                            SHA1

                            e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2

                            SHA256

                            0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758

                            SHA512

                            af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

                          • C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\9377mycs_Y_mgaz2_01.exe

                            Filesize

                            649KB

                            MD5

                            11a03edd815fdfde672df5e0c9db1ecd

                            SHA1

                            3612f55ae04e0f937d797f9c818a507e5b46011d

                            SHA256

                            dc0ddb5f676959234ec39c703187a741af91d8e6e17d084dfa256f3770336366

                            SHA512

                            6f82ad5153f501ff294371a12c7e82a9c15b3c0012bb2c39b04aa71ee2b2d4548b1e3c3418cd8e9a9d3eea048befabfd7a9ed8cd949eef53d86a3567814f6a12

                          • C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\Base64.dll

                            Filesize

                            4KB

                            MD5

                            f0e3845fefd227d7f1101850410ec849

                            SHA1

                            3067203fafd4237be0c186ddab7029dfcbdfb53e

                            SHA256

                            7c688940e73022bf526f07cc922a631a1b1db78a19439af6bafbff2a3b46d554

                            SHA512

                            584ae5a0d1c1639ba4e2187d0c8a0ac7e54c0be0a266029c4689d81c0c64a7f80e7d918da0df5c6344f9f7a114f30d8f2feda253b29e813bae086604731a3d8a

                          • C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\Inetc.dll

                            Filesize

                            20KB

                            MD5

                            50fdadda3e993688401f6f1108fabdb4

                            SHA1

                            04a9ae55d0fb726be49809582cea41d75bf22a9a

                            SHA256

                            6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

                            SHA512

                            e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

                          • C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\System.dll

                            Filesize

                            11KB

                            MD5

                            00a0194c20ee912257df53bfe258ee4a

                            SHA1

                            d7b4e319bc5119024690dc8230b9cc919b1b86b2

                            SHA256

                            dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

                            SHA512

                            3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

                          • C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\f1.ico

                            Filesize

                            320KB

                            MD5

                            5858df8bc0d6ed1d6e0320cacc2e3e08

                            SHA1

                            01b4c25cb1cb049dc45c0cc4e12b772bda52c48d

                            SHA256

                            91d0c4f8d8e49b84673ef2c8c9c05cc14b4fbfcdb17489612aad4e382a4eebaf

                            SHA512

                            cd708ae1b464c6de21e4819601055bf7fc6c16dca14180f4ea8f3f97097aceb7e6f2e0264da4415ccbe7b03fe468991c894a7a41cb690e5941ba9f9ee3e69d47

                          • C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\nsProcess.dll

                            Filesize

                            4KB

                            MD5

                            05450face243b3a7472407b999b03a72

                            SHA1

                            ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

                            SHA256

                            95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

                            SHA512

                            f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

                          • C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\yx_dts.exe

                            Filesize

                            930KB

                            MD5

                            d3f054de4c81b4d02c5dba5ab7c97b76

                            SHA1

                            6e8f39ddc425a7badc66e2e03e813a68e75ca772

                            SHA256

                            439641179cf715d946321bfb60d8fa0fbabf7a166c8aac941815571401edb489

                            SHA512

                            f0da7eb8b3b4622897b15c230d7f4b60f0d87ae19e0b32ead3f80f7c497cf6629cac9d047a9efae2e330e65e9d60dbe1997602674eb91759c7b29a544286a406

                          • C:\Users\Admin\AppData\Local\Temp\nsw3CA8.tmp\System.dll

                            Filesize

                            11KB

                            MD5

                            c17103ae9072a06da581dec998343fc1

                            SHA1

                            b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

                            SHA256

                            dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

                            SHA512

                            d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

                          • C:\Users\Admin\AppData\Local\Temp\nsw3CA8.tmp\ip.dll

                            Filesize

                            16KB

                            MD5

                            4df6320e8281512932a6e86c98de2c17

                            SHA1

                            ae6336192d27874f9cd16cd581f1c091850cf494

                            SHA256

                            7744a495ceacf8584d4f6786699e94a09935a94929d4861142726562af53faa4

                            SHA512

                            7c468de59614f506a2ce8445ef00267625e5a8e483913cdd18636cea543be0ca241891e75979a55bb67eecc11a7ac0649b48b55a10e9a01362a0250839462d3b

                          • C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe

                            Filesize

                            883KB

                            MD5

                            b5d09fd991b640cd198f9c32ca01e25e

                            SHA1

                            1a312c68d92c13dff436f951af1a1ad56c0fbfcc

                            SHA256

                            4cca4410d6559adc5b6f81ee2641132220fbc0fb75bf4ead6722ee8a9b2d9bb6

                            SHA512

                            ba0793bed656c3fdc9aa075eb26dbb52c9bfcdf012231bb5c1bb80ad6857825065ba433cbb0d34fc2dd3f0972bed37e59e74f3eeda60d659561c57a0069831e7

                          • C:\Users\Admin\AppData\Roaming\dts\mydts\lander.ini

                            Filesize

                            380B

                            MD5

                            c099269a0b569024a13ea5944f8c6d49

                            SHA1

                            f06abf2efd5e4b506d4f028683a10bc59e03fa15

                            SHA256

                            cc12d6aea0a462719635c2fa315e4fb0bbca96b78a4de5bdadb96b1f4bc90988

                            SHA512

                            65e14632a75bd4e29c3e868bda8ee0c1cf7ef5ddadc7f5f21e566a3c2e8cafc3f095e2c88acf0aea72bbab0e07ae023a0cf94b23f7a980251b9de944a5798f98

                          • memory/4856-363-0x00000000021B0000-0x00000000021B3000-memory.dmp

                            Filesize

                            12KB