Malware Analysis Report

2025-08-10 18:08

Sample ID 240507-la2kbaab31
Target 209abf5674723414fea9b155223cbc40_NEAS
SHA256 6c7456eee52d013b21e1ac0bc1fb7c909cef3707cc27d9dfc618f1a15664fca2
Tags bootkit, discovery, persistence
Score 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral11, behavioral1, behavioral4, behavioral5, behavioral8, behavioral14, behavioral24, behavioral25, behavioral13, behavioral15, behavioral16, behavioral18, behavioral21, behavioral23, behavioral3, behavioral6, behavioral10, behavioral19, behavioral22, behavioral26, behavioral2, behavioral7, behavioral9, behavioral12, behavioral17, behavioral20 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 8/10

SHA256

6c7456eee52d013b21e1ac0bc1fb7c909cef3707cc27d9dfc618f1a15664fca2

Threat Level: Likely malicious

The file 209abf5674723414fea9b155223cbc40_NEAS was found to be: Likely malicious.

Malicious Activity Summary

Tags bootkit, discovery, persistence

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Checks installed software on the system

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Program crash

NSIS installer

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-07 09:20

Signatures

Unsigned PE


NSIS installer

installer

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-07 09:20

Reported

2024-05-07 09:23

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

This run detonates the NSIS plugin KillProcDLL.dll (extracted to $PLUGINSDIR by the installer) on its own, calling its export #1 through rundll32.exe outside the installer. The hosting rundll32.exe process (PID 280) crashes, which is why WerFault.exe -u -p 280 appears below and why the Files section consists of memory region dumps for PID 280 at the DLL's image base 0x10000000.

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 280 -s 224

Network

N/A

Files

memory/280-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/280-4-0x0000000010000000-0x0000000010003000-memory.dmp

memory/280-3-0x0000000010001000-0x0000000010002000-memory.dmp

memory/280-2-0x0000000010000000-0x0000000010003000-memory.dmp

memory/280-1-0x0000000010000000-0x0000000010003000-memory.dmp

memory/280-5-0x0000000010001000-0x0000000010002000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-07 09:20

Reported

2024-05-07 09:23

Platform

win7-20240221-en

Max time kernel

143s

Max time network

154s

Command Line

C:\Windows\Explorer.EXE

Signatures

Downloads MZ/PE file

Loads dropped DLL

Process Events
C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe 18
C:\Users\Admin\AppData\Local\Temp\nsd6B80.tmp\9377mycs_Y_mgaz2_01.exe 12
C:\Program Files (x86)\9377魅影传说\MYLogger.exe 6
C:\Users\Admin\AppData\Local\Temp\nsd6B80.tmp\yx_dts.exe 10
C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe 4

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe N/A

The indicator behind this signature is dts.exe, running from a user-profile path (AppData\Roaming), opening the raw disk object \??\PhysicalDrive0 with write access. The report records the handle open, not the bytes written, so confirm an actual MBR change by comparing the first sector of the disk against a known-good image before treating this as a bootkit installation.
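One way to make that confirmation, as an added example written for this report and not code from the sandbox or the sample: parse a 512-byte first sector (bootstrap code, NT disk signature, partition table, 0x55AA signature) and compare the bootstrap region against a baseline SHA-256 recorded from a known-good host. The sample sector, the baseline and the tampered variant are constructed inline; `read_physical_drive` reads `\\.\PhysicalDrive0`, the Win32 name for the object the report shows as `\??\PhysicalDrive0`, and needs administrator rights on Windows.

```python
"""MBR integrity check. Added example for this report, not sandbox or sample code.

Parses the first 512-byte sector of a disk (bootstrap code, NT disk signature,
four partition entries, 0x55AA signature) and compares the bootstrap region
against a known-good SHA-256, so that a write to \\??\\PhysicalDrive0 like the
one dts.exe made can be confirmed or ruled out."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

SECTOR_SIZE = 512
DISK_SIGNATURE_OFFSET = 440   # bootstrap code occupies bytes 0..439
PARTITION_TABLE_OFFSET = 446  # four 16-byte entries, bytes 446..509
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


@dataclass
class PartitionEntry:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_partition_table(sector: bytes) -> List[PartitionEntry]:
    """Return the non-empty entries of the classic MBR partition table."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, type_id, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if type_id != 0:
            entries.append(PartitionEntry(status == 0x80, type_id, lba_start, sectors))
    return entries


def bootstrap_hash(sector: bytes) -> str:
    """SHA-256 of the bootstrap code only; partition-table edits do not change it."""
    return hashlib.sha256(sector[:DISK_SIGNATURE_OFFSET]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: Optional[str] = None) -> Dict[str, object]:
    """Validate one sector and list anything that deserves a closer look."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    sector = sector[:SECTOR_SIZE]
    findings: List[str] = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    partitions = parse_partition_table(sector)
    if not partitions:
        findings.append("empty partition table")
    if sum(p.bootable for p in partitions) > 1:
        findings.append("more than one partition flagged active")
    digest = bootstrap_hash(sector)
    if baseline_hash is not None and digest != baseline_hash:
        findings.append("bootstrap code differs from baseline")
    return {"bootstrap_sha256": digest, "partitions": partitions, "findings": findings}


def read_physical_drive(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of a raw disk (Windows, administrator rights required)."""
    with open(path, "rb") as drive:
        return drive.read(SECTOR_SIZE)


def build_sample_mbr(bootstrap: bytes = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c",
                     signature: bytes = BOOT_SIGNATURE) -> bytes:
    """Constructed sample sector: one active NTFS (0x07) partition at LBA 2048."""
    code = bootstrap.ljust(DISK_SIGNATURE_OFFSET, b"\x00")
    disk_signature = struct.pack("<I", 0x12345678) + b"\x00\x00"   # bytes 440..445
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    table = entry + b"\x00" * (PARTITION_ENTRY_SIZE * 3)
    return code + disk_signature + table + signature


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = bootstrap_hash(clean)          # record this value from a known-good host
    tampered = build_sample_mbr(bootstrap=b"\xeb\x3c\x90constructed-bootkit-stub")
    print(check_mbr(clean, baseline)["findings"])      # []
    print(check_mbr(tampered, baseline)["findings"])   # ['bootstrap code differs from baseline']
```

The baseline is keyed on the bootstrap code alone because legitimate tooling (disk managers, Windows setup) rewrites the partition table without touching the boot code, whereas an MBR bootkit must replace the code that runs before the loader; run `read_physical_drive()` on the suspect host and pass the result to `check_mbr` with the recorded baseline.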

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\9377魅影传说\uninstall.exe C:\Users\Admin\AppData\Local\Temp\nsd6B80.tmp\9377mycs_Y_mgaz2_01.exe N/A
File created C:\Program Files (x86)\9377魅影传说\replay.htm C:\Users\Admin\AppData\Local\Temp\nsd6B80.tmp\9377mycs_Y_mgaz2_01.exe N/A
File created C:\Program Files (x86)\9377魅影传说\9377魅影传说.lnk C:\Users\Admin\AppData\Local\Temp\nsd6B80.tmp\9377mycs_Y_mgaz2_01.exe N/A
File created C:\Program Files (x86)\0101\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
File opened for modification C:\Program Files (x86)\9377魅影传说\MYLogger.ini C:\Users\Admin\AppData\Local\Temp\nsd6B80.tmp\9377mycs_Y_mgaz2_01.exe N/A
File created C:\Program Files (x86)\9377魅影传说\MYLogger.exe C:\Users\Admin\AppData\Local\Temp\nsd6B80.tmp\9377mycs_Y_mgaz2_01.exe N/A
File created C:\Program Files (x86)\9377魅影传说\MeiYing.dll C:\Users\Admin\AppData\Local\Temp\nsd6B80.tmp\9377mycs_Y_mgaz2_01.exe N/A

Enumerates physical storage devices

NSIS installer

installer

Modifies Internet Explorer settings

adware spyware

All entries below are made by iexplore.exe, which the installer (PID 1524) launched against the f.handanxinyuan.com URL shown under Processes; they are Internet Explorer's own session and window state for that visit (Recovery, Window_Placement, Zoom, DomainSuggestion) rather than settings changed by the sample itself.
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2EAA14E1-0C53-11EF-9201-6EAD7206CC74} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421235556" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
Description Indicator Process Target Events
PID 1524 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe C:\Program Files\Internet Explorer\iexplore.exe 4
PID 1664 wrote to memory of 1968 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE 7
PID 1524 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe C:\Users\Admin\AppData\Local\Temp\nsd6B80.tmp\9377mycs_Y_mgaz2_01.exe 7
PID 592 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\nsd6B80.tmp\9377mycs_Y_mgaz2_01.exe C:\Program Files (x86)\9377魅影传说\MYLogger.exe 7
PID 592 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\nsd6B80.tmp\9377mycs_Y_mgaz2_01.exe C:\Program Files (x86)\9377魅影传说\MYLogger.exe 7
PID 1076 wrote to memory of 1244 N/A C:\Program Files (x86)\9377魅影传说\MYLogger.exe C:\Windows\Explorer.EXE 1
PID 1524 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe C:\Users\Admin\AppData\Local\Temp\nsd6B80.tmp\yx_dts.exe 7
PID 2564 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\nsd6B80.tmp\yx_dts.exe C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe 7
PID 2564 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\nsd6B80.tmp\yx_dts.exe C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe 7

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe

"C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://f.handanxinyuan.com/MjA5YWJmNTY3NDcyMzQxNGZlYTliMTU1MjIzY2JjNDBfTkVBUy5leGU=/40.html

The base64 path segment of that URL decodes to 209abf5674723414fea9b155223cbc40_NEAS.exe, the sample's own file name, so the landing page request reports back which installer build was run.

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1664 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\nsd6B80.tmp\9377mycs_Y_mgaz2_01.exe

9377mycs_Y_mgaz2_01.exe

C:\Program Files (x86)\9377魅影传说\MYLogger.exe

"C:\Program Files (x86)\9377魅影传说\MYLogger.exe" "C:\Program Files (x86)\9377魅影传说\MeiYing.dll" 2

C:\Program Files (x86)\9377魅影传说\MYLogger.exe

"C:\Program Files (x86)\9377魅影传说\MYLogger.exe" "C:\Program Files (x86)\9377魅影传说\MeiYing.dll" 1

C:\Users\Admin\AppData\Local\Temp\nsd6B80.tmp\yx_dts.exe

yx_dts.exe

C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe

"C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe" /ShowDeskTop

C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe

"C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe" /setupsucc

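The process tree above, together with the stand-alone plugin run in behavioral11, gives the behaviours a detection would chain: rundll32 loading a DLL from $PLUGINSDIR, executables started from an NSIS ns*.tmp directory, a process writing into Explorer.EXE, a non-system process opening \??\PhysicalDrive0, and the tracking URL. The following is an added example written for this report, not code from the sandbox or the sample; the events are constructed from the report's own paths and PIDs (the PID of the dts.exe instance that opened PhysicalDrive0 is not listed in the report and is assumed), and the field names and the `detect` and `decode_url_segment` helpers are this example's.

```python
"""Detection logic for the behaviour chain in this report. Added example,
not code from the sandbox or from the sample.

The events below are constructed from the process tree and indicators the
report shows (rundll32 + $PLUGINSDIR, executables under ns*.tmp, a write into
Explorer.EXE, dts.exe opening \\??\\PhysicalDrive0, the tracking URL). PID
attribution for the PhysicalDrive0 open is assumed; the report does not list it."""
import base64
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Event:
    kind: str         # "process", "file_open" or "write_memory"
    pid: int
    image: str        # image path of the acting process
    detail: str = ""  # command line, path opened, or target image
    parent_pid: int = 0


NSIS_TEMP = re.compile(r"\\AppData\\Local\\Temp\\ns[0-9a-f]+\.tmp\\", re.I)
PLUGINSDIR = re.compile(r"\\\$PLUGINSDIR\\", re.I)
RAW_DISK = re.compile(r"^(\\\?\?|\\\\\.)\\PhysicalDrive\d+$", re.I)   # \??\ or \\.\ form
SHELL_IMAGES = {r"c:\windows\explorer.exe"}


def detect(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (pid, reason) pairs for the behaviours worth alerting on."""
    hits = []
    for e in events:
        image = e.image.lower()
        if e.kind == "process" and image.endswith("\\rundll32.exe") and PLUGINSDIR.search(e.detail):
            hits.append((e.pid, "rundll32 invoking an NSIS plugin from $PLUGINSDIR"))
        elif e.kind == "process" and NSIS_TEMP.search(image):
            hits.append((e.pid, "executable launched from an NSIS temp directory"))
        elif e.kind == "file_open" and RAW_DISK.match(e.detail) and "\\windows\\" not in image:
            hits.append((e.pid, "non-system process opened a raw physical drive"))
        elif e.kind == "write_memory" and e.detail.lower() in SHELL_IMAGES:
            hits.append((e.pid, "process wrote into the memory of Explorer.EXE"))
    return hits


def decode_url_segment(url: str) -> str:
    """Decode the first base64-looking path segment of a URL, or return ''."""
    for segment in url.split("/"):
        if re.fullmatch(r"[A-Za-z0-9+/]{8,}={0,2}", segment):
            try:
                return base64.b64decode(segment, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue
    return ""


TRACKING_URL = ("http://f.handanxinyuan.com/"
                "MjA5YWJmNTY3NDcyMzQxNGZlYTliMTU1MjIzY2JjNDBfTkVBUy5leGU=/40.html")

SAMPLE_EVENTS = [  # constructed from the report's behavioral11 and behavioral1 runs
    Event("process", 280, r"C:\Windows\SysWOW64\rundll32.exe",
          r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1"),
    Event("process", 1664, r"C:\Program Files\Internet Explorer\iexplore.exe", TRACKING_URL, 1524),
    Event("process", 592, r"C:\Users\Admin\AppData\Local\Temp\nsd6B80.tmp\9377mycs_Y_mgaz2_01.exe", "", 1524),
    Event("write_memory", 1076, r"C:\Program Files (x86)\9377魅影传说\MYLogger.exe",
          r"C:\Windows\Explorer.EXE", 592),
    Event("process", 2564, r"C:\Users\Admin\AppData\Local\Temp\nsd6B80.tmp\yx_dts.exe", "", 1524),
    Event("file_open", 276, r"C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe",
          r"\??\PhysicalDrive0", 2564),   # PID 276 is assumed
]

if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
    print("tracking segment decodes to:", decode_url_segment(TRACKING_URL))
```

The iexplore.exe launch itself produces no hit, which is deliberate: opening a browser is normal installer behaviour, and what makes it worth recording here is the decoded segment, so log it as context rather than alerting on it. The raw-disk rule keys on the acting image living outside \Windows\, which keeps disk-management components quiet while still catching a user-profile binary such as dts.exe.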
Network

Country Destination Domain Proto
US 8.8.8.8:53 int.dpool.sina.com.cn udp
N/A 10.79.217.129:80 int.dpool.sina.com.cn tcp
US 8.8.8.8:53 xn--sesz3ik91bknc.xn--fiqs8s udp
CN 218.241.105.10:27 xn--sesz3ik91bknc.xn--fiqs8s tcp
US 8.8.8.8:53 show.man1234.com udp
US 8.8.8.8:53 download.re58.cn udp
US 8.8.8.8:53 down.yinyue.fm udp
US 8.8.8.8:53 shadu.baidu.com udp
US 8.8.8.8:53 f.handanxinyuan.com udp
CN 153.37.235.114:80 shadu.baidu.com tcp
US 103.35.185.237:80 f.handanxinyuan.com tcp
US 103.35.185.237:80 f.handanxinyuan.com tcp
US 103.35.185.237:80 f.handanxinyuan.com tcp
US 103.35.185.237:80 f.handanxinyuan.com tcp
US 8.8.8.8:53 at.alicdn.com udp
US 8.8.8.8:53 vvvv.1036.xyz udp
US 8.8.8.8:53 h.pztwyx.com udp
US 8.8.8.8:53 gp.tuku.fit udp
HK 103.75.47.227:443 vvvv.1036.xyz tcp
HK 103.75.47.227:443 vvvv.1036.xyz tcp
US 104.21.18.74:443 h.pztwyx.com tcp
US 104.21.18.74:443 h.pztwyx.com tcp
US 172.67.71.74:443 gp.tuku.fit tcp
US 172.67.71.74:443 gp.tuku.fit tcp
US 104.21.18.74:443 h.pztwyx.com tcp
US 104.21.18.74:443 h.pztwyx.com tcp
US 104.21.18.74:443 h.pztwyx.com tcp
US 104.21.18.74:443 h.pztwyx.com tcp
US 8.8.8.8:53 tk2.zaojiao365.net udp
HK 16.163.95.68:4949 tk2.zaojiao365.net tcp
HK 16.163.95.68:4949 tk2.zaojiao365.net tcp
US 163.181.154.233:80 at.alicdn.com tcp
US 163.181.154.233:80 at.alicdn.com tcp
US 104.21.18.74:443 h.pztwyx.com tcp
US 104.21.18.74:443 h.pztwyx.com tcp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.190.81:80 apps.identrust.com tcp
US 2.18.190.81:80 apps.identrust.com tcp
US 2.18.190.81:80 apps.identrust.com tcp
US 2.18.190.80:80 apps.identrust.com tcp
US 2.18.190.81:80 apps.identrust.com tcp
US 2.18.190.81:80 apps.identrust.com tcp
US 104.21.18.74:443 h.pztwyx.com tcp
US 104.21.18.74:443 h.pztwyx.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
US 8.8.8.8:53 x2.c.lencr.org udp
US 8.8.8.8:53 x2.c.lencr.org udp
US 8.8.8.8:53 x2.c.lencr.org udp
US 8.8.8.8:53 x2.c.lencr.org udp
US 8.8.8.8:53 x2.c.lencr.org udp
US 8.8.8.8:53 x2.c.lencr.org udp
US 8.8.8.8:53 x2.c.lencr.org udp
GB 2.21.81.30:80 x2.c.lencr.org tcp
GB 2.21.81.30:80 x2.c.lencr.org tcp
GB 2.21.81.30:80 x2.c.lencr.org tcp
GB 2.21.81.30:80 x2.c.lencr.org tcp
GB 2.21.81.30:80 x2.c.lencr.org tcp
GB 2.21.81.30:80 x2.c.lencr.org tcp
GB 2.21.81.30:80 x2.c.lencr.org tcp
GB 2.21.81.30:80 x2.c.lencr.org tcp
US 8.8.8.8:53 98062375716.com udp
US 8.8.8.8:53 hm.baidu.com udp
CN 14.215.182.140:443 hm.baidu.com tcp
CN 14.215.182.140:443 hm.baidu.com tcp
CN 14.215.182.140:443 hm.baidu.com tcp
CN 14.215.182.140:443 hm.baidu.com tcp
CN 14.215.182.140:443 hm.baidu.com tcp
CN 14.215.182.140:443 hm.baidu.com tcp
US 8.8.8.8:53 tk.tuku.fit udp
US 8.8.8.8:53 tu.tuku.fit udp
US 104.26.4.225:443 tu.tuku.fit tcp
US 104.26.4.225:443 tu.tuku.fit tcp
US 172.67.71.74:443 tu.tuku.fit tcp
US 172.67.71.74:443 tu.tuku.fit tcp
US 104.26.4.225:443 tu.tuku.fit tcp
US 172.67.71.74:443 tu.tuku.fit tcp
US 104.26.4.225:443 tu.tuku.fit tcp
US 172.67.71.74:443 tu.tuku.fit tcp
US 104.26.4.225:443 tu.tuku.fit tcp
US 192.151.240.26:443 98062375716.com tcp
US 192.151.240.26:443 98062375716.com tcp
CN 14.215.182.140:443 hm.baidu.com tcp
CN 14.215.182.140:443 hm.baidu.com tcp
CN 14.215.182.140:443 hm.baidu.com tcp
CN 14.215.182.140:443 hm.baidu.com tcp
US 8.8.8.8:53 ziyuan-css.cdn.bcebos.com udp
US 8.8.8.8:53 lf9-cdn-tos.bytecdntp.com udp
US 8.8.8.8:53 lf6-cdn-tos.bytecdntp.com udp
US 38.124.43.227:443 lf9-cdn-tos.bytecdntp.com tcp
US 38.124.43.227:443 lf9-cdn-tos.bytecdntp.com tcp
CN 14.215.182.140:443 hm.baidu.com tcp
CN 124.239.243.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 124.239.243.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 124.239.243.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 124.239.243.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 124.239.243.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 124.239.243.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 124.239.243.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 124.239.243.35:443 ziyuan-css.cdn.bcebos.com tcp
HK 103.198.200.50:443 lf6-cdn-tos.bytecdntp.com tcp
HK 103.198.200.50:443 lf6-cdn-tos.bytecdntp.com tcp
CN 124.239.243.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 124.239.243.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 124.239.243.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 124.239.243.35:443 ziyuan-css.cdn.bcebos.com tcp
US 38.124.43.227:443 lf9-cdn-tos.bytecdntp.com tcp
US 38.124.43.227:443 lf9-cdn-tos.bytecdntp.com tcp
HK 103.198.200.50:443 lf6-cdn-tos.bytecdntp.com tcp
US 8.8.8.8:53 w.x.baidu.com udp
CN 14.215.183.79:443 hm.baidu.com tcp
CN 14.215.183.79:443 hm.baidu.com tcp
CN 14.215.183.79:443 hm.baidu.com tcp
CN 14.215.183.79:443 hm.baidu.com tcp
CN 14.215.183.79:443 hm.baidu.com tcp
CN 14.215.183.79:443 hm.baidu.com tcp
US 8.8.8.8:53 xiazai.9377.com udp
GB 163.171.146.42:80 xiazai.9377.com tcp
CN 14.215.183.79:443 hm.baidu.com tcp
CN 14.215.183.79:443 hm.baidu.com tcp
US 8.8.8.8:53 dl.p2sp.baidu.com udp
US 8.8.8.8:53 g.quwen320.com udp
CN 14.215.183.79:443 hm.baidu.com tcp
CN 14.215.183.79:443 hm.baidu.com tcp
US 8.8.8.8:53 www.9377.com udp
US 163.181.154.241:80 www.9377.com tcp
CN 14.215.183.79:443 hm.baidu.com tcp
CN 111.170.27.1:443 ziyuan-css.cdn.bcebos.com tcp
CN 111.170.27.1:443 ziyuan-css.cdn.bcebos.com tcp
CN 111.170.27.1:443 ziyuan-css.cdn.bcebos.com tcp
CN 111.170.27.1:443 ziyuan-css.cdn.bcebos.com tcp
CN 111.170.27.1:443 ziyuan-css.cdn.bcebos.com tcp
CN 111.170.27.1:443 ziyuan-css.cdn.bcebos.com tcp
CN 111.170.27.1:443 ziyuan-css.cdn.bcebos.com tcp
CN 111.170.27.1:443 ziyuan-css.cdn.bcebos.com tcp
CN 111.170.27.1:443 ziyuan-css.cdn.bcebos.com tcp
CN 111.170.27.1:443 ziyuan-css.cdn.bcebos.com tcp
CN 111.170.27.1:443 ziyuan-css.cdn.bcebos.com tcp
CN 111.170.27.1:443 ziyuan-css.cdn.bcebos.com tcp
US 8.8.8.8:53 wdl1.cache.wps.cn udp
CN 36.99.183.84:80 wdl1.cache.wps.cn tcp
US 8.8.8.8:53 client.9377.com udp
CN 47.113.43.102:80 client.9377.com tcp
CN 111.45.3.198:443 hm.baidu.com tcp
CN 111.45.3.198:443 hm.baidu.com tcp
CN 111.45.3.198:443 hm.baidu.com tcp
CN 111.45.3.198:443 hm.baidu.com tcp
CN 111.45.3.198:443 hm.baidu.com tcp
CN 111.45.3.198:443 hm.baidu.com tcp
CN 111.45.3.198:443 hm.baidu.com tcp
CN 111.45.3.198:443 hm.baidu.com tcp
CN 111.45.3.198:443 hm.baidu.com tcp
CN 111.45.3.198:443 hm.baidu.com tcp
CN 111.45.3.198:443 hm.baidu.com tcp
CN 113.219.142.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 113.219.142.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 113.219.142.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 113.219.142.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 113.219.142.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 113.219.142.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 113.219.142.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 113.219.142.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 113.219.142.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 113.219.142.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 113.219.142.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 113.219.142.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 36.99.183.88:80 wdl1.cache.wps.cn tcp
CN 8.129.26.245:80 client.9377.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
CN 111.45.11.83:443 hm.baidu.com tcp
CN 111.45.11.83:443 hm.baidu.com tcp
CN 111.45.11.83:443 hm.baidu.com tcp
CN 111.45.11.83:443 hm.baidu.com tcp
CN 111.45.11.83:443 hm.baidu.com tcp
CN 111.45.11.83:443 hm.baidu.com tcp
CN 111.45.11.83:443 hm.baidu.com tcp
CN 111.45.11.83:443 hm.baidu.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
CN 111.45.11.83:443 hm.baidu.com tcp
CN 111.45.11.83:443 hm.baidu.com tcp
CN 111.45.11.83:443 hm.baidu.com tcp
CN 60.188.66.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 60.188.66.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 60.188.66.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 60.188.66.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 60.188.66.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 60.188.66.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 60.188.66.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 60.188.66.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 60.188.66.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 60.188.66.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 60.188.66.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 60.188.66.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 36.99.183.86:80 wdl1.cache.wps.cn tcp
CN 47.113.43.102:80 client.9377.com tcp
CN 183.240.98.228:443 hm.baidu.com tcp
CN 183.240.98.228:443 hm.baidu.com tcp
CN 183.240.98.228:443 hm.baidu.com tcp
CN 183.240.98.228:443 hm.baidu.com tcp
CN 183.240.98.228:443 hm.baidu.com tcp
CN 183.240.98.228:443 hm.baidu.com tcp
CN 183.240.98.228:443 hm.baidu.com tcp
CN 183.240.98.228:443 hm.baidu.com tcp
CN 183.240.98.228:443 hm.baidu.com tcp
CN 183.240.98.228:443 hm.baidu.com tcp
CN 183.240.98.228:443 hm.baidu.com tcp
CN 125.74.1.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 125.74.1.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 125.74.1.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 125.74.1.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 125.74.1.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 125.74.1.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 125.74.1.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 125.74.1.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 125.74.1.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 125.74.1.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 125.74.1.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 125.74.1.35:443 ziyuan-css.cdn.bcebos.com tcp
US 8.8.8.8:53 d.qq66699.com udp
GB 174.35.118.63:80 d.qq66699.com tcp
CN 8.129.26.245:80 client.9377.com tcp
US 8.8.8.8:53 down2.uc.cn udp
CN 120.241.3.133:80 down2.uc.cn tcp
US 8.8.8.8:53 a.clickdata.37wan.com udp
CN 106.55.79.146:80 a.clickdata.37wan.com tcp
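The table above prints one row per resolver query or connection, so the installer's own download hosts (xiazai.9377.com, client.9377.com, d.qq66699.com, down2.uc.cn) sit among dozens of repeated CDN and hm.baidu.com analytics hits. The Python below is an added example, not part of this report or of the sandbox's tooling, that folds rows in this 'Country Destination Domain Proto' layout into per-domain counts, separates DNS lookups from actual connections, and lists the hosts reached over cleartext HTTP; the embedded rows are an excerpt of the table above. Treating port 80 as the cleartext marker and keying unresolved flows by IP (the sandbox omits the Domain column when it has no name for a connection) are the example's own choices.

```python
from dataclasses import dataclass, field

# Excerpt of the network table above, embedded as constructed sample input.
SAMPLE_ROWS = """\
US 8.8.8.8:53 xiazai.9377.com udp
GB 163.171.146.42:80 xiazai.9377.com tcp
CN 14.215.183.79:443 hm.baidu.com tcp
CN 14.215.183.79:443 hm.baidu.com tcp
US 8.8.8.8:53 g.quwen320.com udp
US 8.8.8.8:53 client.9377.com udp
CN 47.113.43.102:80 client.9377.com tcp
CN 8.129.26.245:80 client.9377.com tcp
US 8.8.8.8:53 d.qq66699.com udp
GB 174.35.118.63:80 d.qq66699.com tcp
CN 120.241.3.133:80 down2.uc.cn tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
NL 52.142.223.178:80 tcp
"""


@dataclass
class DomainSummary:
    name: str
    dns_lookups: int = 0
    connects: int = 0
    plaintext_connects: int = 0                   # TCP to port 80
    endpoints: set = field(default_factory=set)   # "ip:port" actually contacted
    countries: set = field(default_factory=set)


def parse_row(line):
    """Split one 'Country Destination [Domain] Proto' row.

    The sandbox leaves the Domain column out when it has no resolved name
    for a connection, so rows come in four-field and three-field forms."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = ""
    else:
        raise ValueError(f"unexpected network row: {line!r}")
    ip, _, port = dest.rpartition(":")
    return country, ip, int(port), domain, proto


def summarize(table_text):
    """Fold rows into one DomainSummary per name; connections the sandbox
    could not tie to a name are keyed by IP so they are not lost."""
    summaries = {}
    for line in table_text.splitlines():
        if not line.strip():
            continue
        country, ip, port, domain, proto = parse_row(line)
        key = domain or ip
        s = summaries.setdefault(key, DomainSummary(key))
        if proto == "udp" and port == 53:
            s.dns_lookups += 1      # a resolver query about `domain`, not traffic to it
            continue
        s.connects += 1
        s.endpoints.add(f"{ip}:{port}")
        s.countries.add(country)
        if port == 80:
            s.plaintext_connects += 1
    return summaries


def plaintext_hosts(summaries):
    """Names reached over cleartext HTTP: for a downloader these are the hosts
    whose payloads are visible, and replaceable, on the wire."""
    return sorted(k for k, s in summaries.items() if s.plaintext_connects)


def resolved_but_never_contacted(summaries):
    """Lookups with no follow-up connection inside the capture window."""
    return sorted(k for k, s in summaries.items()
                  if s.dns_lookups and not s.connects)


if __name__ == "__main__":
    summaries = summarize(SAMPLE_ROWS)
    for name, s in sorted(summaries.items()):
        print(f"{name:24} dns={s.dns_lookups} tcp={s.connects} "
              f"http={s.plaintext_connects} via={sorted(s.endpoints)}")
    print("cleartext:", plaintext_hosts(summaries))
    print("lookup only:", resolved_but_never_contacted(summaries))
```

Run against the full table rather than the excerpt, the "lookup only" list is the one to read with care: a name resolved but never contacted can mean the connection happened outside the capture window, not that it was never made.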

Files

\Users\Admin\AppData\Local\Temp\nsd6B80.tmp\System.dll

MD5 00a0194c20ee912257df53bfe258ee4a
SHA1 d7b4e319bc5119024690dc8230b9cc919b1b86b2
SHA256 dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
SHA512 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

\Users\Admin\AppData\Local\Temp\nsd6B80.tmp\Inetc.dll

MD5 50fdadda3e993688401f6f1108fabdb4
SHA1 04a9ae55d0fb726be49809582cea41d75bf22a9a
SHA256 6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6
SHA512 e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

C:\Users\Admin\AppData\Local\Temp\nsd6B80.tmp\f1.ico

MD5 5858df8bc0d6ed1d6e0320cacc2e3e08
SHA1 01b4c25cb1cb049dc45c0cc4e12b772bda52c48d
SHA256 91d0c4f8d8e49b84673ef2c8c9c05cc14b4fbfcdb17489612aad4e382a4eebaf
SHA512 cd708ae1b464c6de21e4819601055bf7fc6c16dca14180f4ea8f3f97097aceb7e6f2e0264da4415ccbe7b03fe468991c894a7a41cb690e5941ba9f9ee3e69d47

\Users\Admin\AppData\Local\Temp\nsd6B80.tmp\nsProcess.dll

MD5 05450face243b3a7472407b999b03a72
SHA1 ffd88af2e338ae606c444390f7eaaf5f4aef2cd9
SHA256 95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89
SHA512 f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

\Users\Admin\AppData\Local\Temp\nsd6B80.tmp\Base64.dll

MD5 f0e3845fefd227d7f1101850410ec849
SHA1 3067203fafd4237be0c186ddab7029dfcbdfb53e
SHA256 7c688940e73022bf526f07cc922a631a1b1db78a19439af6bafbff2a3b46d554
SHA512 584ae5a0d1c1639ba4e2187d0c8a0ac7e54c0be0a266029c4689d81c0c64a7f80e7d918da0df5c6344f9f7a114f30d8f2feda253b29e813bae086604731a3d8a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

MD5 d4ae187b4574036c2d76b6df8a8c1a30
SHA1 b06f409fa14bab33cbaf4a37811b8740b624d9e5
SHA256 a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7
SHA512 1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

C:\Users\Admin\AppData\Local\Temp\Cab25D9.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar260E.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a896c7cddcfc367ded7e487a2623a9eb
SHA1 3a09bca177948c7fb6d8564c040e84fa1416d293
SHA256 df05d6f925def3563a4df71c24532dd9306ae313d52ae95fc57cc45f833484ee
SHA512 1ec8696e9203b264d3c5f32660377b97b277a91262348cbc9c108dc3b30a6a3ddd12db7644996383c82e200009f37b6c32631a28fa733e8e96bea2f8ccdeb6ea

C:\Users\Admin\AppData\Local\Temp\Tar27B6.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bb8d625a94455fb1e46f9fb557facd76
SHA1 3a31115564aac73836c3fa59fff295300afba284
SHA256 5ab36b15e7d6b8a733f00eceae3616c86831cf6be85e1afc199be1fbdae7cace
SHA512 6110efbf5476d101e74de8dc23c88f1467248339a409bb6b7b9cc195cfcf31628986d96c89f5960042f5919a26df1746d407740859cf4623810cd3937a739b28

C:\Users\Admin\AppData\Local\Temp\Cab2790.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 63cc28f5083760af520f272be96716d4
SHA1 d8931d14ae4ef796a987089d2542f32680664376
SHA256 5c3caf04a1400a4231bfeb70bb2e114855daa46fd5a4656f18dd0b6edcfa124c
SHA512 3c5540be43fe58d25fe27dbf8c0eb28be70ffe7f282326cf01bc947e755fbf54b32af0afb5ff2fbfd5ed098fd1ced6ccb22317f373665ca7cf19cc69e2c7dd9b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A

MD5 3213e3234795a83ee9959a1a49b8ebb9
SHA1 651cdee5db7069fa637458c5785a2b9ec7c747e6
SHA256 057b364d554d91e78f2e55fda2a6dcb4ab83391f6d33f147ee522e6c4e96e3a4
SHA512 90c9170cb713e3d997644c13b4079f49f982615f3c0b90080709640d5d5b2a82efdd38f69177e84d4fe9c4b71374f44e4407166b79a60cb8c849f90f835fe4e6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d10f3a7748b5ddc1d988aa5a5b918942
SHA1 3f78c60166a0ef15b541d266a3bbbf06dd49a06a
SHA256 a8d7bc8b11de33e99c9deb6c1b45be0be4a4f7127420fded458ade9f4fd2bda2
SHA512 365b297832e8a968309cbb405f8ce3c10b4d92b1a83f68c54c52adeafc564837eae2a75e4832087c959689601d80e2cbc5e5dc014f4daec940f20f3322f4d93a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61

MD5 5afb119744f226fae62112870d835ee8
SHA1 a3a0fa61d5eb3bc2cf98d9153143fa4bd172ab9a
SHA256 de307c0442592b4b2051cd511f1b1b1256c6f951bc2568c49ddc76275e87b0af
SHA512 dfd6fe208a3dd71bfb8eff191f586d03c892fc7532423aec94b3deed5ea85a8dcb978c2280d7695c58c06eba4a4f0d63fd2bdc741a98edfc59f27161244138ea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61

MD5 5ae8478af8dd6eec7ad4edf162dd3df1
SHA1 55670b9fd39da59a9d7d0bb0aecb52324cbacc5a
SHA256 fe42ac92eae3b2850370b73c3691ccf394c23ab6133de39f1697a6ebac4bedca
SHA512 a5ed33ecec5eecf5437c14eba7c65c84b6f8b08a42df7f18c8123ee37f6743b0cf8116f4359efa82338b244b28938a6e0c8895fcd7f7563bf5777b7d8ee86296

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0da2787f1c2a6aba0fec0bf4cfe59d48
SHA1 fc480d0fe3cb528ea931596051790252b8ed54f6
SHA256 48c6f7508eaede37c623dfd9c07d04ac9f56efdd0109f59df99b285577ecac05
SHA512 e8acd1ac6543fba28120a48418917d34884a5e3323c5c8d15851cc65de686ff11176cb387c492ae50dd073774a541cd9aa72bdb1daf2244c4da5bb212a6aac94

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4eb6face2ad5901fa6adb7d684aad4cf
SHA1 5f394a8dc3f7bd5cfc598b63eb8c8d1a0adcb0b2
SHA256 d83967eee75bc961fa283ccc31734e8d59f5e6ccbcd6c77816fabe665ddbe899
SHA512 046bfc8e28af9a263adf381269a29c4f3b87d51d95680c9627c278674924d31ea72febd7fed7a4aa4b676ddde5e5418fe0995b2d4186764c31cd7c0031c3da78

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6505d05e85d04947758f0c9ecc0292e2
SHA1 4f6e570b2b5d3f92d73c8b424a4fa5b36afb6c80
SHA256 33764af9551e713803a6b2037580f73851b54018fcbc3f1eecd976f652c326e6
SHA512 436d216f329e52850413b33ce0133e7afc18e13f9327240ce3d41f6ee80cb7ae292286d9cc6d1ae7f366c52264b85fb358766a72bfe9c041d65edb39ed87eb17

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 38cb368977123237dabf026d16f61ce5
SHA1 903b3e83d656e9fc169f0a1a4e730482e2f1ba11
SHA256 0a72afc3facfd0231d351d6b5b3be96d01dd144eb4957143a09d2ca9d4f72b1f
SHA512 4c116f363995283047a6311348e313350444b7b66126d4e353ff37b1c5b25a0990f5e47019cd48c0393a710719d0f5d2b1e15bc3fb9fcd39d197c2a7eeb369a2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 17e6d3781b98ade8b1da95f17f35723b
SHA1 2aa92b7739dde9edfb39540ffff389a51c69c06f
SHA256 8dbf96da8db8ee56415ddb71647c12b2e8bb829605cb97d9364c7a267efcd8a5
SHA512 ae5a056a038ef7b60364072845fb6fb6570d0abd5db408ec6a721d95ac392dea02c3ce7c90bb7b720cb6ef9d0a9b04daf8ced6b7f1d8c2b6c6ad61be2ba1323f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e077f4dc04525bc1a43c30144ecfcebb
SHA1 60358f12b13d0463d19524f8fd38b184e859879b
SHA256 8424883b92e1aebddf78cdde956871d0dca27ce7e19b07da0f5f67f0ca1bba1e
SHA512 fd6fcccf2a7815f2f14b8da5da51921d0f41774ae90b85b0ed183fc0cf09887e900ac816aca73c9133936481979969b889d8a59e3cf8138fcd03574a5a6ee683

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 38160392a3ccc1dc26d11d304b7407d7
SHA1 494baf1ffb63bd006278164fd4a409203d04bde4
SHA256 602d32f9a1edd140dc08a06e26c0146cc219e276a6968161544c910f2301a904
SHA512 5fe1ce3dcbb7a097694c8eb45839b6abcff03b5842659ad37c79270ff180afda42b0e12f1034b777a6e8f25290fa162e359147c87493ff79e2b1b2c13824323e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2ff0b8b7ebb0dd243973231df0bfacd8
SHA1 b9d31490f19e5a9a16372b7201ba0425783c24d0
SHA256 e1fed175edae1401ecc98e1c35f2a4d698163102adb324edb85657573ebe4f33
SHA512 41e14a4ca15f4a8ba9acbe361913d317039da97b097dc9eeb24218fd3980034dbeffdec9b479b976bf4cc562864e778e67b0cb30585acb0642c2cd0bc516743c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 00f6fb35c1a974a513e4f10b415f0c27
SHA1 22bb487dc56e47b0fc7e8a1d656a9e13e0297a69
SHA256 1719d2913e8d0a169cf45efdf6e5e26281503e14c363541ca5a6face7c981ca1
SHA512 9eb5bd3bfea7702361e2411f8ce5ed22120a4d45e43ace102ac783556064b7a66ecd1e15b85861e41617c06229115e3469b0ab2098bf7fd6773442bcb7a9a8c5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 faafa46a21de2436ac36c22d7876cc89
SHA1 361b7e5d00522c197f4dbe03af33cc97f9da9f78
SHA256 5bf2426cd65135a4441933dade06d2c857297389bab75f084f9fc9ca37ce225f
SHA512 5847a16f9098de4125e6f8e15f620307a443ea2ecfd9ccd0f8e13fc7ab3bae3ae409df8bfeff0c3d06adab004eebd63b130b9013a927a40bc44bf5573302c310

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 20d041dadc976be3cb2265c4f4f80421
SHA1 7bf9e2d28955a76eeba1421e6b7b0633312cfffa
SHA256 6f71cbb34ead5fc1e69874cd74baff9f5fb9562095db9fbe6a34e5d97c4cfac7
SHA512 2f13042ffc33dc71fde08e17b6a2f8984d6a7b79ac556789e587816d90a7050bb164c47ea9778d9d5d3a383ee5c0b9fd8940dc9492e83ac82927eb0af3077b8b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e3e27abc2927d0cb65539e0e3d8c77de
SHA1 38907b2c9d1b3238dc508a2d3f21e7bcfdf2fc1b
SHA256 04bd3f0b5f772926b4101cf18c03a2eb2b116e1da6a132f943d7b640ae513ba2
SHA512 98a8a9236b97f55024b6faa026f9db746815927e813895449d670c703b53d6939fdd4fcbfe95bfff4d9b559837eda5c87a12284afed626817c92705b113086c4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 85553fbbdedc9e2a2fb9ffe53bb21471
SHA1 86a2fbd47d13ceb2f80101209e77313ee6034280
SHA256 ba9619b21ee943861ddb354ddaf21e7c7fe30a1523a24ff46fba27a9d1db61a2
SHA512 e5e9707314e249a2eebaeb6b1ced131717285ffcda5e1d60df09e84cde51c517e7e48a33c1b820cbc817cca03561908d681d948fa6d51b3a5d10348bcfb235fa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 48f6ab2c487b2272a33be79fe4405648
SHA1 2957f40be4cc0c066d16935a2d48e1fe45b1557f
SHA256 e35702e68b8343ce63a132aa9653248499e922895fd4fd7ec4a5d6c5930d03fc
SHA512 d7f4123ff9002675b8db5bf23ba816b58369a1e12a7a4c0a46734ad5748cc07fccb80219ec9d0551865528b493cd1a1c002fa808c685273be08a8ac54edc8c88

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c6456dd14cfcc64bc00bb9eae2f4c0ce
SHA1 cc57a37f6e1b71977ae2256130239e1598bb8523
SHA256 d605a20b139623e97c25043f71c3c9886bbebb7c2862447a2bcc1578c7cfd2ad
SHA512 5212a3b967db9a171a050bbcbc351e47edecd01b420724df1e44687165043ec430e04401562a5686dd1ba4fff3c8ca737cb872add1f1645dc8cd065876856236

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1e9611e628323d15ff29f553c4782f21
SHA1 a94b5888ce757e1375926d435a71d8e8804f49f0
SHA256 6f229bb82787e4836cc5806a8ad6dd63d4c233d55ca3f5a0c590012c003aa0e1
SHA512 d22962c10d0690d089f150ec9343f67c346fa347ca95a7eac7edfaa7d47f5acdcdc8fc171b488b795ade0ac747aa6714207bc60c4a7aef2c0fa531cdaa654f35

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7e5cc49c1a68bfaef1173a04f843e305
SHA1 4abce5a39e38039407f070da5fca42ecc1a043ea
SHA256 fbee48031807cf16b487e198eb2c3b249b9e335fc08f0f6a7867326b4d8d32bc
SHA512 603ac5e00740387e9b5d542e1c3c72d4358d76caf57c7e08bc8ef861303456e3d62e708eecb4e35edc18897a081cb387cd201167b6925a3b861d20da1588c828

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1b2c8ad0fefdeb954af6ae8e1ea90bc7
SHA1 c61bec7904b706902d66edf1e4ba2c5ed862fdff
SHA256 f7767216109d6e96043937794eca16f61f6cef5248e1a755c015b3fb2824ec53
SHA512 8685cb54ec09f5276e6fde85b3b3ee7f3fdb56c0cc0e27f8639e9d8ba3ae0e9578a7d8cacd0a35dde2371030ac90bc0790005099d66f6c3686dbfd050b4e3a25

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0f7cf0c0551111641e755a1d20f6b379
SHA1 76e035d1e39c96c0cc11f2fcb7d16ee7a87d0684
SHA256 bfda9cf021f59f06787f1f11d39439d4e83d58926dfdb1664b844881ea2987e1
SHA512 842b03506589eaf1a26925cf0cd34f131e265ba7218a9deeb5b93381f95a4668a947896e68e4c6d1c1c4fda49dff0394c814440e699186c98817a5bd4ccb44eb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 43aa8ce00348d030ce4b718acca7996f
SHA1 85ed43c7f10bb077f8275d8d603e81b38e5a0447
SHA256 fe3483272f3f0b41d5a91b7d112cd6dd1468a40238f8f21c9435c61b9e2e796c
SHA512 17ceb5e9c9dff327fae4b29518c47ba45ada5169f197d482f573509545a5130288ccfd1d931ba7a9b2170be7699c1b65dd57f80149eb28a309a072584f042b7f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 adc6382003b3d20f23bd9366b9b1d63a
SHA1 cd54b87e4cbc98643504a1cbcf183e7aff24327d
SHA256 dba224841a7726c95f7f17d0aec423626f311b3d26b0f5c2210adf8360a8a2ac
SHA512 663b86730c3d62d157a058ec395a49ddc1ecb8813f94364410531430939188b8981c6500df226e74939e6898e0587935989f5116ec8e2e2276b2d7f4c7a699b6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ee57434e310884d7510952f99d30d405
SHA1 70e585d416e3e4e7bdfde07783304b56a015f936
SHA256 eda040e521e96df18f9b33ad6af61ea8987e0b9114434b9b218f23cb33dd3f8a
SHA512 06fe3924cbc05de899c49e001d6876cccce0079844d3e6d5e14f0de4b7047b0e835c8716fecffbd7b161dc09c19917345152d8870e3832c22e43f2a53eaf69aa

\Users\Admin\AppData\Local\Temp\nsd6B80.tmp\9377mycs_Y_mgaz2_01.exe

MD5 11a03edd815fdfde672df5e0c9db1ecd
SHA1 3612f55ae04e0f937d797f9c818a507e5b46011d
SHA256 dc0ddb5f676959234ec39c703187a741af91d8e6e17d084dfa256f3770336366
SHA512 6f82ad5153f501ff294371a12c7e82a9c15b3c0012bb2c39b04aa71ee2b2d4548b1e3c3418cd8e9a9d3eea048befabfd7a9ed8cd949eef53d86a3567814f6a12

\Users\Admin\AppData\Local\Temp\nsj8049.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\nsj8049.tmp\ip.dll

MD5 4df6320e8281512932a6e86c98de2c17
SHA1 ae6336192d27874f9cd16cd581f1c091850cf494
SHA256 7744a495ceacf8584d4f6786699e94a09935a94929d4861142726562af53faa4
SHA512 7c468de59614f506a2ce8445ef00267625e5a8e483913cdd18636cea543be0ca241891e75979a55bb67eecc11a7ac0649b48b55a10e9a01362a0250839462d3b

C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\uninstall.exe

MD5 1d4b24538bde98104eda1b5d3cff1fc5
SHA1 2f766c1fbdd8632ec9784d9631a5c74dcaf77f4a
SHA256 68237bdfcda9fdf8747e65df044a8b3668ea5dd26451335e78bf311999cf05e5
SHA512 985e0f01e8c186767b2025e5b0b253ac1aec8bf7145028f7737315998d0ec92ab42c80fd4722ac98873dd2ac1a3bbc3f8b6a4164cfe10865efec7b15c56215f6

\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MYLogger.exe

MD5 e62edf270beee5820e781404b6792cbc
SHA1 b4a31e93ee812786deeab21fc990e1fa72d18f20
SHA256 cc6d069c6e4ce7da54901094753cd9df36dcb095b9ead758e809887c2643a5ba
SHA512 d0a208e4e692114e0ecfce35c9e33ab69296484b632446f04e8cebd3fef52b4e7fed5877f2321e179a1cb6a822161a6d31370a68b19cc5277819cbbc350c159a

C:\Users\Public\Desktop\9377÷ÈÓ°´«Ëµ.lnk

MD5 a42fbbc5698ae72332b1236335f3559e
SHA1 3e6a0173ca57b1c143c2bd8b24905f9c4c410ed2
SHA256 bf668734fa37ff619d26d84efa5facdb6eabb00950f717398dab8b92d503cca6
SHA512 c072e91e17943c03f1a3ea80d73ac3d14b49f80f3e7581b2a53f1ebf4e99af809d08d3b2458dd25cd5d010e5cdd695b36312c6502e526de2999dd92291e30f18

memory/1244-1803-0x0000000002B70000-0x0000000002B71000-memory.dmp

\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MeiYing.dll

MD5 b383bf5a47c46d6a22b1c3d383edc87c
SHA1 abfac8a4beb27df27fe9353ed70a30677f7bcaed
SHA256 aab3e362c47d454e48f265213bab6e582c3b5c6b7167e54d477c68b9d3dc5b8e
SHA512 92618f2db31110bdcb2937a8dc44a81640be8ff589266ade343c9301ee7bf1479995c6b14b6f06e52c2b1e52c4c91f254ca58d664a1cea10e1a1b2d1cf292d29

C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MYLogger.ini

MD5 909846b0545d022a50212ff8d475d7b4
SHA1 3153a875ef9c27a79611e34948d43a2d63cf2967
SHA256 0e686939a4c0c9e08461b49cb75ae4887762e578d83a53398acdc93229165597
SHA512 0059c086c1df6c12806539019406b30943d60e2ec4a95a0bbb472ca1c6ffd01d29e201a62b269601a7690596eab1ff08383879382c410cfef1b448bc52214f04

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c94fb5c238ba7f10dd2f99286e827449
SHA1 b2cf47ebd2d0ce64142ea35ac1fdb93fcd4c27e7
SHA256 d5c80435bfe246879676f5d18cf6afe7c18f345c67f494b263917e45b0cff848
SHA512 6b0231314f6ff07b59c0d5d5b33377b7809062442a753a29618384311ada0d9e9a9dedfb0d235040a681038dbec8860608db8638135159f210ab34eebe2ec7fb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 f50cf0936cd1abd2186f86fd34fbba97
SHA1 2403348c46eac2fd2720e4489ae599d0a28363b1
SHA256 d59de3b5c7b808401bea1255d561487325e931a3dbaa950ccfc73cd8a11cddf8
SHA512 68e36bd4e69d648df230d8f95d251f7cbfe63906eff6a0f37504471e7f4aae6999197624fb3a4d6e0f5c211e3492c9ccbe71695748a672f7771f934376f3a862

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 46af1839495767d29cc1b5a7f7f176cd
SHA1 88f4a714889cf35d0237942e5743f9ad4f67b650
SHA256 027d37c75dcde2156d010bc614e1798787da17d0dadb5ce973a09b33a1929c33
SHA512 f30a871395ec07ac9aa7bbe469b52a6f904bdac1e886a41e62afbe01bf77680bf5e5c510c646261e4d9e51f75f7ee6f7fb4986b69fb81d21fff825463ede7247

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ef1b7b7430ea0c655c65d0d17c5cbcd1
SHA1 e7a4ca69ad91f853ffcc74495f0b881c616b6c5e
SHA256 3a720d121f281761a49ecd54cc3c2e442d7f6e6789d88dc3133ea46be02187f9
SHA512 88ea882b59f5528781e96c655d159258c5565420ca439e281a8ff6e116caf4ff54c7ee106507e5c3911bd8bc910d5f0ae4ddb1c54ec35b32d8a6be5169887600

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7bae8dc890256c9dab472559f9eca652
SHA1 bdf45359a30d1e57b31f820481d97ae080e9ad91
SHA256 2a245f8af6a4dfc8c215c0b86dc4fb048ce468fd458e3c127235df795594cd85
SHA512 7608bc75418da5c6083d0e9836ba78b3dc6e586b82d42ebc30b046504ecdd14de869a1fa0621824e984191b3cbc9f975b29922e841f90bbd2477bf80d4dbd979

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ae8a07681f0e47cc35d78fe756e0d3b3
SHA1 6266ea6e6928827d6592e2ed3dec63a6ed1502ea
SHA256 42e477f9d0e51f7ef09ead07aee6223f4850080611a6364144a5584897ac20b4
SHA512 91e5796ec2fd8fc046efc0a59dcb1e6617fd2595ed75f82ff5adaae0114b94dca2635a9203cf89de016cc682b03838c14490a07db8838bb68bfb6e3c6de6d29f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d5ae6946c25ade39cd2ae4c0d14146b8
SHA1 0e5bf0d70a5ec6adc53c441cd6bfedbbf816eed3
SHA256 8dd7fc2caca8fc17bf70f51b760f4e4897e7cabb15a2e53792feca6167c9a359
SHA512 c41c1dfc0d160bb015a34fbf4a446536d990fd99b905f9b330b44d7176355f507eec45f42c41eccc1be89a40fc29d945618b953db55f86faa257f2d626045915

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 65a894b35e1fda89364f5f483d858938
SHA1 41de2166fde763d300044a39bb88a42b85b78f18
SHA256 8b12dbcc134ade61413a6a11b9ef92d2cd4a3e8686997362e18a53749a816b52
SHA512 447e44978be144d028c1530cddf8a4d2f164c77d905c459cb422e692582dd375a16044f4d6478c1c964958b4aa7376ba5f2dc7b6e8fce3ab87810a20a00ad353

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 96bf58a6f9e8447a49b13f1e199b33de
SHA1 481fb3985ad55b07af94b647fac90a5c63be2b91
SHA256 419cfe002cff7197844bca8d3db22383d68022b5ae4b9c135fb0272786b43342
SHA512 1f6bda2ab033130d399b42e4c25c72c24d1b0e9b41624ad77b4a8b4b01d649949543b8aeaa45a71248702a0f0c8abe7324af781ab984cc1da3bed28d07f9ee1d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ea59b79ed93e227b3be69256a12f2768
SHA1 afcde1ec0b358db32684c26b337ae838c674b9fb
SHA256 348f460c6ddf333892b6f2df2b2be3b869aba5ddfffdc6ce977a3bbf41a3f59c
SHA512 2761c54fd0c08ea087643cc128f85e066f584603b795fa1ddbd6229c8e9366fceb7a4a32c9fd5291bea9ff2165541a64531c3957dafe5576276bef3f389c141f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3c3f9a74f7b0ce1b42eaf1f1afdf0929
SHA1 410bbb5dc25a8fe7ccbf5c87a306f452821790d3
SHA256 08e6c30f0efed795e376daafe28403c681b1c8da426fa56662e2be5f4c0e39a0
SHA512 ce2176b2c7841a5f60aa1630b2333d8cbcc4970ae6614ddae1d513588d1747dd5a326ec297ae2c5438e1350c5756c7a28bd19c0acbe93664d0fa3ef908f495b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3bfdfe4a2129d85d973a2dcdf8829b85
SHA1 558cea3e5ae2e04536c5cc34ed0a1d1d51228471
SHA256 0035350adc64f81d3ed2d8a17540219457de6f9bd7a19784e787d1cdaeca33a2
SHA512 7b0e06ace25f85a209e14bc11887cbd5b3b31be42751eef6ecb7a02bfaa24c2fe872b3ee434e47f929ea23f35339ab41726519fb9f8444d1a587ef5d8ef8c018

\Users\Admin\AppData\Local\Temp\nsd6B80.tmp\yx_dts.exe

MD5 d3f054de4c81b4d02c5dba5ab7c97b76
SHA1 6e8f39ddc425a7badc66e2e03e813a68e75ca772
SHA256 439641179cf715d946321bfb60d8fa0fbabf7a166c8aac941815571401edb489
SHA512 f0da7eb8b3b4622897b15c230d7f4b60f0d87ae19e0b32ead3f80f7c497cf6629cac9d047a9efae2e330e65e9d60dbe1997602674eb91759c7b29a544286a406

\Users\Admin\AppData\Local\Temp\nsz8799.tmp\FindProcDLL.dll

MD5 8614c450637267afacad1645e23ba24a
SHA1 e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2
SHA256 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758
SHA512 af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

memory/2564-2385-0x00000000004E0000-0x00000000004E3000-memory.dmp

\Users\Admin\AppData\Roaming\dts\mydts\dts.exe

MD5 b5d09fd991b640cd198f9c32ca01e25e
SHA1 1a312c68d92c13dff436f951af1a1ad56c0fbfcc
SHA256 4cca4410d6559adc5b6f81ee2641132220fbc0fb75bf4ead6722ee8a9b2d9bb6
SHA512 ba0793bed656c3fdc9aa075eb26dbb52c9bfcdf012231bb5c1bb80ad6857825065ba433cbb0d34fc2dd3f0972bed37e59e74f3eeda60d659561c57a0069831e7

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\´óÌìÊ¹Ö®½£.lnk

MD5 8c3f9fbd0dd444ebaedc1ebfe7ad0eda
SHA1 04007a87aecd334cde1c9c60a031ad7a1f201933
SHA256 e408e13f9206588a52d55ed7cb4cc65cecf6f628e1f3405053311b5295ed4bf0
SHA512 456956dba15dc2edb7ad50a1d7873754f0cd2fe01d26c50c8189417ce1576a3837b1f40b39b57411bb5986e8536e86fa53b93cfc0b750817a095ae298151268d

C:\Users\Admin\AppData\Roaming\dts\mydts\Lander.ini

MD5 c099269a0b569024a13ea5944f8c6d49
SHA1 f06abf2efd5e4b506d4f028683a10bc59e03fa15
SHA256 cc12d6aea0a462719635c2fa315e4fb0bbca96b78a4de5bdadb96b1f4bc90988
SHA512 65e14632a75bd4e29c3e868bda8ee0c1cf7ef5ddadc7f5f21e566a3c2e8cafc3f095e2c88acf0aea72bbab0e07ae023a0cf94b23f7a980251b9de944a5798f98

C:\Users\Admin\AppData\Roaming\dts\mydts\lander.ini

MD5 b4de6510f8f6c5d7ae09ac3e215b86a1
SHA1 6dcefac6e834e57b4def7cdba8cb2db9810280ba
SHA256 4b3deaca51357159264728c30d2c1514f492eca266f1ac139824b9428750c9d0
SHA512 dadef8bc4d60550c35b3889f80b6d7b60466bbb2db4e0016cc6b81824edd2bc23743b1c8a47222248d8d679babb9264da89691b84790fdf150bd83d7742a4052
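Most entries above are the same CryptnetUrlCache\MetaData path rewritten with a new digest each time, which is CryptoAPI refreshing its certificate and CRL cache during the installer's TLS sessions, not installer output; the Cab*.tmp and Tar*.tmp files in Temp come from the same certificate machinery. What the installer actually wrote is the NSIS plugin set in the ns*.tmp scratch directory ($PLUGINSDIR), the payloads dropped beside it, the Program Files directory with its uninstaller and MYLogger.exe, the dts.exe copy under Roaming, and the shortcuts. The Python below is an added example, not the report's or the sandbox vendor's code, that parses this 'path followed by digest lines' layout, buckets each path by origin, and emits a deduplicated SHA256 hunt list with the Windows-generated noise removed. The category names and the path patterns are the example's own.

```python
import re
from dataclasses import dataclass, field

# Excerpt of the Files section above, embedded as constructed sample input; paths and
# digests are copied as printed, with SHA1/SHA512 lines kept only for the first entry.
SAMPLE_FILES = r"""
\Users\Admin\AppData\Local\Temp\nsd6B80.tmp\System.dll
MD5 00a0194c20ee912257df53bfe258ee4a
SHA1 d7b4e319bc5119024690dc8230b9cc919b1b86b2
SHA256 dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
SHA512 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5 a896c7cddcfc367ded7e487a2623a9eb
SHA256 df05d6f925def3563a4df71c24532dd9306ae313d52ae95fc57cc45f833484ee
C:\Users\Admin\AppData\Local\Temp\Cab25D9.tmp
MD5 ac05d27423a85adc1622c714f2cb6184
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
\Users\Admin\AppData\Local\Temp\nsd6B80.tmp\9377mycs_Y_mgaz2_01.exe
MD5 11a03edd815fdfde672df5e0c9db1ecd
SHA256 dc0ddb5f676959234ec39c703187a741af91d8e6e17d084dfa256f3770336366
memory/1244-1803-0x0000000002B70000-0x0000000002B71000-memory.dmp
\Users\Admin\AppData\Roaming\dts\mydts\dts.exe
MD5 b5d09fd991b640cd198f9c32ca01e25e
SHA256 4cca4410d6559adc5b6f81ee2641132220fbc0fb75bf4ead6722ee8a9b2d9bb6
C:\Users\Public\Desktop\9377÷ÈÓ°´«Ëµ.lnk
MD5 a42fbbc5698ae72332b1236335f3559e
SHA256 bf668734fa37ff619d26d84efa5facdb6eabb00950f717398dab8b92d503cca6
"""

HASH_ALGOS = {"MD5", "SHA1", "SHA256", "SHA512"}
NOISE = {"capi-cache", "memory-dump"}   # produced by Windows, not written by the installer


@dataclass
class FileRecord:
    path: str
    category: str
    hashes: dict = field(default_factory=dict)


def classify(path):
    """Bucket a path by who wrote it. CryptnetUrlCache entries and Cab/Tar temp files
    are CryptoAPI's certificate/CRL retrieval cache, refreshed whenever a signed binary
    or TLS peer is checked; they hold no installer content and are not droppings."""
    p = path.lower().replace("/", "\\")
    if p.startswith("memory\\"):
        return "memory-dump"
    if "\\cryptneturlcache\\" in p or re.search(r"\\temp\\(cab|tar)[0-9a-f]{4}\.tmp$", p):
        return "capi-cache"
    if re.search(r"\\temp\\ns[a-z][0-9a-f]{4}\.tmp\\", p) or "$pluginsdir" in p:
        return "nsis-plugin" if p.endswith(".dll") else "dropped-payload"
    if p.endswith(".lnk"):
        return "shortcut"
    if "\\program files" in p or "\\appdata\\roaming\\" in p:
        return "installed"
    return "other"


def parse_files(text):
    """A hash line attaches to the preceding path; any other non-blank line opens a
    new record (memory dumps carry no digests)."""
    records, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        algo, _, digest = line.partition(" ")
        if algo in HASH_ALGOS and current is not None and re.fullmatch(r"[0-9a-f]+", digest):
            current.hashes[algo] = digest
        else:
            current = FileRecord(line, classify(line))
            records.append(current)
    return records


def hunt_list(records):
    """(sha256, path) pairs worth sweeping other hosts for: what the installer wrote,
    minus Windows' own cache side effects, one entry per digest."""
    seen, out = set(), []
    for r in records:
        digest = r.hashes.get("SHA256")
        if r.category in NOISE or not digest or digest in seen:
            continue
        seen.add(digest)
        out.append((digest, r.path))
    return out


def count_by_category(records):
    counts = {}
    for r in records:
        counts[r.category] = counts.get(r.category, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_files(SAMPLE_FILES)
    print(count_by_category(recs))
    for digest, path in hunt_list(recs):
        print(digest, path)
```

The installer directory name is kept in its mis-encoded form on purpose: on the sandbox's English Windows the GBK bytes of the game title were interpreted as cp1252, so that is the literal folder name a host search has to match.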

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-07 09:20

Reported

2024-05-07 09:23

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1512 wrote to memory of 2420 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1512 wrote to memory of 2420 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1512 wrote to memory of 2420 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2420 -ip 2420

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 604

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
GB 23.73.138.35:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
GB 23.73.138.35:443 www.bing.com tcp
US 8.8.8.8:53 35.138.73.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-07 09:20

Reported

2024-05-07 09:23

Platform

win7-20240221-en

Max time kernel

122s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExecCmd.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExecCmd.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExecCmd.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 224

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-07 09:20

Reported

2024-05-07 09:23

Platform

win10v2004-20240419-en

Max time kernel

133s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Inetc.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2868 wrote to memory of 4468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2868 wrote to memory of 4468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2868 wrote to memory of 4468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4468 -ip 4468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 624

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
GB 23.73.138.73:443 www.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 73.138.73.23.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-07 09:20

Reported

2024-05-07 09:23

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4356 wrote to memory of 4516 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4356 wrote to memory of 4516 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4356 wrote to memory of 4516 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4516 -ip 4516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 620

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
GB 23.73.138.11:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 11.138.73.23.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-07 09:20

Reported

2024-05-07 09:23

Platform

win10v2004-20240419-en

Max time kernel

136s

Max time network

105s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\XPLODE.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2516 wrote to memory of 1020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2516 wrote to memory of 1020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2516 wrote to memory of 1020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\XPLODE.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\XPLODE.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
GB 23.73.138.73:443 www.bing.com tcp
US 8.8.8.8:53 73.138.73.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-07 09:20

Reported

2024-05-07 09:23

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\XPLODEEXECUTE.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\XPLODEEXECUTE.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\XPLODEEXECUTE.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 224

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-07 09:20

Reported

2024-05-07 09:23

Platform

win7-20240221-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 224

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-07 09:20

Reported

2024-05-07 09:23

Platform

win7-20240221-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 224

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-07 09:20

Reported

2024-05-07 09:23

Platform

win10v2004-20240419-en

Max time kernel

135s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1484 wrote to memory of 1164 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1484 wrote to memory of 1164 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1484 wrote to memory of 1164 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1164 -ip 1164

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
GB 23.73.138.73:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
GB 23.73.138.73:443 www.bing.com tcp
US 8.8.8.8:53 73.138.73.23.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-07 09:20

Reported

2024-05-07 09:23

Platform

win10v2004-20240419-en

Max time kernel

130s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\CLEAN.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\CLEAN.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\CLEAN.exe

"C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\CLEAN.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
GB 23.73.138.122:443 www.bing.com tcp
US 8.8.8.8:53 122.138.73.23.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsl3C11.tmp\ioSpecial.ini

MD5 5ecd361b544fe018cf3ecfbb3c593e77
SHA1 23a54f2630b9242f5d2428b2f9e48997b8fbe338
SHA256 8dc1b255df408d0fe528ffd8eb0777c556f7a74f0d0e82be7253002869ba9a69
SHA512 9e4b6d7ff7228066e4205e46fb166a06a5c8fec4562becae857d41a3d7e35d5d517dd723200ae768f1734208121a3a55dd237c6e7e176835420d623f531ea232

C:\Users\Admin\AppData\Local\Temp\nsl3C11.tmp\InstallOptions.dll

MD5 1d5c649dde35003a618b9679d5d71b92
SHA1 0409bbab3ab34f8c01289cdd847b4d1a32d05b18
SHA256 0f4d3cee24e3f310fa804983c931d3628613988a24f0be7854f63a9309b8e45f
SHA512 b432ebcc52905662d61a3f17e08e209a3f9d836a9071b3b5e80070af7ebcf34cf66c44426dda041c2a258fda4787e5692e2b35acbcd73288fb84fe3c977bbfd9

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-07 09:20

Reported

2024-05-07 09:23

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\XPLODE.exe"

Signatures

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\scrnsave.scr C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\CLEAN.EXE N/A
File opened for modification C:\Windows\SysWOW64\ssText3d.scr C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\CLEAN.EXE N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\XPLODE.exe

"C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\XPLODE.exe"

C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\CLEAN.EXE

"C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\CLEAN.EXE" /S

Network

N/A

Files

memory/1984-0-0x00000000003E0000-0x00000000003F4000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-07 09:20

Reported

2024-05-07 09:23

Platform

win7-20231129-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\XPLODE.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3028 wrote to memory of 2740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3028 wrote to memory of 2740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3028 wrote to memory of 2740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3028 wrote to memory of 2740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3028 wrote to memory of 2740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3028 wrote to memory of 2740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3028 wrote to memory of 2740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\XPLODE.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\XPLODE.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-07 09:20

Reported

2024-05-07 09:23

Platform

win7-20240419-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 228

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-07 09:20

Reported

2024-05-07 09:23

Platform

win10v2004-20240419-en

Max time kernel

140s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExecCmd.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1716 wrote to memory of 4676 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1716 wrote to memory of 4676 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1716 wrote to memory of 4676 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExecCmd.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExecCmd.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4676 -ip 4676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
GB 23.73.138.11:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 11.138.73.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-07 09:20

Reported

2024-05-07 09:23

Platform

win10v2004-20240419-en

Max time kernel

137s

Max time network

105s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3736 wrote to memory of 992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3736 wrote to memory of 992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3736 wrote to memory of 992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 992 -ip 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 0.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
GB 23.73.138.73:443 www.bing.com tcp
US 8.8.8.8:53 73.138.73.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-07 09:20

Reported

2024-05-07 09:23

Platform

win7-20240419-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 244

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-07 09:20

Reported

2024-05-07 09:23

Platform

win10v2004-20240426-en

Max time kernel

129s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\XPLODE.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\XPLODE.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\scrnsave.scr C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\CLEAN.EXE N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\XPLODE.exe

"C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\XPLODE.exe"

C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\CLEAN.EXE

"C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\CLEAN.EXE" /S

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/4412-0-0x0000000000770000-0x0000000000784000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-07 09:20

Reported

2024-05-07 09:23

Platform

win10v2004-20240419-en

Max time kernel

135s

Max time network

104s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\XPLODEEXECUTE.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3408 wrote to memory of 4836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3408 wrote to memory of 4836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3408 wrote to memory of 4836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\XPLODEEXECUTE.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\XPLODEEXECUTE.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4836 -ip 4836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
GB 23.73.138.89:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 89.138.73.23.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-07 09:20

Reported

2024-05-07 09:23

Platform

win10v2004-20240419-en

Max time kernel

142s

Max time network

149s

Command Line

C:\Windows\Explorer.EXE

Signatures

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\9377mycs_Y_mgaz2_01.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MYLogger.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\yx_dts.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\9377mycs_Y_mgaz2_01.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\9377mycs_Y_mgaz2_01.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\9377mycs_Y_mgaz2_01.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\9377mycs_Y_mgaz2_01.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\9377mycs_Y_mgaz2_01.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\9377mycs_Y_mgaz2_01.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\9377mycs_Y_mgaz2_01.exe N/A
N/A N/A C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MYLogger.exe N/A
N/A N/A C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MYLogger.exe N/A
N/A N/A C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MYLogger.exe N/A
N/A N/A C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MYLogger.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\yx_dts.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\yx_dts.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\yx_dts.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\replay.htm C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\9377mycs_Y_mgaz2_01.exe N/A
File created C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\9377÷ÈÓ°´«Ëµ.lnk C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\9377mycs_Y_mgaz2_01.exe N/A
File created C:\Program Files (x86)\0101\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
File opened for modification C:\Program Files (x86)\0101\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
File opened for modification C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MYLogger.ini C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\9377mycs_Y_mgaz2_01.exe N/A
File created C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MYLogger.exe C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\9377mycs_Y_mgaz2_01.exe N/A
File created C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MeiYing.dll C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\9377mycs_Y_mgaz2_01.exe N/A
File created C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\uninstall.exe C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\9377mycs_Y_mgaz2_01.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\yx_dts.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\yx_dts.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4200 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4200 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 3484 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 3484 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 4436 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 4436 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 3524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 3524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 3524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 3524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 3524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 3524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 3524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 3524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 3524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 3524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 3524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 3524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 3524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 3524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 3524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 3524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 3524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1844 wrote to memory of 3524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe

"C:\Users\Admin\AppData\Local\Temp\209abf5674723414fea9b155223cbc40_NEAS.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://f.handanxinyuan.com/MjA5YWJmNTY3NDcyMzQxNGZlYTliMTU1MjIzY2JjNDBfTkVBUy5leGU=/40.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8822a46f8,0x7ff8822a4708,0x7ff8822a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,16361673736401105839,1900626655724477544,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,16361673736401105839,1900626655724477544,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,16361673736401105839,1900626655724477544,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,16361673736401105839,1900626655724477544,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,16361673736401105839,1900626655724477544,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,16361673736401105839,1900626655724477544,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\9377mycs_Y_mgaz2_01.exe

9377mycs_Y_mgaz2_01.exe

C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MYLogger.exe

"C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MYLogger.exe" "C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MeiYing.dll"

C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MYLogger.exe

"C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MYLogger.exe" "C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MeiYing.dll" 2

C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MYLogger.exe

"C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MYLogger.exe" "C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MeiYing.dll" 1

C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MYLogger.exe

"C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MYLogger.exe" "C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MeiYing.dll" "1"

C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\yx_dts.exe

yx_dts.exe

C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe

"C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe" SW_SHOWNORMAL

C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe

"C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe" /ShowDeskTop

C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe

"C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe" /setupsucc

Network

Country Destination Domain Proto
US 8.8.8.8:53 int.dpool.sina.com.cn udp
N/A 10.79.217.129:80 int.dpool.sina.com.cn tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
GB 23.73.138.73:443 www.bing.com tcp
US 8.8.8.8:53 73.138.73.23.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 xn--sesz3ik91bknc.xn--fiqs8s udp
CN 218.241.105.10:27 xn--sesz3ik91bknc.xn--fiqs8s tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 show.man1234.com udp
US 8.8.8.8:53 download.re58.cn udp
US 8.8.8.8:53 down.yinyue.fm udp
US 8.8.8.8:53 shadu.baidu.com udp
US 8.8.8.8:53 f.handanxinyuan.com udp
CN 153.37.235.114:80 shadu.baidu.com tcp
US 103.35.185.237:80 f.handanxinyuan.com tcp
US 103.35.185.237:80 f.handanxinyuan.com tcp
US 103.35.185.237:80 f.handanxinyuan.com tcp
US 103.35.185.237:80 f.handanxinyuan.com tcp
US 8.8.8.8:53 at.alicdn.com udp
US 8.8.8.8:53 vvvv.1036.xyz udp
HK 103.75.47.227:443 vvvv.1036.xyz tcp
US 8.8.8.8:53 237.185.35.103.in-addr.arpa udp
HK 103.75.47.227:443 vvvv.1036.xyz tcp
US 163.181.154.233:80 at.alicdn.com tcp
US 163.181.154.233:80 at.alicdn.com tcp
US 163.181.154.233:80 at.alicdn.com tcp
US 8.8.8.8:53 h.pztwyx.com udp
US 104.21.18.74:443 h.pztwyx.com tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.190.80:80 apps.identrust.com tcp
US 104.21.18.74:443 h.pztwyx.com tcp
US 104.21.18.74:443 h.pztwyx.com tcp
US 104.21.18.74:443 h.pztwyx.com tcp
US 104.21.18.74:443 h.pztwyx.com tcp
US 104.21.18.74:443 h.pztwyx.com tcp
US 8.8.8.8:53 98062375716.com udp
US 8.8.8.8:53 gp.tuku.fit udp
US 104.26.4.225:443 gp.tuku.fit tcp
US 192.151.240.28:443 98062375716.com tcp
US 8.8.8.8:53 227.47.75.103.in-addr.arpa udp
US 8.8.8.8:53 233.154.181.163.in-addr.arpa udp
US 8.8.8.8:53 74.18.21.104.in-addr.arpa udp
US 8.8.8.8:53 80.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 225.4.26.104.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 216876e.com udp
US 8.8.8.8:53 https.tthc.site udp
US 8.8.8.8:53 gg.6768gg.biz udp
US 8.8.8.8:53 tk2.zaojiao365.net udp
US 8.8.8.8:53 hm.baidu.com udp
US 8.8.8.8:53 tmeets.net udp
US 8.8.8.8:53 tk.tuku.fit udp
US 8.8.8.8:53 tu.tuku.fit udp
US 8.8.8.8:53 www.606388.com udp
US 8.8.8.8:53 www.baidu.com udp
US 8.8.8.8:53 www.hongtudi.org udp
HK 18.166.208.129:4949 tk2.zaojiao365.net tcp
HK 18.166.208.129:4949 tk2.zaojiao365.net tcp
US 8.8.8.8:53 www.tmeets.net udp
HK 18.166.208.129:4949 tk2.zaojiao365.net tcp
CN 14.215.182.140:443 hm.baidu.com tcp
CN 14.215.182.140:443 hm.baidu.com tcp
CN 14.215.182.140:443 hm.baidu.com tcp
CN 14.215.182.140:443 hm.baidu.com tcp
CN 14.215.182.140:443 hm.baidu.com tcp
CN 14.215.182.140:443 hm.baidu.com tcp
US 8.8.8.8:53 ziyuan-css.cdn.bcebos.com udp
US 8.8.8.8:53 lf9-cdn-tos.bytecdntp.com udp
US 8.8.8.8:53 lf6-cdn-tos.bytecdntp.com udp
US 8.8.8.8:53 28.240.151.192.in-addr.arpa udp
US 8.8.8.8:53 129.208.166.18.in-addr.arpa udp
US 38.124.43.227:443 lf9-cdn-tos.bytecdntp.com tcp
US 38.124.43.227:443 lf9-cdn-tos.bytecdntp.com tcp
HK 103.198.200.50:443 lf6-cdn-tos.bytecdntp.com tcp
CN 60.188.66.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 60.188.66.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 60.188.66.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 60.188.66.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 60.188.66.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 60.188.66.35:443 ziyuan-css.cdn.bcebos.com tcp
HK 103.198.200.50:443 lf6-cdn-tos.bytecdntp.com tcp
US 8.8.8.8:53 227.43.124.38.in-addr.arpa udp
US 8.8.8.8:53 50.200.198.103.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 w.x.baidu.com udp
US 8.8.8.8:53 xiazai.9377.com udp
GB 163.171.146.42:80 xiazai.9377.com tcp
US 8.8.8.8:53 dl.p2sp.baidu.com udp
US 8.8.8.8:53 g.quwen320.com udp
US 8.8.8.8:53 wdl1.cache.wps.cn udp
US 8.8.8.8:53 www.9377.com udp
US 163.181.154.239:80 www.9377.com tcp
CN 36.99.183.85:80 wdl1.cache.wps.cn tcp
US 8.8.8.8:53 42.146.171.163.in-addr.arpa udp
US 8.8.8.8:53 239.154.181.163.in-addr.arpa udp
CN 14.215.183.79:443 hm.baidu.com tcp
CN 14.215.183.79:443 hm.baidu.com tcp
CN 14.215.183.79:443 hm.baidu.com tcp
CN 14.215.183.79:443 hm.baidu.com tcp
CN 14.215.183.79:443 hm.baidu.com tcp
CN 14.215.183.79:443 hm.baidu.com tcp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
CN 111.170.27.1:443 ziyuan-css.cdn.bcebos.com tcp
CN 111.170.27.1:443 ziyuan-css.cdn.bcebos.com tcp
CN 111.170.27.1:443 ziyuan-css.cdn.bcebos.com tcp
CN 111.170.27.1:443 ziyuan-css.cdn.bcebos.com tcp
CN 111.170.27.1:443 ziyuan-css.cdn.bcebos.com tcp
CN 111.170.27.1:443 ziyuan-css.cdn.bcebos.com tcp
US 8.8.8.8:53 client.9377.com udp
CN 47.113.43.102:80 client.9377.com tcp
CN 47.113.43.102:80 client.9377.com tcp
CN 36.99.183.87:80 wdl1.cache.wps.cn tcp
CN 111.45.3.198:443 hm.baidu.com tcp
CN 111.45.3.198:443 hm.baidu.com tcp
CN 111.45.3.198:443 hm.baidu.com tcp
CN 111.45.3.198:443 hm.baidu.com tcp
CN 111.45.3.198:443 hm.baidu.com tcp
CN 111.45.3.198:443 hm.baidu.com tcp
CN 113.219.142.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 113.219.142.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 113.219.142.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 113.219.142.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 113.219.142.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 113.219.142.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 8.129.26.245:80 client.9377.com tcp
CN 8.129.26.245:80 client.9377.com tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
CN 36.99.183.84:80 wdl1.cache.wps.cn tcp
CN 111.45.11.83:443 hm.baidu.com tcp
CN 111.45.11.83:443 hm.baidu.com tcp
CN 111.45.11.83:443 hm.baidu.com tcp
CN 111.45.11.83:443 hm.baidu.com tcp
CN 111.45.11.83:443 hm.baidu.com tcp
CN 111.45.11.83:443 hm.baidu.com tcp
CN 124.239.243.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 124.239.243.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 124.239.243.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 124.239.243.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 124.239.243.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 124.239.243.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 47.113.43.102:80 client.9377.com tcp
CN 47.113.43.102:80 client.9377.com tcp
US 8.8.8.8:53 d.qq66699.com udp
GB 174.35.118.63:80 d.qq66699.com tcp
CN 183.240.98.228:443 hm.baidu.com tcp
CN 183.240.98.228:443 hm.baidu.com tcp
CN 183.240.98.228:443 hm.baidu.com tcp
CN 183.240.98.228:443 hm.baidu.com tcp
CN 183.240.98.228:443 hm.baidu.com tcp
CN 183.240.98.228:443 hm.baidu.com tcp
US 8.8.8.8:53 63.118.35.174.in-addr.arpa udp
US 8.8.8.8:53 down2.uc.cn udp
CN 61.170.99.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 61.170.99.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 61.170.99.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 61.170.99.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 61.170.99.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 61.170.99.35:443 ziyuan-css.cdn.bcebos.com tcp
CN 120.241.3.133:80 down2.uc.cn tcp
CN 8.129.26.245:80 client.9377.com tcp
CN 8.129.26.245:80 client.9377.com tcp
US 8.8.8.8:53 a.clickdata.37wan.com udp
CN 159.75.141.43:80 a.clickdata.37wan.com tcp
US 8.8.8.8:53 gameapp.37.com udp
CN 193.112.84.233:80 gameapp.37.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\System.dll

MD5 00a0194c20ee912257df53bfe258ee4a
SHA1 d7b4e319bc5119024690dc8230b9cc919b1b86b2
SHA256 dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
SHA512 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\f1.ico

MD5 5858df8bc0d6ed1d6e0320cacc2e3e08
SHA1 01b4c25cb1cb049dc45c0cc4e12b772bda52c48d
SHA256 91d0c4f8d8e49b84673ef2c8c9c05cc14b4fbfcdb17489612aad4e382a4eebaf
SHA512 cd708ae1b464c6de21e4819601055bf7fc6c16dca14180f4ea8f3f97097aceb7e6f2e0264da4415ccbe7b03fe468991c894a7a41cb690e5941ba9f9ee3e69d47

C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\Inetc.dll

MD5 50fdadda3e993688401f6f1108fabdb4
SHA1 04a9ae55d0fb726be49809582cea41d75bf22a9a
SHA256 6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6
SHA512 e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\nsProcess.dll

MD5 05450face243b3a7472407b999b03a72
SHA1 ffd88af2e338ae606c444390f7eaaf5f4aef2cd9
SHA256 95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89
SHA512 f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\Base64.dll

MD5 f0e3845fefd227d7f1101850410ec849
SHA1 3067203fafd4237be0c186ddab7029dfcbdfb53e
SHA256 7c688940e73022bf526f07cc922a631a1b1db78a19439af6bafbff2a3b46d554
SHA512 584ae5a0d1c1639ba4e2187d0c8a0ac7e54c0be0a266029c4689d81c0c64a7f80e7d918da0df5c6344f9f7a114f30d8f2feda253b29e813bae086604731a3d8a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 fbe1ce4d182aaffb80de94263be1dd35
SHA1 bc6c9827aa35a136a7d79be9e606ff359e2ac3ea
SHA256 0021f72dbca789f179762b0e17c28fe0b93a12539b08294800e47469905aeb51
SHA512 3fb0a3b38e7d4a30f5560594b1d14e6e58419e274255fb68dfe0ca897aa181f9ce8cb2048403f851fd36a17b0e34d272d03927769d41a500b2fe64806354902f

\??\pipe\LOCAL\crashpad_1844_QQNWUCFSWPMJIUHI

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 2a70f1bd4da893a67660d6432970788d
SHA1 ddf4047e0d468f56ea0c0d8ff078a86a0bb62873
SHA256 c550af5ba51f68ac4d18747edc5dea1a655dd212d84bad1e6168ba7a97745561
SHA512 26b9a365e77df032fc5c461d85d1ba313eafead38827190608c6537ec12b2dfdbed4e1705bfd1e61899034791ad6fa88ea7490c3a48cdaec4d04cd0577b11343

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 401c5576a58a3e10de5c32d001e331ad
SHA1 c4e9c0d5134babb46d5f8c4eeadd40cab18b5450
SHA256 2b1d9d7fcc1d46f4b60207f197c9fad2c559f9dce2aa0fd09239883147ea5f36
SHA512 1b1d76144c6030ac1390a15acd096f13505f62eb2a92745eab5264a25609de8f957d338de00c584ed8d7339525d40aeee3ec592af4168e3035ae068c6901cc7e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\e9b2ae8f-2967-46c5-acd5-5533c3bb73fb.tmp

MD5 5d22636bd5c24893369218d8f7330eaf
SHA1 55fb67844da3ef98d07b05fd1c5f7dce1fc5587a
SHA256 8ad476a4f0f080068bdb5b0591e448aa587bf1cca8b5eb3b60de96171abe35f7
SHA512 46f1069ab4684b9ffcf305c1c6233a8ba88d6dcd77503004cadab0a237df6d741a1aa35663a03b0b4dcaa3ff87529da621ec630d05fe2d7781a8ea9adbd097f6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6f5fa860c6a0898b6344a57c9acd611d
SHA1 47208ea7f9013f383e72c7aa2606b5cc57b122bd
SHA256 db432964f4da38c94596164ea3a4580ddcac3bef6152ce483b470418ca7429f1
SHA512 5a437e74b157c51a55ef773c1b7a2e58d6ac70c8be0c10db2b02f303143ea412117bb40ce7db1dbdbaa3b9feac26f82b958e445f7c785e443f5fec1fece29359

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 f0c05d6d52b1a0701c84e8d751d74e3a
SHA1 260a2ee8a90f99236837ffd96c43ba6788828a43
SHA256 78691a41173a18b280ebbcef4acd16e3d7ab54c09e73a11499212beef76d9c9b
SHA512 a6e45d70710ae3eaa41b7ef79bc7e564b4346cc69fab7522fe93afcafa7cce206b1930bc03c96d26106bf402d4df74a1e41873dbe4b4551d5c1ec1a392cecc96

C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\9377mycs_Y_mgaz2_01.exe

MD5 11a03edd815fdfde672df5e0c9db1ecd
SHA1 3612f55ae04e0f937d797f9c818a507e5b46011d
SHA256 dc0ddb5f676959234ec39c703187a741af91d8e6e17d084dfa256f3770336366
SHA512 6f82ad5153f501ff294371a12c7e82a9c15b3c0012bb2c39b04aa71ee2b2d4548b1e3c3418cd8e9a9d3eea048befabfd7a9ed8cd949eef53d86a3567814f6a12

C:\Users\Admin\AppData\Local\Temp\nsw3CA8.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nsw3CA8.tmp\ip.dll

MD5 4df6320e8281512932a6e86c98de2c17
SHA1 ae6336192d27874f9cd16cd581f1c091850cf494
SHA256 7744a495ceacf8584d4f6786699e94a09935a94929d4861142726562af53faa4
SHA512 7c468de59614f506a2ce8445ef00267625e5a8e483913cdd18636cea543be0ca241891e75979a55bb67eecc11a7ac0649b48b55a10e9a01362a0250839462d3b

C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MYLogger.ini

MD5 5413850ca9697181194085be89378aac
SHA1 ddd35a3d412cec8e64a09604c62ce9bbb19a906f
SHA256 9945f0da338f87469d3a5f94e99bd108cd136c20d941631d57e99b967b8a1c77
SHA512 dabc1ff7d4fc07d85859120f28ed4fa78ee7895cb36e95bc8c05538c22f31b73cf088ebe4c7ded313ea52cd6297d323c8278fbc875f56838c41107df939a052b

C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MYLogger.exe

MD5 e62edf270beee5820e781404b6792cbc
SHA1 b4a31e93ee812786deeab21fc990e1fa72d18f20
SHA256 cc6d069c6e4ce7da54901094753cd9df36dcb095b9ead758e809887c2643a5ba
SHA512 d0a208e4e692114e0ecfce35c9e33ab69296484b632446f04e8cebd3fef52b4e7fed5877f2321e179a1cb6a822161a6d31370a68b19cc5277819cbbc350c159a

C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\uninstall.exe

MD5 1d4b24538bde98104eda1b5d3cff1fc5
SHA1 2f766c1fbdd8632ec9784d9631a5c74dcaf77f4a
SHA256 68237bdfcda9fdf8747e65df044a8b3668ea5dd26451335e78bf311999cf05e5
SHA512 985e0f01e8c186767b2025e5b0b253ac1aec8bf7145028f7737315998d0ec92ab42c80fd4722ac98873dd2ac1a3bbc3f8b6a4164cfe10865efec7b15c56215f6

C:\Program Files (x86)\9377÷ÈÓ°´«Ëµ\MeiYing.dll

MD5 b383bf5a47c46d6a22b1c3d383edc87c
SHA1 abfac8a4beb27df27fe9353ed70a30677f7bcaed
SHA256 aab3e362c47d454e48f265213bab6e582c3b5c6b7167e54d477c68b9d3dc5b8e
SHA512 92618f2db31110bdcb2937a8dc44a81640be8ff589266ade343c9301ee7bf1479995c6b14b6f06e52c2b1e52c4c91f254ca58d664a1cea10e1a1b2d1cf292d29

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 57d937098fb80a2e87abf8b8d9bf9fa9
SHA1 14a756edf3ca46f770371680607516348cd8acf7
SHA256 6a5deb7603c67afee175fdc93e3f3ae1328e231f6f4c54afc4d28a91e4ebc57a
SHA512 589994f6bf78a222332736de1ad27618a148686dbd41ffcb329f58d8805045839b77cf069dafac742a9bcb3f0057710113b58e03bc381f902ec888af50e4d9d7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 3fc72262b701eae63b393781e9e3c864
SHA1 209320d33791dc8d76739419664a7935051692d9
SHA256 6ef8b01741059187b1689d5a6b8587baa21e3a45015adbe11ec1a3753a0f27aa
SHA512 7735747ed005be40aeb5fd59ee52eb59b662ea01b559ef6ad4f3d4af577f8cb5038efb67f9a016b53425b3206570af50bfe7a7affc155000b128e4a614a9b138

C:\Users\Admin\AppData\Local\Temp\nsu3857.tmp\yx_dts.exe

MD5 d3f054de4c81b4d02c5dba5ab7c97b76
SHA1 6e8f39ddc425a7badc66e2e03e813a68e75ca772
SHA256 439641179cf715d946321bfb60d8fa0fbabf7a166c8aac941815571401edb489
SHA512 f0da7eb8b3b4622897b15c230d7f4b60f0d87ae19e0b32ead3f80f7c497cf6629cac9d047a9efae2e330e65e9d60dbe1997602674eb91759c7b29a544286a406

C:\Users\Admin\AppData\Local\Temp\nsb3A13.tmp\FindProcDLL.dll

MD5 8614c450637267afacad1645e23ba24a
SHA1 e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2
SHA256 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758
SHA512 af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

memory/4856-363-0x00000000021B0000-0x00000000021B3000-memory.dmp

C:\Users\Admin\AppData\Roaming\dts\mydts\lander.ini

MD5 c099269a0b569024a13ea5944f8c6d49
SHA1 f06abf2efd5e4b506d4f028683a10bc59e03fa15
SHA256 cc12d6aea0a462719635c2fa315e4fb0bbca96b78a4de5bdadb96b1f4bc90988
SHA512 65e14632a75bd4e29c3e868bda8ee0c1cf7ef5ddadc7f5f21e566a3c2e8cafc3f095e2c88acf0aea72bbab0e07ae023a0cf94b23f7a980251b9de944a5798f98

C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe

MD5 b5d09fd991b640cd198f9c32ca01e25e
SHA1 1a312c68d92c13dff436f951af1a1ad56c0fbfcc
SHA256 4cca4410d6559adc5b6f81ee2641132220fbc0fb75bf4ead6722ee8a9b2d9bb6
SHA512 ba0793bed656c3fdc9aa075eb26dbb52c9bfcdf012231bb5c1bb80ad6857825065ba433cbb0d34fc2dd3f0972bed37e59e74f3eeda60d659561c57a0069831e7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3fd735f29837197eb90397d25a1301d0
SHA1 3ca6c6f78aaac6d88ac42db884fbbee252acc83f
SHA256 3cd8cc60c4bb62645b7e5c72e9ee4da287d190e0be9e7c6f34b49f5bd1827e6e
SHA512 c3827a420735871bfb7d5049bb3f0a1aa869866c454760b076c1feee7077f31f847074cfc18b72f6cd4a7625316294da10f195f12d85a31dee971c0e65c93fc6

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-07 09:20

Reported

2024-05-07 09:23

Platform

win7-20240221-en

Max time kernel

122s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Inetc.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 240

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-07 09:20

Reported

2024-05-07 09:23

Platform

win7-20240419-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 244

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-07 09:20

Reported

2024-05-07 09:23

Platform

win10v2004-20240419-en

Max time kernel

133s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3496 wrote to memory of 1500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3496 wrote to memory of 1500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3496 wrote to memory of 1500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1500 -ip 1500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
GB 23.73.138.11:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 11.138.73.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

memory/1500-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/1500-1-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-07 09:20

Reported

2024-05-07 09:23

Platform

win7-20231129-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\CLEAN.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\CLEAN.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\CLEAN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\CLEAN.exe

"C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\CLEAN.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\nso476.tmp\ioSpecial.ini

MD5 0412743a58b32c6e31233a070450ae70
SHA1 5ba703e7065f660670b71cb82e877ca92c51e048
SHA256 a09f10460fca336350a2e885312471c1ecced55794924028726a39240e9a762a
SHA512 63398bd47020abd410100dfbbfce6fd2c655dfbe677376b7e27766f8608448f5389987439328dfd01adb2a9d076e0768b346dc964e2c4e10d3f6fa1758542dce

\Users\Admin\AppData\Local\Temp\nso476.tmp\InstallOptions.dll

MD5 1d5c649dde35003a618b9679d5d71b92
SHA1 0409bbab3ab34f8c01289cdd847b4d1a32d05b18
SHA256 0f4d3cee24e3f310fa804983c931d3628613988a24f0be7854f63a9309b8e45f
SHA512 b432ebcc52905662d61a3f17e08e209a3f9d836a9071b3b5e80070af7ebcf34cf66c44426dda041c2a258fda4787e5692e2b35acbcd73288fb84fe3c977bbfd9

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-07 09:20

Reported

2024-05-07 09:23

Platform

win10v2004-20240419-en

Max time kernel

134s

Max time network

102s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1548 wrote to memory of 1372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1548 wrote to memory of 1372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1548 wrote to memory of 1372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1372 -ip 1372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
GB 23.73.138.122:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 122.138.73.23.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files

N/A