Malware Analysis Report

2025-08-05 16:59

Sample ID 240108-d8x1saaebj
Target 4a57dc33e1dd8a6ac06309534326430a
SHA256 402bef3fa2c40c93e8c4bd23e4605783a172e861e2d542a9f6172858fd438868
Tags
discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
7/10

SHA256

402bef3fa2c40c93e8c4bd23e4605783a172e861e2d542a9f6172858fd438868

Threat Level: Shows suspicious behavior

The file 4a57dc33e1dd8a6ac06309534326430a was found to show suspicious behavior.

Malicious Activity Summary

discovery spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Checks installed software on the system

Program crash

Unsigned PE

Enumerates physical storage devices

NSIS installer

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-08 03:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-08 03:41

Reported

2024-01-08 03:43

Platform

win7-20231215-en

Max time kernel

121s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a57dc33e1dd8a6ac06309534326430a.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\4a57dc33e1dd8a6ac06309534326430a.exe N/A 21
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy4F0B.tmp\215AppsChecker.exe N/A 4
N/A N/A C:\Users\Admin\AppData\Local\Temp\4a57dc33e1dd8a6ac06309534326430a.exe N/A 10
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy4F0B.tmp\dlhelpdl.exe N/A 6

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2124 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\4a57dc33e1dd8a6ac06309534326430a.exe C:\Users\Admin\AppData\Local\Temp\nsy4F0B.tmp\215AppsChecker.exe 7
PID 2124 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\4a57dc33e1dd8a6ac06309534326430a.exe C:\Users\Admin\AppData\Local\Temp\nsy4F0B.tmp\dlhelpdl.exe 7

Processes

C:\Users\Admin\AppData\Local\Temp\4a57dc33e1dd8a6ac06309534326430a.exe

"C:\Users\Admin\AppData\Local\Temp\4a57dc33e1dd8a6ac06309534326430a.exe"

C:\Users\Admin\AppData\Local\Temp\nsy4F0B.tmp\215AppsChecker.exe

C:\Users\Admin\AppData\Local\Temp\nsy4F0B.tmp\215AppsChecker.exe /checkispublisherinstalled

C:\Users\Admin\AppData\Local\Temp\nsy4F0B.tmp\dlhelpdl.exe

C:\Users\Admin\AppData\Local\Temp\nsy4F0B.tmp\dlhelpdl.exe ~URL Parts Error~~~~URL Parts Error~URL Parts Error~~#~2921~2951~~URL Parts Error~~SendRequest Error~EE-D0-D7-A1-BF-98~#~~SendRequest Error~~IE~~

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.northdl4best.com udp

Files

\Users\Admin\AppData\Local\Temp\nsy4F0B.tmp\nsDialogs.dll

MD5 c10e04dd4ad4277d5adc951bb331c777
SHA1 b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256 e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

\Users\Admin\AppData\Local\Temp\nsy4F0B.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\nsy4F0B.tmp\intlib.dll

MD5 1efbbf5a54eb145a1a422046fd8dfb2c
SHA1 ec4efd0a95bb72fd4cf47423647e33e5a3fddf26
SHA256 983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341
SHA512 7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb

\Users\Admin\AppData\Local\Temp\nsy4F0B.tmp\Math.dll

MD5 b140459077c7c39be4bef249c2f84535
SHA1 c56498241c2ddafb01961596da16d08d1b11cd35
SHA256 0598f7d83db44929b7170c1285457b52b4281185f63ced102e709bf065f10d67
SHA512 fbcb19a951d96a216d73b6b3e005338bbb6e11332c6cc8c3f179ccd420b4db0e5682dc4245bd120dcb67bc70960eab368e74c68c7c165a485a12a7d0d8a00328

memory/2124-66-0x0000000000570000-0x000000000058A000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsy4F0B.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

\Users\Admin\AppData\Local\Temp\nsy4F0B.tmp\GetVersion.dll

MD5 5264f7d6d89d1dc04955cfb391798446
SHA1 211d8d3e7c2b2f57f54a11cb8bc4fa536df08acc
SHA256 7d76c7dd8f7cd5a87e0118dacb434db3971a049501e22a5f4b947154621ab3d4
SHA512 80d27ee2f87e2822bd5c8c55cc3d1e49beebb86d8557c92b52b7cbea9f27882d80e59eefa25e414eecee268a9a6193b6b50b748de33c778b007cde24ef8bcfb7

\Users\Admin\AppData\Local\Temp\nsy4F0B.tmp\registry.dll

MD5 24a7a119e289f1b5b69f3d6cf258db7c
SHA1 fec84298f9819adf155fcf4e9e57dd402636c177
SHA256 ae53f8e00574a87dd243fdf344141417cfe2af318c6c5e363a030d727a6c75d1
SHA512 fdbbedcc877bf020a5965f6ba8586ade48cfbe03ac0af8190a8acf077fb294ffd6b5a7ae49870bff8cacd9e33d591be63b5b3d5c2e432c640212bdcd0c602861

\Users\Admin\AppData\Local\Temp\nsy4F0B.tmp\215AppsChecker.exe

MD5 420320e78490a36cf23cb17ffbb13358
SHA1 fcf1151c22f9b8c9e29ec6387b38e6b040bd196e
SHA256 bc13af4eb6cc4917d617785d7e4ad09f64745a9cf06354833e815e9229ce8dcf
SHA512 fe2774fd095c3a3b51b01a1da1c5fcd49b53f939b647c84cdfd3c243cb74644ca2909971bc87d3e5c8781a93c27ac3ef7691625a024008b4f1ffba4c947cd023

\Users\Admin\AppData\Local\Temp\nsi56E7.tmp\StdUtils.dll

MD5 21010df9bc37daffcc0b5ae190381d85
SHA1 a8ba022aafc1233894db29e40e569dfc8b280eb9
SHA256 0ebd62de633fa108cf18139be6778fa560680f9f8a755e41c6ab544ab8db5c16
SHA512 95d3dbba6eac144260d5fcc7fcd5fb3afcb59ae62bd2eafc5a1d2190e9b44f8e125290d62fef82ad8799d0072997c57b2fa8a643aba554d0a82bbd3f8eb1403e

\Users\Admin\AppData\Local\Temp\nsy4F0B.tmp\dlhelpdl.exe

MD5 ed169c84a216825a90a03d889285b122
SHA1 7a1c3f3e21adc893283260855898f93898c045b7
SHA256 9aa109ebfe83d00f979b1ca43069eb72a35bb1dcb6e81c6336983a0db6da2c9a
SHA512 d7cc68c29ed7892a781e2519f921e1627107499da368fbb86e1b3778cdc3d1c0930e7c24d0634f0d477480bbc3cd6cf5c42806e062679c3edd7c2f2f097d176e

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-08 03:41

Reported

2024-01-08 03:44

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a57dc33e1dd8a6ac06309534326430a.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb4B42.tmp\dlhelpdl.exe N/A

Loads dropped DLL

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\4a57dc33e1dd8a6ac06309534326430a.exe N/A 45
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb4B42.tmp\dlhelpdl.exe N/A 3

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4a57dc33e1dd8a6ac06309534326430a.exe

"C:\Users\Admin\AppData\Local\Temp\4a57dc33e1dd8a6ac06309534326430a.exe"

C:\Users\Admin\AppData\Local\Temp\nsb4B42.tmp\dlhelpdl.exe

C:\Users\Admin\AppData\Local\Temp\nsb4B42.tmp\dlhelpdl.exe ~URL Parts Error~~~~URL Parts Error~URL Parts Error~~#~2921~2951~~URL Parts Error~~SendRequest Error~DE-9D-3A-49-EF-0E~#~~SendRequest Error~~~~

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1088 -ip 1088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 1584

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.northdl4best.com udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 50.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsb4B42.tmp\nsDialogs.dll

MD5 c10e04dd4ad4277d5adc951bb331c777
SHA1 b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256 e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

C:\Users\Admin\AppData\Local\Temp\nsb4B42.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nsb4B42.tmp\intlib.dll

MD5 1efbbf5a54eb145a1a422046fd8dfb2c
SHA1 ec4efd0a95bb72fd4cf47423647e33e5a3fddf26
SHA256 983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341
SHA512 7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb

memory/1088-71-0x0000000002B00000-0x0000000002B1A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsb4B42.tmp\GetVersion.dll

MD5 5264f7d6d89d1dc04955cfb391798446
SHA1 211d8d3e7c2b2f57f54a11cb8bc4fa536df08acc
SHA256 7d76c7dd8f7cd5a87e0118dacb434db3971a049501e22a5f4b947154621ab3d4
SHA512 80d27ee2f87e2822bd5c8c55cc3d1e49beebb86d8557c92b52b7cbea9f27882d80e59eefa25e414eecee268a9a6193b6b50b748de33c778b007cde24ef8bcfb7

C:\Users\Admin\AppData\Local\Temp\nsb4B42.tmp\intlib.dll

MD5 0e894133b6e53a20fec5cafda17a6610
SHA1 7812be995cbc449d622466d96bcc1e4145c02201
SHA256 b7240dc8ded4da1ce7c13609c4fc6819d2545ddd2ea02e6e43e148ee64b59bd4
SHA512 a04468a592cb0636cc41f2d2a15b92db66a06d67e14ff087c0ca24bf641b68718b105cc2c6b783ced4c346a5a1bb584c1bd1866bdd5b0cad8d9fb27b1a2f14fb

C:\Users\Admin\AppData\Local\Temp\nsb4B42.tmp\dlhelpdl.exe

MD5 9fb4d5536d6300d8d8caddfa4132e801
SHA1 a44f3dfb6ea79cef9d91db78fe2a17485998c408
SHA256 5585aeca4cbb3882a0deb6431c70aae22af5fe7552ea07088733d1bf8109cb03
SHA512 998abf434310d041bb3fb7bcd9fa6c429f9271b741806be5a247b39dc0632e293a8bae5d0911ccb1a0d90d6b02a783571917110d50cd1f00c1425e2c9c98d1bd

C:\Users\Admin\AppData\Local\Temp\nsb4B42.tmp\dlhelpdl.exe

MD5 9797ba82ab34a1c544ebee45d1edf711
SHA1 44754625d99b6896e1b9f01d30537f6274730311
SHA256 66f806a7c68fa5902a0a7bb20761520350dcfb0ab59c4a2644249d2363bd1070
SHA512 1d9ac6cb047c7e580d1a7b2663a09ce6bad50612750edc371374fc241bbfafad03b677b0ad9bc67be89a6c5ea7842202328381c6d815a63ba75c05d89d8b3340

C:\Users\Admin\AppData\Local\Temp\nsb4B42.tmp\intlib.dll

MD5 6789f6f686109a31e8282a64d4710061
SHA1 d29e63d0c01714d860f59f71c2ad72f2d6aba265
SHA256 5e56b042927d13266a4d4bcfc458d29094ea86c771048be81cd4f63e6672a3fd
SHA512 bebde4b8510a66d83d0a2ba7cc90371202fc824c37f72101751640031dc01074d98322230efc4c8815f465db6cd5fea62efdd4323c6c168c4c29a7676c4375f1

C:\Users\Admin\AppData\Local\Temp\nsb4B42.tmp\GetVersion.dll

MD5 ad41d2238c7c9c2c0deb3d4a03ba18fd
SHA1 ec3c3dc197d8fc2e73afee1a07b52518b31109ad
SHA256 1e8f08bb409b72ec8a0f0f954821d1aa61eb0e603de1cbe4885a40d8a13a768c
SHA512 bfb298bbbd9d9a1540c61da6560d0b9d8cdaca800054908f41296e1e9ee947f7c498bf61e6cdf7725f0e5ab687569509d7fbc2bc9ac256993a021e9d513ab652

C:\Users\Admin\AppData\Local\Temp\nsb4B42.tmp\registry.dll

MD5 24a7a119e289f1b5b69f3d6cf258db7c
SHA1 fec84298f9819adf155fcf4e9e57dd402636c177
SHA256 ae53f8e00574a87dd243fdf344141417cfe2af318c6c5e363a030d727a6c75d1
SHA512 fdbbedcc877bf020a5965f6ba8586ade48cfbe03ac0af8190a8acf077fb294ffd6b5a7ae49870bff8cacd9e33d591be63b5b3d5c2e432c640212bdcd0c602861

C:\Users\Admin\AppData\Local\Temp\nsb4B42.tmp\Math.dll

MD5 b140459077c7c39be4bef249c2f84535
SHA1 c56498241c2ddafb01961596da16d08d1b11cd35
SHA256 0598f7d83db44929b7170c1285457b52b4281185f63ced102e709bf065f10d67
SHA512 fbcb19a951d96a216d73b6b3e005338bbb6e11332c6cc8c3f179ccd420b4db0e5682dc4245bd120dcb67bc70960eab368e74c68c7c165a485a12a7d0d8a00328

C:\Users\Admin\AppData\Local\Temp\nsb4B42.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b