Malware Analysis Report

2024-12-07 03:29

Sample ID 241113-cma4fsvcld
Target 25d5aa81d0fc186731633e54266294d668b03501342a2d980f826c694c8b068d.zip
SHA256 25d5aa81d0fc186731633e54266294d668b03501342a2d980f826c694c8b068d
Tags
remcos new discovery rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

25d5aa81d0fc186731633e54266294d668b03501342a2d980f826c694c8b068d

Threat Level: Known bad

The file 25d5aa81d0fc186731633e54266294d668b03501342a2d980f826c694c8b068d.zip was found to be: Known bad.

Malicious Activity Summary

remcos new discovery rat

Remcos

Remcos family

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 02:11

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 02:11

Reported

2024-11-13 02:13

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe"

Signatures

Remcos

rat remcos

Remcos family

remcos

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\scr_previw.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2336 set thread context of 3900 | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | C:\Windows\SysWOW64\cmd.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\scr_previw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4760 wrote to memory of 1560 | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
PID 4760 wrote to memory of 1560 | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
PID 4760 wrote to memory of 1560 | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
PID 1560 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
PID 1560 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
PID 1560 wrote to memory of 4344 | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | C:\Users\Admin\AppData\Roaming\scr_previw.exe
PID 1560 wrote to memory of 4344 | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | C:\Users\Admin\AppData\Roaming\scr_previw.exe
PID 1560 wrote to memory of 4344 | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | C:\Users\Admin\AppData\Roaming\scr_previw.exe
PID 4344 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Roaming\scr_previw.exe | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
PID 4344 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Roaming\scr_previw.exe | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
PID 4344 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Roaming\scr_previw.exe | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
PID 2336 wrote to memory of 3900 | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 3900 | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 3900 | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 3900 | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | C:\Windows\SysWOW64\cmd.exe
PID 3900 wrote to memory of 3428 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe
PID 3900 wrote to memory of 3428 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe
PID 3900 wrote to memory of 3428 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe
PID 3900 wrote to memory of 3428 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe
PID 3900 wrote to memory of 3428 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe

"C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe"

C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe

"C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe" /VERYSILENT

C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe

"C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe"

C:\Users\Admin\AppData\Roaming\scr_previw.exe

"C:\Users\Admin\AppData\Roaming\scr_previw.exe"

C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe

C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | gpu.me | udp
US | 104.21.53.3:80 | gpu.me | tcp
US | 104.21.53.3:80 | gpu.me | tcp
US | 8.8.8.8:53 | 3.53.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | www.techpowerup.com | udp
US | 138.199.40.9:443 | www.techpowerup.com | tcp
US | 8.8.8.8:53 | 9.40.199.138.in-addr.arpa | udp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp

Files

memory/4760-0-0x0000000002810000-0x0000000002811000-memory.dmp

memory/1560-3-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

memory/4760-4-0x0000000000400000-0x000000000070A000-memory.dmp

C:\Users\Admin\AppData\Roaming\scr_previw.exe

MD5 d9530ecee42acccfd3871672a511bc9e
SHA1 89b4d2406f1294bd699ef231a4def5f495f12778
SHA256 81e04f9a131534acc0e9de08718c062d3d74c80c7f168ec7e699cd4b2bd0f280
SHA512 d5f048ea995affdf9893ec4c5ac5eb188b6714f5b6712e0b5a316702033421b145b8ee6a62d303eb4576bf8f57273ff35c5d675807563a31157136f79d8a9980

C:\Users\Admin\AppData\Roaming\d3dx9_43.dll

MD5 e8ad346c114fda96fca288966eae8e92
SHA1 fdfad7f2030b54f076b2a2e24ef1199abf2588e6
SHA256 7e04681fdc438855e5b27a92c73b74ccb0a13338ee24a5054571b8efd8918ba0
SHA512 d63e542de66eb09d6847ed99e173763b7c24335566f650bdb198d4279b0de6e14cb4a03f29c66b5d7d6c480a6f520f677fccf8cbf51dc5db3f8af6c5412d7549

memory/1560-27-0x0000000000400000-0x000000000070A000-memory.dmp

memory/2252-28-0x000002524ED30000-0x000002524F0F4000-memory.dmp

memory/2252-24-0x00007FF887833000-0x00007FF887835000-memory.dmp

C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe

MD5 41421866b825dbdcc5f29a0bbd484362
SHA1 f7637ef22c82a108ab4668baca40e4f03eb49a5c
SHA256 efecb17d9d73082bf28a6e7c6bb87a81c65a59b2d4d14251678da3cffa6a12a1
SHA512 72ba988029e87661ad2adf68f79d054febe499d2fb3220518df7372b953d761acf88470f1620f7660eba963c42bc9327ad070b0c386282f6654f80b0ed50599d

C:\Users\Admin\AppData\Roaming\gbxchd

MD5 162ba47ec20e7fb580672579a6fef9d2
SHA1 a6b52b8f549ca44ffe821f65e846b869da544c28
SHA256 227baa93552cc95a5d2142c23c27f2006e41093cfe24f89bea1b8fe8abbac159
SHA512 135e057a779e5ed593f455ecc646dbf0f21b0bab909e0d8c3d83c7817e82e52115551cd6710b75dbfb9026393861e6f24f63ec59722d1e73553df97ac0e55cd4

memory/2252-30-0x0000025269710000-0x0000025269CD0000-memory.dmp

memory/2252-31-0x000002524F4D0000-0x000002524F4F2000-memory.dmp

memory/2252-32-0x000002526B000000-0x000002526B4CC000-memory.dmp

memory/2252-33-0x000002524F4A0000-0x000002524F4A6000-memory.dmp

memory/2252-34-0x000002526AE20000-0x000002526AE28000-memory.dmp

memory/2252-36-0x000002526AE70000-0x000002526AE7E000-memory.dmp

memory/2252-35-0x000002526AEA0000-0x000002526AED8000-memory.dmp

C:\Users\Admin\AppData\Roaming\cygrt

MD5 a727c368e3a6c273f28c80607f2df861
SHA1 a31a2b4a4677d58bf9f7126da6dedaf4502eb283
SHA256 bc5e2a7118a6e0a37b968dca2c110dd9db9a4359f6aea13f41ac04c663d066ca
SHA512 b7a47943727fced7da83f89d8eac50a50308a8a7abacf57b7ffcc0b2c05349360a8af60f3ab81755ba456b956b022c99f21692d339d399a42a5b8d9860b9045d

memory/4344-38-0x0000000074820000-0x000000007499B000-memory.dmp

memory/4344-39-0x00007FF8A6110000-0x00007FF8A6305000-memory.dmp

memory/2336-51-0x0000000074820000-0x000000007499B000-memory.dmp

memory/2336-52-0x00007FF8A6110000-0x00007FF8A6305000-memory.dmp

memory/2336-53-0x0000000074820000-0x000000007499B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\75e7d5ea

MD5 2c5232873daafcb4c34416f9d6c6de68
SHA1 83abf9d13441ed7d1187a1ee4a2c470aadc40615
SHA256 7d6ff8ae13e3590b8379d06981f2512247d47835e6f5567f344b66e807c2fec5
SHA512 0835a74320320f15547ce457024dd22b3fb884e17e5ea56c2abe76bfd5e7c6f2e237a91a59b3003ed6571d46f39607418a77290b64b08087f41bc436ad3ef630

memory/2252-56-0x00007FF887833000-0x00007FF887835000-memory.dmp

memory/3900-57-0x00007FF8A6110000-0x00007FF8A6305000-memory.dmp

memory/3900-59-0x0000000074820000-0x000000007499B000-memory.dmp

memory/3428-61-0x00007FF8A6110000-0x00007FF8A6305000-memory.dmp

memory/3428-62-0x0000000000570000-0x00000000005F4000-memory.dmp

memory/3428-65-0x0000000000570000-0x00000000005F4000-memory.dmp

memory/3428-66-0x0000000000570000-0x00000000005F4000-memory.dmp

memory/3428-67-0x0000000000570000-0x00000000005F4000-memory.dmp

memory/3428-68-0x0000000000570000-0x00000000005F4000-memory.dmp

memory/3428-69-0x0000000000570000-0x00000000005F4000-memory.dmp

memory/3428-70-0x0000000000570000-0x00000000005F4000-memory.dmp

memory/3428-71-0x0000000000570000-0x00000000005F4000-memory.dmp

memory/3428-72-0x0000000000570000-0x00000000005F4000-memory.dmp

memory/3428-73-0x0000000000570000-0x00000000005F4000-memory.dmp

memory/3428-74-0x0000000000570000-0x00000000005F4000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 02:11

Reported

2024-11-13 02:13

Platform

win7-20240903-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe"

Signatures

Remcos

rat remcos

Remcos family

remcos

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2624 set thread context of 2676 | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | C:\Windows\SysWOW64\cmd.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\scr_previw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2800 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
PID 2800 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
PID 2800 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
PID 2800 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
PID 2800 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
PID 2800 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
PID 2800 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
PID 2752 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
PID 2752 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
PID 2752 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
PID 2752 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
PID 2752 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | C:\Users\Admin\AppData\Roaming\scr_previw.exe
PID 2752 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | C:\Users\Admin\AppData\Roaming\scr_previw.exe
PID 2752 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | C:\Users\Admin\AppData\Roaming\scr_previw.exe
PID 2752 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | C:\Users\Admin\AppData\Roaming\scr_previw.exe
PID 2724 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Roaming\scr_previw.exe | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
PID 2724 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Roaming\scr_previw.exe | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
PID 2724 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Roaming\scr_previw.exe | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
PID 2724 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Roaming\scr_previw.exe | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
PID 2624 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 1804 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe
PID 2676 wrote to memory of 1804 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe
PID 2676 wrote to memory of 1804 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe
PID 2676 wrote to memory of 1804 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe
PID 2676 wrote to memory of 1804 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe
PID 2676 wrote to memory of 1804 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe

"C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe"

C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe

"C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe" /VERYSILENT

C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe

"C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe"

C:\Users\Admin\AppData\Roaming\scr_previw.exe

"C:\Users\Admin\AppData\Roaming\scr_previw.exe"

C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe

C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | gpu.me | udp
US | 8.8.8.8:53 | gpu.me | udp
US | 172.67.206.142:80 | gpu.me | tcp
US | 172.67.206.142:80 | gpu.me | tcp
US | 8.8.8.8:53 | www.techpowerup.com | udp
US | 138.199.40.9:443 | www.techpowerup.com | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp
FI | 95.217.148.142:9004 | N/A | tcp

Files

memory/2800-0-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2800-3-0x0000000000400000-0x000000000070A000-memory.dmp

\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe

MD5 41421866b825dbdcc5f29a0bbd484362
SHA1 f7637ef22c82a108ab4668baca40e4f03eb49a5c
SHA256 efecb17d9d73082bf28a6e7c6bb87a81c65a59b2d4d14251678da3cffa6a12a1
SHA512 72ba988029e87661ad2adf68f79d054febe499d2fb3220518df7372b953d761acf88470f1620f7660eba963c42bc9327ad070b0c386282f6654f80b0ed50599d

\Users\Admin\AppData\Roaming\scr_previw.exe

MD5 d9530ecee42acccfd3871672a511bc9e
SHA1 89b4d2406f1294bd699ef231a4def5f495f12778
SHA256 81e04f9a131534acc0e9de08718c062d3d74c80c7f168ec7e699cd4b2bd0f280
SHA512 d5f048ea995affdf9893ec4c5ac5eb188b6714f5b6712e0b5a316702033421b145b8ee6a62d303eb4576bf8f57273ff35c5d675807563a31157136f79d8a9980

memory/2752-25-0x0000000000400000-0x000000000070A000-memory.dmp

C:\Users\Admin\AppData\Roaming\d3dx9_43.dll

MD5 e8ad346c114fda96fca288966eae8e92
SHA1 fdfad7f2030b54f076b2a2e24ef1199abf2588e6
SHA256 7e04681fdc438855e5b27a92c73b74ccb0a13338ee24a5054571b8efd8918ba0
SHA512 d63e542de66eb09d6847ed99e173763b7c24335566f650bdb198d4279b0de6e14cb4a03f29c66b5d7d6c480a6f520f677fccf8cbf51dc5db3f8af6c5412d7549

memory/2740-29-0x00000000011B0000-0x0000000001574000-memory.dmp

C:\Users\Admin\AppData\Roaming\gbxchd

MD5 162ba47ec20e7fb580672579a6fef9d2
SHA1 a6b52b8f549ca44ffe821f65e846b869da544c28
SHA256 227baa93552cc95a5d2142c23c27f2006e41093cfe24f89bea1b8fe8abbac159
SHA512 135e057a779e5ed593f455ecc646dbf0f21b0bab909e0d8c3d83c7817e82e52115551cd6710b75dbfb9026393861e6f24f63ec59722d1e73553df97ac0e55cd4

memory/2740-31-0x000000001B3E0000-0x000000001B9A0000-memory.dmp

C:\Users\Admin\AppData\Roaming\cygrt

MD5 a727c368e3a6c273f28c80607f2df861
SHA1 a31a2b4a4677d58bf9f7126da6dedaf4502eb283
SHA256 bc5e2a7118a6e0a37b968dca2c110dd9db9a4359f6aea13f41ac04c663d066ca
SHA512 b7a47943727fced7da83f89d8eac50a50308a8a7abacf57b7ffcc0b2c05349360a8af60f3ab81755ba456b956b022c99f21692d339d399a42a5b8d9860b9045d

memory/2724-33-0x0000000074650000-0x00000000747C4000-memory.dmp

memory/2724-34-0x00000000774D0000-0x0000000077679000-memory.dmp

memory/2740-46-0x0000000000250000-0x0000000000256000-memory.dmp

memory/2740-49-0x00000000002A0000-0x00000000002AA000-memory.dmp

memory/2740-48-0x00000000002A0000-0x00000000002AA000-memory.dmp

memory/2624-51-0x0000000074790000-0x0000000074904000-memory.dmp

memory/2624-52-0x00000000774D0000-0x0000000077679000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab9C70.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/2624-69-0x0000000074790000-0x0000000074904000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4b27e652

MD5 d7260d861ec2fc0a0c4b1db08d8b3468
SHA1 dd490c9a89afb627fdbf90eb3adfb98242d5981d
SHA256 83c5991f347e0a472b5d8fdaf9ebca90a5a6485cd5d3a5d8ae3ae873c7ba1150
SHA512 9a2816ba22574c29382f2550ca215595e38eb91cb9b52fcabb78e343845cacf29e6a3eec106cd87048b03986864c89951fcca69d6e7f68bfbf66ace83cab744f

memory/2740-72-0x00000000002A0000-0x00000000002AA000-memory.dmp

memory/2676-73-0x00000000774D0000-0x0000000077679000-memory.dmp

memory/2676-119-0x0000000074790000-0x0000000074904000-memory.dmp

memory/1804-121-0x00000000774D0000-0x0000000077679000-memory.dmp

memory/1804-122-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1804-124-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1804-125-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1804-126-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1804-127-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1804-128-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1804-129-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1804-130-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1804-131-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1804-132-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1804-133-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1804-134-0x0000000000400000-0x0000000000484000-memory.dmp