Analysis Overview
SHA256
29db2e73129c1daeb6248f06e8ff6ef9db2b01811309b6849d430aada0384de1
Threat Level: Known bad
The file 29db2e73129c1daeb6248f06e8ff6ef9db2b01811309b6849d430aada0384de1.zip was found to be: Known bad.
Malicious Activity Summary
Remcos
Remcos family
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Suspicious use of SetThreadContext
UPX packed file
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 02:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 02:11
Reported
2024-11-13 02:14
Platform
win7-20240903-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Remcos
Remcos family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DeAct.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Ultrajava\DeAct.exe | N/A |
Loads dropped DLL
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2616 set thread context of 2816 | N/A | C:\Users\Admin\AppData\Roaming\Ultrajava\DeAct.exe | C:\Windows\SysWOW64\cmd.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DeAct.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Ultrajava\DeAct.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Ultrajava\DeAct.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Ultrajava\DeAct.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
"C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe"
C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
"C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe" /VERYSILENT
C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
"C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe"
C:\Users\Admin\AppData\Roaming\DeAct.exe
"C:\Users\Admin\AppData\Roaming\DeAct.exe"
C:\Users\Admin\AppData\Roaming\Ultrajava\DeAct.exe
C:\Users\Admin\AppData\Roaming\Ultrajava\DeAct.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gpu.me | udp |
| US | 8.8.8.8:53 | gpu.me | udp |
| US | 172.67.206.142:80 | gpu.me | tcp |
| US | 172.67.206.142:80 | gpu.me | tcp |
| US | 8.8.8.8:53 | www.techpowerup.com | udp |
| US | 138.199.40.9:443 | www.techpowerup.com | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
Files
memory/2292-0-0x00000000003C0000-0x00000000003C1000-memory.dmp
memory/2292-3-0x0000000000400000-0x000000000070A000-memory.dmp
\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
| MD5 | 41421866b825dbdcc5f29a0bbd484362 |
| SHA1 | f7637ef22c82a108ab4668baca40e4f03eb49a5c |
| SHA256 | efecb17d9d73082bf28a6e7c6bb87a81c65a59b2d4d14251678da3cffa6a12a1 |
| SHA512 | 72ba988029e87661ad2adf68f79d054febe499d2fb3220518df7372b953d761acf88470f1620f7660eba963c42bc9327ad070b0c386282f6654f80b0ed50599d |
\Users\Admin\AppData\Roaming\DeAct.exe
| MD5 | 411cd1175b5e21b6a3c6a72c34e8773c |
| SHA1 | faabd22ddca0062dd3d7bc534e49078ee5d84be8 |
| SHA256 | 116b75d94dacf676931ff8623a0b34f3ea75b52d67b0494fefd1b8dce6bc121a |
| SHA512 | 6414d174a17edf813bb7f739b9d625c4489dd4a45c56932fad7f222a2b8ea646fd2316cdba4e421225cbdf4aeb245329aa5bb3034e2b54e3859dcd89c7d1dd90 |
memory/2304-39-0x000000013F2B0000-0x000000013F32D000-memory.dmp
memory/1908-40-0x0000000000400000-0x000000000070A000-memory.dmp
memory/1908-38-0x00000000044E0000-0x000000000455D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Qt5Core.dll
| MD5 | 2be4a1cf7511bbb244fe323af4f117d2 |
| SHA1 | a7e79fae4522bad1c05c865c07acfa91028598a8 |
| SHA256 | 7d6375d15e38ce9b3814089215d3969ce5430f83d01bd6519e2cbd1eb8d48b40 |
| SHA512 | 7fb194433d15a6577e90d33dbeb2a64942585c82b46f120eec0f4e93b09f8895e37a1dd4c09a4273127b0f7f9985ab69b1fba524fa9068e19d9952888a2aaf5f |
C:\Users\Admin\AppData\Roaming\MSVCP140.dll
| MD5 | 7db24201efea565d930b7ec3306f4308 |
| SHA1 | 880c8034b1655597d0eebe056719a6f79b60e03c |
| SHA256 | 72fe4598f0b75d31ce2dc621e8ef161338c6450bb017cd06895745690603729e |
| SHA512 | bac5729a3eb53e9bc7b680671d028cabef5ea102dfaa48a7c453b67f8ecb358db9f8fb16b3b1d9ea5a2dff34f459f6ac87f3a563c736d81d31048766198ff11e |
\Users\Admin\AppData\Roaming\vcruntime140.dll
| MD5 | f12681a472b9dd04a812e16096514974 |
| SHA1 | 6fd102eb3e0b0e6eef08118d71f28702d1a9067c |
| SHA256 | d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8 |
| SHA512 | 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2 |
\Users\Admin\AppData\Roaming\vcruntime140_1.dll
| MD5 | 75e78e4bf561031d39f86143753400ff |
| SHA1 | 324c2a99e39f8992459495182677e91656a05206 |
| SHA256 | 1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e |
| SHA512 | ce4daf46bce44a89d21308c63e2de8b757a23be2630360209c4a25eb13f1f66a04fbb0a124761a33bbf34496f2f2a02b8df159b4b62f1b6241e1dbfb0e5d9756 |
C:\Users\Admin\AppData\Roaming\Qt5Gui.dll
| MD5 | 34893cb3d9a2250f0edecd68aedb72c7 |
| SHA1 | 37161412df2c1313a54749fe6f33e4dbf41d128a |
| SHA256 | ca8334b2e63bc01f0749afeb9e87943c29882131efe58608ea25732961b2df34 |
| SHA512 | 484e32832d69ec1799bd1bcc694418801c443c732ed59ecd76b3f67abf0b1c97d64ae123728dfa99013df846ba45be310502ef6f8da42155da2e89f2a1e8cb2c |
C:\Users\Admin\AppData\Roaming\Qt5Network.dll
| MD5 | fe5ed4c5da03077f98c3efa91ecefd81 |
| SHA1 | e23e839ec0602662788f761ebe7dd4b39c018a7f |
| SHA256 | d992aaeb21cb567113126c2912cf75e892c8e3ead5d50147a11abe704b9e2e2b |
| SHA512 | 22514732a0edf8fc2b8770139599132429080b86d2844143d21bb834cbddaaa077d763969960e39e2050a69493c1aae191600e5df6107bde90fae589a054f071 |
C:\Users\Admin\AppData\Roaming\Qt5PrintSupport.dll
| MD5 | d0634933db2745397a603d5976bee8e7 |
| SHA1 | ddec98433bcfec1d9e38557d803bc73e1ff883b6 |
| SHA256 | 7d91d3d341dbba568e2d19382e9d58a42a0d78064c3ad7adfe3c7bb14742c2b1 |
| SHA512 | 9271370cd22115f68bd62572640525e086a05d75f5bc768f06e20b90b48a182f29a658a07099c7bc1e99bf0ffcf1229709524e2af6745d6fed7b41c1addd09f1 |
C:\Users\Admin\AppData\Roaming\Qt5Widgets.dll
| MD5 | c502bb8a4a7dc3724ab09292cd3c70d6 |
| SHA1 | ff44fddeec2d335ec0eaa861714b561f899675fd |
| SHA256 | 4266918226c680789d49cf2407a7fec012b0ed872adafb84c7719e645f9b2e6d |
| SHA512 | 73bef89503ce032fba278876b7dab9eac275632df7a72c77093d433c932272da997e8fbeb431a09d84baac7b2ab2e55222ff687893311949a5603e738bfa6617 |
memory/2304-57-0x000007FEF49D0000-0x000007FEF4F1E000-memory.dmp
C:\Users\Admin\AppData\Roaming\uarrwmx
| MD5 | 2c7353da4574e3bb2d66965717d45001 |
| SHA1 | 5fc5523ee0b685e602707b4f5f98f657454743f5 |
| SHA256 | 7652be5fde7c4dec0b4afa5eed98c3f1dd0e268376694bf37299e7e5f9ce290c |
| SHA512 | 4239d3e02dbfbfd7b60f7bed2d11780c6c7912e4ea1a653a56402c2584371a1517804e7f85afaea32043c904fc47fe60ccbb11cf6887cb30fd8518aef01ff480 |
C:\Users\Admin\AppData\Roaming\mpidcu
| MD5 | 7bd89ff94b0a9abd5e989bece470730b |
| SHA1 | 531b309cdbec7ad61ba9ffca6f688012fdb8acc1 |
| SHA256 | 90e70abbdd35d7fd3818770eca3030e477526b483128caf1eedbe1ba147f0e82 |
| SHA512 | ea930b15d9f6f321e4919db40aca5e2ae92cdc09d9b07d8c7f3170e825d32abe2fa766df1014f4ebbe54c92de27507fef730062ea7defaf9704bf4f2ac84117f |
memory/2304-60-0x000007FEF46A0000-0x000007FEF47F8000-memory.dmp
memory/3044-89-0x00000000009B0000-0x0000000000D74000-memory.dmp
memory/2616-100-0x000007FEF2FB0000-0x000007FEF3108000-memory.dmp
memory/2616-97-0x000007FEF4940000-0x000007FEF4E8E000-memory.dmp
memory/3044-101-0x000000001B6F0000-0x000000001BCB0000-memory.dmp
memory/2616-80-0x000000013F500000-0x000000013F57D000-memory.dmp
memory/2304-77-0x000000013F2B0000-0x000000013F32D000-memory.dmp
memory/2304-74-0x000000013F500000-0x000000013F57D000-memory.dmp
memory/2616-102-0x000007FEF2FB0000-0x000007FEF3108000-memory.dmp
memory/3044-103-0x0000000000150000-0x0000000000156000-memory.dmp
memory/2616-106-0x000000013F500000-0x000000013F57D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b7ca5048
| MD5 | 1b6330e55c32b93c5cf5dcd4893a2361 |
| SHA1 | 1af56815fd001571c4ff467f4a7dda951129b4ce |
| SHA256 | 8543c31be5a24408b2f790421f12fc804ef5ac6cd2e0c8b0fb3515be6d75ef44 |
| SHA512 | 41c931aa7d71482a687570d8d4c8b5597de997ccf7fed6a90ab2b438a086a8c0635764bb31a25cafbb4f2f391859bb22c58c97d24761fce19cc23b0ec54c04cd |
memory/3044-108-0x0000000000290000-0x000000000029A000-memory.dmp
memory/2816-109-0x0000000077460000-0x0000000077609000-memory.dmp
memory/2816-137-0x0000000000240000-0x0000000000250000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabFECB.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/3044-173-0x0000000000290000-0x000000000029A000-memory.dmp
memory/2816-174-0x0000000074C80000-0x0000000074DF4000-memory.dmp
memory/2816-175-0x0000000000240000-0x0000000000250000-memory.dmp
memory/440-177-0x0000000077460000-0x0000000077609000-memory.dmp
memory/440-178-0x0000000000400000-0x0000000000483000-memory.dmp
memory/440-180-0x0000000000400000-0x0000000000483000-memory.dmp
memory/440-181-0x0000000000400000-0x0000000000483000-memory.dmp
memory/440-182-0x0000000000400000-0x0000000000483000-memory.dmp
memory/440-183-0x0000000000400000-0x0000000000483000-memory.dmp
memory/440-184-0x0000000000400000-0x0000000000483000-memory.dmp
memory/440-185-0x0000000000400000-0x0000000000483000-memory.dmp
memory/440-186-0x0000000000400000-0x0000000000483000-memory.dmp
memory/440-187-0x0000000000400000-0x0000000000483000-memory.dmp
memory/440-188-0x0000000000400000-0x0000000000483000-memory.dmp
memory/440-189-0x0000000000400000-0x0000000000483000-memory.dmp
memory/440-190-0x0000000000400000-0x0000000000483000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 02:11
Reported
2024-11-13 02:14
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Remcos
Remcos family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DeAct.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Ultrajava\DeAct.exe | N/A |
Loads dropped DLL
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3908 set thread context of 1892 | N/A | C:\Users\Admin\AppData\Roaming\Ultrajava\DeAct.exe | C:\Windows\SysWOW64\cmd.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DeAct.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Ultrajava\DeAct.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Ultrajava\DeAct.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Ultrajava\DeAct.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
"C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe"
C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
"C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe" /VERYSILENT
C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
"C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe"
C:\Users\Admin\AppData\Roaming\DeAct.exe
"C:\Users\Admin\AppData\Roaming\DeAct.exe"
C:\Users\Admin\AppData\Roaming\Ultrajava\DeAct.exe
C:\Users\Admin\AppData\Roaming\Ultrajava\DeAct.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gpu.me | udp |
| US | 104.21.53.3:80 | gpu.me | tcp |
| US | 8.8.8.8:53 | 3.53.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.techpowerup.com | udp |
| US | 138.199.40.9:443 | www.techpowerup.com | tcp |
| US | 8.8.8.8:53 | 9.40.199.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
| FI | 95.217.148.142:9001 | | tcp |
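Both behavioral runs record the same chain: a dropper in a user-writable path (AppData\Roaming\Ultrajava\DeAct.exe) sets the thread context of a SysWOW64 cmd.exe it spawned (the classic process-hollowing pattern), and the run then produces dozens of TCP connections to 95.217.148.142:9001. The script below is an added example of detection logic over a Sysmon-style event stream, not part of the sandbox report. The event schema, the threshold, and all PIDs and parent links other than the 2616 -> 2816 pair from the behavioral1 SetThreadContext signature are assumptions; the process attributed to the outbound connections is also assumed, since the report does not attribute them.

```python
"""Detection logic for the chain recorded in behavioral1 and behavioral2:
an executable in a user-writable path sets the thread context of a
suspended system binary it spawned (process hollowing), and a descendant
of that hollowed process then opens many TCP connections to one high
port. Added example, not part of the sandbox report. The event schema
is a simplified Sysmon-style model; PIDs 2616 and 2816 are taken from the
report's SetThreadContext signature, all other PIDs, the parent links and
the process attributed to the outbound connections are assumptions."""
import re
from collections import Counter

USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
SYSTEM_BINARY = re.compile(r"^[A-Z]:\\Windows\\(System32|SysWOW64)\\", re.IGNORECASE)
COMMON_WEB_PORTS = {80, 443}

TEMP = r"C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe"
ROAM = r"C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe"
DEACT = r"C:\Users\Admin\AppData\Roaming\Ultrajava\DeAct.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
EXPLORER = r"C:\Windows\SysWOW64\explorer.exe"

# Constructed event stream modelled on behavioral1 (see module docstring for
# which values are assumptions). The 50 connections mirror the 50 rows to
# 95.217.148.142:9001 in that run's Network table.
EVENTS = [
    {"type": "process_create", "pid": 2292, "ppid": 1400, "image": TEMP},
    {"type": "process_create", "pid": 1908, "ppid": 2292, "image": TEMP},
    {"type": "process_create", "pid": 2304, "ppid": 1908, "image": ROAM},
    {"type": "process_create", "pid": 2616, "ppid": 2304, "image": DEACT},
    {"type": "process_create", "pid": 2816, "ppid": 2616, "image": CMD},
    {"type": "set_thread_context", "pid": 2616, "target_pid": 2816},
    {"type": "process_create", "pid": 440, "ppid": 2816, "image": EXPLORER},
    {"type": "network_connect", "pid": 2292, "dst": "138.199.40.9", "dport": 443, "proto": "tcp"},
] + [
    {"type": "network_connect", "pid": 440, "dst": "95.217.148.142", "dport": 9001, "proto": "tcp"}
    for _ in range(50)
]


def _images(events):
    return {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}


def _parents(events):
    return {e["pid"]: e["ppid"] for e in events if e["type"] == "process_create"}


def detect_hollowing(events):
    """SetThreadContext from a user-writable image into its own child that is a
    system binary. Requiring the parent link cuts out debuggers and legitimate
    tooling that touch unrelated processes."""
    images, parents = _images(events), _parents(events)
    findings = []
    for e in events:
        if e["type"] != "set_thread_context":
            continue
        src, dst = images.get(e["pid"], ""), images.get(e["target_pid"], "")
        if (USER_WRITABLE.match(src) and SYSTEM_BINARY.match(dst)
                and parents.get(e["target_pid"]) == e["pid"]):
            findings.append({"rule": "hollowing", "pid": e["pid"],
                             "target_pid": e["target_pid"], "source": src, "target": dst})
    return findings


def detect_beaconing(events, min_connections=10):
    """One process repeatedly connecting to a single IP:port outside the usual
    web ports. The threshold is a tuning knob, not a fact from the report."""
    images = _images(events)
    counts = Counter((e["pid"], e["dst"], e["dport"]) for e in events
                     if e["type"] == "network_connect" and e["proto"] == "tcp")
    return [{"rule": "beaconing", "pid": pid, "image": images.get(pid, ""),
             "dst": f"{dst}:{port}", "connections": n}
            for (pid, dst, port), n in counts.items()
            if n >= min_connections and port not in COMMON_WEB_PORTS]


def _ancestors(pid, parents):
    # Walk pid -> parent -> ...; the seen set guards against cycles in bad data.
    seen = set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        yield pid
        pid = parents.get(pid)


def correlate(events, min_connections=10):
    """Escalate beaconing when the connecting process descends from a hollowed
    target: that join is what separates this chain from a chatty updater."""
    parents = _parents(events)
    hollowed = {f["target_pid"] for f in detect_hollowing(events)}
    return [{**b, "rule": "hollowed_process_beaconing", "severity": "high"}
            for b in detect_beaconing(events, min_connections)
            if any(p in hollowed for p in _ancestors(b["pid"], parents))]


if __name__ == "__main__":
    for alert in detect_hollowing(EVENTS) + detect_beaconing(EVENTS) + correlate(EVENTS):
        print(alert)
```

The two base rules fire on their own, but the correlation is the useful alert: a single SetThreadContext or a burst of connections each has benign explanations, whereas beaconing from a descendant of a hollowed system binary rarely does. The www.techpowerup.com traffic on 443 in the report is excluded by design, so the installer's legitimate-looking download does not contribute noise.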
Files
memory/2280-0-0x0000000000D20000-0x0000000000D21000-memory.dmp
memory/516-3-0x00000000008F0000-0x00000000008F1000-memory.dmp
memory/2280-4-0x0000000000400000-0x000000000070A000-memory.dmp
C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
| MD5 | 41421866b825dbdcc5f29a0bbd484362 |
| SHA1 | f7637ef22c82a108ab4668baca40e4f03eb49a5c |
| SHA256 | efecb17d9d73082bf28a6e7c6bb87a81c65a59b2d4d14251678da3cffa6a12a1 |
| SHA512 | 72ba988029e87661ad2adf68f79d054febe499d2fb3220518df7372b953d761acf88470f1620f7660eba963c42bc9327ad070b0c386282f6654f80b0ed50599d |
C:\Users\Admin\AppData\Roaming\DeAct.exe
| MD5 | 411cd1175b5e21b6a3c6a72c34e8773c |
| SHA1 | faabd22ddca0062dd3d7bc534e49078ee5d84be8 |
| SHA256 | 116b75d94dacf676931ff8623a0b34f3ea75b52d67b0494fefd1b8dce6bc121a |
| SHA512 | 6414d174a17edf813bb7f739b9d625c4489dd4a45c56932fad7f222a2b8ea646fd2316cdba4e421225cbdf4aeb245329aa5bb3034e2b54e3859dcd89c7d1dd90 |
C:\Users\Admin\AppData\Roaming\Qt5Gui.dll
| MD5 | 34893cb3d9a2250f0edecd68aedb72c7 |
| SHA1 | 37161412df2c1313a54749fe6f33e4dbf41d128a |
| SHA256 | ca8334b2e63bc01f0749afeb9e87943c29882131efe58608ea25732961b2df34 |
| SHA512 | 484e32832d69ec1799bd1bcc694418801c443c732ed59ecd76b3f67abf0b1c97d64ae123728dfa99013df846ba45be310502ef6f8da42155da2e89f2a1e8cb2c |
C:\Users\Admin\AppData\Roaming\Qt5Core.dll
| MD5 | 2be4a1cf7511bbb244fe323af4f117d2 |
| SHA1 | a7e79fae4522bad1c05c865c07acfa91028598a8 |
| SHA256 | 7d6375d15e38ce9b3814089215d3969ce5430f83d01bd6519e2cbd1eb8d48b40 |
| SHA512 | 7fb194433d15a6577e90d33dbeb2a64942585c82b46f120eec0f4e93b09f8895e37a1dd4c09a4273127b0f7f9985ab69b1fba524fa9068e19d9952888a2aaf5f |
memory/516-60-0x0000000000400000-0x000000000070A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Qt5Widgets.dll
| MD5 | c502bb8a4a7dc3724ab09292cd3c70d6 |
| SHA1 | ff44fddeec2d335ec0eaa861714b561f899675fd |
| SHA256 | 4266918226c680789d49cf2407a7fec012b0ed872adafb84c7719e645f9b2e6d |
| SHA512 | 73bef89503ce032fba278876b7dab9eac275632df7a72c77093d433c932272da997e8fbeb431a09d84baac7b2ab2e55222ff687893311949a5603e738bfa6617 |
C:\Users\Admin\AppData\Roaming\uarrwmx
| MD5 | 2c7353da4574e3bb2d66965717d45001 |
| SHA1 | 5fc5523ee0b685e602707b4f5f98f657454743f5 |
| SHA256 | 7652be5fde7c4dec0b4afa5eed98c3f1dd0e268376694bf37299e7e5f9ce290c |
| SHA512 | 4239d3e02dbfbfd7b60f7bed2d11780c6c7912e4ea1a653a56402c2584371a1517804e7f85afaea32043c904fc47fe60ccbb11cf6887cb30fd8518aef01ff480 |
memory/3088-63-0x00007FFA870F0000-0x00007FFA87262000-memory.dmp
C:\Users\Admin\AppData\Roaming\mpidcu
| MD5 | 7bd89ff94b0a9abd5e989bece470730b |
| SHA1 | 531b309cdbec7ad61ba9ffca6f688012fdb8acc1 |
| SHA256 | 90e70abbdd35d7fd3818770eca3030e477526b483128caf1eedbe1ba147f0e82 |
| SHA512 | ea930b15d9f6f321e4919db40aca5e2ae92cdc09d9b07d8c7f3170e825d32abe2fa766df1014f4ebbe54c92de27507fef730062ea7defaf9704bf4f2ac84117f |
memory/3088-58-0x00007FFA875B0000-0x00007FFA87AFE000-memory.dmp
C:\Users\Admin\AppData\Roaming\Ultrajava\Qt5PrintSupport.dll
| MD5 | d0634933db2745397a603d5976bee8e7 |
| SHA1 | ddec98433bcfec1d9e38557d803bc73e1ff883b6 |
| SHA256 | 7d91d3d341dbba568e2d19382e9d58a42a0d78064c3ad7adfe3c7bb14742c2b1 |
| SHA512 | 9271370cd22115f68bd62572640525e086a05d75f5bc768f06e20b90b48a182f29a658a07099c7bc1e99bf0ffcf1229709524e2af6745d6fed7b41c1addd09f1 |
memory/3908-102-0x00007FFA88050000-0x00007FFA881C2000-memory.dmp
memory/232-103-0x0000019D2F840000-0x0000019D2FE00000-memory.dmp
memory/232-104-0x0000019D16DA0000-0x0000019D16DC2000-memory.dmp
memory/232-106-0x0000019D154A0000-0x0000019D154A6000-memory.dmp
memory/232-105-0x0000019D302D0000-0x0000019D3079C000-memory.dmp
memory/3908-98-0x00007FFA883C0000-0x00007FFA8890E000-memory.dmp
memory/232-107-0x0000019D16FB0000-0x0000019D16FB8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Ultrajava\vcruntime140_1.dll
| MD5 | 75e78e4bf561031d39f86143753400ff |
| SHA1 | 324c2a99e39f8992459495182677e91656a05206 |
| SHA256 | 1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e |
| SHA512 | ce4daf46bce44a89d21308c63e2de8b757a23be2630360209c4a25eb13f1f66a04fbb0a124761a33bbf34496f2f2a02b8df159b4b62f1b6241e1dbfb0e5d9756 |
C:\Users\Admin\AppData\Roaming\Ultrajava\vcruntime140.dll
| MD5 | f12681a472b9dd04a812e16096514974 |
| SHA1 | 6fd102eb3e0b0e6eef08118d71f28702d1a9067c |
| SHA256 | d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8 |
| SHA512 | 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2 |
C:\Users\Admin\AppData\Roaming\Ultrajava\msvcp140.dll
| MD5 | 7db24201efea565d930b7ec3306f4308 |
| SHA1 | 880c8034b1655597d0eebe056719a6f79b60e03c |
| SHA256 | 72fe4598f0b75d31ce2dc621e8ef161338c6450bb017cd06895745690603729e |
| SHA512 | bac5729a3eb53e9bc7b680671d028cabef5ea102dfaa48a7c453b67f8ecb358db9f8fb16b3b1d9ea5a2dff34f459f6ac87f3a563c736d81d31048766198ff11e |
C:\Users\Admin\AppData\Roaming\Ultrajava\Qt5Network.dll
| MD5 | fe5ed4c5da03077f98c3efa91ecefd81 |
| SHA1 | e23e839ec0602662788f761ebe7dd4b39c018a7f |
| SHA256 | d992aaeb21cb567113126c2912cf75e892c8e3ead5d50147a11abe704b9e2e2b |
| SHA512 | 22514732a0edf8fc2b8770139599132429080b86d2844143d21bb834cbddaaa077d763969960e39e2050a69493c1aae191600e5df6107bde90fae589a054f071 |
memory/3088-84-0x00007FF7B1F30000-0x00007FF7B1FAD000-memory.dmp
memory/3908-79-0x00007FF75DF90000-0x00007FF75E00D000-memory.dmp
memory/232-59-0x0000019D14D30000-0x0000019D150F4000-memory.dmp
memory/232-40-0x00007FFA89F13000-0x00007FFA89F15000-memory.dmp
memory/3088-39-0x00007FF7B1F30000-0x00007FF7B1FAD000-memory.dmp
memory/3908-108-0x00007FFA88050000-0x00007FFA881C2000-memory.dmp
memory/3908-113-0x00007FF75DF90000-0x00007FF75E00D000-memory.dmp
memory/232-110-0x0000019D30080000-0x0000019D3008E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\269bdddc
| MD5 | cdc2145f9c8f28e729723360a24849f2 |
| SHA1 | 5d40d3eef5727c44d9d815095d1774ea0f93df85 |
| SHA256 | afc4fc10d42f53f5e7b0f8c2f588cae4768b81d028acafc8c0b3fff573165c97 |
| SHA512 | 9e417a35dfab2776aa53ec2af155d3012ace0b0507bb4f434de805f21ee636517d59a18769f36cb85068859e98fc9144d7c4f4fc764cee14ea4d0f7810f9a877 |
memory/232-109-0x0000019D30BE0000-0x0000019D30C18000-memory.dmp
memory/1892-115-0x00007FFAA89F0000-0x00007FFAA8BE5000-memory.dmp
memory/232-117-0x00007FFA89F13000-0x00007FFA89F15000-memory.dmp
memory/1892-118-0x0000000074FE0000-0x000000007515B000-memory.dmp
memory/1484-120-0x00007FFAA89F0000-0x00007FFAA8BE5000-memory.dmp
memory/1484-121-0x00000000010E0000-0x0000000001163000-memory.dmp
memory/1484-125-0x00000000010E0000-0x0000000001163000-memory.dmp
memory/1484-126-0x00000000010E0000-0x0000000001163000-memory.dmp
memory/1484-127-0x00000000010E0000-0x0000000001163000-memory.dmp
memory/1484-128-0x00000000010E0000-0x0000000001163000-memory.dmp
memory/1484-129-0x00000000010E0000-0x0000000001163000-memory.dmp
memory/1484-130-0x00000000010E0000-0x0000000001163000-memory.dmp
memory/1484-131-0x00000000010E0000-0x0000000001163000-memory.dmp
memory/1484-132-0x00000000010E0000-0x0000000001163000-memory.dmp
memory/1484-133-0x00000000010E0000-0x0000000001163000-memory.dmp
memory/1484-134-0x00000000010E0000-0x0000000001163000-memory.dmp
memory/1484-135-0x00000000010E0000-0x0000000001163000-memory.dmp