Malware Analysis Report

2024-12-07 03:21

Sample ID: 241113-cqaxvsvcpf
Target: 25d5aa81d0fc186731633e54266294d668b03501342a2d980f826c694c8b068d.zip
SHA256: 25d5aa81d0fc186731633e54266294d668b03501342a2d980f826c694c8b068d
Tags: remcos new discovery rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 25d5aa81d0fc186731633e54266294d668b03501342a2d980f826c694c8b068d

Threat Level: Known bad

The file 25d5aa81d0fc186731633e54266294d668b03501342a2d980f826c694c8b068d.zip was found to be: Known bad.

Malicious Activity Summary

remcos new discovery rat

Remcos family

Remcos

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 02:16

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 02:16

Reported

2024-11-13 02:18

Platform

win7-20240903-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe"

Signatures

Remcos

rat remcos

Remcos family

remcos

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2600 set thread context of 2648 | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | C:\Windows\SysWOW64\cmd.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\scr_previw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2384 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
PID 3028 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
PID 3028 wrote to memory of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | C:\Users\Admin\AppData\Roaming\scr_previw.exe
PID 2208 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Roaming\scr_previw.exe | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
PID 2600 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 3008 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe

"C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe"

C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe

"C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe" /VERYSILENT

C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe

"C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe"

C:\Users\Admin\AppData\Roaming\scr_previw.exe

"C:\Users\Admin\AppData\Roaming\scr_previw.exe"

C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe

C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | gpu.me | udp
US | 104.21.53.3:80 | gpu.me | tcp
US | 172.67.206.142:80 | gpu.me | tcp
US | 8.8.8.8:53 | www.techpowerup.com | udp
US | 138.199.40.9:443 | www.techpowerup.com | tcp
FI | 95.217.148.142:9004 | | tcp

Files

memory/2384-0-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2384-3-0x0000000000400000-0x000000000070A000-memory.dmp

C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe

MD5 41421866b825dbdcc5f29a0bbd484362
SHA1 f7637ef22c82a108ab4668baca40e4f03eb49a5c
SHA256 efecb17d9d73082bf28a6e7c6bb87a81c65a59b2d4d14251678da3cffa6a12a1
SHA512 72ba988029e87661ad2adf68f79d054febe499d2fb3220518df7372b953d761acf88470f1620f7660eba963c42bc9327ad070b0c386282f6654f80b0ed50599d

\Users\Admin\AppData\Roaming\scr_previw.exe

MD5 d9530ecee42acccfd3871672a511bc9e
SHA1 89b4d2406f1294bd699ef231a4def5f495f12778
SHA256 81e04f9a131534acc0e9de08718c062d3d74c80c7f168ec7e699cd4b2bd0f280
SHA512 d5f048ea995affdf9893ec4c5ac5eb188b6714f5b6712e0b5a316702033421b145b8ee6a62d303eb4576bf8f57273ff35c5d675807563a31157136f79d8a9980

C:\Users\Admin\AppData\Roaming\d3dx9_43.dll

MD5 e8ad346c114fda96fca288966eae8e92
SHA1 fdfad7f2030b54f076b2a2e24ef1199abf2588e6
SHA256 7e04681fdc438855e5b27a92c73b74ccb0a13338ee24a5054571b8efd8918ba0
SHA512 d63e542de66eb09d6847ed99e173763b7c24335566f650bdb198d4279b0de6e14cb4a03f29c66b5d7d6c480a6f520f677fccf8cbf51dc5db3f8af6c5412d7549

memory/3028-28-0x0000000000400000-0x000000000070A000-memory.dmp

C:\Users\Admin\AppData\Roaming\gbxchd

MD5 162ba47ec20e7fb580672579a6fef9d2
SHA1 a6b52b8f549ca44ffe821f65e846b869da544c28
SHA256 227baa93552cc95a5d2142c23c27f2006e41093cfe24f89bea1b8fe8abbac159
SHA512 135e057a779e5ed593f455ecc646dbf0f21b0bab909e0d8c3d83c7817e82e52115551cd6710b75dbfb9026393861e6f24f63ec59722d1e73553df97ac0e55cd4

memory/3064-30-0x00000000001A0000-0x0000000000564000-memory.dmp

memory/3064-31-0x000000001B580000-0x000000001BB40000-memory.dmp

C:\Users\Admin\AppData\Roaming\cygrt

MD5 a727c368e3a6c273f28c80607f2df861
SHA1 a31a2b4a4677d58bf9f7126da6dedaf4502eb283
SHA256 bc5e2a7118a6e0a37b968dca2c110dd9db9a4359f6aea13f41ac04c663d066ca
SHA512 b7a47943727fced7da83f89d8eac50a50308a8a7abacf57b7ffcc0b2c05349360a8af60f3ab81755ba456b956b022c99f21692d339d399a42a5b8d9860b9045d

memory/2208-33-0x00000000745C0000-0x0000000074734000-memory.dmp

memory/2208-34-0x00000000771E0000-0x0000000077389000-memory.dmp

memory/3064-46-0x0000000000140000-0x0000000000146000-memory.dmp

memory/3064-48-0x0000000000190000-0x000000000019A000-memory.dmp

memory/3064-49-0x0000000000190000-0x000000000019A000-memory.dmp

memory/2600-51-0x00000000744D0000-0x0000000074644000-memory.dmp

memory/2600-52-0x00000000771E0000-0x0000000077389000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabCCC3.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/2600-69-0x00000000744D0000-0x0000000074644000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\94979ad4

MD5 4ca5da99e65d3907e2507789e95907dd
SHA1 34809691eb9e148fb11100c7f61c2ad0fb675f61
SHA256 b37c5ed5ff627f13efc8db86ae695568d6de337f50a1f145865b679826772e7a
SHA512 50b9cf7fdb721b0d87c090b6817e3ee0f859ffe12ccc67d16dd07c8a3c85ddfab12b2b04ab647d862eec6e547335f0fce06a730926025ac4f5b18cc9e7432143

memory/3064-72-0x0000000000190000-0x000000000019A000-memory.dmp

memory/2648-73-0x00000000771E0000-0x0000000077389000-memory.dmp

memory/2648-119-0x00000000744D0000-0x0000000074644000-memory.dmp

memory/3008-121-0x00000000771E0000-0x0000000077389000-memory.dmp

memory/3008-122-0x0000000000400000-0x0000000000484000-memory.dmp

memory/3008-124-0x0000000000400000-0x0000000000484000-memory.dmp

memory/3008-125-0x0000000000400000-0x0000000000484000-memory.dmp

memory/3008-126-0x0000000000400000-0x0000000000484000-memory.dmp

memory/3008-127-0x0000000000400000-0x0000000000484000-memory.dmp

memory/3008-128-0x0000000000400000-0x0000000000484000-memory.dmp

memory/3008-129-0x0000000000400000-0x0000000000484000-memory.dmp

memory/3008-130-0x0000000000400000-0x0000000000484000-memory.dmp

memory/3008-131-0x0000000000400000-0x0000000000484000-memory.dmp

memory/3008-132-0x0000000000400000-0x0000000000484000-memory.dmp

memory/3008-133-0x0000000000400000-0x0000000000484000-memory.dmp

memory/3008-134-0x0000000000400000-0x0000000000484000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 02:16

Reported

2024-11-13 02:18

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe"

Signatures

Remcos

rat remcos

Remcos family

remcos

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\scr_previw.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3380 set thread context of 4500 | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | C:\Windows\SysWOW64\cmd.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\scr_previw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3004 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
PID 1696 wrote to memory of 4340 | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
PID 1696 wrote to memory of 216 | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | C:\Users\Admin\AppData\Roaming\scr_previw.exe
PID 216 wrote to memory of 3380 | N/A | C:\Users\Admin\AppData\Roaming\scr_previw.exe | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
PID 3380 wrote to memory of 4500 | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | C:\Windows\SysWOW64\cmd.exe
PID 4500 wrote to memory of 784 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe

"C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe"

C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe

"C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe" /VERYSILENT

C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe

"C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe"

C:\Users\Admin\AppData\Roaming\scr_previw.exe

"C:\Users\Admin\AppData\Roaming\scr_previw.exe"

C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe

C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | gpu.me | udp
US | 172.67.206.142:80 | gpu.me | tcp
US | 8.8.8.8:53 | 142.206.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | www.techpowerup.com | udp
US | 138.199.40.9:443 | www.techpowerup.com | tcp
US | 8.8.8.8:53 | 9.40.199.138.in-addr.arpa | udp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp
FI | 95.217.148.142:9004 | | tcp
US | 8.8.8.8:53 | 74.208.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp

Files

memory/3004-0-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

memory/3004-3-0x0000000000400000-0x000000000070A000-memory.dmp

memory/1696-5-0x00000000009F0000-0x00000000009F1000-memory.dmp

C:\Users\Admin\AppData\Roaming\scr_previw.exe

MD5 d9530ecee42acccfd3871672a511bc9e
SHA1 89b4d2406f1294bd699ef231a4def5f495f12778
SHA256 81e04f9a131534acc0e9de08718c062d3d74c80c7f168ec7e699cd4b2bd0f280
SHA512 d5f048ea995affdf9893ec4c5ac5eb188b6714f5b6712e0b5a316702033421b145b8ee6a62d303eb4576bf8f57273ff35c5d675807563a31157136f79d8a9980

C:\Users\Admin\AppData\Roaming\d3dx9_43.dll

MD5 e8ad346c114fda96fca288966eae8e92
SHA1 fdfad7f2030b54f076b2a2e24ef1199abf2588e6
SHA256 7e04681fdc438855e5b27a92c73b74ccb0a13338ee24a5054571b8efd8918ba0
SHA512 d63e542de66eb09d6847ed99e173763b7c24335566f650bdb198d4279b0de6e14cb4a03f29c66b5d7d6c480a6f520f677fccf8cbf51dc5db3f8af6c5412d7549

memory/4340-27-0x000001F0990D0000-0x000001F099494000-memory.dmp

memory/1696-28-0x0000000000400000-0x000000000070A000-memory.dmp

memory/4340-24-0x00007FFB65723000-0x00007FFB65725000-memory.dmp

C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe

MD5 41421866b825dbdcc5f29a0bbd484362
SHA1 f7637ef22c82a108ab4668baca40e4f03eb49a5c
SHA256 efecb17d9d73082bf28a6e7c6bb87a81c65a59b2d4d14251678da3cffa6a12a1
SHA512 72ba988029e87661ad2adf68f79d054febe499d2fb3220518df7372b953d761acf88470f1620f7660eba963c42bc9327ad070b0c386282f6654f80b0ed50599d

C:\Users\Admin\AppData\Roaming\gbxchd

MD5 162ba47ec20e7fb580672579a6fef9d2
SHA1 a6b52b8f549ca44ffe821f65e846b869da544c28
SHA256 227baa93552cc95a5d2142c23c27f2006e41093cfe24f89bea1b8fe8abbac159
SHA512 135e057a779e5ed593f455ecc646dbf0f21b0bab909e0d8c3d83c7817e82e52115551cd6710b75dbfb9026393861e6f24f63ec59722d1e73553df97ac0e55cd4

memory/4340-30-0x000001F0B3A90000-0x000001F0B4050000-memory.dmp

memory/4340-31-0x000001F099860000-0x000001F099882000-memory.dmp

memory/4340-32-0x000001F0B5380000-0x000001F0B584C000-memory.dmp

memory/4340-33-0x000001F099830000-0x000001F099836000-memory.dmp

memory/4340-34-0x000001F0B3A30000-0x000001F0B3A38000-memory.dmp

memory/4340-36-0x000001F0B5210000-0x000001F0B521E000-memory.dmp

memory/4340-35-0x000001F0B5250000-0x000001F0B5288000-memory.dmp

C:\Users\Admin\AppData\Roaming\cygrt

MD5 a727c368e3a6c273f28c80607f2df861
SHA1 a31a2b4a4677d58bf9f7126da6dedaf4502eb283
SHA256 bc5e2a7118a6e0a37b968dca2c110dd9db9a4359f6aea13f41ac04c663d066ca
SHA512 b7a47943727fced7da83f89d8eac50a50308a8a7abacf57b7ffcc0b2c05349360a8af60f3ab81755ba456b956b022c99f21692d339d399a42a5b8d9860b9045d

memory/216-38-0x0000000075630000-0x00000000757AB000-memory.dmp

memory/216-39-0x00007FFB84990000-0x00007FFB84B85000-memory.dmp

memory/3380-51-0x0000000075630000-0x00000000757AB000-memory.dmp

memory/3380-52-0x00007FFB84990000-0x00007FFB84B85000-memory.dmp

memory/3380-53-0x0000000075630000-0x00000000757AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2b3d712f

MD5 4e1f1e875207d534293a1db99d39ac34
SHA1 73f4a8643584020de0e6aff0f8ca7e8dd8e91e38
SHA256 f532630cdb3f405c7e74d4b6c96e596e374f9056bf8f81e8b1ad15d1c6179709
SHA512 240b7bb264466db60fa76dbd4111167eb7e0f3611c23898406d2da41bc2d12fc2fbefab55892c9921eca91218ac4a003fcb200a2de9a150454ca5d453aefe51a

memory/4340-56-0x00007FFB65723000-0x00007FFB65725000-memory.dmp

memory/4500-57-0x00007FFB84990000-0x00007FFB84B85000-memory.dmp

memory/4500-59-0x0000000075630000-0x00000000757AB000-memory.dmp

memory/784-61-0x00007FFB84990000-0x00007FFB84B85000-memory.dmp

memory/784-62-0x0000000000400000-0x0000000000484000-memory.dmp

memory/784-65-0x0000000000400000-0x0000000000484000-memory.dmp

memory/784-66-0x0000000000400000-0x0000000000484000-memory.dmp

memory/784-67-0x0000000000400000-0x0000000000484000-memory.dmp

memory/784-68-0x0000000000400000-0x0000000000484000-memory.dmp

memory/784-69-0x0000000000400000-0x0000000000484000-memory.dmp

memory/784-70-0x0000000000400000-0x0000000000484000-memory.dmp

memory/784-71-0x0000000000400000-0x0000000000484000-memory.dmp

memory/784-72-0x0000000000400000-0x0000000000484000-memory.dmp

memory/784-73-0x0000000000400000-0x0000000000484000-memory.dmp

memory/784-74-0x0000000000400000-0x0000000000484000-memory.dmp