Analysis Overview
SHA256
25d5aa81d0fc186731633e54266294d668b03501342a2d980f826c694c8b068d
Threat Level: Known bad
The file 25d5aa81d0fc186731633e54266294d668b03501342a2d980f826c694c8b068d.zip was found to be: Known bad.
Malicious Activity Summary
Remcos family
Remcos
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 02:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 02:16
Reported
2024-11-13 02:18
Platform
win7-20240903-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Remcos
Remcos family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\scr_previw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\scr_previw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\scr_previw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2600 set thread context of 2648 | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | C:\Windows\SysWOW64\cmd.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\scr_previw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\scr_previw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
"C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe"
C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
"C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe" /VERYSILENT
C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
"C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe"
C:\Users\Admin\AppData\Roaming\scr_previw.exe
"C:\Users\Admin\AppData\Roaming\scr_previw.exe"
C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gpu.me | udp |
| US | 8.8.8.8:53 | gpu.me | udp |
| US | 104.21.53.3:80 | gpu.me | tcp |
| US | 172.67.206.142:80 | gpu.me | tcp |
| US | 8.8.8.8:53 | www.techpowerup.com | udp |
| US | 138.199.40.9:443 | www.techpowerup.com | tcp |
| FI | 95.217.148.142:9004 | | tcp |
Files
memory/2384-0-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/2384-3-0x0000000000400000-0x000000000070A000-memory.dmp
C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
| MD5 | 41421866b825dbdcc5f29a0bbd484362 |
| SHA1 | f7637ef22c82a108ab4668baca40e4f03eb49a5c |
| SHA256 | efecb17d9d73082bf28a6e7c6bb87a81c65a59b2d4d14251678da3cffa6a12a1 |
| SHA512 | 72ba988029e87661ad2adf68f79d054febe499d2fb3220518df7372b953d761acf88470f1620f7660eba963c42bc9327ad070b0c386282f6654f80b0ed50599d |
\Users\Admin\AppData\Roaming\scr_previw.exe
| MD5 | d9530ecee42acccfd3871672a511bc9e |
| SHA1 | 89b4d2406f1294bd699ef231a4def5f495f12778 |
| SHA256 | 81e04f9a131534acc0e9de08718c062d3d74c80c7f168ec7e699cd4b2bd0f280 |
| SHA512 | d5f048ea995affdf9893ec4c5ac5eb188b6714f5b6712e0b5a316702033421b145b8ee6a62d303eb4576bf8f57273ff35c5d675807563a31157136f79d8a9980 |
C:\Users\Admin\AppData\Roaming\d3dx9_43.dll
| MD5 | e8ad346c114fda96fca288966eae8e92 |
| SHA1 | fdfad7f2030b54f076b2a2e24ef1199abf2588e6 |
| SHA256 | 7e04681fdc438855e5b27a92c73b74ccb0a13338ee24a5054571b8efd8918ba0 |
| SHA512 | d63e542de66eb09d6847ed99e173763b7c24335566f650bdb198d4279b0de6e14cb4a03f29c66b5d7d6c480a6f520f677fccf8cbf51dc5db3f8af6c5412d7549 |
memory/3028-28-0x0000000000400000-0x000000000070A000-memory.dmp
C:\Users\Admin\AppData\Roaming\gbxchd
| MD5 | 162ba47ec20e7fb580672579a6fef9d2 |
| SHA1 | a6b52b8f549ca44ffe821f65e846b869da544c28 |
| SHA256 | 227baa93552cc95a5d2142c23c27f2006e41093cfe24f89bea1b8fe8abbac159 |
| SHA512 | 135e057a779e5ed593f455ecc646dbf0f21b0bab909e0d8c3d83c7817e82e52115551cd6710b75dbfb9026393861e6f24f63ec59722d1e73553df97ac0e55cd4 |
memory/3064-30-0x00000000001A0000-0x0000000000564000-memory.dmp
memory/3064-31-0x000000001B580000-0x000000001BB40000-memory.dmp
C:\Users\Admin\AppData\Roaming\cygrt
| MD5 | a727c368e3a6c273f28c80607f2df861 |
| SHA1 | a31a2b4a4677d58bf9f7126da6dedaf4502eb283 |
| SHA256 | bc5e2a7118a6e0a37b968dca2c110dd9db9a4359f6aea13f41ac04c663d066ca |
| SHA512 | b7a47943727fced7da83f89d8eac50a50308a8a7abacf57b7ffcc0b2c05349360a8af60f3ab81755ba456b956b022c99f21692d339d399a42a5b8d9860b9045d |
C:\Users\Admin\AppData\Local\Temp\CabCCC3.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/2600-69-0x00000000744D0000-0x0000000074644000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\94979ad4
| MD5 | 4ca5da99e65d3907e2507789e95907dd |
| SHA1 | 34809691eb9e148fb11100c7f61c2ad0fb675f61 |
| SHA256 | b37c5ed5ff627f13efc8db86ae695568d6de337f50a1f145865b679826772e7a |
| SHA512 | 50b9cf7fdb721b0d87c090b6817e3ee0f859ffe12ccc67d16dd07c8a3c85ddfab12b2b04ab647d862eec6e547335f0fce06a730926025ac4f5b18cc9e7432143 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 02:16
Reported
2024-11-13 02:18
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Remcos
Remcos family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\scr_previw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\scr_previw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3380 set thread context of 4500 | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | C:\Windows\SysWOW64\cmd.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\scr_previw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\scr_previw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
"C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe"
C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
"C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe" /VERYSILENT
C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
"C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe"
C:\Users\Admin\AppData\Roaming\scr_previw.exe
"C:\Users\Admin\AppData\Roaming\scr_previw.exe"
C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gpu.me | udp |
| US | 172.67.206.142:80 | gpu.me | tcp |
| US | 172.67.206.142:80 | gpu.me | tcp |
| US | 8.8.8.8:53 | 142.206.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.techpowerup.com | udp |
| US | 138.199.40.9:443 | www.techpowerup.com | tcp |
| US | 8.8.8.8:53 | 9.40.199.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| FI | 95.217.148.142:9004 | | tcp |
| US | 8.8.8.8:53 | 74.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/3004-0-0x0000000000EB0000-0x0000000000EB1000-memory.dmp
memory/3004-3-0x0000000000400000-0x000000000070A000-memory.dmp
memory/1696-5-0x00000000009F0000-0x00000000009F1000-memory.dmp
C:\Users\Admin\AppData\Roaming\scr_previw.exe
| MD5 | d9530ecee42acccfd3871672a511bc9e |
| SHA1 | 89b4d2406f1294bd699ef231a4def5f495f12778 |
| SHA256 | 81e04f9a131534acc0e9de08718c062d3d74c80c7f168ec7e699cd4b2bd0f280 |
| SHA512 | d5f048ea995affdf9893ec4c5ac5eb188b6714f5b6712e0b5a316702033421b145b8ee6a62d303eb4576bf8f57273ff35c5d675807563a31157136f79d8a9980 |
C:\Users\Admin\AppData\Roaming\d3dx9_43.dll
| MD5 | e8ad346c114fda96fca288966eae8e92 |
| SHA1 | fdfad7f2030b54f076b2a2e24ef1199abf2588e6 |
| SHA256 | 7e04681fdc438855e5b27a92c73b74ccb0a13338ee24a5054571b8efd8918ba0 |
| SHA512 | d63e542de66eb09d6847ed99e173763b7c24335566f650bdb198d4279b0de6e14cb4a03f29c66b5d7d6c480a6f520f677fccf8cbf51dc5db3f8af6c5412d7549 |
memory/4340-27-0x000001F0990D0000-0x000001F099494000-memory.dmp
memory/1696-28-0x0000000000400000-0x000000000070A000-memory.dmp
memory/4340-24-0x00007FFB65723000-0x00007FFB65725000-memory.dmp
C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
| MD5 | 41421866b825dbdcc5f29a0bbd484362 |
| SHA1 | f7637ef22c82a108ab4668baca40e4f03eb49a5c |
| SHA256 | efecb17d9d73082bf28a6e7c6bb87a81c65a59b2d4d14251678da3cffa6a12a1 |
| SHA512 | 72ba988029e87661ad2adf68f79d054febe499d2fb3220518df7372b953d761acf88470f1620f7660eba963c42bc9327ad070b0c386282f6654f80b0ed50599d |
C:\Users\Admin\AppData\Roaming\gbxchd
| MD5 | 162ba47ec20e7fb580672579a6fef9d2 |
| SHA1 | a6b52b8f549ca44ffe821f65e846b869da544c28 |
| SHA256 | 227baa93552cc95a5d2142c23c27f2006e41093cfe24f89bea1b8fe8abbac159 |
| SHA512 | 135e057a779e5ed593f455ecc646dbf0f21b0bab909e0d8c3d83c7817e82e52115551cd6710b75dbfb9026393861e6f24f63ec59722d1e73553df97ac0e55cd4 |
C:\Users\Admin\AppData\Roaming\cygrt
| MD5 | a727c368e3a6c273f28c80607f2df861 |
| SHA1 | a31a2b4a4677d58bf9f7126da6dedaf4502eb283 |
| SHA256 | bc5e2a7118a6e0a37b968dca2c110dd9db9a4359f6aea13f41ac04c663d066ca |
| SHA512 | b7a47943727fced7da83f89d8eac50a50308a8a7abacf57b7ffcc0b2c05349360a8af60f3ab81755ba456b956b022c99f21692d339d399a42a5b8d9860b9045d |
C:\Users\Admin\AppData\Local\Temp\2b3d712f
| MD5 | 4e1f1e875207d534293a1db99d39ac34 |
| SHA1 | 73f4a8643584020de0e6aff0f8ca7e8dd8e91e38 |
| SHA256 | f532630cdb3f405c7e74d4b6c96e596e374f9056bf8f81e8b1ad15d1c6179709 |
| SHA512 | 240b7bb264466db60fa76dbd4111167eb7e0f3611c23898406d2da41bc2d12fc2fbefab55892c9921eca91218ac4a003fcb200a2de9a150454ca5d453aefe51a |