IOC Report
dstream.log.exe

Files

File Path | Type | Category | Malicious
dstream.log.exe | PE32+ executable (GUI) x86-64, for MS Windows | initial sample | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | data | dropped |
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w0s1cbyv.0vl.ps1 | ASCII text, with no line terminators | dropped |
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zl0ett3z.0ks.psm1 | ASCII text, with no line terminators | dropped |
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_asyncio.pyd | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_bz2.pyd | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_ctypes.pyd | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_decimal.pyd | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_elementtree.pyd | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_hashlib.pyd | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_lzma.pyd | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_multiprocessing.pyd | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_overlapped.pyd | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_queue.pyd | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_socket.pyd | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_ssl.pyd | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\libcrypto-1_1.dll | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\libssl-1_1.dll | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\pyexpat.pyd | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\python37.dll | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe | PE32+ executable (GUI) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\select.pyd | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\unicodedata.pyd | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\vcruntime140.dll | PE32+ executable (DLL) (console) x86-64, for MS Windows | dropped |
C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped |

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\dstream.log.exe | "C:\Users\user\Desktop\dstream.log.exe" | malicious
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe | "C:\Users\user\Desktop\dstream.log.exe" |
C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c "type msupdate.exe > image3.jpg:msupdate.exe" |
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c "del msupdate.exe" |
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c "powershell .\image3.jpg:msupdate.exe" |
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell .\image3.jpg:msupdate.exe |

URLs


Domains

Name | IP | Malicious
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 217.20.57.18 |

Memdumps
