Malware Analysis Report

2024-09-22 11:38

Sample ID 230822-bex3kshc46
Target file.exe
SHA256 a6e0bb78ff01b34d44f452edc954795ee6aef2885fddbd2ee06cfc0f19273e65
Tags
hawkeye remcos office keylogger persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a6e0bb78ff01b34d44f452edc954795ee6aef2885fddbd2ee06cfc0f19273e65

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

hawkeye remcos office keylogger persistence rat spyware stealer trojan

Remcos

HawkEye

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Drops startup file

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2023-08-22 01:04

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-22 01:04

Reported

2023-08-22 01:06

Platform

win7-20230712-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Program crash

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\file.exe |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2924 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2924 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2924 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2924 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\WerFault.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 1336

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.logpasta.com | udp |
| NL | 188.166.57.133:443 | www.logpasta.com | tcp |

Files

memory/2924-54-0x0000000074830000-0x0000000074F1E000-memory.dmp

memory/2924-53-0x0000000000840000-0x000000000092A000-memory.dmp

memory/2924-55-0x0000000004F30000-0x0000000004F70000-memory.dmp

memory/2924-56-0x0000000074830000-0x0000000074F1E000-memory.dmp

memory/2924-57-0x0000000004F30000-0x0000000004F70000-memory.dmp

memory/2924-58-0x0000000074830000-0x0000000074F1E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-22 01:04

Reported

2023-08-22 01:06

Platform

win10v2004-20230703-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

Remcos

rat remcos

NirSoft MailPassView

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

NirSoft WebBrowserPassView

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Nirsoft

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Drops startup file

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tlsmanager.exe | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tlsmanager.exe | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tlsmanager.exe | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tlsman = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Tlsmanager.exe" | C:\Windows\SysWOW64\reg.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A |

Enumerates physical storage devices

Modifies registry class

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-618519468-4027732583-1827558364-1000\{67B9D915-6A30-4F5A-9F72-E6E619BA8A93} | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1 | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7} | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-618519468-4027732583-1827558364-1000\{2A882A10-AC1C-44A2-9AA0-EC63376585A1} | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B} | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32 | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32 | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dxdiagn.dll" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1 | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tlsmanager.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tlsmanager.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |

Suspicious use of SetWindowsHookEx

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dxdiag.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3364 wrote to memory of 5092 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3364 wrote to memory of 5092 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3364 wrote to memory of 5092 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 5092 wrote to memory of 560 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe |
| PID 5092 wrote to memory of 560 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe |
| PID 5092 wrote to memory of 560 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe |
| PID 3364 wrote to memory of 208 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tlsmanager.exe |
| PID 3364 wrote to memory of 208 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tlsmanager.exe |
| PID 3364 wrote to memory of 208 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tlsmanager.exe |
| PID 208 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tlsmanager.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
| PID 208 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tlsmanager.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
| PID 208 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tlsmanager.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
| PID 208 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tlsmanager.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
| PID 208 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tlsmanager.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
| PID 208 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tlsmanager.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
| PID 208 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tlsmanager.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
| PID 208 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tlsmanager.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
| PID 208 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tlsmanager.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
| PID 208 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tlsmanager.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
| PID 208 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tlsmanager.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
| PID 208 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tlsmanager.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
| PID 4692 wrote to memory of 4128 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\SysWOW64\dxdiag.exe |
| PID 4692 wrote to memory of 4128 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\SysWOW64\dxdiag.exe |
| PID 4692 wrote to memory of 4128 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\SysWOW64\dxdiag.exe |
| PID 4692 wrote to memory of 1608 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
| PID 4692 wrote to memory of 1608 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
| PID 4692 wrote to memory of 1608 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
| PID 4692 wrote to memory of 1608 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
| PID 4692 wrote to memory of 1808 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
| PID 4692 wrote to memory of 1808 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
| PID 4692 wrote to memory of 1808 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
| PID 4692 wrote to memory of 1808 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
| PID 4692 wrote to memory of 3240 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
| PID 4692 wrote to memory of 3240 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
| PID 4692 wrote to memory of 3240 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
| PID 4692 wrote to memory of 1636 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
| PID 4692 wrote to memory of 1636 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
| PID 4692 wrote to memory of 1636 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
| PID 4692 wrote to memory of 1636 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Tlsman" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tlsmanager.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Tlsman" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tlsmanager.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tlsmanager.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tlsmanager.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\SysWOW64\dxdiag.exe

"C:\Windows\System32\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\bzdinxxkgqljmsanmqxhpkv"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\lbqbopidcydoogorvbjbsxitsr"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\ovwuoasfqgvtynkvnmwcdcccbxeof"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\ovwuoasfqgvtynkvnmwcdcccbxeof"

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.logpasta.com | udp |
| NL | 188.166.57.133:443 | www.logpasta.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.57.166.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| NL | 188.166.57.133:443 | www.logpasta.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| NL | 46.21.250.36:7722 | | tcp |
| US | 8.8.8.8:53 | 36.250.21.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| NL | 20.123.141.233:443 | | tcp |
| US | 8.8.8.8:53 | 0.77.109.52.in-addr.arpa | udp |
| NL | 46.21.250.36:7722 | | tcp |
| NL | 46.21.250.36:7722 | | tcp |
| NL | 46.21.250.36:7722 | | tcp |
| NL | 46.21.250.36:7722 | | tcp |
| US | 8.8.8.8:53 | 224.104.207.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| NL | 46.21.250.36:7722 | | tcp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |

Files

memory/3364-133-0x0000000074570000-0x0000000074D20000-memory.dmp

memory/3364-134-0x0000000000EC0000-0x0000000000FAA000-memory.dmp

memory/3364-135-0x0000000005910000-0x0000000005EB4000-memory.dmp

memory/3364-136-0x0000000005250000-0x00000000052E2000-memory.dmp

memory/3364-137-0x00000000051F0000-0x0000000005200000-memory.dmp

memory/3364-138-0x0000000005310000-0x000000000531A000-memory.dmp

memory/3364-139-0x0000000008200000-0x000000000829C000-memory.dmp

memory/3364-140-0x0000000074570000-0x0000000074D20000-memory.dmp

memory/3364-141-0x00000000051F0000-0x0000000005200000-memory.dmp

memory/3364-142-0x00000000051F0000-0x0000000005200000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tlsmanager.exe

MD5 5ba4bb4bd14a87d9adf7373588be5f95
SHA1 7f227db042e80ac92dfa78de08dddccebe97abf8
SHA256 a6e0bb78ff01b34d44f452edc954795ee6aef2885fddbd2ee06cfc0f19273e65
SHA512 aeff8467dea895643a4d76f97aeb2db8203cdb8003080c9545ca9c2fe002c61782c6821cad5cc2e613e34a045066208e2f4b7fec7990bcf4f804d540cd8ba187

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tlsmanager.exe

MD5 5ba4bb4bd14a87d9adf7373588be5f95
SHA1 7f227db042e80ac92dfa78de08dddccebe97abf8
SHA256 a6e0bb78ff01b34d44f452edc954795ee6aef2885fddbd2ee06cfc0f19273e65
SHA512 aeff8467dea895643a4d76f97aeb2db8203cdb8003080c9545ca9c2fe002c61782c6821cad5cc2e613e34a045066208e2f4b7fec7990bcf4f804d540cd8ba187

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tlsmanager.exe

MD5 5ba4bb4bd14a87d9adf7373588be5f95
SHA1 7f227db042e80ac92dfa78de08dddccebe97abf8
SHA256 a6e0bb78ff01b34d44f452edc954795ee6aef2885fddbd2ee06cfc0f19273e65
SHA512 aeff8467dea895643a4d76f97aeb2db8203cdb8003080c9545ca9c2fe002c61782c6821cad5cc2e613e34a045066208e2f4b7fec7990bcf4f804d540cd8ba187

memory/3364-155-0x0000000074570000-0x0000000074D20000-memory.dmp

memory/208-156-0x0000000074570000-0x0000000074D20000-memory.dmp

memory/208-157-0x0000000000EF0000-0x0000000000FDA000-memory.dmp

memory/208-158-0x0000000004F90000-0x0000000004FA0000-memory.dmp

memory/208-159-0x0000000004F90000-0x0000000004FA0000-memory.dmp

memory/208-160-0x0000000074570000-0x0000000074D20000-memory.dmp

memory/208-161-0x0000000004F90000-0x0000000004FA0000-memory.dmp

memory/208-162-0x0000000004F90000-0x0000000004FA0000-memory.dmp

memory/4692-163-0x0000000000400000-0x0000000000481000-memory.dmp

memory/4692-165-0x0000000000400000-0x0000000000481000-memory.dmp

memory/208-166-0x0000000074570000-0x0000000074D20000-memory.dmp

memory/4692-167-0x0000000000400000-0x0000000000481000-memory.dmp

memory/4692-169-0x0000000000400000-0x0000000000481000-memory.dmp

memory/4692-170-0x0000000000400000-0x0000000000481000-memory.dmp

memory/4692-171-0x0000000000400000-0x0000000000481000-memory.dmp

memory/4692-172-0x0000000000400000-0x0000000000481000-memory.dmp

memory/4692-173-0x0000000000400000-0x0000000000481000-memory.dmp

memory/4692-174-0x0000000000400000-0x0000000000481000-memory.dmp

memory/4692-176-0x0000000000400000-0x0000000000481000-memory.dmp

memory/4692-177-0x0000000000400000-0x0000000000481000-memory.dmp

memory/4692-178-0x0000000000400000-0x0000000000481000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TLS\logs.dat

MD5 3bb800e0c83e781d00472ccd8fa7e52c
SHA1 ea46fc7b797997eca5c4cc4a20f69a1b2aae0ee9
SHA256 3832e5ef5db4feb00e4b71ce85defc8c18fbf25fcb11f258651fb3c48189be7c
SHA512 cb4bbbf43de7ae9d90b4299fafd80d02d3a7f2169f643f7bf954fb63fb06124125d5df2e95e749782b182180efd72a048bc784481eb9936c827217bbcc5bc7ab

memory/4692-185-0x0000000000400000-0x0000000000481000-memory.dmp

memory/4692-186-0x0000000000400000-0x0000000000481000-memory.dmp

memory/4692-192-0x0000000000400000-0x0000000000481000-memory.dmp

memory/4692-193-0x0000000000400000-0x0000000000481000-memory.dmp

memory/4692-194-0x0000000000400000-0x0000000000481000-memory.dmp

memory/4692-195-0x0000000000400000-0x0000000000481000-memory.dmp

memory/4692-196-0x0000000000400000-0x0000000000481000-memory.dmp

memory/4692-197-0x0000000000400000-0x0000000000481000-memory.dmp

memory/4692-199-0x0000000000400000-0x0000000000481000-memory.dmp

memory/4692-200-0x0000000000400000-0x0000000000481000-memory.dmp

memory/4128-201-0x0000000001520000-0x0000000001521000-memory.dmp

memory/4128-203-0x0000000001520000-0x0000000001521000-memory.dmp

memory/4128-202-0x0000000001520000-0x0000000001521000-memory.dmp

memory/4128-207-0x0000000001520000-0x0000000001521000-memory.dmp

memory/4128-208-0x0000000001520000-0x0000000001521000-memory.dmp

memory/4128-210-0x0000000001520000-0x0000000001521000-memory.dmp

memory/4128-209-0x0000000001520000-0x0000000001521000-memory.dmp

memory/4128-211-0x0000000001520000-0x0000000001521000-memory.dmp

memory/4128-212-0x0000000001520000-0x0000000001521000-memory.dmp

memory/4128-213-0x0000000001520000-0x0000000001521000-memory.dmp

memory/4692-227-0x0000000000400000-0x0000000000481000-memory.dmp

memory/1608-229-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1808-231-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1608-232-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1608-234-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1808-235-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1808-242-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1636-236-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1808-244-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1636-246-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1636-243-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1636-247-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1608-249-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4692-251-0x0000000010000000-0x0000000010019000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bzdinxxkgqljmsanmqxhpkv

MD5 65c65d7391bbf343e0210b8f1d001a5e
SHA1 a77a6bf7c4bfd6ec92392578176638bf3f3fb357
SHA256 cd81b226ed42af36d75d4a03f36ee54abeb0f16352bdcec430a66269294d199a
SHA512 18ff4d86314abe01de2c2beac2ae921c3eac4a65c384fd88def4a28ff1c750ba5db11ccd6d4e8432ddfc0e0c626dc651df8f960b270cb60ea7f44e7a4dab523d

memory/4692-255-0x0000000010000000-0x0000000010019000-memory.dmp

memory/4692-256-0x0000000000400000-0x0000000000481000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

MD5 9500790e7dd6138b9224541b4a4ca4b4
SHA1 4ea20a69ea652839cf9f013f5170716e2d7cf32f
SHA256 005e2645007817ed160f7550cfe8fe561fc09b6d3b417d2680252fbd4e7cc9c8
SHA512 fa2037c1fdbd579eb7effb1daf03de92413494432f464b379d49a1b7e9db1da2d51d5a3925b1045e0c66634796f2317c4bacffe8ee437cc9bcbdbfa0211be6db

memory/4692-260-0x0000000000400000-0x0000000000481000-memory.dmp

memory/4692-262-0x0000000010000000-0x0000000010019000-memory.dmp

memory/4692-263-0x0000000000400000-0x0000000000481000-memory.dmp