Malware Analysis Report

2025-01-02 03:13

Sample ID 240405-b1nq2ahc99
Target a1f0f4676e135cc88ab8b6a25c70530fa193b1718bd2ba7b6ac1c997c241f6c8.exe
SHA256 a1f0f4676e135cc88ab8b6a25c70530fa193b1718bd2ba7b6ac1c997c241f6c8
Tags
remotehost remcos collection rat
score
10/10

Analysis Overview

score
10/10

SHA256

a1f0f4676e135cc88ab8b6a25c70530fa193b1718bd2ba7b6ac1c997c241f6c8

Threat Level: Known bad

The file a1f0f4676e135cc88ab8b6a25c70530fa193b1718bd2ba7b6ac1c997c241f6c8.exe was found to be: Known bad.

Malicious Activity Summary

remotehost remcos collection rat

Remcos family

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Remcos

Detects executables referencing many email and collaboration clients. Observed in information stealers

Detects executables built or packed with MPress PE compressor

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Nirsoft

NirSoft WebBrowserPassView

NirSoft MailPassView

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-05 01:36

Signatures

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Remcos family

remcos

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-05 01:36

Reported

2024-04-05 01:39

Platform

win7-20240220-en

Max time kernel

147s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a1f0f4676e135cc88ab8b6a25c70530fa193b1718bd2ba7b6ac1c997c241f6c8.exe"

Signatures

Remcos

rat remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Detects executables built or packed with MPress PE compressor

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Detects executables referencing many email and collaboration clients. Observed in information stealers

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Accesses Microsoft Outlook accounts

collection

Description: Key opened
Indicator: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Process: \??\c:\program files (x86)\internet explorer\iexplore.exe
Target: N/A

Suspicious behavior: EnumeratesProcesses

Description: N/A
Indicator: N/A
Process: \??\c:\program files (x86)\internet explorer\iexplore.exe (2 events)
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: \??\c:\program files (x86)\internet explorer\iexplore.exe
Target: N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1636 wrote to memory of 1292 (5 events) N/A C:\Users\Admin\AppData\Local\Temp\a1f0f4676e135cc88ab8b6a25c70530fa193b1718bd2ba7b6ac1c997c241f6c8.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 1292 wrote to memory of 2964 (5 events) N/A \??\c:\program files (x86)\internet explorer\iexplore.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 1292 wrote to memory of 2012 (5 events) N/A \??\c:\program files (x86)\internet explorer\iexplore.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 1292 wrote to memory of 892 (5 events) N/A \??\c:\program files (x86)\internet explorer\iexplore.exe \??\c:\program files (x86)\internet explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a1f0f4676e135cc88ab8b6a25c70530fa193b1718bd2ba7b6ac1c997c241f6c8.exe

"C:\Users\Admin\AppData\Local\Temp\a1f0f4676e135cc88ab8b6a25c70530fa193b1718bd2ba7b6ac1c997c241f6c8.exe"

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\kpnmchsmvcdvke"

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\mjaeczcfjkvaukqmc"

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\xlgxdknhfsnnwymqlcpd"

Network

Country Destination Domain Proto
US 8.8.8.8:53 jansuri.kozow.com udp
US 192.3.216.142:7232 jansuri.kozow.com tcp (3 connections)
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\kpnmchsmvcdvke

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-05 01:36

Reported

2024-04-05 01:39

Platform

win10v2004-20240226-en

Max time kernel

155s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a1f0f4676e135cc88ab8b6a25c70530fa193b1718bd2ba7b6ac1c997c241f6c8.exe"

Signatures

Remcos

rat remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Detects executables built or packed with MPress PE compressor

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Detects executables referencing many email and collaboration clients. Observed in information stealers

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Accesses Microsoft Outlook accounts

collection

Description: Key opened
Indicator: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Process: \??\c:\program files (x86)\internet explorer\iexplore.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: \??\c:\program files (x86)\internet explorer\iexplore.exe
Target: N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 32 wrote to memory of 4028 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\a1f0f4676e135cc88ab8b6a25c70530fa193b1718bd2ba7b6ac1c997c241f6c8.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4028 wrote to memory of 1448 (4 events) N/A \??\c:\program files (x86)\internet explorer\iexplore.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4028 wrote to memory of 1728 (4 events) N/A \??\c:\program files (x86)\internet explorer\iexplore.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4028 wrote to memory of 4792 (3 events) N/A \??\c:\program files (x86)\internet explorer\iexplore.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4028 wrote to memory of 3572 (3 events) N/A \??\c:\program files (x86)\internet explorer\iexplore.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4028 wrote to memory of 2260 (4 events) N/A \??\c:\program files (x86)\internet explorer\iexplore.exe \??\c:\program files (x86)\internet explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a1f0f4676e135cc88ab8b6a25c70530fa193b1718bd2ba7b6ac1c997c241f6c8.exe

"C:\Users\Admin\AppData\Local\Temp\a1f0f4676e135cc88ab8b6a25c70530fa193b1718bd2ba7b6ac1c997c241f6c8.exe"

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\aoebuqpap"

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\lrktviacdcuwb"

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\nlpewbkvrkmbmlsd" (3 processes with this command line)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 jansuri.kozow.com udp
US 192.3.216.142:7232 jansuri.kozow.com tcp (3 connections)
US 8.8.8.8:53 142.216.3.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 218.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp (2 connections)
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\aoebuqpap

MD5 10fa8ec140c204486092fb161e567ec7
SHA1 4d63e1f8df3afefedb19df73d7ee5f3b1e7b6473
SHA256 7176ca3d0196ec46f178107fdb587adaef3f6ea65daa80eccd2371a515880e04
SHA512 9db4eeb3f07d8d0579f75f3426c91156809152d8c1a37c9a27bf159888f6dd97f1212ac80f5bbb17e4d86f3087c512ccba2ca50a2db07d071370bd36364e1f76
