Malware Analysis Report

2024-12-07 22:44

Sample ID 240719-fr2czstfnq
Target 19072024_0507_19072024_Account _400919_16_07_2024_REM2.7z
SHA256 1dfd8bcbc2bae804da196e20590be37b7b96df9e592cd59dc575ffda0821faad
Tags
remcos nana collection rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1dfd8bcbc2bae804da196e20590be37b7b96df9e592cd59dc575ffda0821faad

Threat Level: Known bad

The file 19072024_0507_19072024_Account _400919_16_07_2024_REM2.7z was found to be: Known bad.

Malicious Activity Summary

remcos nana collection rat

Remcos

NirSoft WebBrowserPassView

Detected Nirsoft tools

NirSoft MailPassView

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-19 05:07

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-19 05:07

Reported

2024-07-19 05:09

Platform

win7-20240705-en

Max time kernel

150s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Account _400919_16_07_2024_REM2.exe"

Signatures

Remcos

rat remcos

Detected Nirsoft tools

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NirSoft MailPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NirSoft WebBrowserPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Accesses Microsoft Outlook accounts

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1672 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\Account _400919_16_07_2024_REM2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1672 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\Account _400919_16_07_2024_REM2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1672 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\Account _400919_16_07_2024_REM2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1672 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\Account _400919_16_07_2024_REM2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1672 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\Account _400919_16_07_2024_REM2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1672 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\Account _400919_16_07_2024_REM2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1672 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\Account _400919_16_07_2024_REM2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1672 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\Account _400919_16_07_2024_REM2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1672 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\Account _400919_16_07_2024_REM2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1672 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\Account _400919_16_07_2024_REM2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1672 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\Account _400919_16_07_2024_REM2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1672 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\Account _400919_16_07_2024_REM2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1672 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\Account _400919_16_07_2024_REM2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1456 wrote to memory of 2892 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1456 wrote to memory of 2892 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1456 wrote to memory of 2892 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1456 wrote to memory of 2892 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1456 wrote to memory of 2892 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1456 wrote to memory of 2628 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1456 wrote to memory of 2628 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1456 wrote to memory of 2628 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1456 wrote to memory of 2628 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1456 wrote to memory of 2068 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1456 wrote to memory of 2068 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1456 wrote to memory of 2068 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1456 wrote to memory of 2068 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1456 wrote to memory of 2068 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1456 wrote to memory of 2780 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1456 wrote to memory of 2780 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1456 wrote to memory of 2780 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1456 wrote to memory of 2780 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1456 wrote to memory of 2656 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1456 wrote to memory of 2656 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1456 wrote to memory of 2656 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1456 wrote to memory of 2656 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1456 wrote to memory of 2656 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Account _400919_16_07_2024_REM2.exe

"C:\Users\Admin\AppData\Local\Temp\Account _400919_16_07_2024_REM2.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\tmsytlhfc"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\dgxqudzhqqtr"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\dgxqudzhqqtr"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\gacjvwkaeyleabg"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\gacjvwkaeyleabg"

Network

Country | Destination | Domain | Proto
US | 72.11.143.10:1604 | | tcp
US | 72.11.143.10:1604 | | tcp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp

Files

memory/1456-0-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1456-2-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1456-3-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1456-5-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1456-4-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1456-6-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1456-7-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1456-9-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1456-8-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1456-11-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2892-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2892-14-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2068-25-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2656-28-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2656-29-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2656-27-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2892-24-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2068-23-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2892-22-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2068-21-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2892-19-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2068-18-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2892-34-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmsytlhfc

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/1456-36-0x0000000010000000-0x0000000010019000-memory.dmp

memory/1456-40-0x0000000010000000-0x0000000010019000-memory.dmp

memory/1456-39-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2068-41-0x0000000000400000-0x0000000000462000-memory.dmp

memory/1456-42-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1456-43-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1456-45-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1456-44-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1456-46-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1456-47-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1456-48-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1456-49-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1456-50-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1456-52-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1456-53-0x0000000000400000-0x0000000000482000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-19 05:07

Reported

2024-07-19 05:09

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Account _400919_16_07_2024_REM2.exe"

Signatures

Remcos

rat remcos

Detected Nirsoft tools

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NirSoft MailPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NirSoft WebBrowserPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Accesses Microsoft Outlook accounts

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4476 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\Account _400919_16_07_2024_REM2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4476 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\Account _400919_16_07_2024_REM2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4476 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\Account _400919_16_07_2024_REM2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4476 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\Account _400919_16_07_2024_REM2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4476 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\Account _400919_16_07_2024_REM2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4476 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\Account _400919_16_07_2024_REM2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4476 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\Account _400919_16_07_2024_REM2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4476 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\Account _400919_16_07_2024_REM2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4476 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\Account _400919_16_07_2024_REM2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4476 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\Account _400919_16_07_2024_REM2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4476 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\Account _400919_16_07_2024_REM2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4476 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\Account _400919_16_07_2024_REM2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 1884 wrote to memory of 5044 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 1884 wrote to memory of 5044 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 1884 wrote to memory of 5044 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 1884 wrote to memory of 5044 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 1884 wrote to memory of 512 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 1884 wrote to memory of 512 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 1884 wrote to memory of 512 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 1884 wrote to memory of 512 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 1884 wrote to memory of 5108 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 1884 wrote to memory of 5108 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 1884 wrote to memory of 5108 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 1884 wrote to memory of 1060 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 1884 wrote to memory of 1060 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 1884 wrote to memory of 1060 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 1884 wrote to memory of 1060 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Account _400919_16_07_2024_REM2.exe

"C:\Users\Admin\AppData\Local\Temp\Account _400919_16_07_2024_REM2.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe /stext "C:\Users\Admin\AppData\Local\Temp\ejnaa"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe /stext "C:\Users\Admin\AppData\Local\Temp\olttbvke"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe /stext "C:\Users\Admin\AppData\Local\Temp\zfylcovybed"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe /stext "C:\Users\Admin\AppData\Local\Temp\zfylcovybed"

Network

Country | Destination | Domain | Proto
US | 72.11.143.10:1604 | | tcp
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.143.11.72.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 72.11.143.10:1604 | | tcp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp

Files

memory/1884-0-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1884-1-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1884-2-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1884-3-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1884-5-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1884-4-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1884-6-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1884-7-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1884-9-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1884-8-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1884-11-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5044-12-0x0000000000400000-0x0000000000478000-memory.dmp

memory/512-13-0x0000000000400000-0x0000000000462000-memory.dmp

memory/1060-18-0x0000000000400000-0x0000000000424000-memory.dmp

memory/512-16-0x0000000000400000-0x0000000000462000-memory.dmp

memory/5044-19-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1060-28-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1060-29-0x0000000000400000-0x0000000000424000-memory.dmp

memory/512-30-0x0000000000400000-0x0000000000462000-memory.dmp

memory/512-27-0x0000000000400000-0x0000000000462000-memory.dmp

memory/1060-26-0x0000000000400000-0x0000000000424000-memory.dmp

memory/512-21-0x0000000000400000-0x0000000000462000-memory.dmp

memory/5044-20-0x0000000000400000-0x0000000000478000-memory.dmp

memory/5044-17-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1060-31-0x0000000000400000-0x0000000000424000-memory.dmp

memory/5044-33-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ejnaa

MD5 5f9f645ff4e46b384ac7a261904aabcb
SHA1 203a1216e576f93c2236a833b93c32c4fd8a0d3b
SHA256 887d93e6cbd14afa0cdf26f303b89cc1963ca5c5d7faba6c91ae87be183273b3
SHA512 b679e91072a1c3fa59e40ff6565c23549f33520c9c6bc8d1f4e055d65dddec3a8e93c165060668fbabae9f27de28985cc826b23f8402caa5d7bd4455165acbde

memory/1884-35-0x0000000010000000-0x0000000010019000-memory.dmp

memory/1884-39-0x0000000010000000-0x0000000010019000-memory.dmp

memory/1884-38-0x0000000010000000-0x0000000010019000-memory.dmp

memory/1884-40-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1884-41-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1884-42-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1884-43-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1884-44-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1884-45-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1884-46-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1884-47-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1884-48-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1884-49-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1884-50-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1884-51-0x0000000000400000-0x0000000000482000-memory.dmp