Malware Analysis Report

2025-01-02 03:10

Sample ID 240816-s7l98awgnn
Target DN TK 7239 (()DHL#3272524765pdf.exe
SHA256 2c98d193201137a3e33b34934fa866c2c66f346ed6878562e8191f4314bc5dc9
Tags
remcos remotehost collection credential_access discovery rat stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2c98d193201137a3e33b34934fa866c2c66f346ed6878562e8191f4314bc5dc9

Threat Level: Known bad

The file DN TK 7239 (()DHL#3272524765pdf.exe was found to be: Known bad.

Malicious Activity Summary

remcos remotehost collection credential_access discovery rat stealer upx

Remcos

Detected Nirsoft tools

Credentials from Password Stores: Credentials from Web Browsers

NirSoft WebBrowserPassView

NirSoft MailPassView

UPX packed file

Accesses Microsoft Outlook accounts

AutoIT Executable

Suspicious use of SetThreadContext

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-16 15:46

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-16 15:46

Reported

2024-08-16 15:48

Platform

win7-20240708-en

Max time kernel

148s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe"

Signatures

Remcos

rat remcos

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Detected Nirsoft tools

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NirSoft MailPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NirSoft WebBrowserPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Accesses Microsoft Outlook accounts

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\SysWOW64\svchost.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2352 set thread context of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe | C:\Windows\SysWOW64\svchost.exe
PID 2712 set thread context of 2700 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2712 set thread context of 2612 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2712 set thread context of 2804 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2352 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe | C:\Windows\SysWOW64\svchost.exe
PID 2352 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe | C:\Windows\SysWOW64\svchost.exe
PID 2352 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe | C:\Windows\SysWOW64\svchost.exe
PID 2352 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe | C:\Windows\SysWOW64\svchost.exe
PID 2352 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe | C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 2700 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 2700 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 2700 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 2700 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 2700 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 2612 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 2612 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 2612 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 2612 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 2612 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 2804 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 2804 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 2804 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 2804 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 2804 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe

"C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\mrxwidkxcrwroxncmptehibltohowov"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\ptdpjwvypzoeqljgdanfsnwuudzxxzmltx"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\znqzkog"

Network

Country | Destination | Domain | Proto
LT | 194.169.175.190:2404 | | tcp
LT | 194.169.175.190:2404 | | tcp
LT | 194.169.175.190:2404 | | tcp

Files

memory/2352-0-0x0000000000800000-0x00000000009D7000-memory.dmp

memory/2352-12-0x00000000001E0000-0x00000000001E4000-memory.dmp

memory/2712-13-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2712-17-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2712-19-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2352-20-0x0000000000800000-0x00000000009D7000-memory.dmp

memory/2712-18-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2712-15-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2712-22-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2712-21-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2712-23-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2712-25-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2700-32-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2612-31-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2612-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2612-35-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2804-43-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2804-42-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2804-41-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2804-40-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2612-39-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2700-38-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2612-37-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2700-36-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2700-34-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2700-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2700-48-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mrxwidkxcrwroxncmptehibltohowov

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2612-50-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2712-51-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2712-54-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2712-55-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2712-56-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2712-57-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2712-58-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2712-59-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2712-61-0x0000000000400000-0x0000000000482000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-16 15:46

Reported

2024-08-16 15:48

Platform

win10v2004-20240802-en

Max time kernel

147s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe"

Signatures

Remcos

rat remcos

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Detected Nirsoft tools

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NirSoft MailPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

NirSoft WebBrowserPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Accesses Microsoft Outlook accounts

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\SysWOW64\svchost.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3044 set thread context of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe | C:\Windows\SysWOW64\svchost.exe
PID 2908 set thread context of 4896 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2908 set thread context of 3384 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2908 set thread context of 3092 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2976 wrote to memory of 3548 | N/A | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe | C:\Windows\SysWOW64\svchost.exe
PID 2976 wrote to memory of 3548 | N/A | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe | C:\Windows\SysWOW64\svchost.exe
PID 2976 wrote to memory of 3548 | N/A | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe | C:\Windows\SysWOW64\svchost.exe
PID 2976 wrote to memory of 4296 | N/A | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe
PID 2976 wrote to memory of 4296 | N/A | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe
PID 2976 wrote to memory of 4296 | N/A | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe
PID 4296 wrote to memory of 5008 | N/A | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe | C:\Windows\SysWOW64\svchost.exe
PID 4296 wrote to memory of 5008 | N/A | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe | C:\Windows\SysWOW64\svchost.exe
PID 4296 wrote to memory of 5008 | N/A | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe | C:\Windows\SysWOW64\svchost.exe
PID 4296 wrote to memory of 3044 | N/A | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe
PID 4296 wrote to memory of 3044 | N/A | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe
PID 4296 wrote to memory of 3044 | N/A | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe
PID 3044 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe | C:\Windows\SysWOW64\svchost.exe
PID 3044 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe | C:\Windows\SysWOW64\svchost.exe
PID 3044 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe | C:\Windows\SysWOW64\svchost.exe
PID 3044 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe | C:\Windows\SysWOW64\svchost.exe
PID 2908 wrote to memory of 4332 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2908 wrote to memory of 4332 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2908 wrote to memory of 4332 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2908 wrote to memory of 4896 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2908 wrote to memory of 4896 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2908 wrote to memory of 4896 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2908 wrote to memory of 4896 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2908 wrote to memory of 4860 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2908 wrote to memory of 4860 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2908 wrote to memory of 4860 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2908 wrote to memory of 916 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2908 wrote to memory of 916 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2908 wrote to memory of 916 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2908 wrote to memory of 3384 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2908 wrote to memory of 3384 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2908 wrote to memory of 3384 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2908 wrote to memory of 3384 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2908 wrote to memory of 3092 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2908 wrote to memory of 3092 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2908 wrote to memory of 3092 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe
PID 2908 wrote to memory of 3092 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe

"C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe"

C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe

"C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe"

C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe

"C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\tzrgncqgophmknlhmwmkyaziazn"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\tzrgncqgophmknlhmwmkyaziazn"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\vbxronahkyzznbhtwgylbemzbfwjwu"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\vbxronahkyzznbhtwgylbemzbfwjwu"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\vbxronahkyzznbhtwgylbemzbfwjwu"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\gvcjoflbygsexhwxnrtfmrgpjmosxfmhm"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
LT | 194.169.175.190:2404 | | tcp
LT | 194.169.175.190:2404 | | tcp
LT | 194.169.175.190:2404 | | tcp
US | 8.8.8.8:53 | 190.175.169.194.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp

Files

memory/2976-0-0x0000000000CC0000-0x0000000000E97000-memory.dmp

memory/2976-12-0x00000000018C0000-0x00000000018C4000-memory.dmp

memory/2976-14-0x0000000000CC0000-0x0000000000E97000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\avenses

MD5 0a2635be16a8198ce853e4903f314c39
SHA1 8d0d9b0554ac1a1a0476e3bf4fb91fc32293f5bd
SHA256 d3ce45201555b0954ced374ea84306e5b74a3ee6384f541725346ddf9a927dea
SHA512 7db087df47628d79c5c5b11ae24e3dce7f498fc93398170d31b030f1e1a2f1a5d2f4ee4f9a45e657311c4ceb9f5e399e14c31d4990dc7c3b730e8fae7762eed4

C:\Users\Admin\AppData\Local\Temp\phytographical

MD5 0525d45a79ebb31866ce270c9789d639
SHA1 0cca3162c9fe026aaf6fd0023c095c2e94381978
SHA256 09a1985d77a84c7b11e79bf18055d15a321a1def9fc7dab1938ac6c33816e3f5
SHA512 e5b2ec4ee75867274407c0c53982192e2824e918ce93e0bc46d1c9e8393ffc5fd7e331ab37e66507398ddc9fd3875541258af8b65a4d145284db7e27a18be031

memory/4296-29-0x0000000000CC0000-0x0000000000E97000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aut8AAD.tmp

MD5 929f6966ac8cca0cfe2a0afd9c63d33e
SHA1 85ed454c656cd4b4c1c1780e1d4fcd1c18d0c26e
SHA256 b5819d69322a25044dcce4d8ab0c70f8d091847188db7c19db4c6b10e6360293
SHA512 59034aa4e932d9789d08446a29df6e116422007e61d918772868288183b9a0776dcfc68729c6d1638168ef01d50ab33b1f9ee6a852364727458fb2f660896c5f

C:\Users\Admin\AppData\Local\Temp\aut8A9C.tmp

MD5 2d70bfd1c9ec172c998df713249aa082
SHA1 776b7f2acd1878719e590a4536b512eef2ba413f
SHA256 01ea48aef9caf96211f378b35d5cee12e898c5337f07101588e567809e3034ff
SHA512 b46815b83f8df40ce560aba3e5e500081dd719184f92050cb3bbb2cf199c3540d1baa2d2fcb5ad62b35c130ad0d382b29d0a806fad45a8e840049f570a121a02

memory/2908-43-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2908-44-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3044-46-0x0000000000CC0000-0x0000000000E97000-memory.dmp

memory/2908-47-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2908-48-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2908-49-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2908-50-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2908-51-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2908-52-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2908-53-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2908-54-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2908-55-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4896-56-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4896-60-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3092-64-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3092-63-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3384-62-0x0000000000400000-0x0000000000462000-memory.dmp

memory/3092-61-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3384-59-0x0000000000400000-0x0000000000462000-memory.dmp

memory/3384-58-0x0000000000400000-0x0000000000462000-memory.dmp

memory/4896-57-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tzrgncqgophmknlhmwmkyaziazn

MD5 18db1829b27eaeed163c211f5d179d72
SHA1 4442332494cba1e012f8876ecac42126ba995bc6
SHA256 610c5ee3f0e63441521d26bc477c9618a4c5f86e93d31b31890680c69e3ecc3d
SHA512 123d68b2c84f7a52d15faa212c06f33b04a55585e2aeb16bb14df95b18c0bcf31933e5bf0c736c90bc054b9527fccb046540d3302a0f149ebeed7c6bcca0b986

memory/2908-70-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2908-74-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2908-73-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2908-75-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2908-76-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2908-77-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2908-78-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2908-79-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2908-80-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2908-81-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2908-82-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2908-83-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2908-84-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2908-85-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2908-86-0x0000000000400000-0x0000000000482000-memory.dmp