Malware Analysis Report

2025-01-02 03:17

Sample ID 240325-txhpqaff2s
Target Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe
SHA256 e825cdfc2e4a1b1c6a56602cce16417f55e4f42c699cea18b4dddbbf85d9527f
Tags
remcos remotehost rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e825cdfc2e4a1b1c6a56602cce16417f55e4f42c699cea18b4dddbbf85d9527f

Threat Level: Known bad

The file Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe was found to be: Known bad.

Malicious Activity Summary

remcos remotehost rat

Remcos: the payload running inside the injected vbc.exe child is identified as the Remcos RAT.

Uses the Visual Basic .NET compiler (vbc.exe) for execution: the loader starts C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe with no arguments and uses it as the host process for the payload. (The sandbox names this signature "VBS compiler"; vbc.exe is the VB.NET compiler, not the VBScript engine.)

Checks computer location settings: reads HKCU\Control Panel\International\Geo\Nation (observed in the Windows 10 run only).

Suspicious use of SetThreadContext: the loader sets the thread context of one vbc.exe child after writing to its memory, the sequence used for process hollowing.

Enumerates physical storage devices

Unsigned PE: the sample carries no Authenticode signature.

Suspicious behavior: GetForegroundWindowSpam: the injected vbc.exe polls GetForegroundWindow repeatedly, consistent with the window-title logging of a keylogger.

Suspicious use of AdjustPrivilegeToken: SeDebugPrivilege is enabled by the loader and by both powershell.exe children.

Suspicious use of WriteProcessMemory: the loader writes into every child it starts. The powershell.exe and schtasks.exe children and two of the vbc.exe children receive a handful of writes each, while the vbc.exe child that later has its thread context set receives about three times as many (13 versus 4 on Windows 7, 12 versus 3 on Windows 10).

Creates scheduled task(s): schtasks.exe /Create /TN "Updates\UlvywtFnmZtH" /XML <file in %TEMP%> registers the persistence task. The task name matches the drop path C:\Users\Admin\AppData\Roaming\UlvywtFnmZtH.exe that the loader also excludes from Defender.

Suspicious behavior: EnumeratesProcesses

Adds Microsoft Defender exclusions: two powershell.exe children run Add-MpPreference -ExclusionPath, once for the running sample and once for C:\Users\Admin\AppData\Roaming\UlvywtFnmZtH.exe (no file at that path appears in the Files sections). This is visible in the Processes sections but is not raised as a separate signature in this report.

MITRE ATT&CK

(The Enterprise Matrix V15 table is not reproduced on this page. The mappings below are derived from the behaviours recorded in the two detonations, not copied from the sandbox's own matrix.)

T1127 Trusted Developer Utilities Proxy Execution: vbc.exe started by the loader as the injection host

T1055 Process Injection: WriteProcessMemory followed by SetThreadContext on the vbc.exe child

T1562.001 Impair Defenses: Disable or Modify Tools: Add-MpPreference -ExclusionPath for the sample and for C:\Users\Admin\AppData\Roaming\UlvywtFnmZtH.exe

T1059.001 Command and Scripting Interpreter: PowerShell

T1053.005 Scheduled Task/Job: Scheduled Task: schtasks /Create /XML, task name Updates\UlvywtFnmZtH

T1614.001 System Location Discovery: System Language Discovery: Control Panel\International\Geo\Nation query

T1082 System Information Discovery: physical storage device enumeration

T1057 Process Discovery

T1571 Non-Standard Port: C2 over TCP 2505 to 91.92.247.97

Analysis: static1

Detonation Overview

Reported

2024-03-25 16:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-25 16:26

Reported

2024-03-25 16:28

Platform

win7-20240221-en

Max time kernel

151s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe"

Signatures

Remcos

rat remcos

Uses the Visual Basic .NET compiler (vbc.exe) for execution

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1288 set thread context of 1948 N/A C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1288 wrote to memory of 2616 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1288 wrote to memory of 2564 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1288 wrote to memory of 2416 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe C:\Windows\SysWOW64\schtasks.exe
PID 1288 wrote to memory of 1232 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1288 wrote to memory of 3056 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1288 wrote to memory of 1948 (13 events) N/A C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe

"C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UlvywtFnmZtH.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UlvywtFnmZtH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9943.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

Notes on this process list: the child images live under SysWOW64 while their command lines name System32 because the 32-bit loader is subject to WOW64 file-system redirection, so hunt on both paths. Add-MpPreference requires administrative rights and the report records no Defender event, so whether the two exclusions were actually applied is not shown here; on a live host check (Get-MpPreference).ExclusionPath. The task is registered from tmp9943.tmp in %TEMP% (hashed under Files below); its XML body, which would name the executable the task launches, is not reproduced in this report. Three vbc.exe instances are started with no arguments (a real compile always has them); only PID 1948 receives SetThreadContext, and it is the process whose memory dumps follow under Files.
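As an added example, not part of the sandbox report: the detection logic a responder would run over this process tree, in Python. The events below are transcribed from the behavioral1 tables (PIDs, image paths, command lines and WriteProcessMemory counts as printed above); the event dictionaries, the rule names and the DOTNET_HOSTS list are this example's own assumptions, not the sandbox's schema. It flags the two Defender exclusions, the task registered from an XML file in %TEMP%, and separates the vbc.exe child that received both memory writes and SetThreadContext (hollowing) from the children that only received a few writes.

```python
"""Triage of the behavioral1 process tree printed above.

Constructed input: process creations, WriteProcessMemory counts and the
SetThreadContext event transcribed from the report. The event shape, rule
names and DOTNET_HOSTS list are this example's own, not the sandbox's schema.
"""
import re
from collections import Counter

# Image paths exactly as printed in the Processes section.
LOADER = r"C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

EVENTS = [
    {"type": "process_create", "pid": 1288, "ppid": 0, "image": LOADER, "cmdline": f'"{LOADER}"'},
    {"type": "process_create", "pid": 2616, "ppid": 1288, "image": PS,
     "cmdline": rf'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "{LOADER}"'},
    {"type": "process_create", "pid": 2564, "ppid": 1288, "image": PS,
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UlvywtFnmZtH.exe"'},
    {"type": "process_create", "pid": 2416, "ppid": 1288, "image": SCHTASKS,
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UlvywtFnmZtH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9943.tmp"'},
    {"type": "process_create", "pid": 1232, "ppid": 1288, "image": VBC, "cmdline": f'"{VBC}"'},
    {"type": "process_create", "pid": 3056, "ppid": 1288, "image": VBC, "cmdline": f'"{VBC}"'},
    {"type": "process_create", "pid": 1948, "ppid": 1288, "image": VBC, "cmdline": f'"{VBC}"'},
]
# One WriteProcessMemory event per row of the signature table above.
for _target, _n in {2616: 4, 2564: 4, 2416: 4, 1232: 4, 3056: 4, 1948: 13}.items():
    EVENTS += [{"type": "write_process_memory", "pid": 1288, "target": _target}] * _n
EVENTS.append({"type": "set_thread_context", "pid": 1288, "target": 1948})

EXCLUSION_RE = re.compile(r'Add-MpPreference\s+-ExclusionPath\s+"?([^"]+)', re.I)
TASK_XML_RE = re.compile(r'/Create\b.*?/TN\s+"?([^"]+)"?.*?/XML\s+"?([^"]+)', re.I)
# Signed .NET utilities commonly hollowed by .NET loaders (assumed list). Each of them
# exits immediately when run without arguments, so an argument-less instance is odd on its own.
DOTNET_HOSTS = {"vbc.exe", "csc.exe", "msbuild.exe", "regasm.exe", "regsvcs.exe",
                "installutil.exe", "aspnet_compiler.exe"}


def triage(events):
    """Return (finding, pid, detail) tuples for the behaviours a responder would alert on."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    writes = Counter(e["target"] for e in events if e["type"] == "write_process_memory")
    hijacked = {e["target"] for e in events if e["type"] == "set_thread_context"}
    findings = []
    for pid, p in procs.items():
        cmd = p["cmdline"]
        name = p["image"].rsplit("\\", 1)[-1].lower()
        if m := EXCLUSION_RE.search(cmd):
            findings.append(("defender_exclusion", pid, m.group(1)))
        if (m := TASK_XML_RE.search(cmd)) and "\\temp\\" in m.group(2).lower():
            findings.append(("schtask_from_temp_xml", pid, m.group(1)))
        if name in DOTNET_HOSTS:
            no_args = cmd.strip().strip('"').lower() == p["image"].lower()
            if pid in hijacked and writes[pid]:
                # Writes plus SetThreadContext on the same child: hollowing, not a normal spawn.
                findings.append(("process_hollowing", pid, name))
            elif no_args:
                # A few writes without SetThreadContext are what a parent does at process
                # creation; the empty command line is the only oddity left to report.
                findings.append(("dev_tool_without_arguments", pid, name))
    return findings


if __name__ == "__main__":
    for kind, pid, detail in triage(EVENTS):
        print(f"{kind:28} pid={pid:<5} {detail}")
```

On real telemetry the same three rules map onto Sysmon event IDs 1 (command lines), 8/10 (remote thread and process access) and the Microsoft-Windows-TaskScheduler operational log; the WOW64 redirection noted above means the image path should be matched on both System32 and SysWOW64.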

Network

Country Destination Domain Proto
NL 91.92.247.97:2505 tcp
US 8.8.8.8:53 stefracino.store udp
NL 91.92.247.97:2505 tcp
NL 91.92.247.97:2505 tcp

The three TCP connections to 91.92.247.97:2505 bracket the only lookup in this run, stefracino.store. The report does not print the resolved address, but stefracino.store together with the raw IP and port 2505 are the C2 indicators to block and hunt for.

Files

memory/1288-0-0x0000000000F20000-0x0000000001016000-memory.dmp

memory/1288-1-0x0000000074440000-0x0000000074B2E000-memory.dmp

memory/1288-2-0x0000000000B30000-0x0000000000B70000-memory.dmp

memory/1288-3-0x0000000000330000-0x0000000000342000-memory.dmp

memory/1288-4-0x00000000003D0000-0x00000000003DC000-memory.dmp

memory/1288-5-0x00000000054D0000-0x0000000005590000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9943.tmp

MD5 b338ed8878f6e1471e061dde45f83012
SHA1 d65949ace7b565f4ae10148d25a99b10cc781605
SHA256 39da6e37b3cca8829b88ae87e09b778601e7b8d3349fd1e9e2eacaaf51785d8b
SHA512 cf4ff805781421ac9b62c6d1a8d185263b3053bb1d5e7e031b380c048499a542fe515d7aac5e24bbba70a9abe2e06f39d8310047a17e12924ba6137f2dfd4e28

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RHYJEI419AV3OIO9M4ZM.temp

MD5 84caf5967138d71086202e97532bf1a5
SHA1 d1bbc9de1affa643a7830e6e1f049a34c7164918
SHA256 ab1b219cafe5da829026f33bd94a475cf068d4031c5793093548ac71e991ae91
SHA512 e0b027e459c22a2b0d08710227d5ba4279d4de396146c22dff8152f4ebac1d0f693aee971171718aa1d81024c0192f56bd45e9c8337870e451cacffde52cd0f8

memory/2616-18-0x000000006DF60000-0x000000006E50B000-memory.dmp

memory/2564-19-0x000000006DF60000-0x000000006E50B000-memory.dmp

memory/2616-20-0x000000006DF60000-0x000000006E50B000-memory.dmp

memory/2564-21-0x00000000025D0000-0x0000000002610000-memory.dmp

memory/1948-22-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1948-23-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1948-26-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1948-24-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1948-28-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1948-30-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1948-32-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1948-34-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1948-36-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1948-37-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1948-39-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1288-40-0x0000000074440000-0x0000000074B2E000-memory.dmp

memory/1948-41-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1948-42-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1948-43-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1948-44-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2616-45-0x000000006DF60000-0x000000006E50B000-memory.dmp

memory/2564-46-0x000000006DF60000-0x000000006E50B000-memory.dmp

memory/1948-47-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1948-48-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1948-49-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1948-50-0x0000000000400000-0x0000000000482000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-25 16:26

Reported

2024-03-25 16:28

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe"

Signatures

Remcos

rat remcos

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe N/A

Uses the Visual Basic .NET compiler (vbc.exe) for execution

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4216 set thread context of 3988 N/A C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4216 wrote to memory of 1508 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4216 wrote to memory of 4088 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4216 wrote to memory of 5064 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe C:\Windows\SysWOW64\schtasks.exe
PID 4216 wrote to memory of 3988 (12 events) N/A C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe

"C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UlvywtFnmZtH.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UlvywtFnmZtH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB0C2.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 190.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
NL 91.92.247.97:2505 tcp
US 8.8.8.8:53 97.247.92.91.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 195.177.78.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 stefracino.store udp
NL 91.92.247.97:2505 tcp
US 8.8.8.8:53 128.225.79.178.in-addr.arpa udp
US 8.8.8.8:53 181.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 stefracino.store udp
NL 91.92.247.97:2505 tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp
GB 88.221.134.18:80 tcp
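The Windows 10 network table above is mostly background: reverse (in-addr.arpa) lookups, Bing thumbnail traffic and two unattributed HTTP connections. As an added example, not part of the sandbox report, the Python below pulls the C2 candidate out of that noise. The rows are a subset of the table transcribed in the order printed; the noise allow-list and the pairing heuristic (a lookup of a non-noise domain followed by the next TCP connection) are this example's own assumptions. It also notices that one of the reverse lookups, 97.247.92.91.in-addr.arpa, is the PTR name of the connection target 91.92.247.97.

```python
"""Separate C2 candidates from sandbox background in a flat network table.

Constructed input: a subset of the behavioral2 Network rows above, as
(country, destination, domain, proto) in the order printed. The allow-list
and pairing heuristic are this example's own, not the sandbox's logic.
"""
RESOLVER = "8.8.8.8:53"
# Names a stock Windows 10 image talks to on its own; extend for your gold image (assumed list).
BENIGN_SUFFIXES = (".bing.net",)

ROWS = [
    ("US", RESOLVER, "20.160.190.20.in-addr.arpa", "udp"),
    ("NL", "91.92.247.97:2505", "", "tcp"),
    ("US", RESOLVER, "97.247.92.91.in-addr.arpa", "udp"),
    ("US", "20.231.121.79:80", "", "tcp"),
    ("US", RESOLVER, "tse1.mm.bing.net", "udp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", RESOLVER, "stefracino.store", "udp"),
    ("NL", "91.92.247.97:2505", "", "tcp"),
    ("US", RESOLVER, "128.225.79.178.in-addr.arpa", "udp"),
    ("US", RESOLVER, "stefracino.store", "udp"),
    ("NL", "91.92.247.97:2505", "", "tcp"),
    ("GB", "88.221.134.18:80", "", "tcp"),
]


def ptr_to_ip(name):
    """'97.247.92.91.in-addr.arpa' -> '91.92.247.97'; None for anything that is not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def is_noise(row):
    _, dst, domain, proto = row
    if proto == "udp" and dst == RESOLVER:          # a DNS query
        return domain.endswith(".in-addr.arpa") or domain.endswith(BENIGN_SUFFIXES)
    return bool(domain) and domain.endswith(BENIGN_SUFFIXES)


def c2_candidates(rows):
    """Map each non-noise TCP destination to the domains looked up just before it,
    the number of connections, and whether the table also holds a PTR lookup of its IP."""
    conns = {}
    pending = None                                  # last real (non-noise) lookup seen
    for row in rows:
        _, dst, domain, proto = row
        if proto == "udp" and dst == RESOLVER:
            if not is_noise(row):
                pending = domain
            continue
        if proto != "tcp" or is_noise(row):
            continue
        c = conns.setdefault(dst, {"hits": 0, "domains": set(), "ptr_lookup": False})
        c["hits"] += 1
        if pending:
            c["domains"].add(pending)
            pending = None
    ptr_ips = {ptr_to_ip(d) for _, dst, d, p in rows if p == "udp" and dst == RESOLVER} - {None}
    for dst, c in conns.items():
        c["ptr_lookup"] = dst.rsplit(":", 1)[0] in ptr_ips
    return conns


def ranked(conns):
    """Most suspicious first: attributed to a lookup, non-web port, PTR seen, connection count."""
    def score(item):
        dst, c = item
        port = int(dst.rsplit(":", 1)[1])
        return (bool(c["domains"]), port not in (80, 443), c["ptr_lookup"], c["hits"])
    return sorted(conns.items(), key=score, reverse=True)


if __name__ == "__main__":
    for dst, c in ranked(c2_candidates(ROWS)):
        print(dst, sorted(c["domains"]), c["hits"], "ptr" if c["ptr_lookup"] else "")
```

The two port-80 destinations stay in the output as unattributed so an analyst can check them against the gold image's baseline rather than having the script silently discard them.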

Files

memory/4216-0-0x00000000744B0000-0x0000000074C60000-memory.dmp

memory/4216-1-0x0000000000050000-0x0000000000146000-memory.dmp

memory/4216-2-0x0000000005150000-0x00000000056F4000-memory.dmp

memory/4216-3-0x0000000004AE0000-0x0000000004B72000-memory.dmp

memory/4216-4-0x0000000004C80000-0x0000000004C90000-memory.dmp

memory/4216-5-0x0000000004BA0000-0x0000000004BAA000-memory.dmp

memory/4216-6-0x0000000004D80000-0x0000000004E1C000-memory.dmp

memory/4216-7-0x0000000004E20000-0x0000000004E32000-memory.dmp

memory/4216-8-0x0000000005140000-0x000000000514C000-memory.dmp

memory/4216-9-0x0000000006370000-0x0000000006430000-memory.dmp

memory/1508-14-0x0000000002F30000-0x0000000002F66000-memory.dmp

memory/1508-15-0x00000000744B0000-0x0000000074C60000-memory.dmp

memory/1508-17-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/1508-16-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/4088-19-0x00000000744B0000-0x0000000074C60000-memory.dmp

memory/4088-20-0x0000000002930000-0x0000000002940000-memory.dmp

memory/1508-18-0x0000000005A30000-0x0000000006058000-memory.dmp

memory/4216-21-0x00000000744B0000-0x0000000074C60000-memory.dmp

memory/4088-22-0x0000000002930000-0x0000000002940000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB0C2.tmp

MD5 54f871890eae5d789e1802ce7b1f0ca9
SHA1 14fe7b9446b35492e9b7f09ad9768d2e9ca2d5f1
SHA256 4b85c999de1eea4610320f789cd9519e4741c48c1d8f806f445b797541ceb15f
SHA512 8c1484701b40e92fa5cd9ddc3b1c1cc88bc360aa191eb178562807a0553dc8e1de44b96c807d763ecf931f9babc9debc1c9092f71595249db5b9aa3badd0d76b

memory/4088-25-0x0000000005130000-0x0000000005196000-memory.dmp

memory/4088-26-0x0000000005A10000-0x0000000005A76000-memory.dmp

memory/1508-24-0x0000000005790000-0x00000000057B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_usfmofov.3vf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1508-37-0x0000000006280000-0x00000000065D4000-memory.dmp

memory/3988-43-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3988-47-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3988-49-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4216-50-0x00000000744B0000-0x0000000074C60000-memory.dmp

memory/3988-52-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3988-51-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3988-53-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3988-54-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3988-56-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4088-55-0x0000000006170000-0x000000000618E000-memory.dmp

memory/4088-57-0x0000000006200000-0x000000000624C000-memory.dmp

memory/4088-58-0x0000000002930000-0x0000000002940000-memory.dmp

memory/1508-59-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/4088-62-0x0000000070AA0000-0x0000000070AEC000-memory.dmp

memory/4088-63-0x000000007F330000-0x000000007F340000-memory.dmp

memory/1508-74-0x0000000070AA0000-0x0000000070AEC000-memory.dmp

memory/4088-73-0x00000000070C0000-0x00000000070DE000-memory.dmp

memory/4088-84-0x0000000007130000-0x00000000071D3000-memory.dmp

memory/1508-61-0x0000000006E30000-0x0000000006E62000-memory.dmp

memory/1508-60-0x000000007F610000-0x000000007F620000-memory.dmp

memory/4088-86-0x0000000007470000-0x000000000748A000-memory.dmp

memory/4088-85-0x0000000007AB0000-0x000000000812A000-memory.dmp

memory/4088-87-0x00000000074E0000-0x00000000074EA000-memory.dmp

memory/1508-88-0x0000000007E00000-0x0000000007E96000-memory.dmp

memory/1508-89-0x0000000007D80000-0x0000000007D91000-memory.dmp

memory/4088-90-0x00000000076A0000-0x00000000076AE000-memory.dmp

memory/4088-91-0x00000000076B0000-0x00000000076C4000-memory.dmp

memory/1508-92-0x0000000007EC0000-0x0000000007EDA000-memory.dmp

memory/4088-93-0x0000000007790000-0x0000000007798000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/4088-98-0x00000000744B0000-0x0000000074C60000-memory.dmp

memory/1508-97-0x00000000744B0000-0x0000000074C60000-memory.dmp

memory/3988-99-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3988-100-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3988-101-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3988-102-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3988-103-0x0000000000400000-0x0000000000482000-memory.dmp
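The Files sections of both runs list dozens of memory dumps whose names encode the process, a sequence number and the address range. As an added example, not part of the sandbox report, the Python below parses those names and summarises them per process, using the behavioral1 list (PIDs 1288, 2616, 2564 and 1948) as constructed input; the same pattern holds for PID 3988 in behavioral2. The heuristic that the range re-dumped most often at the lowest base in the SetThreadContext target is the injected payload, and that a range shared by two unrelated processes is a mapped module rather than injected content, is this example's own reading of the data.

```python
"""Summarise sandbox memory-dump names of the form
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp (the naming used in the report above).

Constructed input: the behavioral1 dump names, transcribed from the Files list.
"""
import re
from collections import Counter, defaultdict

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

DUMPS = (
    [f"memory/1288-{i}-{r}-memory.dmp" for i, r in enumerate([
        "0x0000000000F20000-0x0000000001016000",
        "0x0000000074440000-0x0000000074B2E000",
        "0x0000000000B30000-0x0000000000B70000",
        "0x0000000000330000-0x0000000000342000",
        "0x00000000003D0000-0x00000000003DC000",
        "0x00000000054D0000-0x0000000005590000"])]
    + ["memory/1288-40-0x0000000074440000-0x0000000074B2E000-memory.dmp"]
    + [f"memory/2616-{i}-0x000000006DF60000-0x000000006E50B000-memory.dmp" for i in (18, 20, 45)]
    + [f"memory/2564-{i}-0x000000006DF60000-0x000000006E50B000-memory.dmp" for i in (19, 46)]
    + ["memory/2564-21-0x00000000025D0000-0x0000000002610000-memory.dmp"]
    + [f"memory/1948-{i}-0x0000000000400000-0x0000000000482000-memory.dmp"
       for i in (22, 23, 24, 26, 28, 30, 32, 34, 37, 39, 41, 42, 43, 44, 47, 48, 49, 50)]
    + ["memory/1948-36-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp"]
)


def parse_dump_name(name):
    """-> (pid, seq, start, end) with the addresses as integers."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"not a dump name: {name}")
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def summarize(names):
    """pid -> Counter{(start, end): number of dumps taken of exactly that range}."""
    per_pid = defaultdict(Counter)
    for name in names:
        pid, _, start, end = parse_dump_name(name)
        per_pid[pid][(start, end)] += 1
    return per_pid


def shared_ranges(summary):
    """Ranges that appear in more than one process: mapped modules, not injected content."""
    owners = defaultdict(set)
    for pid, regions in summary.items():
        for rng in regions:
            owners[rng].add(pid)
    return {rng: pids for rng, pids in owners.items() if len(pids) > 1}


def payload_candidate(summary, pid):
    """For an injection target: the range dumped most often, lowest base on a tie.
    Returns (start, end, size, dump_count); this is the dump to carve the payload from."""
    (start, end), hits = max(summary[pid].items(), key=lambda kv: (kv[1], -kv[0][0]))
    return start, end, end - start, hits


if __name__ == "__main__":
    s = summarize(DUMPS)
    for pid, regions in sorted(s.items()):
        for (start, end), n in sorted(regions.items()):
            print(f"pid {pid}: 0x{start:08X}-0x{end:08X} ({end - start:#x} bytes) x{n}")
    print("shared:", shared_ranges(s))
    print("payload in 1948:", payload_candidate(s, 1948))
```

For PID 1948 this picks 0x400000-0x482000 (0x82000 bytes, 18 dumps), the classic image base of an unpacked payload written into a hollowed host; the 0x6DF60000-0x6E50B000 range is shared by both PowerShell processes and can be set aside.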