Malware Analysis Report

2025-01-02 03:20

Sample ID: 240403-rbbyyaed69
Target: Purchase order Inquiry 01-04 project 22501 - Request for quotation.exe
SHA256: 16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce
Tags: remcos remotehost rat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce

Threat Level: Known bad

The file Purchase order Inquiry 01-04 project 22501 - Request for quotation.exe was found to be: Known bad.

Malicious Activity Summary

remcos remotehost rat

Remcos

Checks computer location settings

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-03 14:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 14:00

Reported

2024-04-03 14:03

Platform

win7-20231129-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Purchase order Inquiry 01-04 project 22501 - Request for quotation.exe"

Signatures

Remcos

rat remcos

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2316 set thread context of 2852 N/A C:\Users\Admin\AppData\Local\Temp\Purchase order Inquiry 01-04 project 22501 - Request for quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Purchase order Inquiry 01-04 project 22501 - Request for quotation.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2316 wrote to memory of 812 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\Purchase order Inquiry 01-04 project 22501 - Request for quotation.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2316 wrote to memory of 2092 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\Purchase order Inquiry 01-04 project 22501 - Request for quotation.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2316 wrote to memory of 2276 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\Purchase order Inquiry 01-04 project 22501 - Request for quotation.exe C:\Windows\SysWOW64\schtasks.exe
PID 2316 wrote to memory of 2852 (13 events) N/A C:\Users\Admin\AppData\Local\Temp\Purchase order Inquiry 01-04 project 22501 - Request for quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Purchase order Inquiry 01-04 project 22501 - Request for quotation.exe

"C:\Users\Admin\AppData\Local\Temp\Purchase order Inquiry 01-04 project 22501 - Request for quotation.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Purchase order Inquiry 01-04 project 22501 - Request for quotation.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xEAqrgXRK.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xEAqrgXRK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3717.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

Network

Country Destination Domain Proto
NL 91.92.244.17:2707 tcp (7 connection events)

Files

C:\Users\Admin\AppData\Local\Temp\tmp3717.tmp

MD5 4539f8014b01fa586d343ab6152193ce
SHA1 11d9d6974740d351afae63e734e0ce065744d899
SHA256 ca744c26582d6a3f26f7a465fdc4e8e304f4694094ac6ae5134af447b07cfb51
SHA512 eeaad9624805f8881e7c3c4e9449c3d29db8853edd0bcc5420531e8243e33d65eb0c0a7a0ad28e360ad2afaec3c58b484936461a096391d34c371006cee1b00e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 860a7e9b2011327a9ad2451742e3be08
SHA1 dc10282d0aa3e9b99d62af506e04533880a7a2e4
SHA256 7cded2221d9db245b9b59df362c7ec929e4311842b0e66799952e440b2790c1f
SHA512 0597106d5ff3cb0640b43d349aa700eab060d7fa6d95f87d893021ef8238e19d7f044605e8bbc10abf06fb9e0d693558b54526e1d13deda1c861fbd722f37c27

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 14:00

Reported

2024-04-03 14:03

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Purchase order Inquiry 01-04 project 22501 - Request for quotation.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Purchase order Inquiry 01-04 project 22501 - Request for quotation.exe N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
13 events N/A C:\Users\Admin\AppData\Local\Temp\Purchase order Inquiry 01-04 project 22501 - Request for quotation.exe N/A
6 events N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Purchase order Inquiry 01-04 project 22501 - Request for quotation.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3516 wrote to memory of 2756 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Purchase order Inquiry 01-04 project 22501 - Request for quotation.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3516 wrote to memory of 2008 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Purchase order Inquiry 01-04 project 22501 - Request for quotation.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3516 wrote to memory of 3472 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Purchase order Inquiry 01-04 project 22501 - Request for quotation.exe C:\Windows\SysWOW64\schtasks.exe
PID 3516 wrote to memory of 4120 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Purchase order Inquiry 01-04 project 22501 - Request for quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3516 wrote to memory of 4412 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Purchase order Inquiry 01-04 project 22501 - Request for quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3516 wrote to memory of 3060 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Purchase order Inquiry 01-04 project 22501 - Request for quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3516 wrote to memory of 2432 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Purchase order Inquiry 01-04 project 22501 - Request for quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3516 wrote to memory of 4124 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Purchase order Inquiry 01-04 project 22501 - Request for quotation.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Purchase order Inquiry 01-04 project 22501 - Request for quotation.exe

"C:\Users\Admin\AppData\Local\Temp\Purchase order Inquiry 01-04 project 22501 - Request for quotation.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Purchase order Inquiry 01-04 project 22501 - Request for quotation.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xEAqrgXRK.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xEAqrgXRK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6184.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3936 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
GB 142.250.187.234:443 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp6184.tmp

MD5 ebb9291107d17eab49be9db0fb38df8b
SHA1 efa2d47f08abf3d781b60239df020dec0083135f
SHA256 cce6434b094750832f8569b2603f07903fb490b0cb28a22e8d828084669736b1
SHA512 0cf8c688dbd83070ae2b4f4e55d7e1fb726ca3f85662426b3f8c7c9ab15fbfae01a11e9a03aa343c66b82df62c1fb98fbec900ab604d9351f189073bf5ff9b7f

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ijsecjnk.nt4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3