Malware Analysis Report

2025-01-02 03:15

Sample ID 240404-bltzhaag34
Target 16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe
SHA256 16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce
Tags
remcos remotehost rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce

Threat Level: Known bad

The file 16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe was found to be: Known bad.

Malicious Activity Summary

remcos remotehost rat

Remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Detects executables packed with SmartAssembly

Checks computer location settings

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-04 01:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 01:14

Reported

2024-04-04 01:17

Platform

win7-20240221-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe"

Signatures

Remcos

rat remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2272 set thread context of 1204 N/A C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2272 wrote to memory of 2980 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2272 wrote to memory of 2556 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2272 wrote to memory of 2652 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe C:\Windows\SysWOW64\schtasks.exe
PID 2272 wrote to memory of 2452 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2272 wrote to memory of 2492 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2272 wrote to memory of 2916 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2272 wrote to memory of 1204 (13 identical events) N/A C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe

"C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xEAqrgXRK.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xEAqrgXRK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp78C8.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

Network

Country Destination Domain Proto
NL 91.92.244.17:2707 tcp (6 identical connections)

Files

C:\Users\Admin\AppData\Local\Temp\tmp78C8.tmp

MD5 767620f63004ce1de5a9bb1d0b95c7e6
SHA1 26cb33ed1637555818e627d4da44dbeb3fac2b35
SHA256 9c7e0fb5cb66112918d06c4b464a297d6f56c9bc612c2b7713d5b5a605ee18c0
SHA512 054445c489f277418c5b39857f9a735f0ba11159b8f8f7257d1d18a186054a2486b483957eeb4548d48d6f8329018aff7e4dc5f7db8e4bcbc6ffe793fb9678ab

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 d9c10d1813dcfacd7bda5c57cd801177
SHA1 fa6db48ff259d2bc6d34b407bf532a375ca94ecb
SHA256 7a5612d3b84427bba00ce6f3d1e1ee67e4a89203f424509550f30b05b2acf8df
SHA512 1dfb67cf024eec9287f8dca9580104a50f3dcce492697a17a042ef668af9ee6de3aa45a76b78a9b207308ace2debb311c8f1232f0cd0c82fc24886299f9b7830

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 01:14

Reported

2024-04-04 01:17

Platform

win10v2004-20240319-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe"

Signatures

Remcos

rat remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe N/A

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4560 set thread context of 2612 N/A C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4560 wrote to memory of 3632 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4560 wrote to memory of 1384 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4560 wrote to memory of 3220 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe C:\Windows\SysWOW64\schtasks.exe
PID 4560 wrote to memory of 2612 (12 identical events) N/A C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe

"C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xEAqrgXRK.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xEAqrgXRK" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC13D.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2092 --field-trial-handle=2288,i,10301911031503898037,2997280636231771547,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 13.107.246.64:443 tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 226.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 14.34.115.104.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
NL 91.92.244.17:2707 tcp (6 identical connections)
NL 172.217.168.234:443 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp (5 identical connections)
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmpC13D.tmp

MD5 796ec2a1f21afdbbb607778305a88a66
SHA1 a738a8d51d50b5b012708c80f6b9c385969eaf4a
SHA256 b94c036964e8ad25ec8300e6189dcf49604f39c255b68231f9875137fe517b0e
SHA512 a97fbb6751a0b47a5806d946c97ea456e019ce087c0915bca88ef6b80641358f9c6bda0edd95c3976293e1ca730b503d69d70b3b9b6061e2b66ba80dfac499fc

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0sbj2cs5.x5y.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f56fd1e1f237be469bd4bd69587516e4
SHA1 b75e2c24c8b3a4cbd6451c0b380b11bcaa49874e
SHA256 31173bbbfc4b87019efdd18a9346d0e8491fac356987f8a7035f11cd363e820c
SHA512 26ae3ba40cc8e1e758d72a912650cfcadd5b229368c34878b1f9e00addc2e42d52b683b6ed229c107201be11797af70e80ed6851b11de4171bbf9a6eff5d5c1e
