Malware Analysis Report

2024-12-07 22:30

Sample ID 240405-b5gtaahe57
Target cb60f9802b22337e3182ff3045e848fa.bin
SHA256 08aa3bfb5f56d17ce70299a7ac6680738f95df00da7445f6ba4d7064dfa73d71
Tags: remcos remotehost rat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 08aa3bfb5f56d17ce70299a7ac6680738f95df00da7445f6ba4d7064dfa73d71

Threat Level: Known bad

The file cb60f9802b22337e3182ff3045e848fa.bin was found to be: Known bad.

Malicious Activity Summary

Tags: remcos remotehost rat

Remcos: the Remcos RAT family signature fired in both detonations (behavioral1 on Windows 7, behavioral2 on Windows 10).

Uses the VBS compiler for execution: vbc.exe, the Visual Basic .NET compiler, is started with no arguments and then written to and re-contexted by the sample; it serves as a host process for the payload, not to compile anything.

Checks computer location settings: queries Control Panel\International\Geo\Nation in HKEY_USERS (observed only in behavioral2).

Suspicious use of SetThreadContext: the sample sets the thread context of the vbc.exe child it spawned. Together with the repeated WriteProcessMemory events into that same child, and the repeated memory dumps of its 0x00400000-0x00482000 image region under Files, this is the process-hollowing pattern.

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken: SeDebugPrivilege is enabled by the sample and by both powershell.exe children.

Creates scheduled task(s): schtasks.exe /Create /TN "Updates\xEAqrgXRK" /XML <file in %TEMP%> (persistence).

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory: the sample writes into both powershell.exe children, into schtasks.exe and into vbc.exe.

Not flagged as a separate signature, but visible in the command lines of both runs: two PowerShell invocations of Add-MpPreference -ExclusionPath that exclude the sample itself and C:\Users\Admin\AppData\Roaming\xEAqrgXRK.exe from Windows Defender scanning. Neither run records a write of xEAqrgXRK.exe, and the scheduled-task XML (tmp4D65.tmp / tmp74A3.tmp) is listed only by hash, so the task's action is not shown in this report. Both runs connect repeatedly to 91.92.244.17:2707 over TCP.

MITRE ATT&CK

Enterprise Matrix V15 (mapping derived from the signatures and command lines recorded in the behavioral runs below)

T1219 Remote Access Software: Remcos (ATT&CK software S0332)
T1059.001 Command and Scripting Interpreter: PowerShell (Add-MpPreference invocations)
T1562.001 Impair Defenses: Disable or Modify Tools (Windows Defender path exclusions)
T1053.005 Scheduled Task/Job: Scheduled Task (schtasks.exe /Create ... /XML)
T1055.012 Process Injection: Process Hollowing (SetThreadContext and WriteProcessMemory into vbc.exe)
T1614 System Location Discovery (Geo\Nation registry query, behavioral2)
T1057 Process Discovery (EnumeratesProcesses)
T1082 System Information Discovery (Enumerates physical storage devices)
T1571 Non-Standard Port (TCP 2707 to 91.92.244.17)

Analysis: static1

Detonation Overview

Reported: 2024-04-05 01:43

Signatures

Unsigned PE: the sample carries no Authenticode signature (no further indicator, process or target recorded for this static signature).

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-05 01:43
Reported: 2024-04-05 01:46
Platform: win7-20240221-en
Max time kernel: 147s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe"

Signatures

Remcos

rat remcos

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1676 set thread context of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Enumerates physical storage devices

Creates scheduled task(s)

Tag: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Events | Indicator | Process | Target
PID 1676 wrote to memory of 3068 | 4 | N/A | C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 2628 | 4 | N/A | C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 2656 | 4 | N/A | C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1676 wrote to memory of 2660 | 13 | N/A | C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Processes

Each process image (with its PID where the signature rows identify it) is followed by its command line.

C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe (PID 1676)

"C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3068 or 2628)

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3068 or 2628)

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xEAqrgXRK.exe"

C:\Windows\SysWOW64\schtasks.exe (PID 2656)

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xEAqrgXRK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4D65.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 2660)

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

The image paths are under SysWOW64 while the command lines name System32: the sample is a 32-bit process (note its 32-bit memory regions under Files), so its children are resolved through WOW64 file-system redirection. vbc.exe is launched with no arguments, which a real compiler invocation never is.

Network

Country | Destination | Domain | Proto | Events
NL | 91.92.244.17:2707 | | tcp | 7

Files

memory/1676-0-0x0000000001080000-0x0000000001164000-memory.dmp

memory/1676-1-0x0000000074800000-0x0000000074EEE000-memory.dmp

memory/1676-2-0x0000000004910000-0x0000000004950000-memory.dmp

memory/1676-3-0x00000000004B0000-0x00000000004C4000-memory.dmp

memory/1676-4-0x00000000004E0000-0x00000000004EA000-memory.dmp

memory/1676-5-0x00000000004F0000-0x00000000004FC000-memory.dmp

memory/1676-6-0x0000000005010000-0x00000000050D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4D65.tmp

MD5 5cbb47e3d40d82dd1c275082b3db635c
SHA1 9be84262cee6f6c78ad0ef8276e064cc6e552c62
SHA256 fe05a8b2e0e38814b6e37b4b4e59aecf2943e2abfe7c9f8a80dfa7a4ed4c718a
SHA512 07ed902f909b2c5a765f4dfc126d5174958623f7319f94377a74bb6f29a36faa31a8ed533971afc22b154c26bdb24797198fbe2fee894102de64a8fda8470799

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\U4Y67BV1XGKS93B1KW63.temp

MD5 6e725e16d459ce7e3263b8c3e49d310c
SHA1 e83b3577d931f747a5cb77430fe91c80b474a6e6
SHA256 b93dd058f1ed3d5cc1213023bb4f857e624e1b09a9d40949113d18bd1a359b06
SHA512 1062bc77f79b47a7e26e46d177b9e60061109bf19a39dcef6e8ec2b4831527b6dcd5591bf383ffe1b5c456250af1460ef3cfd4c2c57f216405994df71c1eac9f

memory/2628-19-0x000000006F680000-0x000000006FC2B000-memory.dmp

memory/3068-20-0x000000006F680000-0x000000006FC2B000-memory.dmp

memory/2660-21-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3068-23-0x0000000002AE0000-0x0000000002B20000-memory.dmp

memory/3068-25-0x000000006F680000-0x000000006FC2B000-memory.dmp

memory/2660-24-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2628-26-0x000000006F680000-0x000000006FC2B000-memory.dmp

memory/2660-29-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2628-28-0x0000000002980000-0x00000000029C0000-memory.dmp

memory/2628-30-0x0000000002980000-0x00000000029C0000-memory.dmp

memory/2660-32-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-43-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-45-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1676-46-0x0000000074800000-0x0000000074EEE000-memory.dmp

memory/2660-42-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2660-40-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-38-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-36-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-48-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-34-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-49-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3068-51-0x000000006F680000-0x000000006FC2B000-memory.dmp

memory/2628-50-0x000000006F680000-0x000000006FC2B000-memory.dmp

memory/2660-52-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-53-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-54-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-55-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-56-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-57-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-58-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-59-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-60-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-61-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-62-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-63-0x0000000000400000-0x0000000000482000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-05 01:43
Reported: 2024-04-05 01:46
Platform: win10v2004-20240226-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe"

Signatures

Remcos

rat remcos

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe | N/A

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3076 set thread context of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Enumerates physical storage devices

Creates scheduled task(s)

Tag: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Events | Indicator | Process | Target
PID 3076 wrote to memory of 632 | 3 | N/A | C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3076 wrote to memory of 4648 | 3 | N/A | C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3076 wrote to memory of 1204 | 3 | N/A | C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3076 wrote to memory of 1588 | 12 | N/A | C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Processes

Each process image (with its PID where the signature rows identify it) is followed by its command line.

C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe (PID 3076)

"C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 632 or 4648)

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 632 or 4648)

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xEAqrgXRK.exe"

C:\Windows\SysWOW64\schtasks.exe (PID 1204)

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xEAqrgXRK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp74A3.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 1588)

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

The process tree, task name, exclusion paths and argument-less vbc.exe host are identical to behavioral1; only the PIDs and the temporary XML file name differ, so the behaviour is not platform-specific.

Network

Country | Destination | Domain | Proto | Events
NL | 91.92.244.17:2707 | | tcp | 7
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 218.110.86.104.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 9.66.18.2.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp | 1

The 8.8.8.8 rows are reverse (PTR) lookups that the report does not attribute to any process; they were interleaved with the TCP connections in the original capture. The TCP connections to 91.92.244.17:2707 are the only traffic common to both runs and are the C2 indicator to act on.
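The following is an added example, not part of this report or of the Remcos sample. It shows how the four behaviours recorded above for both runs can be detected from sandbox-style records rather than by family signature: Defender exclusions added with Add-MpPreference, a scheduled task created from an XML file in %TEMP%, the process-hollowing pattern (a parent that both writes to and sets the thread context of a child launched as a bare image path), and repeated TCP connections to a non-standard port. The records are constructed from the behavioral2 run (PIDs, command lines, SetThreadContext/WriteProcessMemory rows, network table); which of the two powershell.exe PIDs ran which Add-MpPreference command is an assumption, as is the set of ports treated as ordinary.

```python
"""Detection logic over sandbox-style process, signature and network records.
Added example; records are constructed from the behavioral2 run of this report.
Which powershell.exe PID ran which exclusion is assumed (the report does not say)."""
import re
from collections import Counter, namedtuple

Proc = namedtuple("Proc", "pid image cmdline")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe"
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "%s"'
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

# Constructed from the behavioral2 Processes section (PID-to-PowerShell pairing assumed).
PROCESSES = [
    Proc(3076, SAMPLE, '"%s"' % SAMPLE),
    Proc(632, PS_IMAGE, PS_CMD % SAMPLE),
    Proc(4648, PS_IMAGE, PS_CMD % r"C:\Users\Admin\AppData\Roaming\xEAqrgXRK.exe"),
    Proc(1204, r"C:\Windows\SysWOW64\schtasks.exe",
         r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xEAqrgXRK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp74A3.tmp"'),
    Proc(1588, VBC, '"%s"' % VBC),
]
# Constructed from the behavioral2 SetThreadContext / WriteProcessMemory rows.
SIGNATURES = (["PID 3076 set thread context of 1588"]
              + ["PID 3076 wrote to memory of 632"] * 3
              + ["PID 3076 wrote to memory of 4648"] * 3
              + ["PID 3076 wrote to memory of 1204"] * 3
              + ["PID 3076 wrote to memory of 1588"] * 12)
# Constructed from the behavioral2 Network table: (country, destination, proto).
NETWORK = [("NL", "91.92.244.17:2707", "tcp")] * 7 + [("US", "8.8.8.8:53", "udp")] * 2

SIG_RE = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+)")
COMMON_TCP_PORTS = {80, 443, 8080, 8443}  # assumption: ports not worth flagging on count alone


def split_cmdline(cmd):
    """Split a Windows command line on whitespace, keeping double-quoted tokens whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def defender_exclusions(proc):
    """Paths a powershell.exe Add-MpPreference command excludes from Defender."""
    toks = split_cmdline(proc.cmdline)
    low = [t.lower() for t in toks]
    if not toks or not low[0].endswith("powershell.exe") or "add-mppreference" not in low:
        return []
    flags = ("-exclusionpath", "-exclusionprocess", "-exclusionextension")
    return [toks[i + 1] for i, t in enumerate(low) if t in flags and i + 1 < len(toks)]


def schtasks_from_temp(proc):
    """(task name, xml path) when schtasks /Create takes its definition from a %TEMP% file."""
    toks = split_cmdline(proc.cmdline)
    low = [t.lower() for t in toks]
    if not toks or not low[0].endswith("schtasks.exe") or "/create" not in low:
        return None
    if "/xml" not in low or low.index("/xml") + 1 >= len(toks):
        return None
    xml = toks[low.index("/xml") + 1]
    name = toks[low.index("/tn") + 1] if "/tn" in low and low.index("/tn") + 1 < len(toks) else None
    return (name, xml) if "\\temp\\" in xml.lower() else None


def hollowing_candidates(signatures, procs):
    """(src, dst, image, write count) for children that were both written to and
    re-contexted by the same parent and were launched with no arguments."""
    by_pid = {p.pid: p for p in procs}
    ctx, writes = set(), Counter()
    for line in signatures:
        m = SIG_RE.match(line)
        if not m:
            continue
        src, what, dst = int(m[1]), m[2], int(m[3])
        (ctx.add((src, dst)) if what.startswith("set thread") else writes.update([(src, dst)]))
    out = []
    for src, dst in ctx:
        target = by_pid.get(dst)
        if target and writes[(src, dst)] and len(split_cmdline(target.cmdline)) == 1:
            out.append((src, dst, target.image, writes[(src, dst)]))
    return sorted(out)


def c2_candidates(network, min_conns=3):
    """(host, port, count) for repeated TCP connections to a non-standard port."""
    counts = Counter(dst for _, dst, proto in network if proto == "tcp")
    out = []
    for dst, n in counts.items():
        host, port = dst.rsplit(":", 1)
        if int(port) not in COMMON_TCP_PORTS and n >= min_conns:
            out.append((host, int(port), n))
    return sorted(out)


def analyse(procs=PROCESSES, signatures=SIGNATURES, network=NETWORK):
    """Run every detector over one detonation's records and collect the findings."""
    f = {"defender_exclusions": [], "scheduled_tasks": [], "hollowing": [], "c2": []}
    for p in procs:
        f["defender_exclusions"] += defender_exclusions(p)
        task = schtasks_from_temp(p)
        if task:
            f["scheduled_tasks"].append(task)
    f["hollowing"] = hollowing_candidates(signatures, procs)
    f["c2"] = c2_candidates(network)
    return f


if __name__ == "__main__":
    for key, value in analyse().items():
        print(key, value)
```

Each detector keys on what the sample had to do rather than on the Remcos family, so the same logic fires on the behavioral1 records (PIDs 1676/3068/2628/2656/2660, tmp4D65.tmp, 13 writes into vbc.exe) without change. The hollowing check deliberately requires all three conditions (thread-context change, memory writes from the same parent, and an argument-less child), since any one of them alone is common in legitimate .NET and debugger activity.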

Files

memory/3076-0-0x00000000005B0000-0x0000000000694000-memory.dmp

memory/3076-1-0x0000000074E80000-0x0000000075630000-memory.dmp

memory/3076-2-0x0000000005540000-0x0000000005AE4000-memory.dmp

memory/3076-3-0x0000000005080000-0x0000000005112000-memory.dmp

memory/3076-4-0x00000000051E0000-0x00000000051F0000-memory.dmp

memory/3076-5-0x0000000005150000-0x000000000515A000-memory.dmp

memory/3076-6-0x0000000005400000-0x0000000005414000-memory.dmp

memory/3076-7-0x0000000005430000-0x000000000543A000-memory.dmp

memory/3076-8-0x0000000005440000-0x000000000544C000-memory.dmp

memory/3076-9-0x0000000006350000-0x0000000006410000-memory.dmp

memory/3076-10-0x0000000008B00000-0x0000000008B9C000-memory.dmp

memory/632-15-0x00000000027A0000-0x00000000027D6000-memory.dmp

memory/632-16-0x0000000074E80000-0x0000000075630000-memory.dmp

memory/632-17-0x0000000002750000-0x0000000002760000-memory.dmp

memory/4648-19-0x0000000074E80000-0x0000000075630000-memory.dmp

memory/632-18-0x00000000051A0000-0x00000000057C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp74A3.tmp

MD5 304c4e1fa1f2264967869ebed101208c
SHA1 61d39c21262c83614d9ee67009b273419f2c8072
SHA256 1cbcf5d9e59b15688b7d8b29fd81a52c432f8ee59fb4d14452bdafbfa0a9becb
SHA512 0363cc5e2e2be3c3b107b5beab0dddc41e48e646a180131ab1506f53679d5efbadbf464f36670930e5ce178d9f52288d3bcc0b5708773ec8e4bc973101e41a41

memory/4648-20-0x0000000005070000-0x0000000005080000-memory.dmp

memory/4648-23-0x00000000053A0000-0x00000000053C2000-memory.dmp

memory/632-24-0x00000000057D0000-0x0000000005836000-memory.dmp

memory/4648-22-0x0000000005070000-0x0000000005080000-memory.dmp

memory/1588-26-0x0000000000400000-0x0000000000482000-memory.dmp

memory/632-27-0x0000000005A70000-0x0000000005AD6000-memory.dmp

memory/1588-33-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4648-49-0x00000000060E0000-0x0000000006434000-memory.dmp

memory/3076-52-0x0000000074E80000-0x0000000075630000-memory.dmp

memory/1588-51-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1588-50-0x0000000000400000-0x0000000000482000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ytx4t1wf.mug.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1588-25-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4648-53-0x0000000006480000-0x000000000649E000-memory.dmp

memory/4648-54-0x0000000006510000-0x000000000655C000-memory.dmp

memory/4648-55-0x000000007F4E0000-0x000000007F4F0000-memory.dmp

memory/632-57-0x0000000007220000-0x0000000007252000-memory.dmp

memory/632-56-0x000000007F460000-0x000000007F470000-memory.dmp

memory/632-59-0x0000000075710000-0x000000007575C000-memory.dmp

memory/632-80-0x0000000007290000-0x0000000007333000-memory.dmp

memory/4648-79-0x0000000005070000-0x0000000005080000-memory.dmp

memory/4648-81-0x0000000005070000-0x0000000005080000-memory.dmp

memory/4648-58-0x0000000075710000-0x000000007575C000-memory.dmp

memory/632-82-0x0000000002750000-0x0000000002760000-memory.dmp

memory/632-83-0x0000000002750000-0x0000000002760000-memory.dmp

memory/4648-69-0x0000000007420000-0x000000000743E000-memory.dmp

memory/632-85-0x0000000007A10000-0x000000000808A000-memory.dmp

memory/4648-84-0x0000000007790000-0x00000000077AA000-memory.dmp

memory/4648-86-0x0000000007800000-0x000000000780A000-memory.dmp

memory/4648-87-0x0000000007A10000-0x0000000007AA6000-memory.dmp

memory/4648-88-0x0000000007990000-0x00000000079A1000-memory.dmp

memory/4648-89-0x00000000079C0000-0x00000000079CE000-memory.dmp

memory/4648-90-0x00000000079D0000-0x00000000079E4000-memory.dmp

memory/4648-91-0x0000000007AD0000-0x0000000007AEA000-memory.dmp

memory/4648-92-0x0000000007AB0000-0x0000000007AB8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d77ac3fa23d85dd2023e534f0ea465a0
SHA1 48fd0343f715884e44dbd6e228ab965e3e1922c5
SHA256 0de14eed8d808e59bfbe056c8fdd98091eb0c69c3b1ac1c10db6769445c646f2
SHA512 04e842f0c7a36a59696eed4d21e136a0134792a012b56a0748c0fd7c9444ec7ce1685185f2eed112b2a05024eb3b397480ebffc8c34a51bc0498d3a4d265b4bf

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/4648-98-0x0000000074E80000-0x0000000075630000-memory.dmp

memory/632-99-0x0000000074E80000-0x0000000075630000-memory.dmp

memory/1588-100-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1588-101-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1588-102-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1588-103-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1588-104-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1588-105-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1588-106-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1588-107-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1588-108-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1588-109-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1588-110-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1588-111-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1588-112-0x0000000000400000-0x0000000000482000-memory.dmp