Malware Analysis Report

2024-12-07 22:27

Sample ID 240406-b8dk2ahd75
Target f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe
SHA256 f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2
Tags: remcos remotehost rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256

f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2

Threat Level: Known bad

The file f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe was found to be: Known bad.

Malicious Activity Summary

remcos remotehost rat

Remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Detects executables packed with SmartAssembly

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-06 01:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-06 01:48
Reported: 2024-04-06 01:51
Platform: win7-20240221-en
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe"

Signatures

Remcos

rat remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(26 rows in the original report, all N/A)

Detects executables packed with SmartAssembly

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(2 rows in the original report, all N/A)

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2308 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2308 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2308 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2308 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2308 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe
PID 2308 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe
PID 2308 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe
PID 2308 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe
PID 2308 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe
PID 2308 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe
PID 2308 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe
PID 2308 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe
PID 2308 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe
PID 2308 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe
PID 2308 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe
PID 2308 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe
PID 2308 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe
PID 2308 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe

"C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vcEDbAjawlTHE.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vcEDbAjawlTHE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8FD1.tmp"

C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe

"C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | sembe.duckdns.org | udp
BE | 194.187.251.115:14645 | sembe.duckdns.org | tcp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp

Files

memory/2308-0-0x0000000000D90000-0x0000000000E78000-memory.dmp

memory/2308-1-0x00000000741D0000-0x00000000748BE000-memory.dmp

memory/2308-2-0x0000000004D20000-0x0000000004D60000-memory.dmp

memory/2308-3-0x0000000000310000-0x0000000000320000-memory.dmp

memory/2308-4-0x0000000000330000-0x000000000033C000-memory.dmp

memory/2308-5-0x00000000051C0000-0x0000000005280000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8FD1.tmp

MD5 17052790e32d50230c2c3fc13ddaac9c
SHA1 0371dff5deae34fe2eda04fd0a1024cccacaf6e5
SHA256 cdb7aa026e8d4d4b51131b9e109d9ad02d54355086ac75ef6b683f1c8e9c2654
SHA512 810c68bc7e4a42d0d4b18f0620e4d1125f8865e700f03bf71d166f69faab2ce334665d4f5fefc746318c80022427e490548430ac06869a3e13b7c4dd8a0e3b3a

memory/2724-13-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2724-15-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2724-17-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2724-18-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2724-19-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2724-20-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2724-21-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2724-22-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2724-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2724-25-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2308-27-0x00000000741D0000-0x00000000748BE000-memory.dmp

memory/2724-28-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2724-29-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2724-31-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2724-32-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2588-33-0x000000006E580000-0x000000006EB2B000-memory.dmp

memory/2588-34-0x000000006E580000-0x000000006EB2B000-memory.dmp

memory/2724-35-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2588-36-0x0000000002480000-0x00000000024C0000-memory.dmp

memory/2588-37-0x0000000002480000-0x00000000024C0000-memory.dmp

memory/2588-38-0x0000000002480000-0x00000000024C0000-memory.dmp

memory/2724-39-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2588-40-0x000000006E580000-0x000000006EB2B000-memory.dmp

memory/2724-41-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2724-42-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2724-43-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2724-48-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2724-49-0x0000000000400000-0x0000000000482000-memory.dmp

C:\Users\Admin\AppData\Roaming\notess\logs.dat

MD5 a71ac44af7543078eb3cc11efb8f49e7
SHA1 a51bbb3dfa4ac567b24da7b82067b89252585967
SHA256 80e45cec26960581dc27a5fc78fefe03f8334adc16eef7e5a45deff4c93fea08
SHA512 d7c20207546b2c40c3da9224bc3764604f03d23f1ae2466b8e133db23e90cb0a5be3875e0b5f3c8df1cc7f6613898d41fed427d2d858e46ceac853ba158af941

memory/2724-53-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2724-57-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2724-58-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2724-65-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2724-66-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2724-73-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2724-74-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2724-81-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2724-82-0x0000000000400000-0x0000000000482000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-06 01:48
Reported: 2024-04-06 01:51
Platform: win10v2004-20240319-en
Max time kernel: 150s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe"

Signatures

Remcos

rat remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(22 rows in the original report, all N/A)

Detects executables packed with SmartAssembly

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(2 rows in the original report, all N/A)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5088 wrote to memory of 3152 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5088 wrote to memory of 3152 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5088 wrote to memory of 3152 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5088 wrote to memory of 8 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 5088 wrote to memory of 8 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 5088 wrote to memory of 8 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 5088 wrote to memory of 4864 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe
PID 5088 wrote to memory of 4864 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe
PID 5088 wrote to memory of 4864 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe
PID 5088 wrote to memory of 4864 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe
PID 5088 wrote to memory of 4864 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe
PID 5088 wrote to memory of 4864 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe
PID 5088 wrote to memory of 4864 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe
PID 5088 wrote to memory of 4864 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe
PID 5088 wrote to memory of 4864 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe
PID 5088 wrote to memory of 4864 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe
PID 5088 wrote to memory of 4864 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe
PID 5088 wrote to memory of 4864 | N/A | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe | C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe

"C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vcEDbAjawlTHE.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vcEDbAjawlTHE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA48D.tmp"

C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe

"C:\Users\Admin\AppData\Local\Temp\f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=2228,i,8155065313278028490,17854605419281052753,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.2.37.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
NL | 142.250.179.202:443 |  | tcp
IE | 94.245.104.56:443 |  | tcp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
GB | 51.140.242.104:443 |  | tcp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | sembe.duckdns.org | udp
BE | 194.187.251.115:14645 | sembe.duckdns.org | tcp
US | 8.8.8.8:53 | 115.251.187.194.in-addr.arpa | udp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp
US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp
GB | 51.140.244.186:443 |  | tcp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp

Files

memory/5088-0-0x0000000000D10000-0x0000000000DF8000-memory.dmp

memory/5088-1-0x0000000074920000-0x00000000750D0000-memory.dmp

memory/5088-2-0x0000000005D80000-0x0000000006324000-memory.dmp

memory/5088-3-0x0000000005870000-0x0000000005902000-memory.dmp

memory/5088-4-0x0000000005A60000-0x0000000005A70000-memory.dmp

memory/5088-5-0x0000000005810000-0x000000000581A000-memory.dmp

memory/5088-6-0x0000000005A50000-0x0000000005A60000-memory.dmp

memory/5088-7-0x0000000005AF0000-0x0000000005AFC000-memory.dmp

memory/5088-8-0x0000000006CA0000-0x0000000006D60000-memory.dmp

memory/5088-9-0x00000000095E0000-0x000000000967C000-memory.dmp

memory/3152-14-0x00000000028B0000-0x00000000028E6000-memory.dmp

memory/3152-15-0x0000000074920000-0x00000000750D0000-memory.dmp

memory/3152-16-0x0000000002980000-0x0000000002990000-memory.dmp

memory/3152-17-0x0000000002980000-0x0000000002990000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA48D.tmp

MD5 601227869aa531a3acd347f9d0181f37
SHA1 d7a03dc42224bd50cd4010916e81547ff5cba586
SHA256 1b580c9fc6722565956906ec38a187d34feaaa75f732c78cf62fb6b0c7395809
SHA512 6fbc9f497d73b86392a780b3d61dc582c921f8ea29853c4691fe9e9e853356d6b7f860b292e8bc597cc1c96377c70b00d789d2a923ea8418044d2ee8586b0a00

memory/3152-19-0x0000000005380000-0x00000000059A8000-memory.dmp

memory/4864-20-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4864-21-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4864-24-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4864-26-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3152-33-0x0000000005B20000-0x0000000005B86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_azf1nleb.n1m.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4864-27-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3152-35-0x0000000005B90000-0x0000000005BF6000-memory.dmp

memory/4864-38-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4864-41-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5088-25-0x0000000074920000-0x00000000750D0000-memory.dmp

memory/3152-23-0x0000000005300000-0x0000000005322000-memory.dmp

memory/3152-42-0x0000000005D00000-0x0000000006054000-memory.dmp

memory/4864-43-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3152-44-0x00000000061E0000-0x00000000061FE000-memory.dmp

memory/3152-45-0x0000000006220000-0x000000000626C000-memory.dmp

memory/4864-46-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4864-47-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4864-48-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3152-51-0x0000000002980000-0x0000000002990000-memory.dmp

memory/3152-52-0x00000000071E0000-0x0000000007212000-memory.dmp

memory/3152-53-0x0000000071FC0000-0x000000007200C000-memory.dmp

memory/3152-63-0x0000000006780000-0x000000000679E000-memory.dmp

memory/3152-64-0x0000000007220000-0x00000000072C3000-memory.dmp

memory/3152-65-0x0000000007B50000-0x00000000081CA000-memory.dmp

memory/3152-66-0x00000000074F0000-0x000000000750A000-memory.dmp

memory/3152-67-0x0000000007560000-0x000000000756A000-memory.dmp

memory/3152-68-0x0000000007770000-0x0000000007806000-memory.dmp

memory/3152-71-0x00000000076F0000-0x0000000007701000-memory.dmp

memory/3152-72-0x0000000007720000-0x000000000772E000-memory.dmp

memory/3152-73-0x0000000007730000-0x0000000007744000-memory.dmp

memory/3152-74-0x0000000007830000-0x000000000784A000-memory.dmp

memory/3152-75-0x0000000007810000-0x0000000007818000-memory.dmp

memory/3152-78-0x0000000074920000-0x00000000750D0000-memory.dmp

memory/4864-79-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4864-80-0x0000000000400000-0x0000000000482000-memory.dmp

C:\Users\Admin\AppData\Roaming\notess\logs.dat

MD5 a71ac44af7543078eb3cc11efb8f49e7
SHA1 a51bbb3dfa4ac567b24da7b82067b89252585967
SHA256 80e45cec26960581dc27a5fc78fefe03f8334adc16eef7e5a45deff4c93fea08
SHA512 d7c20207546b2c40c3da9224bc3764604f03d23f1ae2466b8e133db23e90cb0a5be3875e0b5f3c8df1cc7f6613898d41fed427d2d858e46ceac853ba158af941

memory/4864-84-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4864-88-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4864-89-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4864-96-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4864-97-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4864-104-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4864-105-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4864-112-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4864-113-0x0000000000400000-0x0000000000482000-memory.dmp