Malware Analysis Report

2025-01-02 03:06

Sample ID 240815-bpvefasbkl
Target 65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe
SHA256 65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9
Tags remcos remotehost discovery execution rat
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9

Threat Level: Known bad

The file 65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe was found to be: Known bad.

Malicious Activity Summary

remcos remotehost discovery execution rat

Remcos

Command and Scripting Interpreter: PowerShell

Uses the VBS compiler for execution

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-15 01:19

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 01:19

Reported

2024-08-15 01:22

Platform

win7-20240708-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe"

Signatures

Remcos

rat remcos

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2352 set thread context of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2352 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2352 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2352 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2352 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2352 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2352 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2352 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2352 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2352 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2352 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2352 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2352 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2352 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2352 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2352 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2352 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2352 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe

"C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hIGcKBg.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hIGcKBg" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA4B8.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ghost360.zapto.org | udp
NL | 45.66.231.219:4190 | ghost360.zapto.org | tcp
NL | 45.66.231.219:4190 | ghost360.zapto.org | tcp
NL | 45.66.231.219:4190 | ghost360.zapto.org | tcp
US | 8.8.8.8:53 | ghost360.zapto.org | udp
NL | 45.66.231.219:4190 | ghost360.zapto.org | tcp
NL | 45.66.231.219:4190 | ghost360.zapto.org | tcp
NL | 45.66.231.219:4190 | ghost360.zapto.org | tcp
US | 8.8.8.8:53 | ghost360.zapto.org | udp
NL | 45.66.231.219:4190 | ghost360.zapto.org | tcp

Files

memory/2352-0-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

memory/2352-1-0x00000000000E0000-0x00000000001E4000-memory.dmp

memory/2352-2-0x0000000074B80000-0x000000007526E000-memory.dmp

memory/2352-3-0x0000000000530000-0x000000000054E000-memory.dmp

memory/2352-4-0x00000000004B0000-0x00000000004C6000-memory.dmp

memory/2352-5-0x00000000059D0000-0x0000000005A90000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 e42664b753454e46fae5cb737bc9e3e1
SHA1 27d79fd705c3e615aa4f6ead771cdaf922dead81
SHA256 17ffbbcaa679b581d56fd19170608e5b22fd8a7b6f3ae3cdd52cc7ff4f3431ca
SHA512 fffcaeafa6745fed60b6378900346d26122ef6582c33e76fc9f7e998df467e880c06f69d4fc85e9d99fed16c3a087c322dc4849c522b17d0742faf99b31c96cd

C:\Users\Admin\AppData\Local\Temp\tmpA4B8.tmp

MD5 4e2b41165ccb0bcb9e07b8e6e3c383c3
SHA1 6f7abde67166122fd353662f3b0afa538a9c31b9
SHA256 697d482b588c6ad0d2dd97dd64b4133cd6499c4deb1c9ac554d1cf27286a67ca
SHA512 cdba8afe86d0044ce047d61125dc5d75c044d0333d3a3c187412f2b82f758c1fa4bac69efd827aaf2bfd2616936452ca327d516b6a89f9bb94e4fcf3036cde04

memory/2624-22-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-37-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-36-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-35-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-34-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2624-30-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-28-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-26-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2352-38-0x0000000074B80000-0x000000007526E000-memory.dmp

memory/2624-20-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-18-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-39-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-32-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-24-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-40-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-41-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-42-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-43-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-44-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-45-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-46-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-47-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-48-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-49-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-50-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-51-0x0000000000400000-0x0000000000482000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 01:19

Reported

2024-08-15 01:22

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe"

Signatures

Remcos

rat remcos

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | N/A

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2352 set thread context of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2352 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 4724 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 4724 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 4724 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2352 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2352 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2352 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2352 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2352 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2352 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2352 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2352 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2352 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2352 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2352 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2352 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2352 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2352 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe

"C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hIGcKBg.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hIGcKBg" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAD47.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | ghost360.zapto.org | udp
NL | 45.66.231.219:4190 | ghost360.zapto.org | tcp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
NL | 45.66.231.219:4190 | ghost360.zapto.org | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
NL | 45.66.231.219:4190 | ghost360.zapto.org | tcp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | ghost360.zapto.org | udp
NL | 45.66.231.219:4190 | ghost360.zapto.org | tcp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
NL | 45.66.231.219:4190 | ghost360.zapto.org | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
NL | 45.66.231.219:4190 | ghost360.zapto.org | tcp
US | 8.8.8.8:53 | ghost360.zapto.org | udp

Files

memory/2352-0-0x000000007530E000-0x000000007530F000-memory.dmp

memory/2352-1-0x00000000004F0000-0x00000000005F4000-memory.dmp

memory/2352-2-0x00000000054B0000-0x0000000005A54000-memory.dmp

memory/2352-3-0x0000000004FE0000-0x0000000005072000-memory.dmp

memory/2352-4-0x0000000005090000-0x000000000509A000-memory.dmp

memory/2352-5-0x00000000052D0000-0x000000000536C000-memory.dmp

memory/2352-6-0x0000000075300000-0x0000000075AB0000-memory.dmp

memory/2352-7-0x0000000005BD0000-0x0000000005BEE000-memory.dmp

memory/2352-8-0x0000000005BF0000-0x0000000005C06000-memory.dmp

memory/2352-9-0x0000000008C30000-0x0000000008CF0000-memory.dmp

memory/2568-14-0x0000000005060000-0x0000000005096000-memory.dmp

memory/2568-15-0x00000000057F0000-0x0000000005E18000-memory.dmp

memory/2568-16-0x0000000075300000-0x0000000075AB0000-memory.dmp

memory/2568-17-0x0000000075300000-0x0000000075AB0000-memory.dmp

memory/2568-18-0x0000000005750000-0x0000000005772000-memory.dmp

memory/2568-20-0x0000000005E90000-0x0000000005EF6000-memory.dmp

memory/2568-19-0x0000000005E20000-0x0000000005E86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bi3plqm5.hwi.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\tmpAD47.tmp

MD5 4ea3c8343528dd35ff30ec75e8c13adc
SHA1 5521edc9e2a0feb83777706026f80439d8f66bdc
SHA256 f2eba2b381122c90b6d20f5a047f9c45120e53e8dfebc9c19af9c2246e24a356
SHA512 899c2d63dba0425939850026adcc2c05b8f090b534ad4bb649688aca8af5f9bcf38f6c858918e8dc196a84baca937e8be8d2d0358f9d3da2a96ea6bfaed5e217

memory/2568-28-0x0000000006000000-0x0000000006354000-memory.dmp

memory/4724-27-0x0000000075300000-0x0000000075AB0000-memory.dmp

memory/4724-42-0x0000000075300000-0x0000000075AB0000-memory.dmp

memory/4724-43-0x0000000075300000-0x0000000075AB0000-memory.dmp

memory/2540-44-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2540-47-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2352-48-0x0000000075300000-0x0000000075AB0000-memory.dmp

memory/2540-45-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4724-50-0x0000000006380000-0x000000000639E000-memory.dmp

memory/4724-51-0x0000000006410000-0x000000000645C000-memory.dmp

memory/2540-49-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4724-53-0x0000000073DD0000-0x0000000073E1C000-memory.dmp

memory/2568-64-0x0000000073DD0000-0x0000000073E1C000-memory.dmp

memory/4724-63-0x0000000007300000-0x000000000731E000-memory.dmp

memory/4724-52-0x0000000007320000-0x0000000007352000-memory.dmp

memory/2568-74-0x0000000007810000-0x00000000078B3000-memory.dmp

memory/2568-76-0x0000000007950000-0x000000000796A000-memory.dmp

memory/2568-75-0x0000000007F90000-0x000000000860A000-memory.dmp

memory/4724-77-0x0000000007730000-0x000000000773A000-memory.dmp

memory/4724-78-0x0000000007940000-0x00000000079D6000-memory.dmp

memory/2568-79-0x0000000007B50000-0x0000000007B61000-memory.dmp

memory/2568-80-0x0000000007B80000-0x0000000007B8E000-memory.dmp

memory/2568-81-0x0000000007B90000-0x0000000007BA4000-memory.dmp

memory/4724-82-0x0000000007A00000-0x0000000007A1A000-memory.dmp

memory/4724-83-0x00000000079E0000-0x00000000079E8000-memory.dmp

memory/2568-90-0x0000000075300000-0x0000000075AB0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1258f46ccfc7b97bc472a9f9975ecb9d
SHA1 07827f5e6b4a0ed72d17aacb506535f4f406a479
SHA256 f785b51789835b87001dba882fee479e9e3fb351c6bdf97c076bb3d37a0e6738
SHA512 eb9aa3f524cf65b593e0323ac06635ad445f34f2f9c3d182560d653d208250b77e2535a8220e3916fb2717d3184bf876414273980fab16e84d791d54fadfdc26

memory/4724-89-0x0000000075300000-0x0000000075AB0000-memory.dmp

memory/2540-91-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2540-92-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2540-93-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2540-94-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2540-95-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2540-96-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2540-97-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2540-98-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2540-99-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2540-100-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2540-101-0x0000000000400000-0x0000000000482000-memory.dmp