Malware Analysis Report

2025-01-02 03:10

Sample ID 240816-myqy6avbqm
Target 06143ca53b8647a8091f968f56c3fd1d9129e597aeb8d92f402c5c3c0089c88c
SHA256 06143ca53b8647a8091f968f56c3fd1d9129e597aeb8d92f402c5c3c0089c88c
Tags
remcos remotehost discovery execution rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

06143ca53b8647a8091f968f56c3fd1d9129e597aeb8d92f402c5c3c0089c88c

Threat Level: Known bad

The file 06143ca53b8647a8091f968f56c3fd1d9129e597aeb8d92f402c5c3c0089c88c was found to be: Known bad.

Malicious Activity Summary

remcos remotehost discovery execution rat

Remcos

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-16 10:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-16 10:52

Reported

2024-08-16 10:55

Platform

win7-20240705-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe"

Signatures

Remcos

rat remcos

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3040 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 1892 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 1892 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 1892 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 1892 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3040 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3040 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3040 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3040 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe
PID 3040 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe
PID 3040 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe
PID 3040 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe
PID 3040 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe
PID 3040 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe
PID 3040 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe
PID 3040 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe
PID 3040 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe
PID 3040 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe
PID 3040 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe
PID 3040 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe
PID 3040 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe
PID 3040 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe
PID 3040 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe
PID 3040 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe
PID 3040 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe

"C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\CqcHNIR.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CqcHNIR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp58AB.tmp"

C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe

"C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe"

C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe

"C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe"

Network

Country | Destination | Domain | Proto
US | 212.162.149.42:7118 | | tcp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp

Files

memory/3040-0-0x0000000074AAE000-0x0000000074AAF000-memory.dmp

memory/3040-1-0x0000000001050000-0x0000000001140000-memory.dmp

memory/3040-2-0x0000000074AA0000-0x000000007518E000-memory.dmp

memory/3040-3-0x0000000004D30000-0x0000000004E00000-memory.dmp

memory/3040-4-0x0000000000570000-0x000000000057E000-memory.dmp

memory/3040-5-0x0000000074AAE000-0x0000000074AAF000-memory.dmp

memory/3040-6-0x0000000074AA0000-0x000000007518E000-memory.dmp

memory/3040-7-0x0000000000580000-0x000000000058E000-memory.dmp

memory/3040-8-0x0000000004E00000-0x0000000004EBE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 733c5eb5c4bfe5cad63bd73ce0206941
SHA1 e8677d809317e466788496b9651d9a741773884e
SHA256 464efb62a7fbfc56c232db5f9daa4d82381a0e6ffd3ca1224e4520edb67d1783
SHA512 909bd3210934306143a1e7a102287ec60d047827150802ea10cb840c6c1301b32f13df4ace11ed9efbb7a3439d4022f065a66c1b92479c1f8134ae831984f222

C:\Users\Admin\AppData\Local\Temp\tmp58AB.tmp

MD5 54691e245d55a1c5016aecf27062f6d8
SHA1 e97bc566bf9270d02a43fd763b3f1e6b8f37673e
SHA256 8ec546d595546c776755a0a71c4ed61351dfca33fa658c77e6e20adb605d5b69
SHA512 27073c1e24a7e369fce18395cc7936efa906baec9332627a683062af1b0ea2d525323679480380207924e059695c435e34e74da887f175b070350dd95cafd966

memory/2264-21-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2264-38-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2264-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2264-41-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2264-40-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2264-39-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2264-35-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2264-33-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2264-31-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2264-29-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2264-27-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2264-25-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2264-23-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3040-42-0x0000000074AA0000-0x000000007518E000-memory.dmp

memory/2264-43-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2264-44-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2264-45-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2264-48-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2264-49-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2264-51-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2264-50-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2264-53-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2264-52-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2264-55-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2264-54-0x0000000000400000-0x000000000047F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-16 10:52

Reported

2024-08-16 10:55

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe"

Signatures

Remcos

rat remcos

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3152 wrote to memory of 3160 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3152 wrote to memory of 3160 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3152 wrote to memory of 3160 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3152 wrote to memory of 4252 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3152 wrote to memory of 4252 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3152 wrote to memory of 4252 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3152 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3152 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3152 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3152 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe
PID 3152 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe
PID 3152 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe
PID 3152 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe
PID 3152 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe
PID 3152 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe
PID 3152 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe
PID 3152 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe
PID 3152 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe
PID 3152 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe
PID 3152 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe
PID 3152 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe

"C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\CqcHNIR.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CqcHNIR" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF52D.tmp"

C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe

"C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 212.162.149.42:7118 | | tcp
US | 8.8.8.8:53 | 42.149.162.212.in-addr.arpa | udp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp
US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp

Files

memory/3152-0-0x000000007516E000-0x000000007516F000-memory.dmp

memory/3152-1-0x0000000000460000-0x0000000000550000-memory.dmp

memory/3152-2-0x00000000054D0000-0x0000000005A74000-memory.dmp

memory/3152-3-0x0000000004FC0000-0x0000000005052000-memory.dmp

memory/3152-4-0x0000000075160000-0x0000000075910000-memory.dmp

memory/3152-5-0x00000000051B0000-0x00000000051BA000-memory.dmp

memory/3152-6-0x00000000062F0000-0x000000000638C000-memory.dmp

memory/3152-7-0x0000000006BF0000-0x00000000070BC000-memory.dmp

memory/3152-8-0x0000000006720000-0x00000000067F0000-memory.dmp

memory/3152-9-0x0000000005360000-0x000000000536E000-memory.dmp

memory/3152-10-0x000000007516E000-0x000000007516F000-memory.dmp

memory/3152-11-0x0000000075160000-0x0000000075910000-memory.dmp

memory/3152-12-0x00000000054B0000-0x00000000054BE000-memory.dmp

memory/3152-13-0x0000000006450000-0x000000000650E000-memory.dmp

memory/3160-18-0x0000000004F30000-0x0000000004F66000-memory.dmp

memory/3160-19-0x0000000075160000-0x0000000075910000-memory.dmp

memory/3160-20-0x0000000005670000-0x0000000005C98000-memory.dmp

memory/3160-21-0x0000000075160000-0x0000000075910000-memory.dmp

memory/4252-22-0x0000000075160000-0x0000000075910000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF52D.tmp

MD5 e62ca9bcb91670073a4a40027b002ec7
SHA1 7e16482b6ac970b1bf21dd7f5b7bb70c60ba6f42
SHA256 282f6d3b0e662ff4ca27fdaff198614650425b4ae4514b41e4baaee4a9c16100
SHA512 4175c28585f85a909df8463a4acf636b3eca0d7c6a030b22abf174e7d91294fcf76b6d62b118c6f7fb1e9777e689e52be943332a946e202a325b6a7b2e9e636d

memory/3160-31-0x0000000005EE0000-0x0000000005F46000-memory.dmp

memory/3160-30-0x0000000005E00000-0x0000000005E66000-memory.dmp

memory/4252-45-0x0000000075160000-0x0000000075910000-memory.dmp

memory/3160-47-0x0000000075160000-0x0000000075910000-memory.dmp

memory/2288-49-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2288-51-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2288-50-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3152-54-0x0000000075160000-0x0000000075910000-memory.dmp

memory/4252-53-0x0000000075160000-0x0000000075910000-memory.dmp

memory/2288-48-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4252-46-0x0000000006060000-0x00000000063B4000-memory.dmp

memory/4252-55-0x0000000006530000-0x000000000654E000-memory.dmp

memory/4252-56-0x0000000006570000-0x00000000065BC000-memory.dmp

memory/3160-29-0x0000000005D50000-0x0000000005D72000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m4w043ew.slb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2288-58-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2288-57-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2288-59-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3160-63-0x00000000759F0000-0x0000000075A3C000-memory.dmp

memory/3160-62-0x0000000006AB0000-0x0000000006AE2000-memory.dmp

memory/4252-74-0x00000000759F0000-0x0000000075A3C000-memory.dmp

memory/3160-73-0x0000000006AF0000-0x0000000006B0E000-memory.dmp

memory/3160-84-0x00000000074D0000-0x0000000007573000-memory.dmp

memory/3160-85-0x0000000007E50000-0x00000000084CA000-memory.dmp

memory/3160-86-0x0000000007810000-0x000000000782A000-memory.dmp

memory/4252-87-0x00000000078D0000-0x00000000078DA000-memory.dmp

memory/3160-88-0x0000000007A90000-0x0000000007B26000-memory.dmp

memory/4252-89-0x0000000007A60000-0x0000000007A71000-memory.dmp

memory/3160-90-0x0000000007A40000-0x0000000007A4E000-memory.dmp

memory/4252-91-0x0000000007AA0000-0x0000000007AB4000-memory.dmp

memory/4252-92-0x0000000007BA0000-0x0000000007BBA000-memory.dmp

memory/3160-93-0x0000000007B30000-0x0000000007B38000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 571aa8ebdaba4a41ea4f6d0c594aa5f8
SHA1 f2ad6dfee4528d6db8045962e2a113a306bd4517
SHA256 ae583a0f6cf875e4ae4af7547c65303e9607791fadffb6b9bf773bcbd2c615c5
SHA512 23d283622d8cfe6a073103f703cefac5776e81989b41fa3008a052f8d9401412b2149239d269ec14f080d4ecd680780ace305eb795d2929c718529942b8559d3

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/3160-100-0x0000000075160000-0x0000000075910000-memory.dmp

memory/4252-99-0x0000000075160000-0x0000000075910000-memory.dmp

memory/2288-101-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2288-102-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2288-103-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2288-104-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2288-105-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2288-106-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2288-107-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2288-108-0x0000000000400000-0x000000000047F000-memory.dmp