Malware Analysis Report

2025-06-15 22:21

Sample ID: 241109-x5t99szlcw
Target: e18db2a079a2f7c4e47e676e1a252ba3f09efa95fbff3efb6ef738df96fb5ebfN
SHA256: e18db2a079a2f7c4e47e676e1a252ba3f09efa95fbff3efb6ef738df96fb5ebf
Tags: remcos newfile discovery execution rat
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: e18db2a079a2f7c4e47e676e1a252ba3f09efa95fbff3efb6ef738df96fb5ebf

Threat Level: Known bad

The file e18db2a079a2f7c4e47e676e1a252ba3f09efa95fbff3efb6ef738df96fb5ebfN was found to be: Known bad.

Malicious Activity Summary

remcos newfile discovery execution rat

Remcos

Remcos family

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-09 19:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-09 19:26
Reported: 2024-11-09 19:28
Platform: win7-20241010-en
Max time kernel: 118s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e18db2a079a2f7c4e47e676e1a252ba3f09efa95fbff3efb6ef738df96fb5ebfN.exe"

Signatures

Remcos

rat remcos

Remcos family

remcos

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e18db2a079a2f7c4e47e676e1a252ba3f09efa95fbff3efb6ef738df96fb5ebfN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2328 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\e18db2a079a2f7c4e47e676e1a252ba3f09efa95fbff3efb6ef738df96fb5ebfN.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2328 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\e18db2a079a2f7c4e47e676e1a252ba3f09efa95fbff3efb6ef738df96fb5ebfN.exe C:\Windows\SysWOW64\schtasks.exe
PID 2328 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\e18db2a079a2f7c4e47e676e1a252ba3f09efa95fbff3efb6ef738df96fb5ebfN.exe C:\Users\Admin\AppData\Local\Temp\e18db2a079a2f7c4e47e676e1a252ba3f09efa95fbff3efb6ef738df96fb5ebfN.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e18db2a079a2f7c4e47e676e1a252ba3f09efa95fbff3efb6ef738df96fb5ebfN.exe

"C:\Users\Admin\AppData\Local\Temp\e18db2a079a2f7c4e47e676e1a252ba3f09efa95fbff3efb6ef738df96fb5ebfN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cRBWNNQsqe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cRBWNNQsqe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4450.tmp"

C:\Users\Admin\AppData\Local\Temp\e18db2a079a2f7c4e47e676e1a252ba3f09efa95fbff3efb6ef738df96fb5ebfN.exe

"C:\Users\Admin\AppData\Local\Temp\e18db2a079a2f7c4e47e676e1a252ba3f09efa95fbff3efb6ef738df96fb5ebfN.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 novsereverconfigconnect.duckdns.org udp
US 192.169.69.26:45682 novsereverconfigconnect.duckdns.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp4450.tmp

MD5 c5423e2c94ac52e83f79699a652a1983
SHA1 358517caa82c80cf585c387cf5dd15a5b3a07800
SHA256 13b708dc866c8bbf5b367c112b3a3d565a494ccdf647041d64c1feee97193194
SHA512 3f9980243c1891e88eca17b353ab601b923965ebfdfb818d5f194e2c3ed8adea82c40433c4615f2877f40c34da8ea7c918e77c8901ea9bf745258177c6c7cdf0

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-09 19:26
Reported: 2024-11-09 19:28
Platform: win10v2004-20241007-en
Max time kernel: 120s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e18db2a079a2f7c4e47e676e1a252ba3f09efa95fbff3efb6ef738df96fb5ebfN.exe"

Signatures

Remcos

rat remcos

Remcos family

remcos

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e18db2a079a2f7c4e47e676e1a252ba3f09efa95fbff3efb6ef738df96fb5ebfN.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e18db2a079a2f7c4e47e676e1a252ba3f09efa95fbff3efb6ef738df96fb5ebfN.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e18db2a079a2f7c4e47e676e1a252ba3f09efa95fbff3efb6ef738df96fb5ebfN.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4740 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\e18db2a079a2f7c4e47e676e1a252ba3f09efa95fbff3efb6ef738df96fb5ebfN.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4740 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\e18db2a079a2f7c4e47e676e1a252ba3f09efa95fbff3efb6ef738df96fb5ebfN.exe C:\Windows\SysWOW64\schtasks.exe
PID 4740 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\e18db2a079a2f7c4e47e676e1a252ba3f09efa95fbff3efb6ef738df96fb5ebfN.exe C:\Users\Admin\AppData\Local\Temp\e18db2a079a2f7c4e47e676e1a252ba3f09efa95fbff3efb6ef738df96fb5ebfN.exe
PID 4740 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\e18db2a079a2f7c4e47e676e1a252ba3f09efa95fbff3efb6ef738df96fb5ebfN.exe C:\Users\Admin\AppData\Local\Temp\e18db2a079a2f7c4e47e676e1a252ba3f09efa95fbff3efb6ef738df96fb5ebfN.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e18db2a079a2f7c4e47e676e1a252ba3f09efa95fbff3efb6ef738df96fb5ebfN.exe

"C:\Users\Admin\AppData\Local\Temp\e18db2a079a2f7c4e47e676e1a252ba3f09efa95fbff3efb6ef738df96fb5ebfN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cRBWNNQsqe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cRBWNNQsqe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE2CE.tmp"

C:\Users\Admin\AppData\Local\Temp\e18db2a079a2f7c4e47e676e1a252ba3f09efa95fbff3efb6ef738df96fb5ebfN.exe

"C:\Users\Admin\AppData\Local\Temp\e18db2a079a2f7c4e47e676e1a252ba3f09efa95fbff3efb6ef738df96fb5ebfN.exe"

C:\Users\Admin\AppData\Local\Temp\e18db2a079a2f7c4e47e676e1a252ba3f09efa95fbff3efb6ef738df96fb5ebfN.exe

"C:\Users\Admin\AppData\Local\Temp\e18db2a079a2f7c4e47e676e1a252ba3f09efa95fbff3efb6ef738df96fb5ebfN.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 novsereverconfigconnect.duckdns.org udp
US 192.169.69.26:45682 novsereverconfigconnect.duckdns.org tcp
US 8.8.8.8:53 26.69.169.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 101.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmpE2CE.tmp

MD5 215f5ff2dc0ab9491b6e26cce535437b
SHA1 2c355d6f002dc64f09ae9b6501f9e28bac85660b
SHA256 ea4c209c6027e68a3ae40d72822ce5f2f9e77d2cad546209222e664568e35149
SHA512 f4f63424cef7121e6f9abfd7e9c117501e6cc8de3ae10cd39fd138b5e656fcc04a732f268e5d9fc2e7582b886ff8354adb40e704fb95f21271fdff5a25fd9794

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g3g24h5q.f0p.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
