Malware Analysis Report

2024-12-07 03:35

Sample ID 241113-c7khmavhjk
Target 9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe
SHA256 9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6
Tags: remcos remotehost collection discovery execution rat spyware stealer
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6

Threat Level: Known bad

The file 9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe was found to be: Known bad.

Malicious Activity Summary

remcos remotehost collection discovery execution rat spyware stealer

Remcos

Remcos family

NirSoft MailPassView

Detected Nirsoft tools

NirSoft WebBrowserPassView

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Checks computer location settings

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 02:43

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 02:43

Reported

2024-11-13 02:45

Platform

win7-20240903-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe"

Signatures

Remcos

rat remcos

Remcos family

remcos

Detected Nirsoft tools

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (3 hits)

NirSoft MailPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

NirSoft WebBrowserPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A (2 hits)

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe | N/A (3 hits)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A (2 hits)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe | N/A (2 hits)

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1800 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 hits)
PID 1800 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 hits)
PID 1800 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe | C:\Windows\SysWOW64\schtasks.exe (4 hits)
PID 1800 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe (13 hits)
PID 2616 wrote to memory of 2100 | N/A | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe (4 hits)
PID 2616 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe (4 hits)
PID 2616 wrote to memory of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe (5 hits)
PID 2616 wrote to memory of 668 | N/A | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe (4 hits)
PID 2616 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe (5 hits)
PID 2616 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe (5 hits)

Processes

C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe

"C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gAGKIpbVdGGk.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gAGKIpbVdGGk" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE7FE.tmp"

C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe

"C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe"

C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe

C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe /stext "C:\Users\Admin\AppData\Local\Temp\tsmoetmipwodhrxscscmcnnva"

C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe

C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe /stext "C:\Users\Admin\AppData\Local\Temp\tsmoetmipwodhrxscscmcnnva"

C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe

C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe /stext "C:\Users\Admin\AppData\Local\Temp\tsmoetmipwodhrxscscmcnnva"

C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe

C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe /stext "C:\Users\Admin\AppData\Local\Temp\duayfmwbdegqkxmwuvwgfszejhwjc"

C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe

C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe /stext "C:\Users\Admin\AppData\Local\Temp\duayfmwbdegqkxmwuvwgfszejhwjc"

C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe

C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe /stext "C:\Users\Admin\AppData\Local\Temp\gpfrgehdrmyvuliadgjhpfuvjogsdgqs"

Network

Country | Destination | Domain | Proto
NL | 81.161.238.174:46098 | | tcp (4 connections)
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BB1TPJ2OMKVRD0GEASQ8.temp

MD5 824032f1258d0eb0396eb4987d5d18a4
SHA1 30bef5acd671c47b97222710b7d2f1f069a44560
SHA256 dbb96f045b1793fbaf77e175222e2897cf76968d740accc48ad9dba040b1641e
SHA512 af6add1b25a8c8ccc87dfb658a073401ee158059d3fc61d6693ac178ac13522dde6306cdae2580196fd200f823cc7cbaa7975a4951cf4c7533a6ac6ea1884de2

C:\Users\Admin\AppData\Local\Temp\tmpE7FE.tmp

MD5 eda4e4dd0c068c078a2752195f8e3f8e
SHA1 2bf496d72fec0b9a84726b8ef137489d18591599
SHA256 ee5d5a36252136aba5bb21d522d2766d3fb12c857e5e0670612f3840218504f6
SHA512 67d9432be6d894c9cb4a09f7b66644dbbf9c2d69bc4a24d92fc358d52895cb24d1c9ae8acd44426734a1019fa54b60e05b78828ae5bf10e46d72173affc13f38

C:\Users\Admin\AppData\Local\Temp\tsmoetmipwodhrxscscmcnnva

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 02:43

Reported

2024-11-13 02:45

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe"

Signatures

Remcos

rat remcos

Remcos family

remcos

Detected Nirsoft tools

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (3 hits)

NirSoft MailPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

NirSoft WebBrowserPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A (2 hits)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A (2 hits)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe | N/A (4 hits)

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A (2 hits)
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe | N/A (4 hits)
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A (2 hits)
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe | N/A (6 hits)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4308 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 hits)
PID 4308 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 hits)
PID 4308 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe | C:\Windows\SysWOW64\schtasks.exe (3 hits)
PID 4308 wrote to memory of 5108 | N/A | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe (3 hits)
PID 4308 wrote to memory of 412 | N/A | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe | C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe (11 hits)
PID 4308 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe
PID 412 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe
PID 412 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe
PID 412 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe
PID 412 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe
PID 412 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe
PID 412 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe
PID 412 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe
PID 412 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe
PID 412 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe
PID 412 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe
PID 412 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe
PID 412 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe
PID 412 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe
PID 412 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe
PID 412 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe

"C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gAGKIpbVdGGk.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gAGKIpbVdGGk" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC9E7.tmp"

C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe

"C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe"

C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe

"C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe"

C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe

C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe /stext "C:\Users\Admin\AppData\Local\Temp\eodktelmpt"

C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe

C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe /stext "C:\Users\Admin\AppData\Local\Temp\oqicuowgdbhly"

C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe

C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe /stext "C:\Users\Admin\AppData\Local\Temp\rkwvvhhhrjzqaznry"

C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe

C:\Users\Admin\AppData\Local\Temp\9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6.exe /stext "C:\Users\Admin\AppData\Local\Temp\rkwvvhhhrjzqaznry"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
NL 81.161.238.174:46098 tcp
US 8.8.8.8:53 174.238.161.81.in-addr.arpa udp
NL 81.161.238.174:46098 tcp
NL 81.161.238.174:46098 tcp
NL 81.161.238.174:46098 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp

Files

memory/4308-0-0x00000000749FE000-0x00000000749FF000-memory.dmp

memory/4308-1-0x0000000000510000-0x000000000061C000-memory.dmp

memory/4308-2-0x0000000005590000-0x0000000005B34000-memory.dmp

memory/4308-3-0x0000000005080000-0x0000000005112000-memory.dmp

memory/4308-4-0x0000000005020000-0x000000000502A000-memory.dmp

memory/4308-5-0x00000000749F0000-0x00000000751A0000-memory.dmp

memory/4308-6-0x00000000052C0000-0x000000000535C000-memory.dmp

memory/4308-7-0x0000000005420000-0x000000000543C000-memory.dmp

memory/4308-8-0x00000000749FE000-0x00000000749FF000-memory.dmp

memory/4308-9-0x00000000749F0000-0x00000000751A0000-memory.dmp

memory/4308-10-0x000000000A7A0000-0x000000000A860000-memory.dmp

memory/2896-15-0x00000000027D0000-0x0000000002806000-memory.dmp

memory/2896-16-0x00000000749F0000-0x00000000751A0000-memory.dmp

memory/2896-18-0x00000000749F0000-0x00000000751A0000-memory.dmp

memory/2896-19-0x00000000749F0000-0x00000000751A0000-memory.dmp

memory/2896-17-0x0000000005490000-0x0000000005AB8000-memory.dmp

memory/2864-21-0x00000000749F0000-0x00000000751A0000-memory.dmp

memory/2896-22-0x0000000005240000-0x0000000005262000-memory.dmp

memory/2896-24-0x0000000005AC0000-0x0000000005B26000-memory.dmp

memory/2864-25-0x00000000749F0000-0x00000000751A0000-memory.dmp

memory/2896-23-0x00000000053E0000-0x0000000005446000-memory.dmp

memory/2896-31-0x0000000005B30000-0x0000000005E84000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g04v3czz.1oi.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/412-46-0x0000000000400000-0x0000000000482000-memory.dmp

memory/412-49-0x0000000000400000-0x0000000000482000-memory.dmp

memory/412-50-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4308-51-0x00000000749F0000-0x00000000751A0000-memory.dmp

memory/412-48-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2896-52-0x00000000060F0000-0x000000000610E000-memory.dmp

memory/412-45-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2896-53-0x00000000061A0000-0x00000000061EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpC9E7.tmp

MD5 4c20be0bcef3443159aa2c4fdff96e93
SHA1 067b533da242e38cf90dd7481a610f0266dc8e14
SHA256 a89cfba12d5f3a34fcfa7edb0f637b9be9418c37cf42cdbdd4e1a77150e3add2
SHA512 1d496b76ab55ecd0247f50e187c2a2ef79fbdaa9481288dc9218027a3a37ce051761da325fb33cf886a03a88e79ee9101718585670c667634a32193673bb32d3

memory/412-54-0x0000000000400000-0x0000000000482000-memory.dmp

memory/412-55-0x0000000000400000-0x0000000000482000-memory.dmp

memory/412-56-0x0000000000400000-0x0000000000482000-memory.dmp

memory/412-57-0x0000000000400000-0x0000000000482000-memory.dmp

memory/412-58-0x0000000000400000-0x0000000000482000-memory.dmp

memory/412-61-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2864-62-0x0000000007010000-0x0000000007042000-memory.dmp

memory/2864-63-0x00000000752A0000-0x00000000752EC000-memory.dmp

memory/2864-83-0x0000000007050000-0x000000000706E000-memory.dmp

memory/2896-73-0x00000000752A0000-0x00000000752EC000-memory.dmp

memory/2864-84-0x0000000007080000-0x0000000007123000-memory.dmp

memory/2864-85-0x0000000007800000-0x0000000007E7A000-memory.dmp

memory/2864-86-0x00000000071C0000-0x00000000071DA000-memory.dmp

memory/2896-87-0x00000000074B0000-0x00000000074BA000-memory.dmp

memory/2864-88-0x0000000007440000-0x00000000074D6000-memory.dmp

memory/2896-89-0x0000000007630000-0x0000000007641000-memory.dmp

memory/2864-90-0x00000000073F0000-0x00000000073FE000-memory.dmp

memory/2896-91-0x0000000007670000-0x0000000007684000-memory.dmp

memory/2864-92-0x0000000007500000-0x000000000751A000-memory.dmp

memory/2896-93-0x0000000007750000-0x0000000007758000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7db428de8939df294967d3659221251a
SHA1 42046b78c3bc546b289991b1888f863ff047d735
SHA256 c9d7086459fd56e9261b4e3c416b6275318857fc2d30edf7900f292ee0e9928d
SHA512 d45847e94aaac01700ea8c47e20e56cdfb17eadf379620a13a9e8ee01fc5c4970b0951dd41b9fecccf626f9ff7cd466fe350f4c0ccffcc3473066e45fbc69cd3

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/2864-99-0x00000000749F0000-0x00000000751A0000-memory.dmp

memory/2896-100-0x00000000749F0000-0x00000000751A0000-memory.dmp

memory/412-101-0x0000000000400000-0x0000000000482000-memory.dmp

memory/412-102-0x0000000000400000-0x0000000000482000-memory.dmp

memory/412-103-0x0000000000400000-0x0000000000482000-memory.dmp

memory/412-104-0x0000000000400000-0x0000000000482000-memory.dmp

memory/412-106-0x0000000000400000-0x0000000000482000-memory.dmp

memory/412-105-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3460-107-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3460-110-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3460-111-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1896-113-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1896-117-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1896-118-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2892-112-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2892-109-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2892-108-0x0000000000400000-0x0000000000462000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eodktelmpt

MD5 562a58578d6d04c7fb6bda581c57c03c
SHA1 12ab2b88624d01da0c5f5d1441aa21cbc276c5f5
SHA256 ff5c70287ba432a83f9015209d6e933462edca01d68c53c09882e1e4d22241c8
SHA512 3f6e19faa0196bd4c085defa587e664abdd63c25ef30df8f4323e60a5a5aca3cd2709466f772e64ab00fe331d4264841422d6057451947f3500e9252a132254e

memory/412-121-0x0000000010000000-0x0000000010019000-memory.dmp

memory/412-125-0x0000000010000000-0x0000000010019000-memory.dmp

memory/412-124-0x0000000010000000-0x0000000010019000-memory.dmp

memory/412-126-0x0000000000400000-0x0000000000482000-memory.dmp

memory/412-128-0x0000000000400000-0x0000000000482000-memory.dmp

memory/412-127-0x0000000000400000-0x0000000000482000-memory.dmp

memory/412-129-0x0000000000400000-0x0000000000482000-memory.dmp

memory/412-130-0x0000000000400000-0x0000000000482000-memory.dmp

memory/412-131-0x0000000000400000-0x0000000000482000-memory.dmp

memory/412-132-0x0000000000400000-0x0000000000482000-memory.dmp