Malware Analysis Report

2025-01-02 12:13

Sample ID 240417-p6el7sgb45
Target 0486a402a26990b8173dbe65e26fc129c4cac2d3ea28c430c816fedfd70bd33e
SHA256 0486a402a26990b8173dbe65e26fc129c4cac2d3ea28c430c816fedfd70bd33e
Tags asyncrat, default, rat
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

0486a402a26990b8173dbe65e26fc129c4cac2d3ea28c430c816fedfd70bd33e

Threat Level: Known bad

The file 0486a402a26990b8173dbe65e26fc129c4cac2d3ea28c430c816fedfd70bd33e was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat

AsyncRat

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Delays execution with timeout.exe

Execution chain, identical in both detonations: the sample runs as a 32-bit process (all of its children are the SysWOW64 binaries) and first spawns powershell.exe Add-MpPreference twice to add Defender exclusions for its own path and for AppData\Roaming\FITGzizVFD.exe, then creates the scheduled task Updates\FITGzizVFD from a temporary XML (tmp76D5.tmp). It next starts a second copy of its own image and writes into it (WriteProcessMemory, SetThreadContext), the process-hollowing pattern. That injected child uses cmd.exe to register a logon task named "msdtc" with /rl highest whose action is AppData\Roaming\msdtc.exe, and runs a temporary batch file (tmp8640.tmp.bat) that sleeps three seconds via timeout.exe and launches that copy. msdtc.exe has SHA256 fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e, the name under which the sample itself was executed, so it is a byte-for-byte copy of the loader rather than a downloaded second stage; the copy repeats the exclusion, task and self-injection steps. The Windows 7 run records 11 TCP connections to 194.147.140.157:3361 with no DNS lookup, consistent with a hard-coded AsyncRAT C2. Note that the report's Target/SHA256 (0486a402...) differs from the hash of the executed file; the page does not say how the two relate, so take the IOC hashes from the Files section.

MITRE ATT&CK

Enterprise Matrix V15

The rendered matrix is not part of this export; the techniques below are mapped from the signatures and command lines recorded in the behavioral runs:

T1059.001 PowerShell and T1059.003 Windows Command Shell: powershell.exe Add-MpPreference, cmd.exe /c schtasks, cmd /c tmp8640.tmp.bat
T1562.001 Impair Defenses: Disable or Modify Tools: Defender exclusion paths added for the sample, FITGzizVFD.exe and msdtc.exe
T1053.005 Scheduled Task: Updates\FITGzizVFD (created from XML) and the onlogon task "msdtc" with /rl highest
T1036.005 Masquerading: Match Legitimate Name or Location: msdtc.exe executed from AppData\Roaming
T1055 Process Injection: self-spawn followed by WriteProcessMemory and SetThreadContext (the process-hollowing shape, T1055.012)
T1497.003 Time Based Evasion: timeout 3 before launching the copy
T1057 Process Discovery: EnumeratesProcesses
T1614.001 System Language Discovery: Control Panel\International\Geo\Nation query (win10 run)
T1082 System Information Discovery: physical storage device enumeration
T1571 Non-Standard Port: C2 over TCP/3361

Analysis: static1

Detonation Overview

Reported

2024-04-17 12:56

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 12:56

Reported

2024-04-17 12:58

Platform

win7-20240220-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"

Signatures

AsyncRat

rat asyncrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\msdtc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\msdtc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Process Events
C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe 9
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 4
C:\Users\Admin\AppData\Roaming\msdtc.exe 7

Suspicious use of WriteProcessMemory

Description Events Process Target
PID 3028 wrote to memory of 2552 4 C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3028 wrote to memory of 2408 4 C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3028 wrote to memory of 2560 4 C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\schtasks.exe
PID 3028 wrote to memory of 2880 9 C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe
PID 2880 wrote to memory of 2200 4 C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 1556 4 C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\cmd.exe
PID 2200 wrote to memory of 1004 4 C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1556 wrote to memory of 772 4 C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1556 wrote to memory of 1284 4 C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\msdtc.exe
PID 1284 wrote to memory of 1900 4 C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1284 wrote to memory of 1972 4 C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1284 wrote to memory of 1756 4 C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Windows\SysWOW64\schtasks.exe
PID 1284 wrote to memory of 2076 9 C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Users\Admin\AppData\Roaming\msdtc.exe
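The WriteProcessMemory table lists one row per call, which hides its structure: 3028 wrote four times into each ordinary child (powershell, schtasks, cmd) but nine times into the fresh copy of its own image (2880), and 1284 repeats that pattern into 2076. Together with the SetThreadContext signature and the 0x00400000-0x00412000 dumps taken from exactly those two children, that is the process-hollowing shape. The script below is an added example, not part of the sandbox report: it parses rows in the report's own line format, rebuilds the parent/child tree with write counts per edge, and flags children that share the parent's image and received more writes than the median edge. The rows are regenerated from the behavioral1 event counts so the parser runs on the literal row text; PIDs and paths are those of behavioral1.

```python
"""Rebuild the process tree from rows of the report's WriteProcessMemory table.

Added example, not part of the sandbox report.  Row format parsed:
    PID <parent> wrote to memory of <child> N/A <parent image> <child image>
"""
import re
from collections import Counter, defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
TIMEOUT = r"C:\Windows\SysWOW64\timeout.exe"
MSDTC = r"C:\Users\Admin\AppData\Roaming\msdtc.exe"

# behavioral1 edges: (parent, child, parent image, child image, number of
# identical rows in the report).  Expanded below into the literal row text so
# the parser is exercised on the real format rather than on this summary.
REPORT_EVENTS = [
    (3028, 2552, SAMPLE, PS, 4), (3028, 2408, SAMPLE, PS, 4),
    (3028, 2560, SAMPLE, SCHTASKS, 4), (3028, 2880, SAMPLE, SAMPLE, 9),
    (2880, 2200, SAMPLE, CMD, 4), (2880, 1556, SAMPLE, CMD, 4),
    (2200, 1004, CMD, SCHTASKS, 4), (1556, 772, CMD, TIMEOUT, 4),
    (1556, 1284, CMD, MSDTC, 4), (1284, 1900, MSDTC, PS, 4),
    (1284, 1972, MSDTC, PS, 4), (1284, 1756, MSDTC, SCHTASKS, 4),
    (1284, 2076, MSDTC, MSDTC, 9),
]
REPORT_TEXT = "\n".join(
    f"PID {p} wrote to memory of {c} N/A {pi} {ci}"
    for p, c, pi, ci, n in REPORT_EVENTS for _ in range(n)
)

# Paths in this report contain no spaces, so \S+ is enough for the two columns.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def parse_rows(text):
    """Return ({(parent, child): write_count}, {pid: image_path})."""
    writes, images = Counter(), {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        parent, child = int(m.group(1)), int(m.group(2))
        writes[(parent, child)] += 1
        images.setdefault(parent, m.group(3))
        images.setdefault(child, m.group(4))
    return writes, images


def children_of(writes):
    """Parent -> children, in the order the report first shows each child."""
    tree = defaultdict(list)
    for parent, child in writes:
        tree[parent].append(child)
    return tree


def roots(writes):
    """PIDs that wrote into others but were never written into (the origin)."""
    return sorted({p for p, _ in writes} - {c for _, c in writes})


def self_injection_edges(writes, images, baseline=None):
    """Edges where a process wrote into a new copy of its own image more often
    than an ordinary CreateProcess needs (baseline = median writes per edge).
    The surplus writes are the loader copying its payload into the suspended
    child before resetting the child's thread context."""
    if baseline is None:
        counts = sorted(writes.values())
        baseline = counts[len(counts) // 2]
    return sorted(
        edge for edge, n in writes.items()
        if images[edge[0]].lower() == images[edge[1]].lower() and n > baseline
    )


def render(writes, images, pid, depth=0, via=None):
    """Indented tree as a list of lines; `via` = writes on the edge from the parent."""
    tree = children_of(writes)
    name = images[pid].rsplit("\\", 1)[-1]
    tag = f"  [{via} writes from parent]" if via is not None else ""
    lines = ["  " * depth + f"{pid} {name}{tag}"]
    for child in tree.get(pid, []):
        lines += render(writes, images, child, depth + 1, writes[(pid, child)])
    return lines


WRITES, IMAGES = parse_rows(REPORT_TEXT)

if __name__ == "__main__":
    for root in roots(WRITES):
        print("\n".join(render(WRITES, IMAGES, root)))
    print("self-injection edges:", self_injection_edges(WRITES, IMAGES))
```

The median baseline is chosen rather than a fixed number because the per-spawn write count differs between sandbox images (four on the win7 run, three on the win10 run below); what matters is the surplus into a same-image child, not the absolute count.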

Processes

Image path followed by its command line, in the order the sandbox recorded them. Three details matter for detection. The image paths are under SysWOW64 while the command lines name System32: the sample is 32-bit and WOW64 file-system redirection rewrites the path, so match on the image path, not on the command line. The Defender exclusions are requested with Add-MpPreference, which is not available on the Windows 7 image and needs an elevated session on Windows 10; the report does not show whether any exclusion was actually written. FITGzizVFD.exe, the second exclusion target, never appears in the Files list, and the action of the XML-defined task is not visible on the command line, so the dropped task definition tmp76D5.tmp (hashed under Files) is the artefact to pull to learn what Updates\FITGzizVFD runs.

C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe

"C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FITGzizVFD.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FITGzizVFD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp76D5.tmp"

C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe

"C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8640.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\msdtc.exe

"C:\Users\Admin\AppData\Roaming\msdtc.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\msdtc.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FITGzizVFD.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FITGzizVFD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE1E6.tmp"

C:\Users\Admin\AppData\Roaming\msdtc.exe

"C:\Users\Admin\AppData\Roaming\msdtc.exe"

Network

Country Destination Domain Proto Connections
UA 194.147.140.157:3361 (none) tcp 11

All eleven connections go directly to 194.147.140.157 on TCP/3361 with no DNS resolution (the Domain column is empty), so the C2 address is embedded in the sample. For containment, block the IP:port pair and alert on outbound TCP/3361 from user-profile executables; a DNS-based control would not see this traffic.

Files

Dropped or written files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MOE2L3T7XP14A8O2PGPU.temp

MD5 743f4154d743ac4de54a97ae94bb09aa
SHA1 938b504baf488e74a44f599010e54c7970de97ae
SHA256 059845896e5afe225594d290a5334d6751336c4b70e6eae368dceb8cc9f606eb
SHA512 6536dfbab88d9796606d39e09c846b21ae46178efd0fa6999b2bb84f3db122d64df382077dfac9bad37dce081d8b15958e28bee0ecb94c429e9ffebcd2a28117

C:\Users\Admin\AppData\Local\Temp\tmp76D5.tmp (task definition XML for Updates\FITGzizVFD)

MD5 e6e0fe790f8459d1fce8cfdae134737a
SHA1 e8afbb57a1b8caed66931139ada15a70b92cca28
SHA256 fb1651eb50556e997ec359429569a0f133d7692386d542f8e79d89e7edef999c
SHA512 9672e8348e9b6663a820a513d5ca344e322130b381976a60609ac618a8ac4a57f2657bbeea8fd3cc1b6126f9aa33f399ac5cb82c7bdb694541e6b8f2da30fc0b

C:\Users\Admin\AppData\Local\Temp\tmp8640.tmp.bat (batch run by cmd.exe 1556; its children are timeout.exe and msdtc.exe)

MD5 fc38fdd86af899cbad553b0a3fc75100
SHA1 b61ea762c299d542e29c74ee9b992b176a69521d
SHA256 ac946836600658f518111284fdf416a116f344e4b80249e77c73b30b7ce3f4e0
SHA512 0990e9c621c3be59108e35ea927d86e857cf7cf84a33a28c9612a9d7bf5f954b4b2c2e11e1eee47f73f4947f585c13b002139b6a1d928ede9e3f5bba47cc536b

C:\Users\Admin\AppData\Roaming\msdtc.exe (same SHA256 as the executed sample's file name, i.e. a copy of the loader)

MD5 ead981cd98146fabe078992943b0329d
SHA1 a20ba9450187e13e3ed62e6beab4d2bec788df01
SHA256 fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e
SHA512 a20fc11777c75d1062c16407b0f77098e93cdfa28afae053fd8671b56afc234c4bce9243dcd516adb95183a8d4aa58dafb850bd54c996c7507b2bf51c0fcb03a

Memory dumps

Dump files are named memory/<pid>-<index>-<start>-<end>-memory.dmp; they are listed here per PID as index: region, with indices in the order the dumps were taken.

memory/3028 (first sample instance): 0: 0x01130000-0x011A4000; 1, 27, 31: 0x744C0000-0x74BAE000; 2: 0x04E30000-0x04E70000; 3: 0x00320000-0x00334000; 4: 0x003D0000-0x003DA000; 5: 0x00420000-0x0042C000; 6: 0x00A00000-0x00A54000

memory/2880 (self-spawned child of 3028): 19, 20, 21, 22, 25, 28, 30: 0x00400000-0x00412000; 23: 0x7EFDE000-0x7EFDF000; 41, 54: 0x744C0000-0x74BAE000; 44: 0x00C70000-0x00CB0000

memory/2408 (powershell.exe): 32, 36, 43: 0x6F010000-0x6F5BB000; 34, 39, 40: 0x01D20000-0x01D60000

memory/2552 (powershell.exe): 33, 37, 42: 0x6F010000-0x6F5BB000; 35, 38: 0x02D00000-0x02D40000

memory/1284 (msdtc.exe): 58: 0x00090000-0x00104000; 59: 0x00320000-0x00334000; 60, 63, 90: 0x74470000-0x74B5E000; 61: 0x04D90000-0x04DD0000; 62: 0x042C0000-0x04314000

memory/1972 (powershell.exe): 76, 92, 100: 0x6E690000-0x6EC3B000; 85, 95, 96: 0x029C0000-0x02A00000

memory/1900 (powershell.exe): 82, 94, 99: 0x6E690000-0x6EC3B000; 86, 97: 0x02E10000-0x02E50000

memory/2076 (self-spawned child of 1284): 81: 0x7EFDE000-0x7EFDF000; 89, 93: 0x00400000-0x00412000; 98, 102: 0x731C0000-0x738AE000; 101, 103: 0x01F40000-0x01F80000

The 0x00400000-0x00412000 region (0x12000 bytes at the default image base) is dumped repeatedly from 2880 and 2076, the two processes that received the surplus WriteProcessMemory calls from a parent of the same image. It is the most likely location of the injected payload and the first dump to carve for the AsyncRAT configuration (C2 host, port, mutex, install name).

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 12:56

Reported

2024-04-17 12:59

Platform

win10v2004-20240412-en

Max time kernel

144s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"

Signatures

AsyncRat

rat asyncrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\msdtc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\msdtc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\msdtc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Process Events
C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe 28
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 8
C:\Users\Admin\AppData\Roaming\msdtc.exe 7

Suspicious use of WriteProcessMemory

Description Events Process Target
PID 3652 wrote to memory of 4108 3 C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3652 wrote to memory of 3056 3 C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3652 wrote to memory of 2492 3 C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\schtasks.exe
PID 3652 wrote to memory of 4604 8 C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe
PID 4604 wrote to memory of 2704 3 C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 1412 3 C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2832 3 C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1412 wrote to memory of 1580 3 C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1412 wrote to memory of 4368 3 C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\msdtc.exe
PID 4368 wrote to memory of 736 3 C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4368 wrote to memory of 3516 3 C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4368 wrote to memory of 4808 3 C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Windows\SysWOW64\schtasks.exe
PID 4368 wrote to memory of 4492 2 (table ends here) C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Users\Admin\AppData\Roaming\msdtc.exe
PID 4368 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Users\Admin\AppData\Roaming\msdtc.exe
PID 4368 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Users\Admin\AppData\Roaming\msdtc.exe
PID 4368 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Users\Admin\AppData\Roaming\msdtc.exe
PID 4368 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Users\Admin\AppData\Roaming\msdtc.exe
PID 4368 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Users\Admin\AppData\Roaming\msdtc.exe
PID 4368 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Users\Admin\AppData\Roaming\msdtc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe

"C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FITGzizVFD.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FITGzizVFD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9431.tmp"

C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe

"C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA50A.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\msdtc.exe

"C:\Users\Admin\AppData\Roaming\msdtc.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\msdtc.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FITGzizVFD.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FITGzizVFD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFF01.tmp"

C:\Users\Admin\AppData\Roaming\msdtc.exe

"C:\Users\Admin\AppData\Roaming\msdtc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
UA 194.147.140.157:3361 N/A tcp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
UA 194.147.140.157:3361 N/A tcp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp
UA 194.147.140.157:3361 N/A tcp
UA 194.147.140.157:3361 N/A tcp
UA 194.147.140.157:3361 N/A tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
UA 194.147.140.157:3361 N/A tcp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
UA 194.147.140.157:3361 N/A tcp
UA 194.147.140.157:3361 N/A tcp
UA 194.147.140.157:3361 N/A tcp
UA 194.147.140.157:3361 N/A tcp
UA 194.147.140.157:3361 N/A tcp
UA 194.147.140.157:3361 N/A tcp

Files

memory/3652-1-0x0000000075240000-0x00000000759F0000-memory.dmp

memory/3652-2-0x0000000005420000-0x00000000059C4000-memory.dmp

memory/3652-0-0x0000000000420000-0x0000000000494000-memory.dmp

memory/3652-3-0x0000000004F10000-0x0000000004FA2000-memory.dmp

memory/3652-4-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

memory/3652-5-0x0000000004EA0000-0x0000000004EAA000-memory.dmp

memory/3652-6-0x0000000004F00000-0x0000000004F14000-memory.dmp

memory/3652-7-0x0000000005030000-0x000000000503A000-memory.dmp

memory/3652-8-0x0000000005040000-0x000000000504C000-memory.dmp

memory/3652-9-0x00000000061B0000-0x0000000006204000-memory.dmp

memory/3652-10-0x00000000087F0000-0x000000000888C000-memory.dmp

memory/4108-15-0x0000000000CC0000-0x0000000000CF6000-memory.dmp

memory/3652-16-0x0000000075240000-0x00000000759F0000-memory.dmp

memory/4108-17-0x0000000005220000-0x0000000005848000-memory.dmp

memory/4108-18-0x0000000075240000-0x00000000759F0000-memory.dmp

memory/4108-19-0x0000000002610000-0x0000000002620000-memory.dmp

memory/4108-20-0x0000000002610000-0x0000000002620000-memory.dmp

memory/3652-21-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9431.tmp

MD5 c6345a62573bb388c89da13dac938e47
SHA1 fbaefc94ef505f521494fa4e7db1d8b610ee209d
SHA256 6e3c84f17df2f9af0932e432157021c20a398beba7e719f7ce2d41382023e076
SHA512 98b893e7daad3508d181c7e28421c5751625a43344b472210d6c14825b691e7f62054356fa7c558a6725cb33ac36526d1ac56ff92e137c571b11ef20d2857fee

memory/3056-22-0x0000000075240000-0x00000000759F0000-memory.dmp

memory/4108-23-0x0000000004EE0000-0x0000000004F02000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o5vkiriz.zdw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3056-35-0x0000000005110000-0x0000000005176000-memory.dmp

memory/3056-30-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

memory/4604-37-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3056-36-0x00000000053B0000-0x0000000005416000-memory.dmp

memory/4604-40-0x0000000075240000-0x00000000759F0000-memory.dmp

memory/3056-38-0x0000000005A50000-0x0000000005DA4000-memory.dmp

memory/3652-50-0x0000000075240000-0x00000000759F0000-memory.dmp

memory/4108-51-0x0000000005DB0000-0x0000000005DCE000-memory.dmp

memory/4108-52-0x0000000005DE0000-0x0000000005E2C000-memory.dmp

memory/3056-53-0x00000000065E0000-0x0000000006612000-memory.dmp

memory/4108-54-0x0000000075AF0000-0x0000000075B3C000-memory.dmp

memory/3056-56-0x0000000075AF0000-0x0000000075B3C000-memory.dmp

memory/4108-66-0x0000000006360000-0x000000000637E000-memory.dmp

memory/3056-77-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

memory/3056-78-0x0000000007000000-0x00000000070A3000-memory.dmp

memory/3056-67-0x000000007F890000-0x000000007F8A0000-memory.dmp

memory/4108-55-0x000000007F700000-0x000000007F710000-memory.dmp

memory/3056-80-0x0000000007340000-0x000000000735A000-memory.dmp

memory/4108-79-0x0000000007720000-0x0000000007D9A000-memory.dmp

memory/4108-81-0x0000000007150000-0x000000000715A000-memory.dmp

memory/3056-82-0x00000000075C0000-0x0000000007656000-memory.dmp

memory/4108-83-0x00000000072E0000-0x00000000072F1000-memory.dmp

memory/4108-84-0x0000000007310000-0x000000000731E000-memory.dmp

memory/4108-85-0x0000000007320000-0x0000000007334000-memory.dmp

memory/3056-87-0x0000000007660000-0x0000000007668000-memory.dmp

memory/3056-86-0x0000000007680000-0x000000000769A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3d81276e56503819b7cbc80acae885ff
SHA1 62bc20a22166ab4595fc9500cdf3efb3f59e20bb
SHA256 fe8b21d9b531bf7dd8025bb6ac8f1d3d58f5e43a086b682456b5da984393ed43
SHA512 61363ef9e90fc1c14bfc1e7fb723a45aa568fdec0d3eaaafa34bf7f8bae7bb690ff0f8e32887f1fff9ed35597ffeb4694d1ed631ca52aac447074eb127645f85

memory/4108-94-0x0000000075240000-0x00000000759F0000-memory.dmp

memory/3056-93-0x0000000075240000-0x00000000759F0000-memory.dmp

memory/4604-95-0x00000000055A0000-0x00000000055B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

C:\Users\Admin\AppData\Local\Temp\tmpA50A.tmp.bat

MD5 345f187b2783010165977acd820a1518
SHA1 465a6d28008b9f297c67383560dd6596c45bd9fe
SHA256 a02bce6cafc6dc0a5f22386b4c4ae626b0d9c498f24f047c594eee7874d2cb74
SHA512 15a5d9c56fae59ddda2e08c4d0ad3f50278ac9ca1d3be0ab9627c33e750275c7d3036553ddd08d67154a88efa9e126b6bc08dbbc8f397d411cf5b62b714adf4b

memory/4604-100-0x0000000075240000-0x00000000759F0000-memory.dmp

C:\Users\Admin\AppData\Roaming\msdtc.exe

MD5 ead981cd98146fabe078992943b0329d
SHA1 a20ba9450187e13e3ed62e6beab4d2bec788df01
SHA256 fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e
SHA512 a20fc11777c75d1062c16407b0f77098e93cdfa28afae053fd8671b56afc234c4bce9243dcd516adb95183a8d4aa58dafb850bd54c996c7507b2bf51c0fcb03a

memory/4368-105-0x0000000075240000-0x00000000759F0000-memory.dmp

memory/4368-106-0x0000000005980000-0x0000000005990000-memory.dmp

memory/4368-107-0x0000000005970000-0x0000000005984000-memory.dmp

memory/4368-109-0x0000000075240000-0x00000000759F0000-memory.dmp

memory/736-110-0x0000000075240000-0x00000000759F0000-memory.dmp

memory/736-111-0x0000000004E50000-0x0000000004E60000-memory.dmp

memory/736-112-0x0000000004E50000-0x0000000004E60000-memory.dmp

memory/3516-113-0x0000000004960000-0x0000000004970000-memory.dmp

memory/3516-114-0x0000000075240000-0x00000000759F0000-memory.dmp

memory/736-126-0x0000000005D60000-0x00000000060B4000-memory.dmp

memory/4368-125-0x0000000005980000-0x0000000005990000-memory.dmp

memory/4368-140-0x0000000075240000-0x00000000759F0000-memory.dmp

memory/4492-141-0x0000000075240000-0x00000000759F0000-memory.dmp

memory/736-143-0x0000000006770000-0x00000000067BC000-memory.dmp

memory/736-144-0x000000007F140000-0x000000007F150000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4136f844969d20beb48c6efa838199ec
SHA1 d622104cc31f22363c2b85e2235fb1b4201debb8
SHA256 b0a17f83aca53c593f384e0b7ed8daf01e28033c1d8106cfb0fb26c3ea0496ad
SHA512 daaed2fdb33e076caf48e5c135db3a288de25aa11fa618b7048c0c442ba5bd9b4b955c4f5ac0019ddc2128b72295b3a0add6e9ffd3e3907826fcc00f4471f6c2