Malware Analysis Report

2025-01-02 12:11

Sample ID 240417-p7p5bsgc39
Target 7dd59e401ddd74587eec4fc88a3e20e8e056d6adeed8d904d17e00195741d6f0
SHA256 7dd59e401ddd74587eec4fc88a3e20e8e056d6adeed8d904d17e00195741d6f0
Tags
asyncrat default rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7dd59e401ddd74587eec4fc88a3e20e8e056d6adeed8d904d17e00195741d6f0

Threat Level: Known bad

The file 7dd59e401ddd74587eec4fc88a3e20e8e056d6adeed8d904d17e00195741d6f0 was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat

AsyncRat

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-17 12:58

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 12:58

Reported

2024-04-17 13:01

Platform

win7-20240220-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"

Signatures

AsyncRat

rat asyncrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\msdtc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\msdtc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\msdtc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\msdtc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\msdtc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\msdtc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\msdtc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\msdtc.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\msdtc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1992 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\schtasks.exe
PID 1992 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\schtasks.exe
PID 1992 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\schtasks.exe
PID 1992 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\schtasks.exe
PID 1992 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe
PID 1992 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe
PID 1992 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe
PID 1992 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe
PID 1992 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe
PID 1992 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe
PID 1992 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe
PID 1992 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe
PID 1992 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe
PID 1992 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe
PID 1992 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe
PID 1992 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe
PID 1992 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe
PID 2784 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2184 wrote to memory of 472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2184 wrote to memory of 472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2184 wrote to memory of 472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1528 wrote to memory of 1584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1528 wrote to memory of 1584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1528 wrote to memory of 1584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1528 wrote to memory of 1584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1528 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\msdtc.exe
PID 1528 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\msdtc.exe
PID 1528 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\msdtc.exe
PID 1528 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\msdtc.exe
PID 2204 wrote to memory of 540 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2204 wrote to memory of 540 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2204 wrote to memory of 540 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2204 wrote to memory of 540 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2204 wrote to memory of 336 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2204 wrote to memory of 336 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2204 wrote to memory of 336 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2204 wrote to memory of 336 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2204 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Windows\SysWOW64\schtasks.exe
PID 2204 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Windows\SysWOW64\schtasks.exe
PID 2204 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Windows\SysWOW64\schtasks.exe
PID 2204 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Windows\SysWOW64\schtasks.exe
PID 2204 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Users\Admin\AppData\Roaming\msdtc.exe
PID 2204 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Users\Admin\AppData\Roaming\msdtc.exe
PID 2204 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Users\Admin\AppData\Roaming\msdtc.exe
PID 2204 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Users\Admin\AppData\Roaming\msdtc.exe
PID 2204 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Users\Admin\AppData\Roaming\msdtc.exe
PID 2204 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Users\Admin\AppData\Roaming\msdtc.exe
PID 2204 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Users\Admin\AppData\Roaming\msdtc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe

"C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FITGzizVFD.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FITGzizVFD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6AB5.tmp"

C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe

"C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"

C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe

"C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7A6D.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\msdtc.exe

"C:\Users\Admin\AppData\Roaming\msdtc.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\msdtc.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FITGzizVFD.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FITGzizVFD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD623.tmp"

C:\Users\Admin\AppData\Roaming\msdtc.exe

"C:\Users\Admin\AppData\Roaming\msdtc.exe"

Network

Country Destination Domain Proto
UA 194.147.140.157:3361 tcp
UA 194.147.140.157:3361 tcp
UA 194.147.140.157:3361 tcp
UA 194.147.140.157:3361 tcp
UA 194.147.140.157:3361 tcp
UA 194.147.140.157:3361 tcp
UA 194.147.140.157:3361 tcp
UA 194.147.140.157:3361 tcp
UA 194.147.140.157:3361 tcp
UA 194.147.140.157:3361 tcp
UA 194.147.140.157:3361 tcp
UA 194.147.140.157:3361 tcp
UA 194.147.140.157:3361 tcp
UA 194.147.140.157:3361 tcp
UA 194.147.140.157:3361 tcp
UA 194.147.140.157:3361 tcp

Files

memory/1992-0-0x00000000010F0000-0x0000000001164000-memory.dmp

memory/1992-1-0x0000000074060000-0x000000007474E000-memory.dmp

memory/1992-2-0x0000000004ED0000-0x0000000004F10000-memory.dmp

memory/1992-3-0x00000000002A0000-0x00000000002B4000-memory.dmp

memory/1992-4-0x00000000003D0000-0x00000000003DA000-memory.dmp

memory/1992-5-0x00000000003E0000-0x00000000003EC000-memory.dmp

memory/1992-6-0x0000000000710000-0x0000000000764000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6AB5.tmp

MD5 e6e0fe790f8459d1fce8cfdae134737a
SHA1 e8afbb57a1b8caed66931139ada15a70b92cca28
SHA256 fb1651eb50556e997ec359429569a0f133d7692386d542f8e79d89e7edef999c
SHA512 9672e8348e9b6663a820a513d5ca344e322130b381976a60609ac618a8ac4a57f2657bbeea8fd3cc1b6126f9aa33f399ac5cb82c7bdb694541e6b8f2da30fc0b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 171f665c69f7040532b337c21e8e7076
SHA1 555ba172865d3e61113cc87384bc58d061060c70
SHA256 12a9329e10f3bbfe07602ae4cc1a5582d74af762ac8c8b0a7116a81db9d5ae4a
SHA512 6e305bc2b1113ad1a512d90c605c3a368ae3a2154bdce7653a8ff1586678f50783094d59a55f4d4c985472ebcc49853897405c8ebb39b287dad6ca15f124d85d

memory/2784-19-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1992-20-0x0000000074060000-0x000000007474E000-memory.dmp

memory/2784-22-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2784-24-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2784-26-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2784-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2784-30-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2784-32-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2784-34-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1992-35-0x0000000074060000-0x000000007474E000-memory.dmp

memory/2672-36-0x000000006DB30000-0x000000006E0DB000-memory.dmp

memory/2520-37-0x000000006DB30000-0x000000006E0DB000-memory.dmp

memory/2672-39-0x000000006DB30000-0x000000006E0DB000-memory.dmp

memory/2520-38-0x00000000029C0000-0x0000000002A00000-memory.dmp

memory/2520-40-0x000000006DB30000-0x000000006E0DB000-memory.dmp

memory/2520-42-0x00000000029C0000-0x0000000002A00000-memory.dmp

memory/2520-41-0x00000000029C0000-0x0000000002A00000-memory.dmp

memory/2672-44-0x0000000000520000-0x0000000000560000-memory.dmp

memory/2672-43-0x0000000000520000-0x0000000000560000-memory.dmp

memory/2784-45-0x0000000074060000-0x000000007474E000-memory.dmp

memory/2520-47-0x000000006DB30000-0x000000006E0DB000-memory.dmp

memory/2672-46-0x000000006DB30000-0x000000006E0DB000-memory.dmp

memory/2784-48-0x0000000000BB0000-0x0000000000BF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7A6D.tmp.bat

MD5 4fb6cda0ba6f20c7cf44e8cc953a4c91
SHA1 64e78cafba753d446719ed657d47cf598d4b3c95
SHA256 617ccc01cf7e92472b08b6fd4318631435576a8b079655499d91f9775e6cc3af
SHA512 51268744751e35f7de5674cd8a3fd225424717fd1713996184857b24a29c2a92ab21c9f6ddbcecaca4f9b0655da842dd39812f8211228f31ce020da30ad53311

memory/2784-58-0x0000000074060000-0x000000007474E000-memory.dmp

C:\Users\Admin\AppData\Roaming\msdtc.exe

MD5 ead981cd98146fabe078992943b0329d
SHA1 a20ba9450187e13e3ed62e6beab4d2bec788df01
SHA256 fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e
SHA512 a20fc11777c75d1062c16407b0f77098e93cdfa28afae053fd8671b56afc234c4bce9243dcd516adb95183a8d4aa58dafb850bd54c996c7507b2bf51c0fcb03a

memory/2204-63-0x00000000740A0000-0x000000007478E000-memory.dmp

memory/2204-62-0x00000000009A0000-0x0000000000A14000-memory.dmp

memory/2204-65-0x00000000004C0000-0x00000000004D4000-memory.dmp

memory/2204-64-0x0000000004710000-0x0000000004750000-memory.dmp

memory/2920-87-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/540-80-0x00000000004A0000-0x00000000004E0000-memory.dmp

memory/540-92-0x000000006E220000-0x000000006E7CB000-memory.dmp

memory/2920-94-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2204-96-0x00000000740A0000-0x000000007478E000-memory.dmp

memory/336-95-0x0000000002A50000-0x0000000002A90000-memory.dmp

memory/336-99-0x000000006E220000-0x000000006E7CB000-memory.dmp

memory/2920-100-0x0000000000400000-0x0000000000412000-memory.dmp

memory/336-98-0x000000006E220000-0x000000006E7CB000-memory.dmp

memory/540-93-0x000000006E220000-0x000000006E7CB000-memory.dmp

memory/540-79-0x000000006E220000-0x000000006E7CB000-memory.dmp

memory/2204-74-0x00000000740A0000-0x000000007478E000-memory.dmp

memory/336-101-0x0000000002A50000-0x0000000002A90000-memory.dmp

memory/2920-102-0x0000000072D60000-0x000000007344E000-memory.dmp

memory/2920-103-0x0000000004B70000-0x0000000004BB0000-memory.dmp

memory/336-104-0x0000000002A50000-0x0000000002A90000-memory.dmp

memory/2920-105-0x0000000072D60000-0x000000007344E000-memory.dmp

memory/2920-106-0x0000000004B70000-0x0000000004BB0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 12:58

Reported

2024-04-17 13:01

Platform

win10v2004-20240412-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"

Signatures

AsyncRat

rat asyncrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\msdtc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\msdtc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\msdtc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\msdtc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\msdtc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\msdtc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\msdtc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\msdtc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\msdtc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\msdtc.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\msdtc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\msdtc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\msdtc.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4932 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\schtasks.exe
PID 4932 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\schtasks.exe
PID 4932 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\schtasks.exe
PID 4932 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe
PID 4932 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe
PID 4932 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe
PID 4932 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe
PID 4932 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe
PID 4932 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe
PID 4932 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe
PID 4932 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe
PID 3720 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\cmd.exe
PID 3720 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 3904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2720 wrote to memory of 1580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2720 wrote to memory of 1588 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\msdtc.exe
PID 1588 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1588 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1588 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Windows\SysWOW64\schtasks.exe
PID 1588 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Users\Admin\AppData\Roaming\msdtc.exe
PID 1588 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Users\Admin\AppData\Roaming\msdtc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe

"C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FITGzizVFD.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FITGzizVFD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp93A5.tmp"

C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe

"C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA76B.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\msdtc.exe

"C:\Users\Admin\AppData\Roaming\msdtc.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\msdtc.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FITGzizVFD.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FITGzizVFD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp431.tmp"

C:\Users\Admin\AppData\Roaming\msdtc.exe

"C:\Users\Admin\AppData\Roaming\msdtc.exe"

C:\Users\Admin\AppData\Roaming\msdtc.exe

"C:\Users\Admin\AppData\Roaming\msdtc.exe"

Network


Files

C:\Users\Admin\AppData\Local\Temp\tmp93A5.tmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uskjmjx5.bky.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe.log

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Temp\tmpA76B.tmp.bat

C:\Users\Admin\AppData\Roaming\msdtc.exe

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
