Malware Analysis Report

2025-01-02 12:12

Sample ID 240417-qbgzhsge68
Target 5924b6d7b4e0c0ca7b9154ceea866ecddbfdf8dfcbf53d9fa1dc4da5920eaad9
SHA256 5924b6d7b4e0c0ca7b9154ceea866ecddbfdf8dfcbf53d9fa1dc4da5920eaad9
Tags
asyncrat default rat
score
10/10

Analysis Overview

score
10/10

SHA256

5924b6d7b4e0c0ca7b9154ceea866ecddbfdf8dfcbf53d9fa1dc4da5920eaad9

Threat Level: Known bad

The file 5924b6d7b4e0c0ca7b9154ceea866ecddbfdf8dfcbf53d9fa1dc4da5920eaad9 was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat

AsyncRat

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-17 13:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 13:05

Reported

2024-04-17 13:07

Platform

win7-20240319-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"

Signatures

AsyncRat

rat asyncrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\msdtc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\msdtc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2516 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2516 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2516 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\schtasks.exe
PID 2516 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe
PID 2428 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\cmd.exe
PID 1880 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2344 wrote to memory of 336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2344 wrote to memory of 764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\msdtc.exe
PID 764 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 764 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 764 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Windows\SysWOW64\schtasks.exe
PID 764 wrote to memory of 800 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Users\Admin\AppData\Roaming\msdtc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe

"C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FITGzizVFD.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FITGzizVFD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp91F3.tmp"

C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe

"C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpAB2D.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\msdtc.exe

"C:\Users\Admin\AppData\Roaming\msdtc.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\msdtc.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FITGzizVFD.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FITGzizVFD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp78F.tmp"

C:\Users\Admin\AppData\Roaming\msdtc.exe

"C:\Users\Admin\AppData\Roaming\msdtc.exe"

Network

Country Destination Domain Proto
UA 194.147.140.157:3361 tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp91F3.tmp

MD5 48ead6e42bfb9e466f84beb1b15fdafb
SHA1 314602b4fc0258f181589487332314b96ea8e6ef
SHA256 2cda412fd2478b9f131cb9edebe3a3a8b7dd36bc3f5d2a2ba910a7e14c988146
SHA512 f385bdc42c12b92555b5f763202e949e202019e84ff2cc8b35ff634d68cc7d74373393cc149fc1d15882b2f3c6eb97ef51636c7af93bc6bc36cae62798db9357

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 5f3638bcf2cd90822092c1de10ca4e71
SHA1 85955cb0976890236e597d0f87f2cd89cb5b2d14
SHA256 ea14e3c4d6cf256afea229bc98d18430e607d64133f4ae4d68b990cd71aa8dba
SHA512 08f978efda362552f7e3430a239ea3074f05c3937031a6d9c26caad2a7af08161853d007a64c7b0aa5c2e2aa9a331de791d9f638287645736ae4bb2b48ad69c7

C:\Users\Admin\AppData\Local\Temp\tmpAB2D.tmp.bat

MD5 75b22a75880f6a476c17eac4ef301a6c
SHA1 40dbf09a1eb1f6759851ac42ab6eef43883a6ebb
SHA256 16d442dbfab0c71f3ee26a453fc8b524fe6aa26345ca7f5cff49ddfba4895f8f
SHA512 b4478105c7179635929d10f6b508a8af1d811cc37907b84eb51f1eb3517936045266f4563c770e08f2a54ffab3c43a77a4246fcf2f8651af54d5fb16b9f87f97

\Users\Admin\AppData\Roaming\msdtc.exe

MD5 ead981cd98146fabe078992943b0329d
SHA1 a20ba9450187e13e3ed62e6beab4d2bec788df01
SHA256 fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e
SHA512 a20fc11777c75d1062c16407b0f77098e93cdfa28afae053fd8671b56afc234c4bce9243dcd516adb95183a8d4aa58dafb850bd54c996c7507b2bf51c0fcb03a

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 a54dbefaea6328a091939098a40c7547
SHA1 3eae379e4c638ae17d74ce77372c82dd5f2f8375
SHA256 0bb1ca11866160b7edb499143a7a8887d1899878ee472030213f3cb9577f6fef
SHA512 9128164df0d46a9c4b12aece1c311ead7f4c2c2c7cfd1fe7acd42d845402874ef1a9ec7b763338d7df496fd16d2fc33f5a55df71a904ccab419e22902ff56626

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 13:05

Reported

2024-04-17 13:07

Platform

win10v2004-20240412-en

Max time kernel

145s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"

Signatures

AsyncRat

rat asyncrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\msdtc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\msdtc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\msdtc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2932 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\schtasks.exe
PID 2932 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe
PID 2932 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe
PID 2204 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe C:\Windows\SysWOW64\cmd.exe
PID 2044 wrote to memory of 452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4604 wrote to memory of 4924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4604 wrote to memory of 2296 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\msdtc.exe
PID 2296 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Windows\SysWOW64\schtasks.exe
PID 2296 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Users\Admin\AppData\Roaming\msdtc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe

"C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FITGzizVFD.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FITGzizVFD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD542.tmp"

C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe

"C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"

C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe

"C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpECB2.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\msdtc.exe

"C:\Users\Admin\AppData\Roaming\msdtc.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\msdtc.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FITGzizVFD.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FITGzizVFD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4DBD.tmp"

C:\Users\Admin\AppData\Roaming\msdtc.exe

"C:\Users\Admin\AppData\Roaming\msdtc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
UA 194.147.140.157:3361 tcp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 214.143.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmpD542.tmp

MD5 cc76898055b19a9816d0f9d966112a2b
SHA1 0eb865bd7cfbe37652e58ccc778f82e582fc03ba
SHA256 07553f956e42e2c7822ba99bab8b53f6ef8aa94e58346ad994589af8c68f0b64
SHA512 d71e8906a05e26df2c3bfc2de96b865dfcd706a3dbab88f88fb43b0da8e16df600600ff4dd8f8223c911cbd1c92d64bcc3d504b6b9d34ffba040761f6ad71c14

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_itcaht0a.2dk.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\tmpECB2.tmp.bat

MD5 06cd73c632e961c02acbe2497b29294b
SHA1 86cd2bdde7e31558dc77ccc7c1da63c98b7936fa
SHA256 e8dbef012b3b4c5a8183582eb432aed84a57b43a48087e03027a3383b7ce0c90
SHA512 1086b067f34be1ba42e8598043d10c79b389262ddd34c9d4eebbd668f1ed5a763b23e7d3d60bb19750dbccc4518fd87c95e09df038c25e91cfd6d305b5d8bb4c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 129f08e4b4e038e6e956d3507af71794
SHA1 ebd62c2a242a2fe1282f545e6195ee472fcf19c7
SHA256 3034f41a7317a8dc9edf5cbd1430a1a5b78089888243ecde465e6e6e4c4737e5
SHA512 1a11ee68d2f0aa9543bf25eb48a8b64d6a1ed691060473ae4010666875e02384b2cffac60038c19d8a93c23a050587e43dac09e3ed87c4ee6624972292511db7

C:\Users\Admin\AppData\Roaming\msdtc.exe

MD5 ead981cd98146fabe078992943b0329d
SHA1 a20ba9450187e13e3ed62e6beab4d2bec788df01
SHA256 fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e
SHA512 a20fc11777c75d1062c16407b0f77098e93cdfa28afae053fd8671b56afc234c4bce9243dcd516adb95183a8d4aa58dafb850bd54c996c7507b2bf51c0fcb03a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 11ec032a4612b0e1af7789e057277824
SHA1 c97e9d5d84121a5ba22f59e1351e707c13ac1046
SHA256 f9bb4bb9a12f8854ebdda168609792c2e74f0d2be56ff9fd3c8feccedf635f86
SHA512 18d84c4b3e147d329336b639a23b1291b6bddf35db657a6b5f0a27610c8e557d95fcd9118d93efd6aa32fd1327d621a7acdda10f2fcd2e95ddb7ad59f5fa18d2