Malware Analysis Report

2025-01-02 12:13

Sample ID: 240417-qeecssac5t
Target:    9d6a0c6c2e07cb1544f3fc1a7d7353cb42c122cb529d0e910ab65975196402cc
SHA256:    9d6a0c6c2e07cb1544f3fc1a7d7353cb42c122cb529d0e910ab65975196402cc
Tags:      asyncrat, default, rat
Score:     10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 9d6a0c6c2e07cb1544f3fc1a7d7353cb42c122cb529d0e910ab65975196402cc
Threat Level: Known bad

The file 9d6a0c6c2e07cb1544f3fc1a7d7353cb42c122cb529d0e910ab65975196402cc was found to be: Known bad.

Malicious Activity Summary

Tags: asyncrat, default, rat

Signatures (both behavioral runs combined):
  AsyncRat
  Checks computer location settings
  Loads dropped DLL
  Executes dropped EXE
  Suspicious use of SetThreadContext
  Enumerates physical storage devices
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Creates scheduled task(s)
  Delays execution with timeout.exe
  Suspicious use of WriteProcessMemory

Read against the process, network and file data in the behavioral runs below, these signatures describe one chain rather than eleven separate findings. The loader first excludes itself from Microsoft Defender scanning (PowerShell Add-MpPreference -ExclusionPath, run for the sample's own path, for C:\Users\Admin\AppData\Roaming\FITGzizVFD.exe and later for the dropped copy), registers two scheduled tasks (Updates\FITGzizVFD from an XML file, and msdtc with /sc onlogon /rl highest), copies itself to C:\Users\Admin\AppData\Roaming\msdtc.exe under the name of a legitimate Windows service binary, waits three seconds with timeout.exe, and restarts from that copy. In both the original and the copied instance the parent starts a second process of its own image and writes into it; WriteProcessMemory together with SetThreadContext is the shape of a loader replacing the image of a suspended child with its payload. The run ends with repeated TCP connections to 194.147.140.157:3361, the only network destination observed, with no DNS lookup. The dropped msdtc.exe hashes to SHA256 fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e, which is also the name the sample was executed under, so the copy is the same executable rather than a second-stage download; note that this hash differs from the Target SHA256 in the header.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-17 13:10

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted:        2024-04-17 13:10
Reported:         2024-04-17 13:12
Platform:         win7-20240221-en
Max time kernel:  146s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"

Signatures

AsyncRat  [rat, asyncrat]

Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\msdtc.exe  (2 events)

Loads dropped DLL
  C:\Windows\SysWOW64\cmd.exe  (1 event)

Enumerates physical storage devices
  (no per-process detail recorded)

Creates scheduled task(s)  [persistence]
  C:\Windows\SysWOW64\schtasks.exe  (3 events: the two /XML task creations and the one launched through cmd.exe; command lines under Processes)

Delays execution with timeout.exe  [evasion]
  C:\Windows\SysWOW64\timeout.exe  (1 event)

Suspicious behavior: EnumeratesProcesses
  C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe  (9 events)
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (4 events)
  C:\Users\Admin\AppData\Roaming\msdtc.exe  (7 events)

Suspicious use of WriteProcessMemory

The report lists 62 rows; they collapse to 13 distinct source/target pairs. PIDs map to images as recorded in the rows:

  2960, 2436              C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe
  2992, 2628, 2452, 1952  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2676, 2756, 2180        C:\Windows\SysWOW64\schtasks.exe
  2464, 1800              C:\Windows\SysWOW64\cmd.exe
  2820                    C:\Windows\SysWOW64\timeout.exe
  676, 1752               C:\Users\Admin\AppData\Roaming\msdtc.exe

Writes (source PID -> target PID, target image, number of rows):
  2960 -> 2992  powershell.exe   4
  2960 -> 2628  powershell.exe   4
  2960 -> 2676  schtasks.exe     4
  2960 -> 2436  same image       9
  2436 -> 2464  cmd.exe          4
  2436 -> 1800  cmd.exe          4
  2464 -> 2756  schtasks.exe     4
  1800 -> 2820  timeout.exe      4
  1800 -> 676   msdtc.exe        4
  676  -> 2452  powershell.exe   4
  676  -> 1952  powershell.exe   4
  676  -> 2180  schtasks.exe     4
  676  -> 1752  same image       9

Every child the sandbox saw being created receives the same four writes from its parent, so that count on its own says nothing. The two pairs that stand out are 2960 -> 2436 and 676 -> 1752: nine writes into a freshly started process running the same image as the writer, which together with the SetThreadContext signature in the summary is the pattern of a loader starting a suspended copy of itself, overwriting its memory with the payload and resuming it (process hollowing). The injected instances, 2436 and 1752, are the ones whose 0x00400000 memory dumps appear under Files.
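The same flat table can be turned back into the process tree, which is what an analyst actually wants from it. The following is an added example, not code from the sandbox or from any project the report describes: the row parser, the tree rendering and the two indicator functions are my own, and the rows are rebuilt from the pairs above (each repeated as often as the report lists it) as constructed input. Beyond reprinting the tree it flags the two properties worth alerting on in a table like this: a parent writing into a child that runs its own image, and LOLBins spawned by a process living under a user-writable path.

```python
"""Rebuild the process tree from a sandbox WriteProcessMemory table.

Added example, not part of the sandbox report. The parser, the tree rendering and
the indicator functions are my own; the rows are constructed from the behavioral1
table above (each distinct pair repeated as many times as the report lists it).
"""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe")
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
TIMEOUT = r"C:\Windows\SysWOW64\timeout.exe"
MSDTC = r"C:\Users\Admin\AppData\Roaming\msdtc.exe"

# (rows in the report, source PID, target PID, source image, target image)
EVENTS = [
    (4, 2960, 2992, SAMPLE, PS), (4, 2960, 2628, SAMPLE, PS),
    (4, 2960, 2676, SAMPLE, SCHTASKS), (9, 2960, 2436, SAMPLE, SAMPLE),
    (4, 2436, 2464, SAMPLE, CMD), (4, 2436, 1800, SAMPLE, CMD),
    (4, 2464, 2756, CMD, SCHTASKS), (4, 1800, 2820, CMD, TIMEOUT),
    (4, 1800, 676, CMD, MSDTC), (4, 676, 2452, MSDTC, PS),
    (4, 676, 1952, MSDTC, PS), (4, 676, 2180, MSDTC, SCHTASKS),
    (9, 676, 1752, MSDTC, MSDTC),
]
# Constructed rows in the report's own row format.
RAW_ROWS = [f"PID {s} wrote to memory of {d} N/A {si} {di}"
            for n, s, d, si, di in EVENTS for _ in range(n)]

ROW_RX = re.compile(r"PID (\d+) wrote to memory of (\d+)\s+N/A\s+(\S+)\s+(\S+)")
LOLBINS = {"powershell.exe", "cmd.exe", "schtasks.exe", "timeout.exe"}  # my own short list
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")          # my own short list


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_rows(rows):
    """Return ({(src, dst): row_count}, {pid: image}) from the flat table."""
    edges, images = {}, {}
    for row in rows:
        m = ROW_RX.match(row)
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        edges[(src, dst)] = edges.get((src, dst), 0) + 1
        images.setdefault(src, m.group(3))
        images.setdefault(dst, m.group(4))
    return edges, images


def children(edges):
    tree = {}
    for src, dst in edges:
        tree.setdefault(src, []).append(dst)
    return tree


def roots(edges):
    """PIDs that write but are never written to: the top of the tree."""
    targets = {dst for _, dst in edges}
    return sorted({src for src, _ in edges} - targets)


def render(edges, images):
    """Indented tree, one line per PID: '<indent><pid>  <image basename> [n writes]'."""
    tree, lines, seen = children(edges), [], set()

    def walk(pid, depth, writes):
        if pid in seen:            # guard against malformed (cyclic) input
            return
        seen.add(pid)
        tag = f" [{writes} writes]" if writes else ""
        lines.append("  " * depth + f"{pid}  {basename(images[pid])}{tag}")
        for child in tree.get(pid, []):
            walk(child, depth + 1, edges[(pid, child)])

    for root in roots(edges):
        walk(root, 0, 0)
    return lines


def self_image_writes(edges, images):
    """Parents writing into a child that runs the same image (hollowing candidates)."""
    return sorted((s, d, n) for (s, d), n in edges.items()
                  if images[s].lower() == images[d].lower())


def lolbins_from_user_paths(edges, images):
    """LOLBin children whose parent image lives under a user-writable directory."""
    hits = []
    for src, dst in edges:
        parent = images[src].lower()
        child = basename(images[dst]).lower()
        if child in LOLBINS and any(p in parent for p in USER_WRITABLE):
            hits.append((src, dst, child))
    return hits


if __name__ == "__main__":
    e, im = parse_rows(RAW_ROWS)
    print("\n".join(render(e, im)))
    print("same-image writes:", self_image_writes(e, im))
    print("LOLBins spawned from user paths:", len(lolbins_from_user_paths(e, im)))
```

Run stand-alone it prints the tree rooted at 2960 with the nine-write edges marked; on a different report, only `EVENTS` (or the raw rows fed to `parse_rows`) changes.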

Processes

Process tree for this run. PIDs come from the WriteProcessMemory table above and are matched to the command lines in the order the report lists them; the parent/child relations are the ones the write events record. The sandbox records the system binaries under C:\Windows\SysWOW64\ although the command lines say System32: the sample is a 32-bit process, and WoW64 file system redirection maps its System32 references to SysWOW64.

2960  "C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"
  2992  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"
  2628  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FITGzizVFD.exe"
  2676  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FITGzizVFD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA709.tmp"
  2436  "C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"   (second instance; receives the nine memory writes from 2960)
    2464  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"' & exit
      2756  schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"'
    1800  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpBE9E.tmp.bat""
      2820  timeout 3
      676   "C:\Users\Admin\AppData\Roaming\msdtc.exe"
        2452  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\msdtc.exe"
        1952  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FITGzizVFD.exe"
        2180  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FITGzizVFD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1B00.tmp"
        1752  "C:\Users\Admin\AppData\Roaming\msdtc.exe"   (second instance; receives the nine memory writes from 676)

What the tree shows:

The stage that runs from msdtc.exe (676) repeats exactly the setup its parent ran (two Defender exclusions, one task from XML, then a hollowed copy of itself), so msdtc.exe is the same loader restarted from its persistence location, not a second-stage payload.

The exclusion and the task Updates\FITGzizVFD both name C:\Users\Admin\AppData\Roaming\FITGzizVFD.exe, a file that is never written in this run (it does not appear under Files). A Defender exclusion for a non-existent executable under AppData\Roaming is itself a useful hunt indicator; (Get-MpPreference).ExclusionPath lists such entries on a host.

The msdtc task runs at every logon with /rl highest, i.e. with the highest privileges available to the logged-on user, and /f silently replaces any existing task of that name. The name collides with the legitimate Distributed Transaction Coordinator binary in System32, so a task or process called msdtc has to be checked by image path, not by name.

The batch file C:\Users\Admin\AppData\Local\Temp\tmpBE9E.tmp.bat (hashed under Files) is what introduces the three-second timeout before relaunching from the copy: its two children are 2820 (timeout 3) and 676 (msdtc.exe).

This run is on Windows 7, which does not ship the Defender PowerShell module, so Add-MpPreference is not available there; the exclusion commands are launched unconditionally anyway and take effect on the Windows 10 run (behavioral2).

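The command lines above, run through a small rule set that maps each to the behaviour it implements. This is an added example, not part of the sandbox report or of any project the report describes: the rule names, the regular expressions and the short list of Windows system binary names are my own choices, and the fourteen command lines are copied from the process list above as constructed input. It generalises beyond this sample: the rules fire on any Add-MpPreference exclusion, any onlogon/highest scheduled task, any task whose action points under AppData, any batch file run from Temp, any timeout delay, and any executable under AppData that carries the name of a system binary.

```python
"""Rule-based triage of sandbox process command lines.

Added example, not part of the sandbox report or of AsyncRAT. Rule names, regexes
and SYSTEM_BINARY_NAMES are my own; COMMAND_LINES are the behavioral1 command
lines from the report, in launch order, embedded as constructed input.
"""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
FITG = r"C:\Users\Admin\AppData\Roaming\FITGzizVFD.exe"
MSDTC = r"C:\Users\Admin\AppData\Roaming\msdtc.exe"

COMMAND_LINES = [
    '"' + SAMPLE + '"',
    '"' + PS + '" Add-MpPreference -ExclusionPath "' + SAMPLE + '"',
    '"' + PS + '" Add-MpPreference -ExclusionPath "' + FITG + '"',
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FITGzizVFD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA709.tmp"',
    '"' + SAMPLE + '"',
    r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"' & exit''',
    r'''cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpBE9E.tmp.bat""''',
    r"""schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"'""",
    "timeout 3",
    '"' + MSDTC + '"',
    '"' + PS + '" Add-MpPreference -ExclusionPath "' + MSDTC + '"',
    '"' + PS + '" Add-MpPreference -ExclusionPath "' + FITG + '"',
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FITGzizVFD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1B00.tmp"',
    '"' + MSDTC + '"',
]

# Each rule is a regex over the whole command line (case-insensitive).
RULES = {
    "defender_exclusion":       re.compile(r'add-mppreference\s+-exclusionpath', re.I),
    "schtask_onlogon_highest":  re.compile(r'schtasks\b.*/create\b.*/sc\s+onlogon\b.*/rl\s+highest\b', re.I),
    "schtask_from_xml":         re.compile(r'schtasks(?:\.exe)?"?\s.*/create\b.*/xml\s', re.I),
    "schtask_runs_from_appdata": re.compile(r'/tr\s+\S*\\AppData\\', re.I),
    "delay_with_timeout":       re.compile(r'^\s*"?(?:[a-z]:\\[^"]*\\)?timeout(?:\.exe)?"?\s+\d+', re.I),
    "batch_from_temp":          re.compile(r'cmd(?:\.exe)?"?\s+/c\s+"*[^"]*\\AppData\\Local\\Temp\\[^"]*\.bat', re.I),
}
# Names of binaries that live in System32; my own short list, extend as needed.
SYSTEM_BINARY_NAMES = {"msdtc", "svchost", "csrss", "lsass", "dwm", "explorer", "conhost"}
EXCLUSION_RX = re.compile(r'-ExclusionPath\s+"([^"]+)"', re.I)


def image_path(cmdline):
    """First token of the command line: the quoted or bare program path."""
    s = cmdline.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    return s.split()[0]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def classify(cmdline):
    """Names of every rule that matches, plus the system-name-in-AppData check."""
    hits = [name for name, rx in RULES.items() if rx.search(cmdline)]
    image = image_path(cmdline)
    stem = basename(image).lower()
    if stem.endswith(".exe") and stem[:-4] in SYSTEM_BINARY_NAMES and "\\appdata\\" in image.lower():
        hits.append("system_name_in_appdata")
    return hits


def exclusion_paths(cmdlines):
    """Every path handed to -ExclusionPath, so it can be checked against dropped files."""
    return {m.group(1) for c in cmdlines for m in EXCLUSION_RX.finditer(c)}


def triage(cmdlines):
    """Map rule name -> indices of the command lines that triggered it."""
    report = {}
    for i, c in enumerate(cmdlines):
        for h in classify(c):
            report.setdefault(h, []).append(i)
    return report


if __name__ == "__main__":
    for rule, idx in triage(COMMAND_LINES).items():
        print(f"{rule:28s} lines {idx}")
    print("excluded paths:", sorted(exclusion_paths(COMMAND_LINES)))
```

The `exclusion_paths` set is the one to diff against the Files section: here it contains FITGzizVFD.exe, which was never written, and that mismatch is a stronger signal than any single command line.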
Network

Country  Destination            Domain  Proto  Connections
UA       194.147.140.157:3361   (none)  tcp    14

All fourteen rows of the original table are connections to this one endpoint. No domain is recorded, so the address is embedded in the sample as an IP and port rather than resolved through DNS; DNS-based blocking does not help here, and the network indicator is the IP:port pair. Fourteen connections during a run of about 150 seconds are consistent with a client reconnecting in a loop and do not by themselves show that the server answered.

Files

Written files

C:\Users\Admin\AppData\Local\Temp\tmpA709.tmp
  Scheduled-task XML consumed by schtasks /Create /TN "Updates\FITGzizVFD" /XML (PID 2676).
  MD5     1932843c6cdcb3a7c01029c551e67201
  SHA1    7b8aed4f6e9596568c06876db80ae7616303a6bd
  SHA256  14a56d320fb17b4bd11f103e6fbe10b618491f11965e3cd3a0d8044fcc5612a3
  SHA512  6802ea1a79b93faa7adb1d0f6e8fae1ac3859cc3cb43b938bb0c272003ff1356dbb98427b79ec665a7d1903b51d79f362886d4f74a1d2f86b4e41a7f46b89b5f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\F8NYMYDH0DTXO3GWG075.temp
  Jump-list bookkeeping written by the shell as a side effect of the PowerShell launches; not a file the malware authored.
  MD5     0e0d26cb62e8a545f48bd44a7d85eb81
  SHA1    9ea42d82ece8f933c5233792873a29bfec8122a8
  SHA256  16b0421108933ed478b761b7b2425a1cc2f708c11d774288573979b3cbdeac77
  SHA512  fe359498e4e032d16931ee48e0b902513813e81afb7c15ea50c063452f9480130820eea2fb42b4ed6d3cbca16830c5c7e91cfda3e51c370fcdaadd45b86be319

C:\Users\Admin\AppData\Local\Temp\tmpBE9E.tmp.bat
  Batch file run by cmd.exe (PID 1800); its children are timeout 3 and msdtc.exe.
  MD5     67ef356a2925832ec6ffa768d6ea2c78
  SHA1    12361a2b230d80fca2b2d3332b1c5d9668922a14
  SHA256  3ee2c307ef89808af255da0f796d516ee2fcd215cd3bc6c2f3b337b121b659c5
  SHA512  977fc7649286292070b19bf852652a7f299c94c473a37d2fd4a5b97343cedde196a5cc44217a138fe495c025b31071b6ea4e376587ef22bff402e55ec600f8c3

\Users\Admin\AppData\Roaming\msdtc.exe
  Self-copy of the executed sample: its SHA256 is the name the sample was run under.
  MD5     ead981cd98146fabe078992943b0329d
  SHA1    a20ba9450187e13e3ed62e6beab4d2bec788df01
  SHA256  fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e
  SHA512  a20fc11777c75d1062c16407b0f77098e93cdfa28afae053fd8671b56afc234c4bce9243dcd516adb95183a8d4aa58dafb850bd54c996c7507b2bf51c0fcb03a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Jump list, same artifact class as the .temp file above.
  MD5     c3ef1031790b1b6ab3c88d8ea2e3a9ed
  SHA1    f5dc679b8f33803e8afaf2a6d7d62fce1c11f117
  SHA256  843bc60d3e304fa0aa13d29d8053ab04fe79d6448459df01a8250799733c3217
  SHA512  c73ff2e30109c1a23b4d3334089f143b8d0b65be0110c783c913275b3f2a7f3d3720daacb56cc4df88aa71d6ef886142d81614c541cf0421697d162618c3ebc4

Memory dumps (dump index: address range, grouped by PID; the report names them memory/<pid>-<index>-<start>-<end>-memory.dmp)

2960, first sample instance
  1, 7, 31     0x74E30000-0x7551E000
  0            0x00D00000-0x00D74000
  2, 21        0x04D10000-0x04D50000
  3            0x00320000-0x00334000
  4            0x00350000-0x0035A000
  5            0x00360000-0x0036C000
  6            0x00CB0000-0x00D04000
2436, injected second instance
  20, 22, 23, 24, 27, 29, 32   0x00400000-0x00412000
  25           0x7EFDE000-0x7EFDF000
  37, 52       0x74E30000-0x7551E000
  40           0x00AA0000-0x00AE0000
2992, powershell.exe
  33, 36, 42   0x6FCB0000-0x7025B000
  35, 38       0x023C0000-0x02400000
2628, powershell.exe
  34, 41       0x6FCB0000-0x7025B000
  39           0x023B0000-0x023F0000
676, msdtc.exe
  56           0x013B0000-0x01424000
  57, 60, 94   0x74DE0000-0x754CE000
  58           0x00440000-0x00480000
  59           0x00CD0000-0x00D24000
2452, powershell.exe
  69, 76, 96   0x6EFD0000-0x6F57B000
  74, 80, 82   0x026C0000-0x02700000
1752, injected second instance of msdtc.exe
  83           0x7EFDE000-0x7EFDF000
  90, 93       0x00400000-0x00412000
1952, powershell.exe
  85, 91       0x027F0000-0x02830000
  89, 95       0x6EFD0000-0x6F57B000

The 0x00400000-0x00412000 region (72 KiB at the default image base) dumped from the two injected children, 2436 and 1752, is where a hollowing loader places its payload; those dumps, not the parent's, are the first place to look for the unpacked AsyncRAT client and its configuration.

Analysis: behavioral2

Detonation Overview

Submitted:        2024-04-17 13:10
Reported:         2024-04-17 13:12
Platform:         win10v2004-20240412-en
Max time kernel:  146s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"

Signatures

AsyncRat  [rat, asyncrat]

Checks computer location settings
  Key value queried: \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation
    C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe  (2 events)
    C:\Users\Admin\AppData\Roaming\msdtc.exe  (1 event)
  This key is also read by ordinary .NET programs when the runtime resolves the current region, so on its own it is weak evidence and should not be alerted on in isolation.

Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\msdtc.exe  (2 events)

Enumerates physical storage devices
  (no per-process detail recorded)

Creates scheduled task(s)  [persistence]
  C:\Windows\SysWOW64\schtasks.exe  (3 events)

Delays execution with timeout.exe  [evasion]
  C:\Windows\SysWOW64\timeout.exe  (1 event)

Suspicious behavior: EnumeratesProcesses
  C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe  (29 events)
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (8 events)
  C:\Users\Admin\AppData\Roaming\msdtc.exe  (7 events)
Suspicious use of WriteProcessMemory

The rows collapse to 12 distinct source/target pairs; the page ends in the middle of this table (after the second 3340 -> 1192 row), so the counts for the last pair and any later pairs are incomplete. PIDs map to images as recorded:

  3760, 4488, 5060        C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe
  1532, 1148, 324, 1192   C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  1624, 3620              C:\Windows\SysWOW64\schtasks.exe
  1380, 1316              C:\Windows\SysWOW64\cmd.exe
  1496                    C:\Windows\SysWOW64\timeout.exe
  3340                    C:\Users\Admin\AppData\Roaming\msdtc.exe

Writes (source PID -> target PID, target image, number of rows):
  3760 -> 1532  powershell.exe   3
  3760 -> 1148  powershell.exe   3
  3760 -> 1624  schtasks.exe     3
  3760 -> 4488  same image       3
  3760 -> 5060  same image       8
  5060 -> 1380  cmd.exe          3
  5060 -> 1316  cmd.exe          3
  1380 -> 3620  schtasks.exe     3
  1316 -> 1496  timeout.exe      3
  1316 -> 3340  msdtc.exe        3
  3340 -> 324   powershell.exe   3
  3340 -> 1192  powershell.exe   2 (table cut off here)

Same chain as on Windows 7, with one difference: 3760 starts two copies of itself. 4488 receives only the three writes every created child gets on this platform and has no children of its own, while 5060 receives eight and carries the chain on to cmd.exe, the batch file and msdtc.exe. That is consistent with a first injection attempt that did not take, followed by a successful one; only the chain under 5060 reaches the persistence location.
PID 3340 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3340 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Windows\SysWOW64\schtasks.exe
PID 3340 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Windows\SysWOW64\schtasks.exe
PID 3340 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Windows\SysWOW64\schtasks.exe
PID 3340 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Users\Admin\AppData\Roaming\msdtc.exe
PID 3340 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Users\Admin\AppData\Roaming\msdtc.exe
PID 3340 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Users\Admin\AppData\Roaming\msdtc.exe
PID 3340 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Users\Admin\AppData\Roaming\msdtc.exe
PID 3340 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Users\Admin\AppData\Roaming\msdtc.exe
PID 3340 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Users\Admin\AppData\Roaming\msdtc.exe
PID 3340 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Users\Admin\AppData\Roaming\msdtc.exe
PID 3340 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Roaming\msdtc.exe C:\Users\Admin\AppData\Roaming\msdtc.exe
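
The table above lists one row per WriteProcessMemory call the sandbox observed, which makes the spawn chain hard to read. The Python below is an added example, not part of the sandbox output: it parses the rows into a process tree, keeps a write count per parent/child edge, and pulls out the edges where a process writes into a child that runs its own image. The rows are copied from the table above; nothing else is assumed.

```python
"""Rebuild the spawn chain from the WriteProcessMemory table above.

Added example for this report; it is not part of the sandbox output. ROWS
holds the table's 39 rows (repeats written as list multiplication), so the
script runs offline against the report's own data and will also run on a
table copied from another report in the same format.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"
MSDTC = r"C:\Users\Admin\AppData\Roaming\msdtc.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
TIMEOUT = r"C:\Windows\SysWOW64\timeout.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"


def _row(src, dst, src_img, dst_img):
    return f"PID {src} wrote to memory of {dst} N/A {src_img} {dst_img}"


# The 39 rows of the table above, in order.
ROWS = (
    [_row(3760, 5060, SAMPLE, SAMPLE)] * 7
    + [_row(5060, 1380, SAMPLE, CMD)] * 3
    + [_row(5060, 1316, SAMPLE, CMD)] * 3
    + [_row(1380, 3620, CMD, SCHTASKS)] * 3
    + [_row(1316, 1496, CMD, TIMEOUT)] * 3
    + [_row(1316, 3340, CMD, MSDTC)] * 3
    + [_row(3340, 324, MSDTC, PS)] * 3
    + [_row(3340, 1192, MSDTC, PS)] * 3
    + [_row(3340, 1616, MSDTC, SCHTASKS)] * 3
    + [_row(3340, 3812, MSDTC, MSDTC)] * 8
)

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


@dataclass
class Tree:
    edges: Counter = field(default_factory=Counter)      # (src_pid, dst_pid) -> number of writes
    image: dict = field(default_factory=dict)            # pid -> image path
    children: defaultdict = field(default_factory=lambda: defaultdict(list))


def parse_rows(rows):
    """One table row -> (src_pid, dst_pid, src_image, dst_image); other lines are skipped."""
    events = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            events.append((int(src), int(dst), src_img, dst_img))
    return events


def build_tree(events):
    tree = Tree()
    for src, dst, src_img, dst_img in events:
        tree.image[src] = src_img
        tree.image[dst] = dst_img
        if tree.edges[(src, dst)] == 0:          # first write to this child: record the spawn
            tree.children[src].append(dst)
        tree.edges[(src, dst)] += 1
    return tree


def roots(tree):
    """PIDs that write to others but are never written to: the initially executed sample."""
    targets = {dst for _, dst in tree.edges}
    return sorted(pid for pid in tree.image if pid not in targets)


def same_image_writes(tree):
    """Edges where a process writes into a child that runs the same image.

    Every ordinary spawn in this table (cmd, schtasks, timeout, powershell)
    shows exactly three writes; the two same-image edges show 7 and 8. With
    the report's SetThreadContext signature that is the shape of a loader
    starting a copy of itself and writing a payload into it.
    """
    return [(s, d, n) for (s, d), n in sorted(tree.edges.items())
            if tree.image[s] == tree.image[d]]


def render(tree, pid=None, depth=0, writes=None):
    """Indented spawn chain, one line per PID, with the write count on each edge."""
    lines = []
    for node in ([pid] if pid is not None else roots(tree)):
        name = tree.image[node].rsplit("\\", 1)[-1]
        tag = f"  [{writes} writes]" if writes is not None else ""
        lines.append("  " * depth + f"{node} {name}{tag}")
        for child in tree.children.get(node, []):
            lines += render(tree, child, depth + 1, tree.edges[(node, child)])
    return lines


if __name__ == "__main__":
    tree = build_tree(parse_rows(ROWS))
    print("\n".join(render(tree)))
    print("same-image writes:", same_image_writes(tree))
```

Run stand-alone it prints the eleven-process tree rooted at PID 3760 and the two same-image edges (3760 into 5060, 3340 into 3812), which is the pair worth dumping from memory first.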

Processes

C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe

"C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FITGzizVFD.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FITGzizVFD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB8D0.tmp"

C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe

"C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"

C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe

"C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD1D7.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\msdtc.exe

"C:\Users\Admin\AppData\Roaming\msdtc.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\msdtc.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FITGzizVFD.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FITGzizVFD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp32E2.tmp"

C:\Users\Admin\AppData\Roaming\msdtc.exe

"C:\Users\Admin\AppData\Roaming\msdtc.exe"
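
The Processes list shows the installer chain end to end: the sample copies itself to C:\Users\Admin\AppData\Roaming\msdtc.exe (the Files section below lists that file with SHA256 fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e, the hash the sample file is named after, so the copy is byte-identical), adds Windows Defender exclusions with Add-MpPreference for itself, the copy and a further path FITGzizVFD.exe, registers one scheduled task from an XML definition in %TEMP% and another that runs the copy at logon with /rl highest, and runs a .bat from %TEMP%; in the WriteProcessMemory table one cmd.exe spawns schtasks.exe and the other spawns timeout.exe followed by msdtc.exe, which matches those two cmd.exe command lines. The Python below is an added example, not sandbox output: it runs the five checks a responder would apply to these command lines (Defender exclusion, scheduled-task options, batch file from a user-writable path, timeout delay, a Windows binary name running outside \Windows). The set of user-writable path prefixes and the list of system binary names are illustrative choices, not from the report.

```python
"""Triage rules for the command lines in the Processes list above.

Added example for this report, not part of the sandbox output. COMMAND_LINES
holds the list above in order; each rule reads only the command-line text,
so the same code runs over Sysmon event 1 or EDR process-creation logs.
Technique IDs are the standard ATT&CK ones for each behaviour.
"""
import re
from collections import Counter
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe"
MSDTC = r"C:\Users\Admin\AppData\Roaming\msdtc.exe"
SECOND = r"C:\Users\Admin\AppData\Roaming\FITGzizVFD.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
XMLTASK = r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FITGzizVFD" /XML "C:\Users\Admin\AppData\Local\Temp\{}"'
ONLOGON = f"schtasks /create /f /sc onlogon /rl highest /tn \"msdtc\" /tr '\"{MSDTC}\"'"

# The fifteen command lines of the Processes list above, in order.
COMMAND_LINES = [
    f'"{SAMPLE}"',
    f'"{PS}" Add-MpPreference -ExclusionPath "{SAMPLE}"',
    f'"{PS}" Add-MpPreference -ExclusionPath "{SECOND}"',
    XMLTASK.format("tmpB8D0.tmp"),
    f'"{SAMPLE}"',
    f'"{SAMPLE}"',
    f'"C:\\Windows\\System32\\cmd.exe" /c {ONLOGON} & exit',
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD1D7.tmp.bat""',
    ONLOGON,
    "timeout 3",
    f'"{MSDTC}"',
    f'"{PS}" Add-MpPreference -ExclusionPath "{MSDTC}"',
    f'"{PS}" Add-MpPreference -ExclusionPath "{SECOND}"',
    XMLTASK.format("tmp32E2.tmp"),
    f'"{MSDTC}"',
]


@dataclass
class Finding:
    rule: str
    technique: str
    detail: str
    command_line: str


# Illustrative list of locations a standard user can write to.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Windows\\Temp\\", re.I)
# Illustrative list of Windows binary names that belong under \Windows; extend from your baseline.
SYSTEM_NAMES = {"msdtc.exe", "svchost.exe", "lsass.exe", "csrss.exe", "dllhost.exe"}


def image_path(cmd):
    """First token of a Windows command line, honouring a leading double quote."""
    cmd = cmd.lstrip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(None, 1)[0]


def unquote(s):
    return s.strip().strip("'").strip('"')


def check_defender_exclusion(cmd):
    m = re.search(r'Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+("[^"]*"|\S+)', cmd, re.I)
    if not m:
        return None
    kind, value = m.group(1), unquote(m.group(2))
    where = "user-writable" if USER_WRITABLE.search(value) else "non-user"
    return Finding("defender_exclusion", "T1562.001", f"Exclusion{kind} added for {where} path {value}", cmd)


def check_schtasks(cmd):
    if not re.search(r'\bschtasks(\.exe)?"?\s+/create\b', cmd, re.I):
        return None
    opts = {k.lower(): unquote(v) for k, v in
            re.findall(r"""/(tn|tr|sc|rl|xml)\s+('[^']*'|"[^"]*"|\S+)""", cmd, re.I)}
    reasons = []
    if USER_WRITABLE.search(opts.get("tr", "")):
        reasons.append(f"action runs {opts['tr']} from a user-writable path")
    if opts.get("rl", "").lower() == "highest":
        reasons.append("requests highest run level")
    if opts.get("sc", "").lower() == "onlogon":
        reasons.append("triggers at logon")
    if USER_WRITABLE.search(opts.get("xml", "")):
        reasons.append(f"definition loaded from {opts['xml']}, so the action is not on the command line")
    return Finding("scheduled_task", "T1053.005",
                   f"task {opts.get('tn', '?')}: " + ("; ".join(reasons) or "no suspicious options"), cmd)


def check_temp_batch(cmd):
    m = re.search(r'cmd(\.exe)?"?\s+/[ck]\s+"*([^"]+\.(?:bat|cmd))"*', cmd, re.I)
    if not m or not USER_WRITABLE.search(m.group(2)):
        return None
    return Finding("temp_batch", "T1059.003", f"cmd.exe runs {m.group(2)} from a user-writable path", cmd)


def check_delay(cmd):
    m = re.match(r'\s*"?(?:[^"\s]*\\)?timeout(?:\.exe)?"?\s+(?:/t\s+)?(\d+)', cmd, re.I)
    return Finding("execution_delay", "T1497.003", f"timeout.exe sleeps {m.group(1)} s", cmd) if m else None


def check_masquerade(cmd):
    path = image_path(cmd)
    name = path.rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_NAMES and not re.search(r"\\Windows\\", path, re.I):
        return Finding("masquerade", "T1036.005", f"{name} is a Windows binary name but runs from {path}", cmd)
    return None


RULES = [check_defender_exclusion, check_schtasks, check_temp_batch, check_delay, check_masquerade]


def triage(command_lines):
    findings = []
    for cmd in command_lines:
        for rule in RULES:
            f = rule(cmd)
            if f:
                findings.append(f)
    return findings


def summarize(findings):
    return dict(Counter(f.technique for f in findings))


if __name__ == "__main__":
    found = triage(COMMAND_LINES)
    for f in found:
        print(f"{f.technique} {f.rule}: {f.detail}")
    print(summarize(found))
```

On this list the rules return twelve findings: four Defender exclusions, four scheduled-task creations (the cmd.exe wrapper and the bare schtasks call are reported separately, as they are separate process-creation events), one batch file from %TEMP%, one timeout delay and two runs of msdtc.exe from the Roaming profile.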

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
UA 194.147.140.157:3361 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
UA 194.147.140.157:3361 tcp
UA 194.147.140.157:3361 tcp
UA 194.147.140.157:3361 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
UA 194.147.140.157:3361 tcp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
UA 194.147.140.157:3361 tcp
UA 194.147.140.157:3361 tcp
UA 194.147.140.157:3361 tcp
UA 194.147.140.157:3361 tcp
UA 194.147.140.157:3361 tcp
UA 194.147.140.157:3361 tcp
UA 194.147.140.157:3361 tcp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp
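
The Network table mixes reverse DNS lookups sent to 8.8.8.8 with twelve TCP connections to 194.147.140.157:3361, and no forward lookup appears anywhere in the capture, so the controller address is reached directly rather than by name. The Python below is an added example, not sandbox output: it parses the rows, separates PTR lookups from forward lookups, and reports TCP destinations that are contacted repeatedly on an uncommon port. The rows are copied from the table above; the set of ports treated as common and the minimum connection count are illustrative thresholds, not from the report.

```python
"""Split the Network table above into background DNS and repeated C2 traffic.

Added example for this report, not sandbox output. NETWORK_ROWS is the table
above (the domain column is empty on TCP rows). candidate_c2() reports TCP
destinations hit repeatedly on an uncommon port and, for context, which names
the host resolved forward and which addresses it resolved in reverse.
"""
import re
from collections import Counter

# The 23 rows of the Network table above, in order.
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
UA 194.147.140.157:3361 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
UA 194.147.140.157:3361 tcp
UA 194.147.140.157:3361 tcp
UA 194.147.140.157:3361 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
UA 194.147.140.157:3361 tcp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
UA 194.147.140.157:3361 tcp
UA 194.147.140.157:3361 tcp
UA 194.147.140.157:3361 tcp
UA 194.147.140.157:3361 tcp
UA 194.147.140.157:3361 tcp
UA 194.147.140.157:3361 tcp
UA 194.147.140.157:3361 tcp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")
COMMON_PORTS = {53, 80, 443, 8080, 8443}   # illustrative; tune to the environment


def parse_rows(text):
    """Table rows -> dicts; the header and anything that does not parse is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def ptr_target(name):
    """'17.160.190.20.in-addr.arpa' -> '20.190.160.17'; None for anything that is not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name or not name.endswith(suffix):
        return None
    return ".".join(reversed(name[: -len(suffix)].split(".")))


def forward_lookups(rows):
    """Names the host tried to resolve forward, i.e. DNS queries that are not PTR names."""
    return sorted({r["domain"] for r in rows
                   if r["proto"] == "udp" and r["port"] == 53 and r["domain"]
                   and ptr_target(r["domain"]) is None})


def reverse_lookups(rows):
    """Addresses the host reverse-resolved, as dotted quads."""
    return sorted({ptr_target(r["domain"]) for r in rows if ptr_target(r["domain"])})


def candidate_c2(rows, min_connections=3):
    """TCP destinations contacted repeatedly on an uncommon port, with DNS context attached."""
    names, reversed_ips = forward_lookups(rows), set(reverse_lookups(rows))
    hits = Counter((r["ip"], r["port"]) for r in rows if r["proto"] == "tcp")
    return [{"ip": ip, "port": port, "connections": n,
             "forward_lookups_in_capture": names,
             "ip_reverse_resolved": ip in reversed_ips}
            for (ip, port), n in hits.most_common()
            if n >= min_connections and port not in COMMON_PORTS]


if __name__ == "__main__":
    rows = parse_rows(NETWORK_ROWS)
    print("reverse lookups:", reverse_lookups(rows))
    print("forward lookups:", forward_lookups(rows))
    for hit in candidate_c2(rows):
        print("candidate C2:", hit)
```

For this capture the only candidate is 194.147.140.157:3361 with twelve connections, an empty forward-lookup list and no reverse lookup of that address, which is what a hard-coded controller address looks like in sandbox traffic.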

Files

memory/3760-0-0x0000000074870000-0x0000000075020000-memory.dmp

memory/3760-1-0x0000000000890000-0x0000000000904000-memory.dmp

memory/3760-2-0x0000000005970000-0x0000000005F14000-memory.dmp

memory/3760-3-0x00000000052F0000-0x0000000005382000-memory.dmp

memory/3760-4-0x00000000052D0000-0x00000000052E0000-memory.dmp

memory/3760-5-0x00000000054B0000-0x00000000054BA000-memory.dmp

memory/3760-6-0x00000000058F0000-0x0000000005904000-memory.dmp

memory/3760-7-0x0000000005920000-0x000000000592A000-memory.dmp

memory/3760-8-0x0000000005930000-0x000000000593C000-memory.dmp

memory/3760-9-0x0000000006600000-0x0000000006654000-memory.dmp

memory/3760-10-0x0000000008C40000-0x0000000008CDC000-memory.dmp

memory/3760-11-0x0000000074870000-0x0000000075020000-memory.dmp

memory/3760-16-0x00000000052D0000-0x00000000052E0000-memory.dmp

memory/1532-17-0x0000000004F50000-0x0000000004F86000-memory.dmp

memory/1532-18-0x0000000074870000-0x0000000075020000-memory.dmp

memory/1532-19-0x0000000005710000-0x0000000005D38000-memory.dmp

memory/1148-20-0x0000000074870000-0x0000000075020000-memory.dmp

memory/1148-21-0x0000000000E40000-0x0000000000E50000-memory.dmp

memory/1148-22-0x0000000000E40000-0x0000000000E50000-memory.dmp

memory/1532-24-0x00000000050D0000-0x00000000050E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB8D0.tmp

MD5 cc76898055b19a9816d0f9d966112a2b
SHA1 0eb865bd7cfbe37652e58ccc778f82e582fc03ba
SHA256 07553f956e42e2c7822ba99bab8b53f6ef8aa94e58346ad994589af8c68f0b64
SHA512 d71e8906a05e26df2c3bfc2de96b865dfcd706a3dbab88f88fb43b0da8e16df600600ff4dd8f8223c911cbd1c92d64bcc3d504b6b9d34ffba040761f6ad71c14

memory/1532-23-0x00000000050D0000-0x00000000050E0000-memory.dmp

memory/1148-26-0x0000000005140000-0x0000000005162000-memory.dmp

memory/1532-28-0x0000000005EF0000-0x0000000005F56000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g1lo1omz.aph.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5060-47-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1532-27-0x0000000005E10000-0x0000000005E76000-memory.dmp

memory/1148-48-0x0000000005B60000-0x0000000005EB4000-memory.dmp

memory/5060-49-0x0000000074870000-0x0000000075020000-memory.dmp

memory/3760-51-0x0000000074870000-0x0000000075020000-memory.dmp

memory/1148-52-0x0000000006020000-0x000000000603E000-memory.dmp

memory/1148-53-0x00000000060E0000-0x000000000612C000-memory.dmp

memory/1148-54-0x0000000000E40000-0x0000000000E50000-memory.dmp

memory/1532-55-0x00000000050D0000-0x00000000050E0000-memory.dmp

memory/1532-56-0x000000007F870000-0x000000007F880000-memory.dmp

memory/1532-57-0x0000000006AF0000-0x0000000006B22000-memory.dmp

memory/1148-58-0x0000000075120000-0x000000007516C000-memory.dmp

memory/1148-69-0x00000000065E0000-0x00000000065FE000-memory.dmp

memory/1532-68-0x0000000075120000-0x000000007516C000-memory.dmp

memory/1532-79-0x0000000007730000-0x00000000077D3000-memory.dmp

memory/1532-81-0x0000000007E70000-0x00000000084EA000-memory.dmp

memory/1148-80-0x0000000007340000-0x000000000735A000-memory.dmp

memory/1148-82-0x00000000073B0000-0x00000000073BA000-memory.dmp

memory/1532-83-0x0000000007AB0000-0x0000000007B46000-memory.dmp

memory/1532-84-0x0000000007A30000-0x0000000007A41000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

memory/1148-89-0x0000000007570000-0x000000000757E000-memory.dmp

memory/5060-91-0x0000000074870000-0x0000000075020000-memory.dmp

memory/1532-90-0x0000000007A70000-0x0000000007A84000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD1D7.tmp.bat

MD5 06458189843302b8b941a048c6675465
SHA1 c4ebe5d01917e0c738bf0a4190dd80cf91d1fa4a
SHA256 0cc40df055554a5f8caaa0a8e4114cd8a4a9bfc1ad11633b10a2896333ac75ca
SHA512 fceb58e7187c336168fab07804fbb3894990d397127af30f0f5a339f4277299276b35baf4a778c0dec7a82452fc653515b9892babc5567d4734be7d4d35100f8

memory/1148-93-0x0000000007680000-0x000000000769A000-memory.dmp

memory/1148-94-0x0000000007660000-0x0000000007668000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3e529c353051d245a094ed31e0a9bfb5
SHA1 e50ba7768527efa7cf2125fb5ff35775a24350b7
SHA256 e367658c804506edba9b0f8bbb20fc3c1758a1d76bd076b66d301344410dc4e3
SHA512 4b02c0c398b9cc48f8709ef9a96476147a89326b63119319656b60acb3f3d69418163cd97aad8ec90710e86a3cfc74551db78c1eb21856b35af103d74640ca96

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/1148-100-0x0000000074870000-0x0000000075020000-memory.dmp

memory/1532-101-0x0000000074870000-0x0000000075020000-memory.dmp

C:\Users\Admin\AppData\Roaming\msdtc.exe

MD5 ead981cd98146fabe078992943b0329d
SHA1 a20ba9450187e13e3ed62e6beab4d2bec788df01
SHA256 fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e
SHA512 a20fc11777c75d1062c16407b0f77098e93cdfa28afae053fd8671b56afc234c4bce9243dcd516adb95183a8d4aa58dafb850bd54c996c7507b2bf51c0fcb03a

memory/3340-105-0x0000000074830000-0x0000000074FE0000-memory.dmp

memory/3340-106-0x00000000027E0000-0x00000000027F0000-memory.dmp

memory/3340-108-0x0000000074830000-0x0000000074FE0000-memory.dmp

memory/324-109-0x0000000074830000-0x0000000074FE0000-memory.dmp

memory/324-110-0x00000000054A0000-0x00000000054B0000-memory.dmp

memory/324-111-0x00000000054A0000-0x00000000054B0000-memory.dmp

memory/1192-112-0x0000000000C90000-0x0000000000CA0000-memory.dmp

memory/1192-114-0x0000000074830000-0x0000000074FE0000-memory.dmp

memory/324-126-0x0000000006400000-0x0000000006754000-memory.dmp

memory/3812-128-0x0000000074830000-0x0000000074FE0000-memory.dmp

memory/3340-129-0x0000000074830000-0x0000000074FE0000-memory.dmp

memory/324-140-0x0000000006EE0000-0x0000000006F2C000-memory.dmp

memory/324-141-0x00000000054A0000-0x00000000054B0000-memory.dmp

memory/324-143-0x0000000075160000-0x00000000751AC000-memory.dmp

memory/324-142-0x000000007EFF0000-0x000000007F000000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2310d170d3073d359153effcff4c11ff
SHA1 c82999f1651a2c6f7e3cce447ba85febdf10bd76
SHA256 59267b783e32f9273993595cad4153404dea3aadb0854de082b008a294052ab8
SHA512 7c2acf3a0c0036a79944f09c331c0ad0c6b7d37d07d4cf8f09191d935d7d6e0b50d92eac1dad2c37612fb13e51f4952286c78fde5023688b1324f08b42e774a2