asyncrat | hxxps://gofile[.]io/d/IbkPa0

Analysis

max time kernel
301s
max time network
279s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
28-07-2024 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/IbkPa0

Score

10^/10

asyncrat ceva discovery rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

ceva

127.0.0.1:17237

Mutex

skema

Attributes

delay
1
install
true
install_file
grab.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000a00000002339b-150.dat	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	gg2.exe

Executes dropped EXE 2 IoCs

pid	Process
3792	gg2.exe
2904	grab.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2044	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133666708595772447"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4192	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
212	chrome.exe
212	chrome.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
3792	gg2.exe
2904	grab.exe
2904	grab.exe
2904	grab.exe
2904	grab.exe
2904	grab.exe
2904	grab.exe
2904	grab.exe
2904	grab.exe
2904	grab.exe
2904	grab.exe
2904	grab.exe
2904	grab.exe
2904	grab.exe
2904	grab.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1468	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
1468	7zFM.exe
1468	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2904	grab.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 3264	212	chrome.exe	85
PID 212 wrote to memory of 3264	212	chrome.exe	85
PID 212 wrote to memory of 1592	212	chrome.exe	87
PID 212 wrote to memory of 1592	212	chrome.exe	87
PID 212 wrote to memory of 1592	212	chrome.exe	87
PID 212 wrote to memory of 1592	212	chrome.exe	87
PID 212 wrote to memory of 1592	212	chrome.exe	87
PID 212 wrote to memory of 1592	212	chrome.exe	87
PID 212 wrote to memory of 1592	212	chrome.exe	87
PID 212 wrote to memory of 1592	212	chrome.exe	87
PID 212 wrote to memory of 1592	212	chrome.exe	87
PID 212 wrote to memory of 1592	212	chrome.exe	87
PID 212 wrote to memory of 1592	212	chrome.exe	87
PID 212 wrote to memory of 1592	212	chrome.exe	87
PID 212 wrote to memory of 1592	212	chrome.exe	87
PID 212 wrote to memory of 1592	212	chrome.exe	87
PID 212 wrote to memory of 1592	212	chrome.exe	87
PID 212 wrote to memory of 1592	212	chrome.exe	87
PID 212 wrote to memory of 1592	212	chrome.exe	87
PID 212 wrote to memory of 1592	212	chrome.exe	87
PID 212 wrote to memory of 1592	212	chrome.exe	87
PID 212 wrote to memory of 1592	212	chrome.exe	87
PID 212 wrote to memory of 1592	212	chrome.exe	87
PID 212 wrote to memory of 1592	212	chrome.exe	87
PID 212 wrote to memory of 1592	212	chrome.exe	87
PID 212 wrote to memory of 1592	212	chrome.exe	87
PID 212 wrote to memory of 1592	212	chrome.exe	87
PID 212 wrote to memory of 1592	212	chrome.exe	87
PID 212 wrote to memory of 1592	212	chrome.exe	87
PID 212 wrote to memory of 1592	212	chrome.exe	87
PID 212 wrote to memory of 1592	212	chrome.exe	87
PID 212 wrote to memory of 1592	212	chrome.exe	87
PID 212 wrote to memory of 2336	212	chrome.exe	88
PID 212 wrote to memory of 2336	212	chrome.exe	88
PID 212 wrote to memory of 2448	212	chrome.exe	89
PID 212 wrote to memory of 2448	212	chrome.exe	89
PID 212 wrote to memory of 2448	212	chrome.exe	89
PID 212 wrote to memory of 2448	212	chrome.exe	89
PID 212 wrote to memory of 2448	212	chrome.exe	89
PID 212 wrote to memory of 2448	212	chrome.exe	89
PID 212 wrote to memory of 2448	212	chrome.exe	89
PID 212 wrote to memory of 2448	212	chrome.exe	89
PID 212 wrote to memory of 2448	212	chrome.exe	89
PID 212 wrote to memory of 2448	212	chrome.exe	89
PID 212 wrote to memory of 2448	212	chrome.exe	89
PID 212 wrote to memory of 2448	212	chrome.exe	89
PID 212 wrote to memory of 2448	212	chrome.exe	89
PID 212 wrote to memory of 2448	212	chrome.exe	89
PID 212 wrote to memory of 2448	212	chrome.exe	89
PID 212 wrote to memory of 2448	212	chrome.exe	89
PID 212 wrote to memory of 2448	212	chrome.exe	89
PID 212 wrote to memory of 2448	212	chrome.exe	89
PID 212 wrote to memory of 2448	212	chrome.exe	89
PID 212 wrote to memory of 2448	212	chrome.exe	89
PID 212 wrote to memory of 2448	212	chrome.exe	89
PID 212 wrote to memory of 2448	212	chrome.exe	89
PID 212 wrote to memory of 2448	212	chrome.exe	89
PID 212 wrote to memory of 2448	212	chrome.exe	89
PID 212 wrote to memory of 2448	212	chrome.exe	89
PID 212 wrote to memory of 2448	212	chrome.exe	89
PID 212 wrote to memory of 2448	212	chrome.exe	89
PID 212 wrote to memory of 2448	212	chrome.exe	89
PID 212 wrote to memory of 2448	212	chrome.exe	89
PID 212 wrote to memory of 2448	212	chrome.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/IbkPa0
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffb2f7cc40,0x7fffb2f7cc4c,0x7fffb2f7cc58
  2⤵
  PID:3264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1980,i,3381433951056527911,3094017543241893156,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1976 /prefetch:2
  2⤵
  PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1780,i,3381433951056527911,3094017543241893156,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2136 /prefetch:3
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2284,i,3381433951056527911,3094017543241893156,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2432 /prefetch:8
  2⤵
  PID:2448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,3381433951056527911,3094017543241893156,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:2516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,3381433951056527911,3094017543241893156,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:3236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4488,i,3381433951056527911,3094017543241893156,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4448 /prefetch:1
  2⤵
  PID:4688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4724,i,3381433951056527911,3094017543241893156,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3460 /prefetch:8
  2⤵
  PID:3404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5020,i,3381433951056527911,3094017543241893156,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4856,i,3381433951056527911,3094017543241893156,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5104 /prefetch:8
  2⤵
  PID:1860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4544,i,3381433951056527911,3094017543241893156,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  - Drops file in System32 directory
  PID:3156

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5096

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:184

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\gg2.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1468

C:\Users\Admin\Desktop\gg2.exe
"C:\Users\Admin\Desktop\gg2.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3792
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "grab" /tr '"C:\Users\Admin\AppData\Roaming\grab.exe"' & exit
  2⤵
  PID:4024
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "grab" /tr '"C:\Users\Admin\AppData\Roaming\grab.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB987.tmp.bat""
  2⤵
  PID:3984
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2044
- - C:\Users\Admin\AppData\Roaming\grab.exe
    "C:\Users\Admin\AppData\Roaming\grab.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
19cdea6a594d89c611e6301990833cdb

SHA1
3d4b352cce14f28fbdab4ac5447ee0a89ee43630

SHA256
9e83265211f59a60b9d94d6e0e121f0ac88de2577f1386b62d1098d721f9c779

SHA512
6d3f8409e71b2ce3cd9ae749dcad7945ed96c52ad6a99d17502543e62d276534ca79236581a8f79d3de0558986c938304c0c1c0a1a40bb4b9edab1cd8a7303f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
6955dddbd5d42bb4566c58e49dafa312

SHA1
6413929f13fc8fcd89045260a314c425cd4a9cdf

SHA256
65034733661f41bcfe8945c53e19faecd072687d35b495c64914a37a929eebf9

SHA512
8c0356647001836bbfd24e39c6ca146e768e121d98a236500aa24e2b7afecd7fbe7ff8b4ea4aaffd31566b38562046fe49af0abf64bc982759ec523a99e48c3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
0da9965c58106506efc74c215c85ccf7

SHA1
c92fbe2fc03454865daabb0016018bfbe20a0f58

SHA256
a3b3ada10a637ec860096c0e66bd3c435eaa39156d00242f1e18422b7dbbcc46

SHA512
65a953c5e6ecf3fd9594df70dd66032a539c419801e841cf5a8e176995dc5dfe4b42a70b9951f275a61f3c0217c3fe9ecabf4904840f86173910e2b59a31e63d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
12fba65fac8f6d60d0f5a38142bcfc2f

SHA1
88f79f45cf3dd5c2746f9833d78e7b06ccb64faf

SHA256
39bdefd1785dd63d1d0313a13bc2dbfc6e85089b167d5c433bde34c0ce734834

SHA512
e97325360d0d4ccfb3ae352e90d7414cc997a1551779c935639a49ef65861ce7c340595f530dd0e29338c2a1ba63e28c818982464ab3df6627243ed208f6b53d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
de0ee52e379ad32cd2137b16620fc3e8

SHA1
bd77bd08386cf127ed053de4933c1c507c0fc088

SHA256
4c8006e235c7de8cc705daaa5cf8c608dfe718804b2a9cc9f0ddf56066f110ff

SHA512
d85ac1fdef0e52c947e789020c364b79dcfb073b16c4143f169d233a0cfa6494e4d731468d0468bec222ef0464bd1c8f48271f0ece4dc000f2c9831e06be03ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
bc0a11e109ee2bb3217ca91a44f0d13a

SHA1
4c026a5101c3ea7b514aa38c19adb519e5445dec

SHA256
5f84a2c0040c8e947061740dd064c7d81b4bc937a2da2508d217b3f9abf72e12

SHA512
8ac30f62e7a55b6656c2565e714d69c547569b90a48a201ef12352eeae135674d9fe8207ba59b2d271a90fec87ffebd148686c4ae856fa75e29240018b93f9b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d03398f5013a8ec14f99eb4a3ddaf8a7

SHA1
ed9dae1fa3e90f1331ab003a3895f6630be07755

SHA256
9cb82534af6b38cc47c22b5eae808900cc67bf27f50a96b5e8a3cf6d1e841cce

SHA512
fd35583b8c2a0e52916dc4a50180ae5ca2ee66a4c667647102b9a55b95e7f79b4b26a3631246a355e8494e113b6d327871d4e40bc041ab0e72f0309f687d888c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
42b2e5dc4d19e349d0820b94df22dbbc

SHA1
90043a8663a8e98365b8c75d3ad09e1147aae85e

SHA256
80ad2f0af23ac164fbccbbfa34ceaa9d4b8ce1da93e4a57a9e1928c3dc2489e8

SHA512
8a2348de550bc22c1111e045bc5e72dabaa03099549f27d9386aa0f1ee43051fbe2ebaeb4d9cfffed073031ea3473722c07eb78c635a713ef019eaecde4c82e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b6d49320f9bb37182b3b19003b0ff7c5

SHA1
09a79e44c4ce489f94baccbc42414ed9789bf48c

SHA256
186b31eb7a668525ae77da6dc76822d24ec3f09b32a1f6dceacd45a64a639c12

SHA512
c454069114317deecfe22ff2e530d7d85606701a91e134c7eea3dbd985375d22a53f506cb9cad2a5226e8bec6d852c583a552883cfbac5aadbfc2b10813a899f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7723995d7291f5defc557089787c173b

SHA1
e193a1dce830d23999cd149357431499525436ab

SHA256
49a576ac9f9132958fabed1a643b5b6fbc8617bd09777af17237a6524fb2e6f8

SHA512
354e0e2dfd5ecbd076cb6f9cfde040ea4b9b0e9b6de3c92ee7ef86f10bf122db7bacab053261bf47e61acbcc2b32ee23c987b5530bb7a488489d5f624854cebe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7d8042438434f1d190592a20411008cc

SHA1
d3bcb8aa81f2f602e1b953a33685159228dd64d8

SHA256
7823eea6cce4dc7937d28f6615c00e0c506dfd13c5357dbd21a7950774896762

SHA512
9d6b9f4d8effacd1d501a3d465e628465a6cd4f026711b9083d2154b2f604c1f71e1b4780c5b1b19da1427abad6429815b14645d5abddb8e101517fb08ce6f20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8cac464aae466e772bb4c781008e707d

SHA1
b4989261961f3e870b60cdd2c6885c529904e7ed

SHA256
3db995b531a10f21d99d0a4159a56c4ee95ba9205234bbdcfd0266257b35dbf1

SHA512
203c91ef4e7c58ce5a45c9d2f6a8159dfaf549fadeb665b025d601f9cd5d189d23e05b8dba4972dea5451229159476fc612b15297ea9e173579c120611abd641

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0b97eb21758bd9625b97c770b2a1c312

SHA1
e0010ba4c02f13691e7fd7e3c75365d187276f4a

SHA256
3cf95a0db4bca3f4f69b02bde54f4af17f3e57cd0ece7f934bea21c7726a2533

SHA512
4d6ed76e6f2ee91a20d70717d887571ea5bdaf5653c529d3a1b00ebd71b10645a4ce4f075f5a4a54ff6c1ba0f025d064728806f876a073da08702ff0a69f6145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2d55aa3f9c7e5faf8618d81f944ef7d5

SHA1
f6bb1d76df7265e4bf7924c80808dc9b545c1ffc

SHA256
4d1fce540d2dc461db664bdb2f17863245532d9af92eac564094eacf270c9e3e

SHA512
4b872b05900b765eaf036c0e403d6626a1d9b6a4fb3299edd76a9041324b18b46453925f5cf8d6791d53cbd2e8e9d3a3c2e367c8246a1e346debc98d76a19bbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
303f25479adbfe00417c2d9e27c4172c

SHA1
fc8c5062da578086fd76bbeb7b16a4bedd843078

SHA256
86571dd9ee6a5a1e325c766448a32425f8016bddd41880380016dcab29b9ab29

SHA512
f30030a12e23e06dbadd337c610d39071493c47067a8b9d10c09626cd7432a321266e81d0bb764c5e76eee3e02aa530016891491ce8da9fd7221100cac3baef1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6432eb8bc860a20d38af6241c94aecc3

SHA1
4050c59e0e377d6bb997d691fd7f21fb7d9c3a5f

SHA256
bfce20e88e068092fcdf1d74c840afe83a32ea68e016aae8c639c443b2f429bd

SHA512
7b3e18cdf43cb504ffca1b69b87ca650e6d33a40dd45da3e7ec2053858b054e82d4e4b9fc3bf034dcb291720c4ec85716fce7c2ca5d6de74406921ab7d99197f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9443622b8cca73d753d2b554581cdba1

SHA1
d91fc40b710bdd55ea6752bc8cf2763363f47eef

SHA256
4dfc06804e7f0c323935b965e0c5806561c99acdb817ac452fc08226acd35159

SHA512
c7c97a300339e846125d129f5c5e08dee40acd171829b0e26d0c91a3ee58ac7c910451cc42183003e79de88516843ab7c9e2f0681dd3896f61dab54c961a1887

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d7e80bf07ebed558b81c1410cc684acc

SHA1
5f2c05b5049d17921feae2002770ab2e7ceb7d36

SHA256
c952d2332acef0cd1020b7427c5a729e21dbff19c0ea0e53b4942fc53bc082f9

SHA512
4d912ca1d6ec7817b26243fb822039ed3d1fffcc6f7627d773d3368292823e4d208dd4635091961f266aa48c7f716398e050bf09169fda82663ab0d2c344fc13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0cc42532762a9c6210f5f6ced77e9c92

SHA1
6e40dc3bfd8b7261afa681f901e2f364ef5f5c16

SHA256
d89f40ff8da2fb9c25ee9f91f1c9d120e9c29ce5ae5053f3b3de908b828f14e2

SHA512
9e0e68226063c86bd727c1fbf36dec0d7339a04956d32174f4b5415a9bd5584c6c1aa972e5ce64ccff2e4efa17982ac556577f26350d50238bd041e186d96e7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f1504c1db920acc0c054b7e624156e0f

SHA1
4354173d43d4dd013e3d7177ec0caa3bbf017b15

SHA256
629a953a792b4ddb0cd9328586e99ddb5b45ec3ab33806de6041cef0fa51369c

SHA512
82a7980bf56d44b5ed76ce1459c08370950cce9a63e662e67b602f4431ce6c0c4075e59a3d5a1fcaf962406deee8f87ca4c64257a39ceea1dfff95c6c3c77c50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9e55fb5722af218414237151f32b4888

SHA1
21aad8b7da261b3cb40661be2567792ad0845c86

SHA256
d45888e9e50a2e631ba2223efc9bff3f95d9b85ce514c30954eee494f51bddcd

SHA512
c6ee877a0c464965f8b68a8549a73b69719e79598c75e02609e67fe7bdb86487c33e2791545e7f639ec2e5a346888ecbdfe5c3bfa9d226b12260f03ef43266db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dc9d0252824bdca11c11205aa450c3bc

SHA1
284acdb084ba8abc501e621092d021b24c166706

SHA256
1fa387e00e4f6f693df7d215d8fa8becdf94daeec3d4c56d8878575070e42e99

SHA512
5392a0b92686ba2252db8848a344dc586b1e8f8517cfe9023a160659ed18065bbc4c2cbbc4fc8c4d8ea86cc88727ab887343df0b558447dd51a94439428e94de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
41cce7586919dcdfaf32ed7cad837a65

SHA1
4a2efb66aa30ed46d4712cc4e34ce583b9573bde

SHA256
0d706e8a40850dbd97e7448d9a2b7987cdea187158ad06975e97d2084a96fe46

SHA512
a4b9e582a6e0e90b299c04441b9d9d75069b7fb4380469c4b24f3c1848651f445785a37641af7fd88a820aca479a53fadf432be72b894ba2a4f46dabea01c4ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
888105597ad00055ea2424dc595d4e81

SHA1
334e04355421edb54ba4565bee48edcd3753e05c

SHA256
ee2c0196f3c0bce43273fae5b262615d9c32c1a2e8c73b70c4e7154f514d1071

SHA512
2428ad33958738b82ed28ec1206235901888f61b70f8026f154f0f60b33ed85dfcb69b6c86b6bff1ce8d15df91ac758a5e7c064417de8ed8869969ec97963865

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
8878c492c126b9c34ccbcabe1ff72ef1

SHA1
85e0349a07a4e50794de02fe4b5dab482a7709fb

SHA256
8d2043ff8888cbd91a2261b311c679470822a83df7f93288e0038e335db249de

SHA512
7be4a02c7b8f342e3f2dc68d2ab6944d29794347117d1dea92bfec787b6f0dde16b9c2b0c15cb81f7fe8b505b60d8807126bd7fc19531f2356dc59401a158023

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB987.tmp.bat

Filesize
148B

MD5
dd988eeb838374e9801735e1355198cb

SHA1
0607775fea6873f51d480d36eb677073b52f5e3d

SHA256
8d4cdd672dcf823bf419b18a945cdce4517fb592a103165d162e84b088a1c366

SHA512
a41cd306bd2c2e774358d802d1d5d670363758a9c451503e9d14b494d2403391b8d1a74727ea3e768a5317d6eb17515ac2c33043fd0de65732ffbd607a41b123

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\Desktop\gg2.exe

Filesize
74KB

MD5
578cec0c76993fc582c16e4e7c89f99b

SHA1
13ef68a7460bde6635307caac02c16f86048a8c7

SHA256
09b94896838343af498a769f7ae046e40b77187c79d3492f5bb2ad67f92a363c

SHA512
e820e8a5919047b7d05e20cb0bdc59f95b64907297591d388806f4f992e25a7abd12f8d9f22def893f3580faefd387cce2ebab975a5b3346b6f2660b2c655994

Download Submit
C:\Users\Admin\Downloads\gg2.rar

Filesize
32KB

MD5
22ac041effd774c14e752c5bbcafb44d

SHA1
535cd13cb14b754d59b3972348e168c10c183636

SHA256
18ce7dc8e7abe9d6803adc57c2e06fd8b6d5dc65eb8b6c57fd1d9ada7c9479d1

SHA512
df75a57527b4bd19013482b9f5bc808c1955555d01879f72bd4319b830536e43faf5379dc087f71bead79363ea524f16edd5546a773dce8980ce1ad7250d143c

Download Submit
memory/3792-152-0x0000000000CF0000-0x0000000000D08000-memory.dmp

Filesize
96KB

Download