asyncrat | hxxps://gofile[.]io/d/jY1CkK

Analysis

max time kernel
145s
max time network
141s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
25/09/2024, 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/jY1CkK

Score

10^/10

asyncrat default defense_evasion discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

127.0.0.1:1337

Mutex

dIdD3t8xZS0Q

Attributes

delay
3
install
true
install_file
plaguefix.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000100000002aaa3-82.dat	family_asyncrat

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
5112	plaguefix.exe
572	plaguefix.exe
1936	plaguefix.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\plaguefix.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plaguefix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plaguefix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plaguefix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2680	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 514282.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\plaguefix.exe:Zone.Identifier	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4172	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
3712	msedge.exe
3712	msedge.exe
4508	msedge.exe
4508	msedge.exe
5028	identity_helper.exe
5028	identity_helper.exe
1632	msedge.exe
1632	msedge.exe
3324	msedge.exe
3324	msedge.exe
5112	plaguefix.exe
5112	plaguefix.exe
5112	plaguefix.exe
5112	plaguefix.exe
5112	plaguefix.exe
5112	plaguefix.exe
5112	plaguefix.exe
5112	plaguefix.exe
5112	plaguefix.exe
5112	plaguefix.exe
5112	plaguefix.exe
5112	plaguefix.exe
5112	plaguefix.exe
5112	plaguefix.exe
5112	plaguefix.exe
5112	plaguefix.exe
5112	plaguefix.exe
5112	plaguefix.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeBackupPrivilege	2448	svchost.exe
Token: SeRestorePrivilege	2448	svchost.exe
Token: SeSecurityPrivilege	2448	svchost.exe
Token: SeTakeOwnershipPrivilege	2448	svchost.exe
Token: 35	2448	svchost.exe
Token: SeDebugPrivilege	5112	plaguefix.exe
Token: SeDebugPrivilege	572	plaguefix.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 4548	4508	msedge.exe	78
PID 4508 wrote to memory of 4548	4508	msedge.exe	78
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 4364	4508	msedge.exe	79
PID 4508 wrote to memory of 3712	4508	msedge.exe	80
PID 4508 wrote to memory of 3712	4508	msedge.exe	80
PID 4508 wrote to memory of 728	4508	msedge.exe	81
PID 4508 wrote to memory of 728	4508	msedge.exe	81
PID 4508 wrote to memory of 728	4508	msedge.exe	81
PID 4508 wrote to memory of 728	4508	msedge.exe	81
PID 4508 wrote to memory of 728	4508	msedge.exe	81
PID 4508 wrote to memory of 728	4508	msedge.exe	81
PID 4508 wrote to memory of 728	4508	msedge.exe	81
PID 4508 wrote to memory of 728	4508	msedge.exe	81
PID 4508 wrote to memory of 728	4508	msedge.exe	81
PID 4508 wrote to memory of 728	4508	msedge.exe	81
PID 4508 wrote to memory of 728	4508	msedge.exe	81
PID 4508 wrote to memory of 728	4508	msedge.exe	81
PID 4508 wrote to memory of 728	4508	msedge.exe	81
PID 4508 wrote to memory of 728	4508	msedge.exe	81
PID 4508 wrote to memory of 728	4508	msedge.exe	81
PID 4508 wrote to memory of 728	4508	msedge.exe	81
PID 4508 wrote to memory of 728	4508	msedge.exe	81
PID 4508 wrote to memory of 728	4508	msedge.exe	81
PID 4508 wrote to memory of 728	4508	msedge.exe	81
PID 4508 wrote to memory of 728	4508	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/jY1CkK
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffab2203cb8,0x7ffab2203cc8,0x7ffab2203cd8
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,17815450956153668089,6863148351237427222,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,17815450956153668089,6863148351237427222,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,17815450956153668089,6863148351237427222,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2544 /prefetch:8
  2⤵
  PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17815450956153668089,6863148351237427222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:2504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17815450956153668089,6863148351237427222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17815450956153668089,6863148351237427222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,17815450956153668089,6863148351237427222,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17815450956153668089,6863148351237427222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2808 /prefetch:1
  2⤵
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17815450956153668089,6863148351237427222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,17815450956153668089,6863148351237427222,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,17815450956153668089,6863148351237427222,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5788 /prefetch:8
  2⤵
  PID:2116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,17815450956153668089,6863148351237427222,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5872 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17815450956153668089,6863148351237427222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:1
  2⤵
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17815450956153668089,6863148351237427222,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17815450956153668089,6863148351237427222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1764 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17815450956153668089,6863148351237427222,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
  2⤵
  PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,17815450956153668089,6863148351237427222,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6056 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2100

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3328

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Users\Admin\Downloads\plaguefix.exe
"C:\Users\Admin\Downloads\plaguefix.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5112
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "plaguefix" /tr '"C:\Users\Admin\AppData\Roaming\plaguefix.exe"' & exit
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1280
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "plaguefix" /tr '"C:\Users\Admin\AppData\Roaming\plaguefix.exe"'
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp981.tmp.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5056
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2680
- - C:\Users\Admin\AppData\Roaming\plaguefix.exe
    "C:\Users\Admin\AppData\Roaming\plaguefix.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:572

C:\Users\Admin\Downloads\plaguefix.exe
"C:\Users\Admin\Downloads\plaguefix.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\plaguefix.exe.log

Filesize
614B

MD5
fece27917067365b631bc648c66fe066

SHA1
f12c84b1c2b1296091ee06e8654c7065d22cbb44

SHA256
93e03593374ce40bc5d4c57832ebe96d3a6a532766eb6385f568a0383b426d10

SHA512
9b502a6d46b82ccc2c8aff650de664299f0131a82480eb9cec701546e9cd7f1647c0665014035c19da80a6cab267cf896645af827ecdd95287a70994c1ecb662

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e2612636cf368bc811fdc8db09e037d

SHA1
d69e34379f97e35083f4c4ea1249e6f1a5f51d56

SHA256
2eecaacf3f2582e202689a16b0ac1715c628d32f54261671cf67ba6abbf6c9f9

SHA512
b3cc3bf967d014f522e6811448c4792eed730e72547f83eb4974e832e958deb7e7f4c3ce8e0ed6f9c110525d0b12f7fe7ab80a914c2fe492e1f2d321ef47f96d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e8115549491cca16e7bfdfec9db7f89a

SHA1
d1eb5c8263cbe146cd88953bb9886c3aeb262742

SHA256
dfa9a8b54936607a5250bec0ed3e2a24f96f4929ca550115a91d0d5d68e4d08e

SHA512
851207c15de3531bd230baf02a8a96550b81649ccbdd44ad74875d97a700271ef96e8be6e1c95b2a0119561aee24729cb55c29eb0b3455473688ef9132ed7f54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
7b0a4944a0f479c703386b13b3df6e19

SHA1
dffae3ac90a29182fe8e0f57a5c6455637f61ad8

SHA256
30c6725b14cb84ff89bbb9c4d8b53ef3ab9d66b42a573c050550942b5df691f2

SHA512
230f560f1518a58a1fa48b98696b316843e4d0f0d2baa1d29247e7164359091fa7b6745295a0a1f9be1defa939b504597c20be0f06001ca5c23600edcb7b6116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
d3dec18bb94719971f2fca51c7457284

SHA1
fbe56fd514e178ecccb27b047e9c4a28f85969c4

SHA256
49bf2e0fd563e5a70eef9e3826e4e676d36763b75a56a667b99d061d8e40c433

SHA512
a5dbb443eb2e99435f0b302177eaee58b207806279d7c3e299371d401277bb0ae008902eb70075664976212571430c26febc7e47d71a47bd3a75829be5f9baa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7e8ad228739d476a7b89fc4bb61402e0

SHA1
78e080cc7162b5936b18d8bdbd2740cce2f353b0

SHA256
9fe0f78192c2463b403bc2955079e5165986fbb076901145c8a245ba8ba9bb91

SHA512
adf4c20c2c9608deaf179fee57dd8195451aef96056d081957f0ccb7d7e9b35745bcf219b5490c90b89b15979ac92f787d5e74bf87af3b2d0ed500a89e403e9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5d3b4b83e0a287938b227785c9e26bc4

SHA1
e3454f64023ddea3a05aae5767f199cfb9d65c80

SHA256
366c1995a763c8a756cfaa713ea59a9493df59222f145442027c53661aaf4719

SHA512
623248d8b11ec48b3bc54ae6f21fe9185ff9b312158f39a9ec6de993b215e84db69420f8045a4e3e1541ad07477c006d152a9f77ed3ff213ac949d2bd14cf1a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a575e15af229862a49e958ffe31307bb

SHA1
a33c5fe469e2eb4f6a24c7b993b5593028afc361

SHA256
65c6ba8fbde1e071c03e689e21b65ae9d355c0893f02e6f9dcdf891cf17e5357

SHA512
311155d71a695c36b16b875db893aabfebcbc4082d27d299bc4e8d81dfedab6a0e1e3d65f5af3946209a0b2552bcba497dad297ce9f5165a07782de384eb7b26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8bfbde99fed3ec4f2df7629efe9579d2

SHA1
20041bfb4ecf5c9b2cd671b5edb722aac9dd62f4

SHA256
4f016b882a939333eea0a9b419eb3e938b3180e8e6cb45b6045be5e533449427

SHA512
3132b670c4f3c9c1cec8ba7f355abd0e4d0587a8ea92a9bf39e25b9a373fabc1dc17f41c1892c96b829f914d6e0782500abf886ba82c82fc81be2fda2cff3c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp981.tmp.bat

Filesize
152B

MD5
6790568ceabe6f652403960a1995fc58

SHA1
8979fb00a9cae4c3273100ae089e9ab3ebba2696

SHA256
3f8c61666b35d432450bb09b9a221f9350fd4a851aea5797b4ff7646069989bc

SHA512
fe3dcf658bdfcaef5785cc09de781fa0c587a40f6e67c9a1bb1b301736f158c67e0b69c7182e7d89baa5be556a055f180ebf9a934ca0c11df63c05098da9c3a2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 514282.crdownload

Filesize
45KB

MD5
f627fb8dbafdbf9ba100db0320b80ab7

SHA1
fd83743498b101971e10aea5291592e29f85b7e3

SHA256
1e05c9cc2df2649a64eab9718b729fc9d88e387369a5be97f862dce3f4c95f0f

SHA512
7aafd02e72c3e5670b5da9ba39f2d72bf284804131644d2f5a3a02e11dae0164dd05edde74e49ccd29e4e046bb1a40bf7a20fb2fabd81fc8fdf068506e576ff4

Download Submit
C:\Users\Admin\Downloads\plaguefix.exe:Zone.Identifier

Filesize
156B

MD5
c11c706e04db08ab8acfd4982e3fb107

SHA1
13b00d71aae3e1b2923b37c58293e91c0041f79f

SHA256
0ab854690df7ea96395627278ebf52523713928cdcd403240d29fef38e2c5a8b

SHA512
71e24e3ad7a67aa0f9992ddb87a4f05dd6998b5a3678aea230a36cf6b36454b2a8f8f184c7171f878b7b0679be67ae9737a114cf5da00eb53975d4921286930c

Download Submit
memory/5112-141-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/5112-144-0x0000000004F40000-0x0000000004FA6000-memory.dmp

Filesize
408KB

Download
memory/5112-145-0x0000000005370000-0x000000000540C000-memory.dmp

Filesize
624KB

Download