asyncrat | 35c4d936db755868a37561663cd4b279b338413db5f89c2f9df71d74a6d35b61

Analysis

max time kernel
32s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
04/12/2024, 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

2.1MB
MD5

a07c79f9e2dd72f3b884928ee384344e
SHA1

88df6b54a3e53a501b09b32de2def406820879fa
SHA256

35c4d936db755868a37561663cd4b279b338413db5f89c2f9df71d74a6d35b61
SHA512

cdb6957a1e59b053fdd8f0d43d9b1ba575da2140c5d2c547b87e8a5b1199f2d071f66152ade3cfdb5294903cf42f395a948b28ea87aef9d9aa6eacdeaffdd1fd
SSDEEP

49152:5ZosvRgdkadC7i03aQAZutzArxizJZTrEbupmpVwMgc:5Zostak7RGuqGJZXdpmIn

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

193.161.193.99:53757

Mutex

hsaurcrgqwhjimnkbht

Attributes

delay
1
install
true
install_file
Load.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x001b00000002aae0-7.dat	family_asyncrat

Executes dropped EXE 25 IoCs

pid	Process
2780	Load.exe
3988	Load.exe
128	Load.exe
3888	Load.exe
3912	Load.exe
3020	Load.exe
3416	Load.exe
2616	Load.exe
1012	Load.exe
3428	Load.exe
2952	Load.exe
4740	Load.exe
2136	Load.exe
1604	Load.exe
2184	Load.exe
4280	Load.exe
3404	Load.exe
2100	Load.exe
712	Load.exe
1672	Load.exe
4972	Load.exe
3208	Load.exe
2804	Load.exe
3784	Load.exe
2824	Load.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 13 IoCs

evasion

pid	Process
2592	timeout.exe
3600	timeout.exe
4648	timeout.exe
1276	timeout.exe
3400	timeout.exe
3576	timeout.exe
1532	timeout.exe
5076	timeout.exe
4872	timeout.exe
912	timeout.exe
2368	timeout.exe
4988	timeout.exe
2656	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1500	schtasks.exe
912	schtasks.exe
4888	schtasks.exe
4328	schtasks.exe
1916	schtasks.exe
1856	schtasks.exe
4508	schtasks.exe
3400	schtasks.exe
2780	schtasks.exe
3468	schtasks.exe
2608	schtasks.exe
4864	schtasks.exe
3752	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2780	Load.exe
2780	Load.exe
2780	Load.exe
2780	Load.exe
2780	Load.exe
2780	Load.exe
2780	Load.exe
2780	Load.exe
2780	Load.exe
2780	Load.exe
2780	Load.exe
2780	Load.exe
2780	Load.exe
2780	Load.exe
2780	Load.exe
2780	Load.exe
2780	Load.exe
3988	Load.exe
3988	Load.exe
3988	Load.exe
3988	Load.exe
3988	Load.exe
3988	Load.exe
3988	Load.exe
3988	Load.exe
3988	Load.exe
3988	Load.exe
3988	Load.exe
3988	Load.exe
3988	Load.exe
3988	Load.exe
3988	Load.exe
3988	Load.exe
3988	Load.exe
128	Load.exe
128	Load.exe
128	Load.exe
128	Load.exe
128	Load.exe
128	Load.exe
128	Load.exe
128	Load.exe
128	Load.exe
128	Load.exe
128	Load.exe
128	Load.exe
128	Load.exe
128	Load.exe
128	Load.exe
128	Load.exe
128	Load.exe
3888	Load.exe
3888	Load.exe
3888	Load.exe
3888	Load.exe
3888	Load.exe
3888	Load.exe
3888	Load.exe
3888	Load.exe
3888	Load.exe
3888	Load.exe
3888	Load.exe
3888	Load.exe
3888	Load.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2780	Load.exe
Token: SeDebugPrivilege	3988	Load.exe
Token: SeDebugPrivilege	128	Load.exe
Token: SeDebugPrivilege	3888	Load.exe
Token: SeDebugPrivilege	3912	Load.exe
Token: SeDebugPrivilege	3020	Load.exe
Token: SeDebugPrivilege	3416	Load.exe
Token: SeDebugPrivilege	2616	Load.exe
Token: SeDebugPrivilege	1012	Load.exe
Token: SeDebugPrivilege	3428	Load.exe
Token: SeDebugPrivilege	2952	Load.exe
Token: SeDebugPrivilege	4740	Load.exe
Token: SeDebugPrivilege	2136	Load.exe
Token: SeDebugPrivilege	1604	Load.exe
Token: SeDebugPrivilege	2184	Load.exe
Token: SeDebugPrivilege	4280	Load.exe
Token: SeDebugPrivilege	3404	Load.exe
Token: SeDebugPrivilege	2100	Load.exe
Token: SeDebugPrivilege	712	Load.exe
Token: SeDebugPrivilege	1672	Load.exe
Token: SeDebugPrivilege	4972	Load.exe
Token: SeDebugPrivilege	3208	Load.exe
Token: SeDebugPrivilege	2804	Load.exe
Token: SeDebugPrivilege	3784	Load.exe
Token: SeDebugPrivilege	2824	Load.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2184	2756	Loader.exe	77
PID 2756 wrote to memory of 2184	2756	Loader.exe	77
PID 2756 wrote to memory of 2780	2756	Loader.exe	78
PID 2756 wrote to memory of 2780	2756	Loader.exe	78
PID 2780 wrote to memory of 2132	2780	Load.exe	79
PID 2780 wrote to memory of 2132	2780	Load.exe	79
PID 2780 wrote to memory of 1644	2780	Load.exe	81
PID 2780 wrote to memory of 1644	2780	Load.exe	81
PID 2132 wrote to memory of 1916	2132	cmd.exe	83
PID 2132 wrote to memory of 1916	2132	cmd.exe	83
PID 1644 wrote to memory of 3576	1644	cmd.exe	84
PID 1644 wrote to memory of 3576	1644	cmd.exe	84
PID 2184 wrote to memory of 3832	2184	Loader.exe	85
PID 2184 wrote to memory of 3832	2184	Loader.exe	85
PID 2184 wrote to memory of 3988	2184	Loader.exe	86
PID 2184 wrote to memory of 3988	2184	Loader.exe	86
PID 3988 wrote to memory of 5088	3988	Load.exe	87
PID 3988 wrote to memory of 5088	3988	Load.exe	87
PID 5088 wrote to memory of 3752	5088	cmd.exe	89
PID 5088 wrote to memory of 3752	5088	cmd.exe	89
PID 3832 wrote to memory of 4804	3832	Loader.exe	90
PID 3832 wrote to memory of 4804	3832	Loader.exe	90
PID 3832 wrote to memory of 128	3832	Loader.exe	91
PID 3832 wrote to memory of 128	3832	Loader.exe	91
PID 3988 wrote to memory of 3436	3988	Load.exe	92
PID 3988 wrote to memory of 3436	3988	Load.exe	92
PID 3436 wrote to memory of 1532	3436	cmd.exe	94
PID 3436 wrote to memory of 1532	3436	cmd.exe	94
PID 128 wrote to memory of 1708	128	Load.exe	95
PID 128 wrote to memory of 1708	128	Load.exe	95
PID 1708 wrote to memory of 1500	1708	cmd.exe	97
PID 1708 wrote to memory of 1500	1708	cmd.exe	97
PID 4804 wrote to memory of 3024	4804	Loader.exe	98
PID 4804 wrote to memory of 3024	4804	Loader.exe	98
PID 4804 wrote to memory of 3888	4804	Loader.exe	99
PID 4804 wrote to memory of 3888	4804	Loader.exe	99
PID 128 wrote to memory of 3048	128	Load.exe	100
PID 128 wrote to memory of 3048	128	Load.exe	100
PID 3048 wrote to memory of 2368	3048	cmd.exe	102
PID 3048 wrote to memory of 2368	3048	cmd.exe	102
PID 3436 wrote to memory of 3912	3436	cmd.exe	103
PID 3436 wrote to memory of 3912	3436	cmd.exe	103
PID 3888 wrote to memory of 2612	3888	Load.exe	104
PID 3888 wrote to memory of 2612	3888	Load.exe	104
PID 2612 wrote to memory of 1856	2612	cmd.exe	106
PID 2612 wrote to memory of 1856	2612	cmd.exe	106
PID 3024 wrote to memory of 1568	3024	Loader.exe	107
PID 3024 wrote to memory of 1568	3024	Loader.exe	107
PID 3024 wrote to memory of 3020	3024	Loader.exe	108
PID 3024 wrote to memory of 3020	3024	Loader.exe	108
PID 3888 wrote to memory of 984	3888	Load.exe	109
PID 3888 wrote to memory of 984	3888	Load.exe	109
PID 984 wrote to memory of 5076	984	cmd.exe	111
PID 984 wrote to memory of 5076	984	cmd.exe	111
PID 3048 wrote to memory of 3416	3048	cmd.exe	112
PID 3048 wrote to memory of 3416	3048	cmd.exe	112
PID 3020 wrote to memory of 4916	3020	Load.exe	113
PID 3020 wrote to memory of 4916	3020	Load.exe	113
PID 4916 wrote to memory of 912	4916	cmd.exe	115
PID 4916 wrote to memory of 912	4916	cmd.exe	115
PID 1568 wrote to memory of 2360	1568	Loader.exe	116
PID 1568 wrote to memory of 2360	1568	Loader.exe	116
PID 1568 wrote to memory of 2616	1568	Loader.exe	117
PID 1568 wrote to memory of 2616	1568	Loader.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3832
  - - C:\Users\Admin\AppData\Local\Temp\Loader.exe
      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4804
    - - C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3024
      - C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        7⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        8⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        9⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        10⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        11⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        12⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        13⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        14⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        15⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        15⤵
        
        PID:732
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1613.tmp.bat""
        15⤵
        
        PID:2632
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        16⤵
        Delays execution with timeout.exe
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        14⤵
        
        PID:3532
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD97.tmp.bat""
        14⤵
        
        PID:2076
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        15⤵
        Delays execution with timeout.exe
        
        PID:1276
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        13⤵
        
        PID:2524
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp55A.tmp.bat""
        13⤵
        
        PID:3732
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        14⤵
        Delays execution with timeout.exe
        
        PID:912
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        12⤵
        
        PID:5020
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFC13.tmp.bat""
        12⤵
        
        PID:4776
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        13⤵
        Delays execution with timeout.exe
        
        PID:4872
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        11⤵
        
        PID:4032
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF359.tmp.bat""
        11⤵
        
        PID:3456
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        12⤵
        Delays execution with timeout.exe
        
        PID:4648
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:712
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        10⤵
        
        PID:1976
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEB0C.tmp.bat""
        10⤵
        
        PID:2312
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        11⤵
        Delays execution with timeout.exe
        
        PID:2656
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        9⤵
        
        PID:1968
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE1C5.tmp.bat""
        9⤵
        
        PID:3504
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        10⤵
        Delays execution with timeout.exe
        
        PID:3600
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        8⤵
        
        PID:3728
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.bat""
        8⤵
        
        PID:1752
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        9⤵
        Delays execution with timeout.exe
        
        PID:4988
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
      - C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:912
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD0FC.tmp.bat""
        7⤵
        
        PID:4636
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:2592
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
    - - C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3888
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1856
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC8DE.tmp.bat""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:984
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:5076
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1012
  - - C:\Users\Admin\AppData\Local\Temp\Load.exe
      "C:\Users\Admin\AppData\Local\Temp\Load.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:128
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1708
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1500
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC052.tmp.bat""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3048
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:2368
      - C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3416
- - C:\Users\Admin\AppData\Local\Temp\Load.exe
    "C:\Users\Admin\AppData\Local\Temp\Load.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3988
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5088
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB7B7.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3436
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1532
    - - C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3912
- C:\Users\Admin\AppData\Local\Temp\Load.exe
  "C:\Users\Admin\AppData\Local\Temp\Load.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAB05.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:3576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Load.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Loader.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Load.exe

Filesize
74KB

MD5
4fc5086bcb8939429aea99f7322e619b

SHA1
8d3bd7d005710a8ae0bd0143d18b437be20018d7

SHA256
e31d6dc4d6f89573321f389c5b3f12838545ff8d2f1380cfba1782d39853e9fd

SHA512
04e230f5b39356aecf4732ac9a2f4fea96e51018907e2f22c7e3f22e51188b64cdb3e202fe324f5e3500761fae43f898bf9489aa8faa34eff3566e1119a786d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1613.tmp.bat

Filesize
148B

MD5
7ef4a7132d257f91a5b4d281cdc4e648

SHA1
8aa36be5a0aa5aa92f0c19d73962922134c46dc6

SHA256
cc9099a32bcf29ada886ee11ffe2f2792065c0273f8c91d2f0e2b076a5421710

SHA512
0f038e39992b3180b231e10ed212cb4cd1276a6dc8c86ac887797c4cbe4d5779eb2e937afb6d2548253eac7244fead0cc40db40088b02d7e6fb79362c2961536

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp55A.tmp.bat

Filesize
147B

MD5
98797100899464b2c2431f2177201689

SHA1
2d40c3854be1d26b896bde1f945577a8dd4bcdb7

SHA256
2608cd7e330436a8c26e20ea4167a2a4816878a37322761d509306d3b48f2a3e

SHA512
779ebc0a26a53b305a21b9a810814cd59b7c1b12fc8cd27fcc4581105b363e33a410b45a6f3bb36271a3e9a39a78ffc8cb74671577e95913e5debdbf228244d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAB05.tmp.bat

Filesize
148B

MD5
a311ee0cc098efc012c99797b311ab97

SHA1
afeb640d98f1b35568ec8044ec1458d6ae080e5b

SHA256
d41bfddc9775c293d077f8fc460555e9fd29130970035737cb1d6c4b38488de2

SHA512
6a243a974d70fd2139b1ff115bf27a667f1344f1666b6db9ee80620c876c171a0155f72c201ece966708297428ad29bc69bcadabf775c65ef7e34181d3b441ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB7B7.tmp.bat

Filesize
148B

MD5
6ce2dafcf7d928c35d12303e0ae8986d

SHA1
88e81e3cd19fa257129dc2247eb9af9bdccf214a

SHA256
44aad676c709e809d8c4e5371c731d944fe42f69960faa3ee25db6d615189c1d

SHA512
5cc552b977555f3ff90859e3969c10728d3a8ead97dc7923cc637bee5df118b1ae4e3768d4baeab6b0b78c5c495eff6133f09331c733e859448be4e6ece3ca89

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC052.tmp.bat

Filesize
148B

MD5
a2334f2bbd34af4fb52f7556ac6a8ade

SHA1
3c93515848c9df481e9887452b025510e8561614

SHA256
3ce7484229d625175a2840866eedba99b62d9a698abee4097c041d65ebe35606

SHA512
fe57af43a94692ed0b045ed1be8b04a68192ad238605e6a6ddbf2248760920e91840c46823729bb3b685b192b48a01af6ec687565e484b5c5bc6bb0ae8d7a48a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC8DE.tmp.bat

Filesize
148B

MD5
6e27b6ac728c48c4495715a27de60272

SHA1
bd48efc086a896cee4469bd8b0d1f2b3c2fc6376

SHA256
31416856c48f1298c0814cf138ef02c9dd7162054cd86c6d8746151e136ce066

SHA512
6d5654a48e2bade4d2333b646229a45a39b82dad956e55f2786c227a966e6bc1a4fbe1a8daf1aebfb16711de174155fe0199bece17fcf14f8e3383d832e3e9dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD0FC.tmp.bat

Filesize
148B

MD5
b8979757cfd3903bbccacd229e7f6a40

SHA1
2d3b9a8ce28021ba52bcfb6ba4c7703ca602c46a

SHA256
53200ada3509e73aac85f1073baa918a3172a26c40ebad50758667d21aa90d78

SHA512
7a6c98cea7f093298a1f6faa8c9b4c2b186ae6f0a04d2dcbfc4856eaf095d9342071572c882f0bf35573b873aef7910ae26f047b69ea98853c330cdada703c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.bat

Filesize
148B

MD5
0b3b735c34d5014954ac0b2000d7618c

SHA1
a8c6ee00eb77f12cb4bc6c3b5acdcfd6c8002492

SHA256
701501e3440b025b6c4d65667566f33579fc09fd4b6882ff6d7daca2767b75bf

SHA512
c957808e27ea3abfae75b3c2c3841e9b23f038b4f4855a0dbd584fd5b9fa7d910c4d30ef32091d16d62538ffcff58facc37b577eb8edf99b5dfd3245a62685ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD97.tmp.bat

Filesize
147B

MD5
7a87eb87d3cbff357e1af76463522eba

SHA1
b2ae86e1d461f18be928b4ad9dad3e001d9c161c

SHA256
01a4a36a0a0a2604eb09f8286c6abbce77d86f79cfeed4371d2efe3bc7c0582d

SHA512
ea6d8f482b9082d5aa61e6a02f5b0fa9a06c9fd26aed019415f1b20b8a0c9911ab8eb338efde14e97e88fcf33a858c85dc440ea62889135cdda3aa5edfe05cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE1C5.tmp.bat

Filesize
148B

MD5
9ab23f1ba8a0d00c0e4a383e6790fc49

SHA1
9c9eea38df8e42709be26dc51658b0e32be3ef0f

SHA256
3e60316ee91fb101eeb21b0e9d1d3ec1be6c3078906d8c460c61aa64335e21d1

SHA512
171d01f6164bdfe9f6f69fa995a350db485d826f5ee8c93fb1fd8965acb71c8b6080cc41c2c53646e88ad5402126d74da5acfc0abf55b94fd2cf11f82d39a5e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEB0C.tmp.bat

Filesize
148B

MD5
fd0d8731291306d88c87ee073dc15cc3

SHA1
c03c4b4c226f1999a78df26e17985eb3b26b5500

SHA256
38fa3423c70835b2df4e61d0d0942d215eef77224d07a9ed399a0f2c3e3859c0

SHA512
df04eb036b244572a45037a8ce88cd004fed1ffa39b64aef0eb03c79866768c26b74466dd8ba7d2bca62564efa0f359d937b504794c842df852994a9cf587d6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF359.tmp.bat

Filesize
148B

MD5
e62ee366bc25a9d71290cc29776e6b73

SHA1
efe0d1637a10ad8c72079266f38b8bd837b44e13

SHA256
aa20da6209e5efa3e37276dbf9e101cfb6cd032be60d1abb25b14aec7ec99ff2

SHA512
3779c926d8c024db750166965ae820c73078d45eb77e3bb79746e4955626149600ae90ff7a0903fe8e5492f6abc6060720c130d63ba186ebbeb630e37dbb3fb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFC13.tmp.bat

Filesize
148B

MD5
3e3884dc19bd595363d311f2095be096

SHA1
c461f51edd7741df6b64eeb1b777b883abcb8d13

SHA256
91dcfb9a1405c0f751d17421a4d62aa54e6db91ebb243f4774647d9b8b2bbb1d

SHA512
0948cbc7846d555cb5dd17292b017fed1ed3bcea4104d5f93970fa509937dbee9b39d9bb89b798a3f57e7d7ee43228e0c95d5c9f93981f65a9f43cbff74a4d8b

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
memory/2184-40-0x00007FFE47C30000-0x00007FFE486F2000-memory.dmp

Filesize
10.8MB

Download
memory/2184-16-0x00007FFE47C30000-0x00007FFE486F2000-memory.dmp

Filesize
10.8MB

Download
memory/2756-0-0x00007FFE47C33000-0x00007FFE47C35000-memory.dmp

Filesize
8KB

Download
memory/2756-17-0x00007FFE47C30000-0x00007FFE486F2000-memory.dmp

Filesize
10.8MB

Download
memory/2756-2-0x00007FFE47C30000-0x00007FFE486F2000-memory.dmp

Filesize
10.8MB

Download
memory/2756-1-0x0000000000660000-0x000000000087A000-memory.dmp

Filesize
2.1MB

Download
memory/2780-25-0x00007FFE47C30000-0x00007FFE486F2000-memory.dmp

Filesize
10.8MB

Download
memory/2780-19-0x00007FFE47C30000-0x00007FFE486F2000-memory.dmp

Filesize
10.8MB

Download
memory/2780-15-0x0000000000680000-0x0000000000698000-memory.dmp

Filesize
96KB

Download