Overview

overview

10

Static

static

3

Loader.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    41s
  • max time network
    42s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-12-2024 22:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Loader.exe

  • Size

    2.1MB

  • MD5

    a07c79f9e2dd72f3b884928ee384344e

  • SHA1

    88df6b54a3e53a501b09b32de2def406820879fa

  • SHA256

    35c4d936db755868a37561663cd4b279b338413db5f89c2f9df71d74a6d35b61

  • SHA512

    cdb6957a1e59b053fdd8f0d43d9b1ba575da2140c5d2c547b87e8a5b1199f2d071f66152ade3cfdb5294903cf42f395a948b28ea87aef9d9aa6eacdeaffdd1fd

  • SSDEEP

    49152:5ZosvRgdkadC7i03aQAZutzArxizJZTrEbupmpVwMgc:5Zostak7RGuqGJZXdpmIn

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

193.161.193.99:53757

Mutex

hsaurcrgqwhjimnkbht

Attributes
  • delay

    1

  • install

    true

  • install_file

    Load.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 28 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 24 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 10 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4220
    • C:\Users\Admin\AppData\Local\Temp\Loader.exe
      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3696
      • C:\Users\Admin\AppData\Local\Temp\Loader.exe
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:1540
        • C:\Users\Admin\AppData\Local\Temp\Loader.exe
          "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:2964
          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
            5⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:4428
            • C:\Users\Admin\AppData\Local\Temp\Loader.exe
              "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
              6⤵
              • Checks computer location settings
              • Suspicious use of WriteProcessMemory
              PID:1384
              • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                7⤵
                • Checks computer location settings
                • Suspicious use of WriteProcessMemory
                PID:468
                • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                  8⤵
                  • Checks computer location settings
                  PID:960
                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                    9⤵
                    • Checks computer location settings
                    PID:5060
                    • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                      10⤵
                      • Checks computer location settings
                      PID:3116
                      • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                        11⤵
                        • Checks computer location settings
                        PID:556
                        • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                          "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                          12⤵
                          • Checks computer location settings
                          PID:4864
                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                            13⤵
                            • Checks computer location settings
                            PID:4412
                            • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                              "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                              14⤵
                              • Checks computer location settings
                              PID:2924
                              • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                15⤵
                                • Checks computer location settings
                                PID:3360
                                • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                  16⤵
                                  • Checks computer location settings
                                  PID:4512
                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                    17⤵
                                    • Checks computer location settings
                                    PID:2344
                                    • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                      18⤵
                                        PID:4000
                                      • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                        18⤵
                                        • Executes dropped EXE
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2376
                                    • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                      "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                      17⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:4672
                                  • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                    "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                    16⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4328
                                • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                  "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                  15⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4736
                              • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                14⤵
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3092
                            • C:\Users\Admin\AppData\Local\Temp\Load.exe
                              "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                              13⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of SetWindowsHookEx
                              PID:3476
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
                                14⤵
                                  PID:4356
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
                                    15⤵
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:4360
                            • C:\Users\Admin\AppData\Local\Temp\Load.exe
                              "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                              12⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3500
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
                                13⤵
                                  PID:1088
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
                                    14⤵
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:3772
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE3B9.tmp.bat""
                                  13⤵
                                    PID:3936
                                    • C:\Windows\system32\timeout.exe
                                      timeout 3
                                      14⤵
                                      • Delays execution with timeout.exe
                                      PID:2260
                                    • C:\Users\Admin\AppData\Roaming\Load.exe
                                      "C:\Users\Admin\AppData\Roaming\Load.exe"
                                      14⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2020
                              • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                11⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2928
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
                                  12⤵
                                    PID:4304
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
                                      13⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1208
                                  • C:\Windows\system32\cmd.exe
                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDB4C.tmp.bat""
                                    12⤵
                                      PID:2256
                                      • C:\Windows\system32\timeout.exe
                                        timeout 3
                                        13⤵
                                        • Delays execution with timeout.exe
                                        PID:3400
                                      • C:\Users\Admin\AppData\Roaming\Load.exe
                                        "C:\Users\Admin\AppData\Roaming\Load.exe"
                                        13⤵
                                        • Executes dropped EXE
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:4548
                                • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                  "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                  10⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1200
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
                                    11⤵
                                      PID:2020
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
                                        12⤵
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2176
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD244.tmp.bat""
                                      11⤵
                                        PID:4768
                                        • C:\Windows\system32\timeout.exe
                                          timeout 3
                                          12⤵
                                          • Delays execution with timeout.exe
                                          PID:1648
                                        • C:\Users\Admin\AppData\Roaming\Load.exe
                                          "C:\Users\Admin\AppData\Roaming\Load.exe"
                                          12⤵
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:3184
                                  • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                    "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                    9⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1540
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
                                      10⤵
                                        PID:2404
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
                                          11⤵
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:4600
                                      • C:\Windows\system32\cmd.exe
                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCAC2.tmp.bat""
                                        10⤵
                                          PID:5100
                                          • C:\Windows\system32\timeout.exe
                                            timeout 3
                                            11⤵
                                            • Delays execution with timeout.exe
                                            PID:3672
                                          • C:\Users\Admin\AppData\Roaming\Load.exe
                                            "C:\Users\Admin\AppData\Roaming\Load.exe"
                                            11⤵
                                            • Executes dropped EXE
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:3652
                                    • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                      "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                      8⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:4012
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
                                        9⤵
                                          PID:640
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
                                            10⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1676
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC091.tmp.bat""
                                          9⤵
                                            PID:2528
                                            • C:\Windows\system32\timeout.exe
                                              timeout 3
                                              10⤵
                                              • Delays execution with timeout.exe
                                              PID:1412
                                            • C:\Users\Admin\AppData\Roaming\Load.exe
                                              "C:\Users\Admin\AppData\Roaming\Load.exe"
                                              10⤵
                                              • Executes dropped EXE
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:4360
                                      • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                        7⤵
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        PID:312
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
                                          8⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:4832
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
                                            9⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1320
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB759.tmp.bat""
                                          8⤵
                                            PID:4508
                                            • C:\Windows\system32\timeout.exe
                                              timeout 3
                                              9⤵
                                              • Delays execution with timeout.exe
                                              PID:788
                                      • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                        6⤵
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • Suspicious use of AdjustPrivilegeToken
                                        • Suspicious use of WriteProcessMemory
                                        PID:1448
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
                                          7⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:320
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
                                            8⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:216
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAE60.tmp.bat""
                                          7⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:4144
                                          • C:\Windows\system32\timeout.exe
                                            timeout 3
                                            8⤵
                                            • Delays execution with timeout.exe
                                            PID:2880
                                          • C:\Users\Admin\AppData\Roaming\Load.exe
                                            "C:\Users\Admin\AppData\Roaming\Load.exe"
                                            8⤵
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:3400
                                    • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                      "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                      5⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of WriteProcessMemory
                                      PID:2684
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
                                        6⤵
                                        • Suspicious use of WriteProcessMemory
                                        PID:2144
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
                                          7⤵
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:4556
                                      • C:\Windows\system32\cmd.exe
                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA558.tmp.bat""
                                        6⤵
                                        • Suspicious use of WriteProcessMemory
                                        PID:4516
                                        • C:\Windows\system32\timeout.exe
                                          timeout 3
                                          7⤵
                                          • Delays execution with timeout.exe
                                          PID:2096
                                        • C:\Users\Admin\AppData\Roaming\Load.exe
                                          "C:\Users\Admin\AppData\Roaming\Load.exe"
                                          7⤵
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:3740
                                  • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                    "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                    4⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:4580
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
                                      5⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:3280
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
                                        6⤵
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2172
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9DB7.tmp.bat""
                                      5⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:2768
                                      • C:\Windows\system32\timeout.exe
                                        timeout 3
                                        6⤵
                                        • Delays execution with timeout.exe
                                        PID:3876
                                      • C:\Users\Admin\AppData\Roaming\Load.exe
                                        "C:\Users\Admin\AppData\Roaming\Load.exe"
                                        6⤵
                                        • Executes dropped EXE
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1864
                                • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                  "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                  3⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1736
                              • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                2⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of WriteProcessMemory
                                PID:2160
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
                                  3⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:3080
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
                                    4⤵
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2056
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp903A.tmp.bat""
                                  3⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:5088
                                  • C:\Windows\system32\timeout.exe
                                    timeout 3
                                    4⤵
                                    • Delays execution with timeout.exe
                                    PID:4592

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Load.exe.log
                              Filesize

                              1KB

                              MD5

                              baf55b95da4a601229647f25dad12878

                              SHA1

                              abc16954ebfd213733c4493fc1910164d825cac8

                              SHA256

                              ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

                              SHA512

                              24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Loader.exe.log
                              Filesize

                              654B

                              MD5

                              2ff39f6c7249774be85fd60a8f9a245e

                              SHA1

                              684ff36b31aedc1e587c8496c02722c6698c1c4e

                              SHA256

                              e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

                              SHA512

                              1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\Load.exe
                              Filesize

                              74KB

                              MD5

                              4fc5086bcb8939429aea99f7322e619b

                              SHA1

                              8d3bd7d005710a8ae0bd0143d18b437be20018d7

                              SHA256

                              e31d6dc4d6f89573321f389c5b3f12838545ff8d2f1380cfba1782d39853e9fd

                              SHA512

                              04e230f5b39356aecf4732ac9a2f4fea96e51018907e2f22c7e3f22e51188b64cdb3e202fe324f5e3500761fae43f898bf9489aa8faa34eff3566e1119a786d2

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\tmp903A.tmp.bat
                              Filesize

                              148B

                              MD5

                              109c21ccc014b21668286df2ad62a64e

                              SHA1

                              369e265fd7d24e236448587cbecf30ae3370d1e0

                              SHA256

                              610dc83130a76902e98a585a67f64026f66e0eb4aea1b4864ef2ba0e796b10d1

                              SHA512

                              2ec27e84703e7b9b9e5292e0dbcb5ecd4be7c9353edab594c7e5dc4b83be66ea396b7f518d33b7bbe4b2b0edb2fcbb6bf1a1846fe37f355e3c6f38956253eb64

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\tmp9DB7.tmp.bat
                              Filesize

                              148B

                              MD5

                              9c342fc8d8901d9ceba59bdc61702129

                              SHA1

                              d332593a961926e152a4244baacb7b35dd1b001e

                              SHA256

                              7c37af1130589baa504fa80c749687ebfd5c5bdafc88e3128d5bb9dace3ddf14

                              SHA512

                              c0c505bd03dcadae60ec545c1e2f9529556d47c9b257e39460c7cbb664cfe76ded811c1fb6c673e3d7203fc7212b74cd2853f9b1808b87cd0383d76b2b9a6156

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\tmpA558.tmp.bat
                              Filesize

                              148B

                              MD5

                              d0534d5096ff9562a8b571642e18b2a0

                              SHA1

                              e3acbeda26af8a4aa6fb73113998b149520a6349

                              SHA256

                              8f194a90da5423d8cdaba12ca6d1bb3391923b6f0b501e7e03071b1a6e622e9d

                              SHA512

                              0d82f54e15d9dc64878b5b0e67a99ffdbeb4d6931ea2f859a29f0dc4b3978d2fcec151b55d4d0a640e95b6465190c0c1bfe0dd7e62ce778d61964bae7d5d531a

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\tmpAE60.tmp.bat
                              Filesize

                              148B

                              MD5

                              fed7e98d89cbbc001478cfae5e00def5

                              SHA1

                              5c573052e89b605c6f19fa3b7b4ef21cc8957e39

                              SHA256

                              0f408b9ff2dc8ab944e4c5c7c7a992ffef0602cdabadf156805e8ffcf28cafa5

                              SHA512

                              5dad3aa5b169dd19149d6c6f12ce2bad1ec250fd3ca68c0989f9b384027edfbf58387ce17bb6c4a42dcc56ec9a1823dd8117c555790bf25863a4104e9eaec6fe

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\tmpC091.tmp.bat
                              Filesize

                              148B

                              MD5

                              5b32e248299e531170e034fea12ac7de

                              SHA1

                              750d59f21ff005b42626fbf74d34b3e09045aa4d

                              SHA256

                              c8165374878082e2842658945bbf7799f5957400f585ef2dfdafff66092e10a2

                              SHA512

                              ff889c71c6c1d583cc9826ae5e5c7095cd5fac854c9ac142963b9086ae05b9b07c1804fa9c1cc46403eb22d226bb478b4f34586d016e3d81c3f39f65423c6ac6

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\tmpCAC2.tmp.bat
                              Filesize

                              148B

                              MD5

                              bc1879d9117fda675934ab68d3e25675

                              SHA1

                              807c8e22e976b807f1a0c65b2e1652385627ed75

                              SHA256

                              9c504c6e70745985dcf6beef1336614e334bccd83115fe7fc0fd8cf5a4efa5ca

                              SHA512

                              c75ab9ca2d0b5da82e117a2fd95988e2fc76a6a36a733c64e0f31709f9d777b67eecb0620e4d289b17ef55eafcc0073e57b1d99d2d8ed584dc8b5af51cc4acf7

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\tmpD244.tmp.bat
                              Filesize

                              148B

                              MD5

                              972064703824e5caec3546a3500d5a72

                              SHA1

                              5732e46ba0bd6353ab7f3c6c898765f33c6e9644

                              SHA256

                              53379a70ef06bb7edaf67f2b68d581c21b226f94633f56b32a5a1096cec22ff8

                              SHA512

                              2f433f92bc7fa6b02cd176b52ac6923e2b0d7f28705699ad44d17665346c3b62282c9b60e73ced43d01cb7f80cbb78a57d4d8c646a70242bb3572b3613295b48

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\tmpDB4C.tmp.bat
                              Filesize

                              148B

                              MD5

                              09a4dac16501a25641504872badcff0b

                              SHA1

                              b4be3833bc5e8b2a55200a7a22a9dc6dfa1181e7

                              SHA256

                              2753ba2c2cb28863de27315bb6c3b55b697e7a708bcf4e1562df812977d4d233

                              SHA512

                              246df0ccb90c4b4ae3fb7211956baba4a284ae8028edcdcd3ce6025d32b41262e960ea2a6f64a4033cfd02a1fea01746fbbe1b927a64b466e0199d92fa2e6b99

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\tmpE3B9.tmp.bat
                              Filesize

                              148B

                              MD5

                              b5d55af763bbbf7ff20bcaa5e3fe31ba

                              SHA1

                              72b02e1eec9408af70bac82b0641e3ec6f83c179

                              SHA256

                              bbd91f6e681158005b6361755bae20905a950f6091db28a0173b06868c51b007

                              SHA512

                              06d91415fe592e15a2f3325ab5416e54442ec518c1628c56e92055331a7d99d169927b4ecdb2802fc92537871354ee1ee3d729bb1afd8be43f89fb5be5f7e1d1

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
                              Filesize

                              8B

                              MD5

                              cf759e4c5f14fe3eec41b87ed756cea8

                              SHA1

                              c27c796bb3c2fac929359563676f4ba1ffada1f5

                              SHA256

                              c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

                              SHA512

                              c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

                              Download Submit

                            • memory/2160-30-0x00007FFBFB080000-0x00007FFBFBB41000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/2160-20-0x00007FFBFB080000-0x00007FFBFBB41000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/2160-19-0x00007FFBFB080000-0x00007FFBFBB41000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/2160-15-0x00000000003B0000-0x00000000003C8000-memory.dmp

                              Filesize

                              96KB

                              Download

                            • memory/3696-23-0x00007FFBFB080000-0x00007FFBFBB41000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/3696-16-0x00007FFBFB080000-0x00007FFBFBB41000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/4220-0-0x00007FFBFB083000-0x00007FFBFB085000-memory.dmp

                              Filesize

                              8KB

                              Download

                            • memory/4220-17-0x00007FFBFB080000-0x00007FFBFBB41000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/4220-2-0x00007FFBFB080000-0x00007FFBFBB41000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/4220-1-0x00000000000B0000-0x00000000002CA000-memory.dmp

                              Filesize

                              2.1MB

                              Download