asyncrat | hxxps://gofile[.]io/d/gMSfrL

Analysis

max time kernel
42s
max time network
40s
platform
windows10-2004_x64
resource
win10v2004-20241007-fr
resource tags

arch:x64arch:x86image:win10v2004-20241007-frlocale:fr-fros:windows10-2004-x64systemwindows
submitted
14-12-2024 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/gMSfrL

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

Jakemalabrad-55999.portmap.host:3333

Jakemalabrad-44006.portmap.host:3333

127.0.0.1:3333

Jakemalabrad-44789.portmap.host:3333

193.161.193.99:3333

Jakemalabrad-61647.portmap.io:3333

81.51.33.42:3333

Attributes

delay
1
install
true
install_file
Windows.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000d000000023b48-50.dat	family_asyncrat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Solara.exe

Executes dropped EXE 2 IoCs

pid	Process
208	Solara.exe
836	Windows.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1904	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133786644653508129"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1252	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4144	chrome.exe
4144	chrome.exe
208	Solara.exe
208	Solara.exe
208	Solara.exe
208	Solara.exe
208	Solara.exe
208	Solara.exe
208	Solara.exe
208	Solara.exe
208	Solara.exe
208	Solara.exe
208	Solara.exe
208	Solara.exe
208	Solara.exe
208	Solara.exe
208	Solara.exe
208	Solara.exe
208	Solara.exe
208	Solara.exe
208	Solara.exe
208	Solara.exe
208	Solara.exe
208	Solara.exe
208	Solara.exe
208	Solara.exe
208	Solara.exe
208	Solara.exe
208	Solara.exe
208	Solara.exe
208	Solara.exe
208	Solara.exe
208	Solara.exe
208	Solara.exe
836	Windows.exe
836	Windows.exe
836	Windows.exe
836	Windows.exe
836	Windows.exe
836	Windows.exe
836	Windows.exe
836	Windows.exe
836	Windows.exe
836	Windows.exe
836	Windows.exe
836	Windows.exe
836	Windows.exe
836	Windows.exe
836	Windows.exe
836	Windows.exe
836	Windows.exe
836	Windows.exe
836	Windows.exe
836	Windows.exe
836	Windows.exe
836	Windows.exe
836	Windows.exe
836	Windows.exe
836	Windows.exe
836	Windows.exe
836	Windows.exe
836	Windows.exe
836	Windows.exe
836	Windows.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4144	chrome.exe
Token: SeCreatePagefilePrivilege	4144	chrome.exe
Token: SeShutdownPrivilege	4144	chrome.exe
Token: SeCreatePagefilePrivilege	4144	chrome.exe
Token: SeShutdownPrivilege	4144	chrome.exe
Token: SeCreatePagefilePrivilege	4144	chrome.exe
Token: SeShutdownPrivilege	4144	chrome.exe
Token: SeCreatePagefilePrivilege	4144	chrome.exe
Token: SeShutdownPrivilege	4144	chrome.exe
Token: SeCreatePagefilePrivilege	4144	chrome.exe
Token: SeShutdownPrivilege	4144	chrome.exe
Token: SeCreatePagefilePrivilege	4144	chrome.exe
Token: SeShutdownPrivilege	4144	chrome.exe
Token: SeCreatePagefilePrivilege	4144	chrome.exe
Token: SeShutdownPrivilege	4144	chrome.exe
Token: SeCreatePagefilePrivilege	4144	chrome.exe
Token: SeShutdownPrivilege	4144	chrome.exe
Token: SeCreatePagefilePrivilege	4144	chrome.exe
Token: SeShutdownPrivilege	4144	chrome.exe
Token: SeCreatePagefilePrivilege	4144	chrome.exe
Token: SeShutdownPrivilege	4144	chrome.exe
Token: SeCreatePagefilePrivilege	4144	chrome.exe
Token: SeShutdownPrivilege	4144	chrome.exe
Token: SeCreatePagefilePrivilege	4144	chrome.exe
Token: SeShutdownPrivilege	4144	chrome.exe
Token: SeCreatePagefilePrivilege	4144	chrome.exe
Token: SeShutdownPrivilege	4144	chrome.exe
Token: SeCreatePagefilePrivilege	4144	chrome.exe
Token: SeShutdownPrivilege	4144	chrome.exe
Token: SeCreatePagefilePrivilege	4144	chrome.exe
Token: SeShutdownPrivilege	4144	chrome.exe
Token: SeCreatePagefilePrivilege	4144	chrome.exe
Token: SeDebugPrivilege	208	Solara.exe
Token: SeShutdownPrivilege	4144	chrome.exe
Token: SeCreatePagefilePrivilege	4144	chrome.exe
Token: SeShutdownPrivilege	4144	chrome.exe
Token: SeCreatePagefilePrivilege	4144	chrome.exe
Token: SeShutdownPrivilege	4144	chrome.exe
Token: SeCreatePagefilePrivilege	4144	chrome.exe
Token: SeShutdownPrivilege	4144	chrome.exe
Token: SeCreatePagefilePrivilege	4144	chrome.exe
Token: SeShutdownPrivilege	4144	chrome.exe
Token: SeCreatePagefilePrivilege	4144	chrome.exe
Token: SeDebugPrivilege	836	Windows.exe
Token: SeShutdownPrivilege	4144	chrome.exe
Token: SeCreatePagefilePrivilege	4144	chrome.exe
Token: SeShutdownPrivilege	4144	chrome.exe
Token: SeCreatePagefilePrivilege	4144	chrome.exe
Token: SeShutdownPrivilege	4144	chrome.exe
Token: SeCreatePagefilePrivilege	4144	chrome.exe
Token: SeShutdownPrivilege	4144	chrome.exe
Token: SeCreatePagefilePrivilege	4144	chrome.exe
Token: SeShutdownPrivilege	4144	chrome.exe
Token: SeCreatePagefilePrivilege	4144	chrome.exe
Token: SeShutdownPrivilege	4144	chrome.exe
Token: SeCreatePagefilePrivilege	4144	chrome.exe
Token: SeShutdownPrivilege	4144	chrome.exe
Token: SeCreatePagefilePrivilege	4144	chrome.exe
Token: SeShutdownPrivilege	4144	chrome.exe
Token: SeCreatePagefilePrivilege	4144	chrome.exe
Token: SeShutdownPrivilege	4144	chrome.exe
Token: SeCreatePagefilePrivilege	4144	chrome.exe
Token: SeShutdownPrivilege	4144	chrome.exe
Token: SeCreatePagefilePrivilege	4144	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe
4144	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 2660	4144	chrome.exe	82
PID 4144 wrote to memory of 2660	4144	chrome.exe	82
PID 4144 wrote to memory of 4976	4144	chrome.exe	83
PID 4144 wrote to memory of 4976	4144	chrome.exe	83
PID 4144 wrote to memory of 4976	4144	chrome.exe	83
PID 4144 wrote to memory of 4976	4144	chrome.exe	83
PID 4144 wrote to memory of 4976	4144	chrome.exe	83
PID 4144 wrote to memory of 4976	4144	chrome.exe	83
PID 4144 wrote to memory of 4976	4144	chrome.exe	83
PID 4144 wrote to memory of 4976	4144	chrome.exe	83
PID 4144 wrote to memory of 4976	4144	chrome.exe	83
PID 4144 wrote to memory of 4976	4144	chrome.exe	83
PID 4144 wrote to memory of 4976	4144	chrome.exe	83
PID 4144 wrote to memory of 4976	4144	chrome.exe	83
PID 4144 wrote to memory of 4976	4144	chrome.exe	83
PID 4144 wrote to memory of 4976	4144	chrome.exe	83
PID 4144 wrote to memory of 4976	4144	chrome.exe	83
PID 4144 wrote to memory of 4976	4144	chrome.exe	83
PID 4144 wrote to memory of 4976	4144	chrome.exe	83
PID 4144 wrote to memory of 4976	4144	chrome.exe	83
PID 4144 wrote to memory of 4976	4144	chrome.exe	83
PID 4144 wrote to memory of 4976	4144	chrome.exe	83
PID 4144 wrote to memory of 4976	4144	chrome.exe	83
PID 4144 wrote to memory of 4976	4144	chrome.exe	83
PID 4144 wrote to memory of 4976	4144	chrome.exe	83
PID 4144 wrote to memory of 4976	4144	chrome.exe	83
PID 4144 wrote to memory of 4976	4144	chrome.exe	83
PID 4144 wrote to memory of 4976	4144	chrome.exe	83
PID 4144 wrote to memory of 4976	4144	chrome.exe	83
PID 4144 wrote to memory of 4976	4144	chrome.exe	83
PID 4144 wrote to memory of 4976	4144	chrome.exe	83
PID 4144 wrote to memory of 4976	4144	chrome.exe	83
PID 4144 wrote to memory of 4028	4144	chrome.exe	84
PID 4144 wrote to memory of 4028	4144	chrome.exe	84
PID 4144 wrote to memory of 4568	4144	chrome.exe	85
PID 4144 wrote to memory of 4568	4144	chrome.exe	85
PID 4144 wrote to memory of 4568	4144	chrome.exe	85
PID 4144 wrote to memory of 4568	4144	chrome.exe	85
PID 4144 wrote to memory of 4568	4144	chrome.exe	85
PID 4144 wrote to memory of 4568	4144	chrome.exe	85
PID 4144 wrote to memory of 4568	4144	chrome.exe	85
PID 4144 wrote to memory of 4568	4144	chrome.exe	85
PID 4144 wrote to memory of 4568	4144	chrome.exe	85
PID 4144 wrote to memory of 4568	4144	chrome.exe	85
PID 4144 wrote to memory of 4568	4144	chrome.exe	85
PID 4144 wrote to memory of 4568	4144	chrome.exe	85
PID 4144 wrote to memory of 4568	4144	chrome.exe	85
PID 4144 wrote to memory of 4568	4144	chrome.exe	85
PID 4144 wrote to memory of 4568	4144	chrome.exe	85
PID 4144 wrote to memory of 4568	4144	chrome.exe	85
PID 4144 wrote to memory of 4568	4144	chrome.exe	85
PID 4144 wrote to memory of 4568	4144	chrome.exe	85
PID 4144 wrote to memory of 4568	4144	chrome.exe	85
PID 4144 wrote to memory of 4568	4144	chrome.exe	85
PID 4144 wrote to memory of 4568	4144	chrome.exe	85
PID 4144 wrote to memory of 4568	4144	chrome.exe	85
PID 4144 wrote to memory of 4568	4144	chrome.exe	85
PID 4144 wrote to memory of 4568	4144	chrome.exe	85
PID 4144 wrote to memory of 4568	4144	chrome.exe	85
PID 4144 wrote to memory of 4568	4144	chrome.exe	85
PID 4144 wrote to memory of 4568	4144	chrome.exe	85
PID 4144 wrote to memory of 4568	4144	chrome.exe	85
PID 4144 wrote to memory of 4568	4144	chrome.exe	85
PID 4144 wrote to memory of 4568	4144	chrome.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/gMSfrL
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9d4eacc40,0x7ff9d4eacc4c,0x7ff9d4eacc58
  2⤵
  PID:2660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,1186303657464758760,3685231838021981098,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1588,i,1186303657464758760,3685231838021981098,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1952 /prefetch:3
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,1186303657464758760,3685231838021981098,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2288 /prefetch:8
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,1186303657464758760,3685231838021981098,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,1186303657464758760,3685231838021981098,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3720,i,1186303657464758760,3685231838021981098,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4520 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3360,i,1186303657464758760,3685231838021981098,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3164 /prefetch:8
  2⤵
  PID:3572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4748,i,1186303657464758760,3685231838021981098,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4832 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5128,i,1186303657464758760,3685231838021981098,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5156 /prefetch:8
  2⤵
  PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5140,i,1186303657464758760,3685231838021981098,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  PID:3996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5272,i,1186303657464758760,3685231838021981098,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5144 /prefetch:8
  2⤵
  PID:3168

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1628

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3840

C:\Users\Admin\Downloads\Solara.exe
"C:\Users\Admin\Downloads\Solara.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:208
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows" /tr '"C:\Users\Admin\AppData\Roaming\Windows.exe"' & exit
  2⤵
  PID:5108
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "Windows" /tr '"C:\Users\Admin\AppData\Roaming\Windows.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDF06.tmp.bat""
  2⤵
  PID:4848
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1904
- - C:\Users\Admin\AppData\Roaming\Windows.exe
    "C:\Users\Admin\AppData\Roaming\Windows.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:836

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
66a55bea1009eabddcaafef1b3218ae8

SHA1
443ec92af3fc79feac5589c2844ae600c388c815

SHA256
c472bba5e6c3c9a5041bd0f86d564e1807d1403c63a5c5a8c6a524fd8d03941b

SHA512
b0aed7b173495ba5ccf0ec0caaca92ad0b8549dcf1086b7a6394e4bc675b175819c8764419e52ce380918fdb6a285e84e4dfbc3e6b72753ce49b260f1f1e7c36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
368e8ee5123c8850926befe25d71444b

SHA1
53025830a2f9569e6a62a2b9501475f7eceb76cc

SHA256
1ffab67d361ca2efd5ee64f49cd76655880c549f3db945f46991c9365f335052

SHA512
889f3cc7a4ae6b08a6031aa8c66614fcbfd88cd182b51762538e0f77147517ba810026ee047073bec6bc391b74993e73a2b314dd479ee8fbb4e2b11117354c69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
69ce92b84d412dcc003714477199afb1

SHA1
56f1a54a39f02c6689f8c5b5ee4027deebec29ea

SHA256
a72e71f4617c8a6268d7e7a868a83886dbd4e3f80e6e5e5fb2b99c745090a4ec

SHA512
ee1e6deafc474a1edf5c96ca06616ea0780525ad8f90b2cf470e886dd451d5f605739f98d80d121474d4553dd2b293987bea9128571358570e46ecdeb8e0e52c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4d422f7057d7096219fb87dfbb5cbf2f

SHA1
5747d69b40b859965f90b26a9251c96183e0569a

SHA256
fea77cfec9a4ac8733c217dbd3759b158a25a76f520b09bcfd0320db7420ce70

SHA512
e3d1c9ec5655eaf5afcab6aaa34c8122c57a9076beb3b4743ef4092b0dbbef7cba34e5043f0583f48361e3f548ef29f5fadc58a10892fac4f717bfc121d361f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d83c3d563f80dab657707562e569225d

SHA1
a18d76e063ff95e3b8930bffd89528c7c1f952da

SHA256
539a2fa8061e02efc04e5fe870f0e235081ad1c3395ac4ca4f5be889723b42a3

SHA512
c34335f13909b3436c6edef863e1e533680c8404e687885ca19c69394c99aefc6ce60718b470d7f198623352dd3e782092116e47bf925820f66cb598182953f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6b401a3f3df9f1eecc4e6122563ea4c7

SHA1
ff08fcbfb8714a3005a1665ffb1f7651e6ce996b

SHA256
0e88d9bdb41a47bef493360a3ee22708764bb3f43210aa7c293b62d2f596f320

SHA512
e92b1a60b3ab6ff74307938c2c0661b27fcb425e8b2189e959a85b6a8ef84eb7a3fbdad5f0dd72524f570c5814f650fc98cabe20389b0f0e38b5933eeec36e96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
115KB

MD5
d7f27f645fdbe87ff424fa2628c38703

SHA1
e1acb5d60d1184293bed0dbb142ac1b115b0ab94

SHA256
5eaeacce7e882adac8168fe20895ead5111afd64d1917bc3bd41306a1f7e488e

SHA512
7576b0026c2c213cad1aaf4aace5c3aaac111d27e217fb06c02a7ef1f7692887699fb0c9cd5df6e3214e79430531d0f8e0295c4b77b7d13b15854836df5ffce7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
115KB

MD5
4c8e6c9c71de0ca2fa34cfab13aeb79b

SHA1
3ac032db707bfaece2da262b177b153759c3ff4a

SHA256
b5f964d3e4f823285e35bdbad3b7ef689a6519ee812c84ff037174070c5e65d1

SHA512
bd08b390a259e8170b673f48c49bd5f0c2b51a1a22c8166bd30319f311d1dba1381f99b14ae6abf1c14285e8618c8582aa4586eb383de0651bcbdc00f9691a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDF06.tmp.bat

Filesize
151B

MD5
e852477a5692aa61fe63428e13547851

SHA1
238606bb3002d8fa5fb563b03d3c26172d4579b3

SHA256
6b5cdcc3f5a107ec4467d64d2ae1d8b7fd83a8b3a37ee2fae9318fc8d5707941

SHA512
6288c17bc17422049f4e6955145e3fd9504ec6e0e59052b6c198499b471b7d15dbbdef8f71eb2e1bfde7d211762dfd0ad1141fd246ea1c4a9cbd35d15f009328

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 295859.crdownload

Filesize
63KB

MD5
5a32f39c8a01248e227b9c29205a0904

SHA1
d6cbf6f58910aba9ee722a6a9ab9ea8df0e62f39

SHA256
04cd680243d8a59bbc437e83c2713b22793b8848a9fb3945854bd02ffd400e88

SHA512
e59d867bfc350e60e60ee7b11b5ed69f6fddc49af69a90fdac1aad98d26f4eb735df72f0bd4741378eac7be5cd533b2cae57142b02723de0518e7a78b89c8080

Download Submit
memory/208-76-0x0000000000D10000-0x0000000000D26000-memory.dmp

Filesize
88KB

Download
memory/208-84-0x00007FF9C1D20000-0x00007FF9C27E1000-memory.dmp

Filesize
10.8MB

Download
memory/208-83-0x00007FF9C1D20000-0x00007FF9C27E1000-memory.dmp

Filesize
10.8MB

Download
memory/208-78-0x0000000002E20000-0x0000000002E62000-memory.dmp

Filesize
264KB

Download
memory/208-77-0x00007FF9C1D20000-0x00007FF9C27E1000-memory.dmp

Filesize
10.8MB

Download
memory/208-75-0x00007FF9C1D23000-0x00007FF9C1D25000-memory.dmp

Filesize
8KB

Download
memory/836-98-0x000000001B350000-0x000000001B452000-memory.dmp

Filesize
1.0MB

Download