asyncrat | 60207694e5d4fce322f54c781f56945961aefa050d6ea539bb4e2c7c252b724f

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SOSA.exe
Size

10.3MB
MD5

a0f74ad23ce748a132b23889a7151865
SHA1

42d2a566db9d318cb0a708f15fbe113942bf0b74
SHA256

f0085976b11707aa4c9b57afc33e0bb94612fd31f2541064aff03f8cb85d643d
SHA512

157549067ec7bf4593091d4a3bce7222f609493925e4950c908a1348b2194fa2cc51e15e2e25de7d3fcbc2518605e11bdf2d149dc77a55359abe0dac829eafc8
SSDEEP

196608:GLpc+BGt3M5CcscVk1OgQRszjQMLwrtUSu+Kuib752HkDOKu3BX4aUvhFC:GWEGa5CcZmQRrUmtUSu9dbV2Exu3Bovm

Score

10^/10

asyncrat default execution persistence pyinstaller rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

147.185.221.19:9090

147.185.221.19:54226

127.0.0.1:9090

127.0.0.1:29034

147.185.221.20:9090

147.185.221.20:29034

10.0.2.15:9090

10.0.2.15:52033

147.185.221.19:52033

Mutex

upqizvsjqe

Attributes

delay
1
install
true
install_file
Epic Games.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe	family_asyncrat
C:\Users\Admin\AppData\Local\Temp\._cache_kanker.exe	family_asyncrat
C:\Users\Admin\AppData\Local\Temp\._cache_NOBLOCKTM - Copy.exe	family_asyncrat

Executes dropped EXE 18 IoCs

Processes:

._cache_SOSA.exeSynaptics.exe._cache_Synaptics.exeSOSAREAL.exeSOSAREAL.exeTL.exeSOSAREAL.exeClient.exe._cache_Client.exeSOSAREAL.exe._cache_TL.exekanker.exeNOBLOCKTM - Copy.exe._cache_kanker.exe._cache_NOBLOCKTM - Copy.exeEpic Games.exekanker.exesteam.exe

pid	process
2748	._cache_SOSA.exe
2628	Synaptics.exe
2752	._cache_Synaptics.exe
2404	SOSAREAL.exe
1032	SOSAREAL.exe
1980	TL.exe
1608	SOSAREAL.exe
568	Client.exe
2568	._cache_Client.exe
1432	SOSAREAL.exe
632	._cache_TL.exe
2956	kanker.exe
2860	NOBLOCKTM - Copy.exe
3036	._cache_kanker.exe
2036	._cache_NOBLOCKTM - Copy.exe
1888	Epic Games.exe
324	kanker.exe
2328	steam.exe

Loads dropped DLL 21 IoCs

Processes:

SOSA.exeSynaptics.exe._cache_Synaptics.exe._cache_SOSA.exeSOSAREAL.exeClient.exeSOSAREAL.exeSOSAREAL.exeTL.exeSOSAREAL.exekanker.exeNOBLOCKTM - Copy.exe

pid	process
1932	SOSA.exe
1932	SOSA.exe
1932	SOSA.exe
2628	Synaptics.exe
2628	Synaptics.exe
2752	._cache_Synaptics.exe
2748	._cache_SOSA.exe
2000
1940
1032	SOSAREAL.exe
568	Client.exe
568	Client.exe
2404	SOSAREAL.exe
1608	SOSAREAL.exe
1980	TL.exe
1980	TL.exe
1432	SOSAREAL.exe
2956	kanker.exe
2956	kanker.exe
2860	NOBLOCKTM - Copy.exe
2860	NOBLOCKTM - Copy.exe

Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

SOSA.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" SOSA.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2476 powershell.exe
1808 powershell.exe
2716 powershell.exe
Detects Pyinstaller 1 IoCs
pyinstaller

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\SOSAREAL.exe pyinstaller
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

2620 timeout.exe
1304 timeout.exe
2984 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2980 schtasks.exe
2188 schtasks.exe
1736 schtasks.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	SOSA.exe

pid	process
2476	powershell.exe
1808	powershell.exe
2716	powershell.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SOSAREAL.exe	pyinstaller

pid	process
2620	timeout.exe
1304	timeout.exe
2984	timeout.exe

pid	process
2980	schtasks.exe
2188	schtasks.exe
1736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exe._cache_Client.exe._cache_kanker.exe._cache_NOBLOCKTM - Copy.exeEpic Games.exekanker.exesteam.exe

pid	process
2716	powershell.exe
2476	powershell.exe
1808	powershell.exe
2568	._cache_Client.exe
2568	._cache_Client.exe
2568	._cache_Client.exe
2568	._cache_Client.exe
2568	._cache_Client.exe
2568	._cache_Client.exe
3036	._cache_kanker.exe
3036	._cache_kanker.exe
3036	._cache_kanker.exe
2036	._cache_NOBLOCKTM - Copy.exe
2036	._cache_NOBLOCKTM - Copy.exe
2036	._cache_NOBLOCKTM - Copy.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
324	kanker.exe
324	kanker.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
2328	steam.exe
2328	steam.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe
1888	Epic Games.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exepowershell.exe._cache_Client.exepowershell.exe._cache_kanker.exe._cache_NOBLOCKTM - Copy.exeEpic Games.exekanker.exesteam.exe

description	pid	process
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	2568	._cache_Client.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	3036	._cache_kanker.exe
Token: SeDebugPrivilege	2036	._cache_NOBLOCKTM - Copy.exe
Token: SeDebugPrivilege	1888	Epic Games.exe
Token: SeDebugPrivilege	324	kanker.exe
Token: SeDebugPrivilege	2328	steam.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Epic Games.exekanker.exesteam.exe

pid process

1888 Epic Games.exe
324 kanker.exe
2328 steam.exe

pid	process
1888	Epic Games.exe
324	kanker.exe
2328	steam.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SOSA.exeSynaptics.exe._cache_SOSA.exe._cache_Synaptics.exeSOSAREAL.exeClient.exeSOSAREAL.exeTL.exe._cache_TL.exekanker.exe

description	pid	process	target process
PID 1932 wrote to memory of 2748	1932	SOSA.exe	._cache_SOSA.exe
PID 1932 wrote to memory of 2748	1932	SOSA.exe	._cache_SOSA.exe
PID 1932 wrote to memory of 2748	1932	SOSA.exe	._cache_SOSA.exe
PID 1932 wrote to memory of 2748	1932	SOSA.exe	._cache_SOSA.exe
PID 1932 wrote to memory of 2628	1932	SOSA.exe	Synaptics.exe
PID 1932 wrote to memory of 2628	1932	SOSA.exe	Synaptics.exe
PID 1932 wrote to memory of 2628	1932	SOSA.exe	Synaptics.exe
PID 1932 wrote to memory of 2628	1932	SOSA.exe	Synaptics.exe
PID 2628 wrote to memory of 2752	2628	Synaptics.exe	._cache_Synaptics.exe
PID 2628 wrote to memory of 2752	2628	Synaptics.exe	._cache_Synaptics.exe
PID 2628 wrote to memory of 2752	2628	Synaptics.exe	._cache_Synaptics.exe
PID 2628 wrote to memory of 2752	2628	Synaptics.exe	._cache_Synaptics.exe
PID 2748 wrote to memory of 2716	2748	._cache_SOSA.exe	powershell.exe
PID 2748 wrote to memory of 2716	2748	._cache_SOSA.exe	powershell.exe
PID 2748 wrote to memory of 2716	2748	._cache_SOSA.exe	powershell.exe
PID 2752 wrote to memory of 2476	2752	._cache_Synaptics.exe	powershell.exe
PID 2752 wrote to memory of 2476	2752	._cache_Synaptics.exe	powershell.exe
PID 2752 wrote to memory of 2476	2752	._cache_Synaptics.exe	powershell.exe
PID 2752 wrote to memory of 2404	2752	._cache_Synaptics.exe	SOSAREAL.exe
PID 2752 wrote to memory of 2404	2752	._cache_Synaptics.exe	SOSAREAL.exe
PID 2752 wrote to memory of 2404	2752	._cache_Synaptics.exe	SOSAREAL.exe
PID 2748 wrote to memory of 1032	2748	._cache_SOSA.exe	SOSAREAL.exe
PID 2748 wrote to memory of 1032	2748	._cache_SOSA.exe	SOSAREAL.exe
PID 2748 wrote to memory of 1032	2748	._cache_SOSA.exe	SOSAREAL.exe
PID 2752 wrote to memory of 1980	2752	._cache_Synaptics.exe	TL.exe
PID 2752 wrote to memory of 1980	2752	._cache_Synaptics.exe	TL.exe
PID 2752 wrote to memory of 1980	2752	._cache_Synaptics.exe	TL.exe
PID 2752 wrote to memory of 1980	2752	._cache_Synaptics.exe	TL.exe
PID 1032 wrote to memory of 1608	1032	SOSAREAL.exe	SOSAREAL.exe
PID 1032 wrote to memory of 1608	1032	SOSAREAL.exe	SOSAREAL.exe
PID 1032 wrote to memory of 1608	1032	SOSAREAL.exe	SOSAREAL.exe
PID 2752 wrote to memory of 568	2752	._cache_Synaptics.exe	Client.exe
PID 2752 wrote to memory of 568	2752	._cache_Synaptics.exe	Client.exe
PID 2752 wrote to memory of 568	2752	._cache_Synaptics.exe	Client.exe
PID 2752 wrote to memory of 568	2752	._cache_Synaptics.exe	Client.exe
PID 568 wrote to memory of 2568	568	Client.exe	._cache_Client.exe
PID 568 wrote to memory of 2568	568	Client.exe	._cache_Client.exe
PID 568 wrote to memory of 2568	568	Client.exe	._cache_Client.exe
PID 568 wrote to memory of 2568	568	Client.exe	._cache_Client.exe
PID 2404 wrote to memory of 1432	2404	SOSAREAL.exe	SOSAREAL.exe
PID 2748 wrote to memory of 2260	2748	._cache_SOSA.exe	WerFault.exe
PID 2748 wrote to memory of 2260	2748	._cache_SOSA.exe	WerFault.exe
PID 2748 wrote to memory of 2260	2748	._cache_SOSA.exe	WerFault.exe
PID 2404 wrote to memory of 1432	2404	SOSAREAL.exe	SOSAREAL.exe
PID 2404 wrote to memory of 1432	2404	SOSAREAL.exe	SOSAREAL.exe
PID 1980 wrote to memory of 632	1980	TL.exe	._cache_TL.exe
PID 1980 wrote to memory of 632	1980	TL.exe	._cache_TL.exe
PID 1980 wrote to memory of 632	1980	TL.exe	._cache_TL.exe
PID 1980 wrote to memory of 632	1980	TL.exe	._cache_TL.exe
PID 632 wrote to memory of 1808	632	._cache_TL.exe	powershell.exe
PID 632 wrote to memory of 1808	632	._cache_TL.exe	powershell.exe
PID 632 wrote to memory of 1808	632	._cache_TL.exe	powershell.exe
PID 632 wrote to memory of 2956	632	._cache_TL.exe	kanker.exe
PID 632 wrote to memory of 2956	632	._cache_TL.exe	kanker.exe
PID 632 wrote to memory of 2956	632	._cache_TL.exe	kanker.exe
PID 632 wrote to memory of 2956	632	._cache_TL.exe	kanker.exe
PID 632 wrote to memory of 2860	632	._cache_TL.exe	NOBLOCKTM - Copy.exe
PID 632 wrote to memory of 2860	632	._cache_TL.exe	NOBLOCKTM - Copy.exe
PID 632 wrote to memory of 2860	632	._cache_TL.exe	NOBLOCKTM - Copy.exe
PID 632 wrote to memory of 2860	632	._cache_TL.exe	NOBLOCKTM - Copy.exe
PID 2956 wrote to memory of 3036	2956	kanker.exe	._cache_kanker.exe
PID 2956 wrote to memory of 3036	2956	kanker.exe	._cache_kanker.exe
PID 2956 wrote to memory of 3036	2956	kanker.exe	._cache_kanker.exe
PID 2956 wrote to memory of 3036	2956	kanker.exe	._cache_kanker.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SOSA.exe
"C:\Users\Admin\AppData\Local\Temp\SOSA.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Local\Temp\._cache_SOSA.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_SOSA.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAZAByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAcQByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAawBuACMAPgA="
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Users\Admin\AppData\Local\Temp\SOSAREAL.exe
"C:\Users\Admin\AppData\Local\Temp\SOSAREAL.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1032

C:\Users\Admin\AppData\Local\Temp\SOSAREAL.exe
"C:\Users\Admin\AppData\Local\Temp\SOSAREAL.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1608

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2748 -s 956
3⤵
PID:2260

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAZAByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAcQByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAawBuACMAPgA="
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Users\Admin\AppData\Local\Temp\SOSAREAL.exe
"C:\Users\Admin\AppData\Local\Temp\SOSAREAL.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404

C:\Users\Admin\AppData\Local\Temp\SOSAREAL.exe
"C:\Users\Admin\AppData\Local\Temp\SOSAREAL.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1432

C:\Users\Admin\AppData\Local\Temp\TL.exe
"C:\Users\Admin\AppData\Local\Temp\TL.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Local\Temp\._cache_TL.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_TL.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAdwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAdAB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAaQBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAdABhACMAPgA="
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Users\Admin\AppData\Local\Temp\kanker.exe
"C:\Users\Admin\AppData\Local\Temp\kanker.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956

C:\Users\Admin\AppData\Local\Temp\._cache_kanker.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_kanker.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "kanker" /tr '"C:\Users\Admin\AppData\Roaming\kanker.exe"' & exit
8⤵
PID:1988

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "kanker" /tr '"C:\Users\Admin\AppData\Roaming\kanker.exe"'
9⤵
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp33DC.tmp.bat""
8⤵
PID:2392

C:\Windows\system32\timeout.exe
timeout 3
9⤵
- Delays execution with timeout.exe
PID:1304

C:\Users\Admin\AppData\Roaming\kanker.exe
"C:\Users\Admin\AppData\Roaming\kanker.exe"
9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:324

C:\Users\Admin\AppData\Local\Temp\NOBLOCKTM - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\NOBLOCKTM - Copy.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2860

C:\Users\Admin\AppData\Local\Temp\._cache_NOBLOCKTM - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_NOBLOCKTM - Copy.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "steam" /tr '"C:\Users\Admin\AppData\Roaming\steam.exe"' & exit
8⤵
PID:2840

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "steam" /tr '"C:\Users\Admin\AppData\Roaming\steam.exe"'
9⤵
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3801.tmp.bat""
8⤵
PID:2720

C:\Windows\system32\timeout.exe
timeout 3
9⤵
- Delays execution with timeout.exe
PID:2984

C:\Users\Admin\AppData\Roaming\steam.exe
"C:\Users\Admin\AppData\Roaming\steam.exe"
9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2328

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:568

C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Epic Games" /tr '"C:\Users\Admin\AppData\Roaming\Epic Games.exe"' & exit
6⤵
PID:2024

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Epic Games" /tr '"C:\Users\Admin\AppData\Roaming\Epic Games.exe"'
7⤵
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp313E.tmp.bat""
6⤵
PID:1696

C:\Windows\system32\timeout.exe
timeout 3
7⤵
- Delays execution with timeout.exe
PID:2620

C:\Users\Admin\AppData\Roaming\Epic Games.exe
"C:\Users\Admin\AppData\Roaming\Epic Games.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1888

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe
Filesize
10.3MB

MD5
a0f74ad23ce748a132b23889a7151865

SHA1
42d2a566db9d318cb0a708f15fbe113942bf0b74

SHA256
f0085976b11707aa4c9b57afc33e0bb94612fd31f2541064aff03f8cb85d643d

SHA512
157549067ec7bf4593091d4a3bce7222f609493925e4950c908a1348b2194fa2cc51e15e2e25de7d3fcbc2518605e11bdf2d149dc77a55359abe0dac829eafc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
Filesize
74KB

MD5
706f70e375f9649764877c2cb998c0ef

SHA1
616ce79c2eda05112ac5db1c200849a32dcfd129

SHA256
dbcfe6afb45f63aae4afdce64a493895607c98bf241272d43397a9cc9e8511ab

SHA512
72beadcf16c684d79ee20b92a09da0a2a81191387910b96b6f27fc01b1bfb9222a0bca1064aae7fe9caa1bf2a70867683ecf3fb6d5ef2c795b718b4d9a987437

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_NOBLOCKTM - Copy.exe
Filesize
74KB

MD5
20b0761336c5b0811ebfd3ce052a065a

SHA1
028760051e74205d80253152ba9d638537536a3d

SHA256
db35164ac870bfdde1f5883ad6156ce6e6e9b09d673813432f292aeddfc0c2f2

SHA512
edef14c446a7750fabeccb27165e99b7ee194b5433a078e137c9f0d3d9a61fd0c88036283adb04b9e19d2c7f65365ff91e52a1f7d90431d5137ca6bfdc932d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_TL.exe
Filesize
1.6MB

MD5
23917c5054286be61fdd2c5b21544ea3

SHA1
9f013c9b7a1fad2d71da1b794d67b3dfdbb27fab

SHA256
dd53e859b36dd2a9b80f637e065729d4dfb33704f727bd6735cd10d579c0f6f3

SHA512
cd6a014402baa72a29d92d2a03fec1657df771d79d028377e6284918b79f53ac9708ac1d9d62c11f7dd22233b9fe4a654c78d49a03419221c9291c0bb62f1c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_kanker.exe
Filesize
74KB

MD5
0a060b59661a27c6447d6558ceaa551d

SHA1
45a558d5eb4b65c35c1681500f60463d967cf6de

SHA256
054d7092d1e82b4e40a26fe5c5d4dd618d24d4f6beac756ee9bcfe2fe1e29ace

SHA512
91f261d801e211defc63f958ac377e515790794da3c6f820fe93097e3d11ed02b4bc0839e45a7f71dbbbcd53c8c3463718e79783b26ea7d16f078907ea4aaf27

Download Submit
C:\Users\Admin\AppData\Local\Temp\NOBLOCKTM - Copy.exe
Filesize
828KB

MD5
a1b498723fda03e583ef35e2c1a90d3e

SHA1
cbc749bf7d6fcc9266c6e794fc94009f1f6ca448

SHA256
23292a648da1e75a5e3c8fb8c540aab8e62060fc0a207305c9e52a27710ea360

SHA512
0456d1ebdc37ec89c733026d5fa77e272bcfb4da35b29cd294a34748c9b83fe2eb31014a7b5a1a33205a478204ca801f83e84688abc76e275a6bdbe1cb03aa4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SOSAREAL.exe
Filesize
6.4MB

MD5
4ecd7183076c4d8229664cee5199dde1

SHA1
a5902727332c61356128a6f6492798e26535fd82

SHA256
203b1ecdbcd0747b3c8e3fdd19a92e49a7e35054ae85b615b12eb8cb7248bed0

SHA512
5895136dcc5439b2c8de03d0f80cdf9f1c1236eb1dcead39179d16d706dbae45ae5dcff442e1f4cab6d4005eeba7e1b1699c81184f55a3414ec858cf312cf92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TL.exe
Filesize
2.4MB

MD5
cda4b73a6bedd2012492cef842266d00

SHA1
3f85f116a39fc2bee3f4d3d3689ecd012a4011ae

SHA256
cc9542c10f7a411c36d56f838d566423fbf9faae3982f891253e45965bbc760a

SHA512
1212bee805744285e6536cc5952329a39513679412857d866b27a08a240bc9cc3bfb0ec7d49615274e9c67a5e4f62531eaea177a07b5c7f59e565af4bfe4ce43

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10322\python311.dll
Filesize
5.5MB

MD5
e2bd5ae53427f193b42d64b8e9bf1943

SHA1
7c317aad8e2b24c08d3b8b3fba16dd537411727f

SHA256
c4844b05e3a936b130adedb854d3c04d49ee54edb43e9d36f8c4ae94ccb78400

SHA512
ae23a6707e539c619fd5c5b4fc6e4734edc91f89ebe024d25ff2a70168da6105ac0bd47cf6bf3715af6411963caf0acbb4632464e1619ca6361abf53adfe7036

Download Submit
C:\Users\Admin\AppData\Local\Temp\kanker.exe
Filesize
827KB

MD5
362211242adea0bc4bc379570f90c4e0

SHA1
75db2dc49b2572b63af89ffb19c37dcbacb0af01

SHA256
1b5f3aa8e061af7c7bedb09ce5e45edb5382d8db09b8f8de953b28146dedeeae

SHA512
63d32a69d38e8a4a8780fb24be39431b80e935ce388d240b459de31f85a01f9bc68cfb6986564f8ca1abc94bcd3aa68e31d4a221230be4829df540de6d352344

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp313E.tmp.bat
Filesize
154B

MD5
eb113bb36df0bbe322e1f82be09077b9

SHA1
08ac4ce1c2c199f21044fe55e16be9a9b9fda676

SHA256
242d425a20856736f33e52540a876822c7144212e71923610c8053c58e5a3de1

SHA512
4bbe3959b6cd436bace0c94db7cbd42434105e9f8613ec2c248bc55fa039119fdff2d05e22604c27cb7ad21ae893660abefae42ccf61ee753ee2ab5ec812c46d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp33DC.tmp.bat
Filesize
150B

MD5
75a4c093ae15373bf3e8511b3d8a42db

SHA1
d51ebf02679bdb55cbfc30286824079069c5ff3d

SHA256
73e8769eda153667e139a3c41b0fdd05cd22741b53e6545aa7b36ca6d4509f9d

SHA512
9e9a01474af08a2d6347b3b72047a1fe72884bb1c9352cf4f12633d48c7e80f2adba94a135e124a00c96ff005a79fa5de7e55ca52ae845f2cc932cb492697337

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3801.tmp.bat
Filesize
149B

MD5
8c6b5f84c2c4726b230ba7474a7a61ea

SHA1
d0140abdcac09bd31bcdd7c9604edff582758e5d

SHA256
49066f902e7a35c8b4125e6bdf23eff5454399a8e479e5dae6760bcc7b58e055

SHA512
e24a2067b3248279b8b337670c07456ea283a4819572660e549e1bf2d8294c6a32a0abed2de8a3e00f77ebe28d89bfc6f14547bf14cd753b16e374dce2629453

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
18972c06927bafa58d3294aa01532b5b

SHA1
6f76d308537d5e27199f005c42ba10ac90314f77

SHA256
8b3369e3b3dccf793f973b5d58083a2ba180d6e8a47174f78db0892422e7928c

SHA512
4e8a428a44b517eb666ef13ce6ad851b4dfe76f3dc669d1807aa34920ab25daa1090460d3dd1f0ad8d0503c260da9280414c4b2effb9cf531dc7c085b21a41e3

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_SOSA.exe
Filesize
9.6MB

MD5
f484246f21009726c1288185bf6183b0

SHA1
25f151525874bcee069a6471fe14f99aa39f6e59

SHA256
f5d7707af78a01efd52d0199b7c778a259b538c71cc25786297542bfe8152063

SHA512
0e6d2eaaf5f6751d0a50296d27f9dd93c28c0b5f21fc6da508e420c79b0ddeacd35871c783ee348982b1628b1eaad0c1653a6aaea5f06fbd4142c4b5292f7da1

Download Submit
\Users\Admin\AppData\Local\Temp\Client.exe
Filesize
828KB

MD5
790a83c2929779cdce5e3fba414664eb

SHA1
38abba9ae68e87930481e4c2678d5f39a79ad956

SHA256
e14f61780ae9a3a7b44b61acaffce448bf4ff4ba67e948889f22e2ada1dcb272

SHA512
b4611a08ff03510c1c24ca699d18e2e0b2be04eeec9163fb2158b5b3f948fbb7fc41b82a3f75f427cdfdbae2de893cc73bdf04237e761e84b23fecce0e42bd72

Download Submit
memory/324-231-0x0000000000BB0000-0x0000000000BC8000-memory.dmp

Filesize
96KB

Download
memory/568-118-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/632-128-0x0000000000950000-0x0000000000AF6000-memory.dmp

Filesize
1.6MB

Download
memory/1888-229-0x0000000000AA0000-0x0000000000AB8000-memory.dmp

Filesize
96KB

Download
memory/1932-25-0x0000000000400000-0x0000000000E50000-memory.dmp

Filesize
10.3MB

Download
memory/1932-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1980-125-0x0000000000400000-0x0000000000662000-memory.dmp

Filesize
2.4MB

Download
memory/2036-180-0x0000000000B50000-0x0000000000B68000-memory.dmp

Filesize
96KB

Download
memory/2328-233-0x0000000000CE0000-0x0000000000CF8000-memory.dmp

Filesize
96KB

Download
memory/2568-115-0x00000000002F0000-0x0000000000308000-memory.dmp

Filesize
96KB

Download
memory/2628-234-0x0000000000400000-0x0000000000E50000-memory.dmp

Filesize
10.3MB

Download
memory/2628-240-0x0000000000400000-0x0000000000E50000-memory.dmp

Filesize
10.3MB

Download
memory/2628-272-0x0000000000400000-0x0000000000E50000-memory.dmp

Filesize
10.3MB

Download
memory/2716-98-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/2716-99-0x0000000002380000-0x0000000002388000-memory.dmp

Filesize
32KB

Download
memory/2748-26-0x0000000000030000-0x00000000009C6000-memory.dmp

Filesize
9.6MB

Download
memory/2752-36-0x0000000001000000-0x0000000001996000-memory.dmp

Filesize
9.6MB

Download
memory/2860-169-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2956-158-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/3036-160-0x0000000000050000-0x0000000000068000-memory.dmp

Filesize
96KB

Download