asyncrat | 60207694e5d4fce322f54c781f56945961aefa050d6ea539bb4e2c7c252b724f

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SOSA.exe
Size

10.3MB
MD5

a0f74ad23ce748a132b23889a7151865
SHA1

42d2a566db9d318cb0a708f15fbe113942bf0b74
SHA256

f0085976b11707aa4c9b57afc33e0bb94612fd31f2541064aff03f8cb85d643d
SHA512

157549067ec7bf4593091d4a3bce7222f609493925e4950c908a1348b2194fa2cc51e15e2e25de7d3fcbc2518605e11bdf2d149dc77a55359abe0dac829eafc8
SSDEEP

196608:GLpc+BGt3M5CcscVk1OgQRszjQMLwrtUSu+Kuib752HkDOKu3BX4aUvhFC:GWEGa5CcZmQRrUmtUSu9dbV2Exu3Bovm

Score

10^/10

asyncrat default execution persistence pyinstaller rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

147.185.221.19:9090

147.185.221.19:54226

127.0.0.1:9090

127.0.0.1:29034

147.185.221.20:9090

147.185.221.20:29034

10.0.2.15:9090

10.0.2.15:52033

147.185.221.19:52033

Mutex

upqizvsjqe

Attributes

delay
1
install
true
install_file
Epic Games.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe	family_asyncrat
C:\Users\Admin\AppData\Local\Temp\._cache_kanker.exe	family_asyncrat
C:\Users\Admin\AppData\Local\Temp\._cache_NOBLOCKTM - Copy.exe	family_asyncrat

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NOBLOCKTM - Copy.exe._cache_NOBLOCKTM - Copy.exe._cache_SOSA.exeSynaptics.exe._cache_Synaptics.exe._cache_TL.exekanker.exeSOSA.exeTL.exeClient.exe._cache_Client.exe._cache_kanker.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	NOBLOCKTM - Copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	._cache_NOBLOCKTM - Copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	._cache_SOSA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	._cache_TL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	kanker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	SOSA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	TL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	._cache_Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	._cache_kanker.exe

Executes dropped EXE 16 IoCs

Processes:

._cache_SOSA.exeSynaptics.exeSOSAREAL.exeTL.exeClient.exe._cache_Synaptics.exeSOSAREAL.exe._cache_TL.exe._cache_Client.exekanker.exeNOBLOCKTM - Copy.exe._cache_kanker.exe._cache_NOBLOCKTM - Copy.exeEpic Games.exesteam.exekanker.exe

pid	process
1556	._cache_SOSA.exe
4780	Synaptics.exe
3372	SOSAREAL.exe
4716	TL.exe
4172	Client.exe
4372	._cache_Synaptics.exe
4928	SOSAREAL.exe
4992	._cache_TL.exe
3164	._cache_Client.exe
1424	kanker.exe
464	NOBLOCKTM - Copy.exe
4860	._cache_kanker.exe
3824	._cache_NOBLOCKTM - Copy.exe
2752	Epic Games.exe
2780	steam.exe
1504	kanker.exe

Loads dropped DLL 4 IoCs

Processes:

SOSAREAL.exe

pid process

4928 SOSAREAL.exe
4928 SOSAREAL.exe
4928 SOSAREAL.exe
4928 SOSAREAL.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

SOSA.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" SOSA.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

3496 powershell.exe
3024 powershell.exe
4980 powershell.exe
Detects Pyinstaller 1 IoCs
pyinstaller

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\SOSAREAL.exe pyinstaller
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4928	SOSAREAL.exe
4928	SOSAREAL.exe
4928	SOSAREAL.exe
4928	SOSAREAL.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	SOSA.exe

pid	process
3496	powershell.exe
3024	powershell.exe
4980	powershell.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SOSAREAL.exe	pyinstaller

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

3376 timeout.exe
2024 timeout.exe
2192 timeout.exe

pid	process
3376	timeout.exe
2024	timeout.exe
2192	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 6 IoCs

Processes:

SOSA.exeSynaptics.exeTL.exeClient.exekanker.exeNOBLOCKTM - Copy.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	SOSA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	kanker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	NOBLOCKTM - Copy.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1840 schtasks.exe
5052 schtasks.exe
5036 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4788 EXCEL.EXE

pid	process
1840	schtasks.exe
5052	schtasks.exe
5036	schtasks.exe

pid	process
4788	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exe._cache_Client.exe._cache_kanker.exe

pid	process
3024	powershell.exe
3024	powershell.exe
4980	powershell.exe
4980	powershell.exe
4980	powershell.exe
3496	powershell.exe
3496	powershell.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3496	powershell.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
3164	._cache_Client.exe
4860	._cache_kanker.exe
4860	._cache_kanker.exe
4860	._cache_kanker.exe
4860	._cache_kanker.exe
4860	._cache_kanker.exe
4860	._cache_kanker.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exe._cache_Client.exepowershell.exepowershell.exe._cache_kanker.exe._cache_NOBLOCKTM - Copy.exeEpic Games.exesteam.exekanker.exe

description	pid	process
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	3164	._cache_Client.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	3496	powershell.exe
Token: SeDebugPrivilege	4860	._cache_kanker.exe
Token: SeDebugPrivilege	3824	._cache_NOBLOCKTM - Copy.exe
Token: SeDebugPrivilege	2752	Epic Games.exe
Token: SeDebugPrivilege	2780	steam.exe
Token: SeDebugPrivilege	1504	kanker.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

EXCEL.EXEEpic Games.exekanker.exesteam.exe

pid process

4788 EXCEL.EXE
4788 EXCEL.EXE
4788 EXCEL.EXE
4788 EXCEL.EXE
2752 Epic Games.exe
1504 kanker.exe
2780 steam.exe

pid	process
4788	EXCEL.EXE
4788	EXCEL.EXE
4788	EXCEL.EXE
4788	EXCEL.EXE
2752	Epic Games.exe
1504	kanker.exe
2780	steam.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SOSA.exe._cache_SOSA.exeSynaptics.exeSOSAREAL.exeTL.exeClient.exe._cache_Synaptics.exeSOSAREAL.exe._cache_TL.exekanker.exeNOBLOCKTM - Copy.exe._cache_Client.execmd.execmd.exe._cache_kanker.exe._cache_NOBLOCKTM - Copy.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2016 wrote to memory of 1556	2016	SOSA.exe	._cache_SOSA.exe
PID 2016 wrote to memory of 1556	2016	SOSA.exe	._cache_SOSA.exe
PID 2016 wrote to memory of 4780	2016	SOSA.exe	Synaptics.exe
PID 2016 wrote to memory of 4780	2016	SOSA.exe	Synaptics.exe
PID 2016 wrote to memory of 4780	2016	SOSA.exe	Synaptics.exe
PID 1556 wrote to memory of 3024	1556	._cache_SOSA.exe	powershell.exe
PID 1556 wrote to memory of 3024	1556	._cache_SOSA.exe	powershell.exe
PID 1556 wrote to memory of 3372	1556	._cache_SOSA.exe	SOSAREAL.exe
PID 1556 wrote to memory of 3372	1556	._cache_SOSA.exe	SOSAREAL.exe
PID 1556 wrote to memory of 4716	1556	._cache_SOSA.exe	TL.exe
PID 1556 wrote to memory of 4716	1556	._cache_SOSA.exe	TL.exe
PID 1556 wrote to memory of 4716	1556	._cache_SOSA.exe	TL.exe
PID 1556 wrote to memory of 4172	1556	._cache_SOSA.exe	Client.exe
PID 1556 wrote to memory of 4172	1556	._cache_SOSA.exe	Client.exe
PID 1556 wrote to memory of 4172	1556	._cache_SOSA.exe	Client.exe
PID 4780 wrote to memory of 4372	4780	Synaptics.exe	._cache_Synaptics.exe
PID 4780 wrote to memory of 4372	4780	Synaptics.exe	._cache_Synaptics.exe
PID 3372 wrote to memory of 4928	3372	SOSAREAL.exe	SOSAREAL.exe
PID 3372 wrote to memory of 4928	3372	SOSAREAL.exe	SOSAREAL.exe
PID 4716 wrote to memory of 4992	4716	TL.exe	._cache_TL.exe
PID 4716 wrote to memory of 4992	4716	TL.exe	._cache_TL.exe
PID 4172 wrote to memory of 3164	4172	Client.exe	._cache_Client.exe
PID 4172 wrote to memory of 3164	4172	Client.exe	._cache_Client.exe
PID 4372 wrote to memory of 4980	4372	._cache_Synaptics.exe	powershell.exe
PID 4372 wrote to memory of 4980	4372	._cache_Synaptics.exe	powershell.exe
PID 4928 wrote to memory of 4468	4928	SOSAREAL.exe	cmd.exe
PID 4928 wrote to memory of 4468	4928	SOSAREAL.exe	cmd.exe
PID 4992 wrote to memory of 3496	4992	._cache_TL.exe	powershell.exe
PID 4992 wrote to memory of 3496	4992	._cache_TL.exe	powershell.exe
PID 4992 wrote to memory of 1424	4992	._cache_TL.exe	kanker.exe
PID 4992 wrote to memory of 1424	4992	._cache_TL.exe	kanker.exe
PID 4992 wrote to memory of 1424	4992	._cache_TL.exe	kanker.exe
PID 4928 wrote to memory of 4504	4928	SOSAREAL.exe	cmd.exe
PID 4928 wrote to memory of 4504	4928	SOSAREAL.exe	cmd.exe
PID 4992 wrote to memory of 464	4992	._cache_TL.exe	NOBLOCKTM - Copy.exe
PID 4992 wrote to memory of 464	4992	._cache_TL.exe	NOBLOCKTM - Copy.exe
PID 4992 wrote to memory of 464	4992	._cache_TL.exe	NOBLOCKTM - Copy.exe
PID 1424 wrote to memory of 4860	1424	kanker.exe	._cache_kanker.exe
PID 1424 wrote to memory of 4860	1424	kanker.exe	._cache_kanker.exe
PID 464 wrote to memory of 3824	464	NOBLOCKTM - Copy.exe	._cache_NOBLOCKTM - Copy.exe
PID 464 wrote to memory of 3824	464	NOBLOCKTM - Copy.exe	._cache_NOBLOCKTM - Copy.exe
PID 3164 wrote to memory of 1676	3164	._cache_Client.exe	cmd.exe
PID 3164 wrote to memory of 1676	3164	._cache_Client.exe	cmd.exe
PID 3164 wrote to memory of 3692	3164	._cache_Client.exe	cmd.exe
PID 3164 wrote to memory of 3692	3164	._cache_Client.exe	cmd.exe
PID 3692 wrote to memory of 3376	3692	cmd.exe	timeout.exe
PID 3692 wrote to memory of 3376	3692	cmd.exe	timeout.exe
PID 1676 wrote to memory of 5052	1676	cmd.exe	schtasks.exe
PID 1676 wrote to memory of 5052	1676	cmd.exe	schtasks.exe
PID 4860 wrote to memory of 3908	4860	._cache_kanker.exe	cmd.exe
PID 4860 wrote to memory of 3908	4860	._cache_kanker.exe	cmd.exe
PID 4860 wrote to memory of 2240	4860	._cache_kanker.exe	cmd.exe
PID 4860 wrote to memory of 2240	4860	._cache_kanker.exe	cmd.exe
PID 3824 wrote to memory of 4468	3824	._cache_NOBLOCKTM - Copy.exe	cmd.exe
PID 3824 wrote to memory of 4468	3824	._cache_NOBLOCKTM - Copy.exe	cmd.exe
PID 3824 wrote to memory of 3312	3824	._cache_NOBLOCKTM - Copy.exe	cmd.exe
PID 3824 wrote to memory of 3312	3824	._cache_NOBLOCKTM - Copy.exe	cmd.exe
PID 2240 wrote to memory of 2024	2240	cmd.exe	timeout.exe
PID 2240 wrote to memory of 2024	2240	cmd.exe	timeout.exe
PID 3908 wrote to memory of 5036	3908	cmd.exe	schtasks.exe
PID 3908 wrote to memory of 5036	3908	cmd.exe	schtasks.exe
PID 4468 wrote to memory of 1840	4468	cmd.exe	schtasks.exe
PID 4468 wrote to memory of 1840	4468	cmd.exe	schtasks.exe
PID 3312 wrote to memory of 2192	3312	cmd.exe	timeout.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SOSA.exe
"C:\Users\Admin\AppData\Local\Temp\SOSA.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\._cache_SOSA.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_SOSA.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAZAByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAcQByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAawBuACMAPgA="
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Users\Admin\AppData\Local\Temp\SOSAREAL.exe
"C:\Users\Admin\AppData\Local\Temp\SOSAREAL.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3372

C:\Users\Admin\AppData\Local\Temp\SOSAREAL.exe
"C:\Users\Admin\AppData\Local\Temp\SOSAREAL.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls & title SOSA CARD GEN BY lcm_2080
5⤵
PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
5⤵
PID:4504

C:\Users\Admin\AppData\Local\Temp\TL.exe
"C:\Users\Admin\AppData\Local\Temp\TL.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4716

C:\Users\Admin\AppData\Local\Temp\._cache_TL.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_TL.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAdwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAdAB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAaQBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAdABhACMAPgA="
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\Users\Admin\AppData\Local\Temp\kanker.exe
"C:\Users\Admin\AppData\Local\Temp\kanker.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Local\Temp\._cache_kanker.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_kanker.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "kanker" /tr '"C:\Users\Admin\AppData\Roaming\kanker.exe"' & exit
7⤵
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "kanker" /tr '"C:\Users\Admin\AppData\Roaming\kanker.exe"'
8⤵
- Scheduled Task/Job: Scheduled Task
PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp665B.tmp.bat""
7⤵
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\system32\timeout.exe
timeout 3
8⤵
- Delays execution with timeout.exe
PID:2024

C:\Users\Admin\AppData\Roaming\kanker.exe
"C:\Users\Admin\AppData\Roaming\kanker.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1504

C:\Users\Admin\AppData\Local\Temp\NOBLOCKTM - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\NOBLOCKTM - Copy.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:464

C:\Users\Admin\AppData\Local\Temp\._cache_NOBLOCKTM - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_NOBLOCKTM - Copy.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3824

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "steam" /tr '"C:\Users\Admin\AppData\Roaming\steam.exe"' & exit
7⤵
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "steam" /tr '"C:\Users\Admin\AppData\Roaming\steam.exe"'
8⤵
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp668A.tmp.bat""
7⤵
- Suspicious use of WriteProcessMemory
PID:3312

C:\Windows\system32\timeout.exe
timeout 3
8⤵
- Delays execution with timeout.exe
PID:2192

C:\Users\Admin\AppData\Roaming\steam.exe
"C:\Users\Admin\AppData\Roaming\steam.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2780

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4172

C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3164

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Epic Games" /tr '"C:\Users\Admin\AppData\Roaming\Epic Games.exe"' & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Epic Games" /tr '"C:\Users\Admin\AppData\Roaming\Epic Games.exe"'
6⤵
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5F85.tmp.bat""
5⤵
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\system32\timeout.exe
timeout 3
6⤵
- Delays execution with timeout.exe
PID:3376

C:\Users\Admin\AppData\Roaming\Epic Games.exe
"C:\Users\Admin\AppData\Roaming\Epic Games.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2752

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4780

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAZAByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAcQByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAawBuACMAPgA="
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4980

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4788

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe
Filesize
10.3MB

MD5
a0f74ad23ce748a132b23889a7151865

SHA1
42d2a566db9d318cb0a708f15fbe113942bf0b74

SHA256
f0085976b11707aa4c9b57afc33e0bb94612fd31f2541064aff03f8cb85d643d

SHA512
157549067ec7bf4593091d4a3bce7222f609493925e4950c908a1348b2194fa2cc51e15e2e25de7d3fcbc2518605e11bdf2d149dc77a55359abe0dac829eafc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
da5c82b0e070047f7377042d08093ff4

SHA1
89d05987cd60828cca516c5c40c18935c35e8bd3

SHA256
77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

SHA512
7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
Filesize
74KB

MD5
706f70e375f9649764877c2cb998c0ef

SHA1
616ce79c2eda05112ac5db1c200849a32dcfd129

SHA256
dbcfe6afb45f63aae4afdce64a493895607c98bf241272d43397a9cc9e8511ab

SHA512
72beadcf16c684d79ee20b92a09da0a2a81191387910b96b6f27fc01b1bfb9222a0bca1064aae7fe9caa1bf2a70867683ecf3fb6d5ef2c795b718b4d9a987437

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_NOBLOCKTM - Copy.exe
Filesize
74KB

MD5
20b0761336c5b0811ebfd3ce052a065a

SHA1
028760051e74205d80253152ba9d638537536a3d

SHA256
db35164ac870bfdde1f5883ad6156ce6e6e9b09d673813432f292aeddfc0c2f2

SHA512
edef14c446a7750fabeccb27165e99b7ee194b5433a078e137c9f0d3d9a61fd0c88036283adb04b9e19d2c7f65365ff91e52a1f7d90431d5137ca6bfdc932d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_SOSA.exe
Filesize
9.6MB

MD5
f484246f21009726c1288185bf6183b0

SHA1
25f151525874bcee069a6471fe14f99aa39f6e59

SHA256
f5d7707af78a01efd52d0199b7c778a259b538c71cc25786297542bfe8152063

SHA512
0e6d2eaaf5f6751d0a50296d27f9dd93c28c0b5f21fc6da508e420c79b0ddeacd35871c783ee348982b1628b1eaad0c1653a6aaea5f06fbd4142c4b5292f7da1

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_TL.exe
Filesize
1.6MB

MD5
23917c5054286be61fdd2c5b21544ea3

SHA1
9f013c9b7a1fad2d71da1b794d67b3dfdbb27fab

SHA256
dd53e859b36dd2a9b80f637e065729d4dfb33704f727bd6735cd10d579c0f6f3

SHA512
cd6a014402baa72a29d92d2a03fec1657df771d79d028377e6284918b79f53ac9708ac1d9d62c11f7dd22233b9fe4a654c78d49a03419221c9291c0bb62f1c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_kanker.exe
Filesize
74KB

MD5
0a060b59661a27c6447d6558ceaa551d

SHA1
45a558d5eb4b65c35c1681500f60463d967cf6de

SHA256
054d7092d1e82b4e40a26fe5c5d4dd618d24d4f6beac756ee9bcfe2fe1e29ace

SHA512
91f261d801e211defc63f958ac377e515790794da3c6f820fe93097e3d11ed02b4bc0839e45a7f71dbbbcd53c8c3463718e79783b26ea7d16f078907ea4aaf27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe
Filesize
828KB

MD5
790a83c2929779cdce5e3fba414664eb

SHA1
38abba9ae68e87930481e4c2678d5f39a79ad956

SHA256
e14f61780ae9a3a7b44b61acaffce448bf4ff4ba67e948889f22e2ada1dcb272

SHA512
b4611a08ff03510c1c24ca699d18e2e0b2be04eeec9163fb2158b5b3f948fbb7fc41b82a3f75f427cdfdbae2de893cc73bdf04237e761e84b23fecce0e42bd72

Download Submit
C:\Users\Admin\AppData\Local\Temp\NOBLOCKTM - Copy.exe
Filesize
828KB

MD5
a1b498723fda03e583ef35e2c1a90d3e

SHA1
cbc749bf7d6fcc9266c6e794fc94009f1f6ca448

SHA256
23292a648da1e75a5e3c8fb8c540aab8e62060fc0a207305c9e52a27710ea360

SHA512
0456d1ebdc37ec89c733026d5fa77e272bcfb4da35b29cd294a34748c9b83fe2eb31014a7b5a1a33205a478204ca801f83e84688abc76e275a6bdbe1cb03aa4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SOSAREAL.exe
Filesize
6.4MB

MD5
4ecd7183076c4d8229664cee5199dde1

SHA1
a5902727332c61356128a6f6492798e26535fd82

SHA256
203b1ecdbcd0747b3c8e3fdd19a92e49a7e35054ae85b615b12eb8cb7248bed0

SHA512
5895136dcc5439b2c8de03d0f80cdf9f1c1236eb1dcead39179d16d706dbae45ae5dcff442e1f4cab6d4005eeba7e1b1699c81184f55a3414ec858cf312cf92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TL.exe
Filesize
2.4MB

MD5
cda4b73a6bedd2012492cef842266d00

SHA1
3f85f116a39fc2bee3f4d3d3689ecd012a4011ae

SHA256
cc9542c10f7a411c36d56f838d566423fbf9faae3982f891253e45965bbc760a

SHA512
1212bee805744285e6536cc5952329a39513679412857d866b27a08a240bc9cc3bfb0ec7d49615274e9c67a5e4f62531eaea177a07b5c7f59e565af4bfe4ce43

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33722\VCRUNTIME140.dll
Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33722\_bz2.pyd
Filesize
82KB

MD5
a62207fc33140de460444e191ae19b74

SHA1
9327d3d4f9d56f1846781bcb0a05719dea462d74

SHA256
ebcac51449f323ae3ae961a33843029c34b6a82138ccd9214cf99f98dd2148c2

SHA512
90f9db9ee225958cb3e872b79f2c70cb1fd2248ebaa8f3282afff9250285852156bf668f5cfec49a4591b416ce7ebaaac62d2d887152f5356512f2347e3762b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33722\_ctypes.pyd
Filesize
120KB

MD5
9b344f8d7ce5b57e397a475847cc5f66

SHA1
aff1ccc2608da022ecc8d0aba65d304fe74cdf71

SHA256
b1214d7b7efd9d4b0f465ec3463512a1cbc5f59686267030f072e6ce4b2a95cf

SHA512
2b0d9e1b550bf108fa842324ab26555f2a224aefff517fdb16df85693e05adaf0d77ebe49382848f1ec68dc9b5ae75027a62c33721e42a1566274d1a2b1baa41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33722\_decimal.pyd
Filesize
247KB

MD5
692c751a1782cc4b54c203546f238b73

SHA1
a103017afb7badaece8fee2721c9a9c924afd989

SHA256
c70f05f6bc564fe400527b30c29461e9642fb973f66eec719d282d3d0b402f93

SHA512
1b1ad0ca648bd50ce6e6af4be78ad818487aa336318b272417a2e955ead546c9e0864b515150cd48751a03ca8c62f9ec91306cda41baea52452e3fcc24d57d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33722\_hashlib.pyd
Filesize
63KB

MD5
787b82d4466f393366657b8f1bc5f1a9

SHA1
658639cddda55ac3bfc452db4ec9cf88851e606b

SHA256
241322647ba9f94bdc3ae387413ffb57ae14c8cf88bd564a31fe193c6ca43e37

SHA512
afcf66962958f38eec8b591aa30d380eb0e1b41028836058ff91b4d1472658de9fba3262f5c27ba688bd73da018e938f398e45911cd37584f623073067f575b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33722\_lzma.pyd
Filesize
155KB

MD5
0c7ea68ca88c07ae6b0a725497067891

SHA1
c2b61a3e230b30416bc283d1f3ea25678670eb74

SHA256
f74aaf0aa08cf90eb1eb23a474ccb7cb706b1ede7f911daf7ae68480765bdf11

SHA512
fd52f20496a12e6b20279646663d880b1354cffea10793506fe4560ed7da53e4efba900ae65c9996fbb3179c83844a9674051385e6e3c26fb2622917351846b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33722\_socket.pyd
Filesize
77KB

MD5
26dd19a1f5285712068b9e41808e8fa0

SHA1
90c9a112dd34d45256b4f2ed38c1cbbc9f24dba5

SHA256
eaabf6b78840daeaf96b5bdbf06adf0e4e2994dfeee5c5e27fefd824dbda5220

SHA512
173e1eda05d297d7da2193e8566201f05428437adcac80aecefe80f82d46295b15ce10990b5c080325dc59a432a587eef84a15ec688a62b82493ad501a1e4520

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33722\base_library.zip
Filesize
1.4MB

MD5
6d46c3fdbf9b6f1fddf25e7cc9dd9a46

SHA1
67577a1d4eba38ce730e1fea829b88aed8032d87

SHA256
9e5701bd796e5f95bf1e6b4faecfdefc8e77a92fc7639d0be729818c8eafe2a7

SHA512
93d4e630c513d5fa2f7b3726d114158ceba55f4d3d60c248382e30c69f3c3e3edb890363e017e6b1ef6af61b62a82320818484e7018d96c586e861200334e98f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33722\libcrypto-1_1.dll
Filesize
3.3MB

MD5
9d7a0c99256c50afd5b0560ba2548930

SHA1
76bd9f13597a46f5283aa35c30b53c21976d0824

SHA256
9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939

SHA512
cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33722\libffi-8.dll
Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33722\python311.dll
Filesize
5.5MB

MD5
e2bd5ae53427f193b42d64b8e9bf1943

SHA1
7c317aad8e2b24c08d3b8b3fba16dd537411727f

SHA256
c4844b05e3a936b130adedb854d3c04d49ee54edb43e9d36f8c4ae94ccb78400

SHA512
ae23a6707e539c619fd5c5b4fc6e4734edc91f89ebe024d25ff2a70168da6105ac0bd47cf6bf3715af6411963caf0acbb4632464e1619ca6361abf53adfe7036

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33722\select.pyd
Filesize
29KB

MD5
756c95d4d9b7820b00a3099faf3f4f51

SHA1
893954a45c75fb45fe8048a804990ca33f7c072d

SHA256
13e4d9a734a453a3613e11b6a518430099ad7e3d874ea407d1f9625b7f60268a

SHA512
0f54f0262cf8d71f00bf5666eb15541c6ecc5246cd298efd3b7dd39cdd29553a8242d204c42cfb28c537c3d61580153200373c34a94769f102b3baa288f6c398

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33722\unicodedata.pyd
Filesize
1.1MB

MD5
58f7988b50cba7b793884f580c7083e1

SHA1
d52c06b19861f074e41d8b521938dee8b56c1f2e

SHA256
e36d14cf49ca2af44fae8f278e883341167bc380099dac803276a11e57c9cfa1

SHA512
397fa46b90582f8a8cd7df23b722204c38544717bf546837c45e138b39112f33a1850be790e248fca5b5ecd9ed7c91cd1af1864f72717d9805c486db0505fb9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_maiui4wp.cv4.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kanker.exe
Filesize
827KB

MD5
362211242adea0bc4bc379570f90c4e0

SHA1
75db2dc49b2572b63af89ffb19c37dcbacb0af01

SHA256
1b5f3aa8e061af7c7bedb09ce5e45edb5382d8db09b8f8de953b28146dedeeae

SHA512
63d32a69d38e8a4a8780fb24be39431b80e935ce388d240b459de31f85a01f9bc68cfb6986564f8ca1abc94bcd3aa68e31d4a221230be4829df540de6d352344

Download Submit
C:\Users\Admin\AppData\Local\Temp\pZnZUq6L.xlsm
Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5F85.tmp.bat
Filesize
154B

MD5
bef3659b9451537029850c10bb7a2191

SHA1
ce3e212b2912ffdfe4db5bd7dad8039ebec722ab

SHA256
0cc032b743274899625c2c35511483ecaea84f5993dfc2f1e2fc4ba4e3db64ba

SHA512
bfdec19c26648edbbdef1e368ceb73b62c250748da6e8ca94c04f4635ab9d12c958dbf45165187182bfd563e5c721bc1a0c5e1b72bb905a7932f3040e877e5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp665B.tmp.bat
Filesize
150B

MD5
3f6c3b19ea85d2204d9e72ea323a74fc

SHA1
10cff1f9e4efb8bea817de2783fa1edb4fa661a7

SHA256
5139f808c6c4c8d3ce334f5368b8c60aff416bef452f9af5cf88046b725caabd

SHA512
1383236679afb3449847049d7a36255aee2049adefe9551e0ad082ffdbf8daf6d348cf29232f224dfbc1c935213f81d4c0df4714be6935c30d9188b09a764c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp668A.tmp.bat
Filesize
149B

MD5
28918d39b89354266a54ebb26484eb61

SHA1
2e5d2baa05699eef357078020099f4bd8eae2790

SHA256
ee7f7205080123a01af63325aae47c3aa4fbab1af24c2a112343a6d0207dcfb6

SHA512
32ca94d54583a2abcd9ca96f6e02139cf0dfe9f6b1443b1e809179ba9aa2c5f18eca3bd82356cf474f9713b21fe46e2e2fca794dffefa647744a92cd27fa8c29

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
memory/464-578-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1424-562-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1556-230-0x00007FFB1C320000-0x00007FFB1CDE1000-memory.dmp

Filesize
10.8MB

Download
memory/1556-71-0x0000000000130000-0x0000000000AC6000-memory.dmp

Filesize
9.6MB

Download
memory/1556-65-0x00007FFB1C323000-0x00007FFB1C325000-memory.dmp

Filesize
8KB

Download
memory/1556-131-0x00007FFB1C320000-0x00007FFB1CDE1000-memory.dmp

Filesize
10.8MB

Download
memory/2016-130-0x0000000000400000-0x0000000000E50000-memory.dmp

Filesize
10.3MB

Download
memory/2016-0-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

Filesize
4KB

Download
memory/3024-213-0x00000211EBE60000-0x00000211EBE82000-memory.dmp

Filesize
136KB

Download
memory/3164-393-0x0000000000550000-0x0000000000568000-memory.dmp

Filesize
96KB

Download
memory/3824-579-0x0000000000870000-0x0000000000888000-memory.dmp

Filesize
96KB

Download
memory/4172-392-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/4716-390-0x0000000000400000-0x0000000000662000-memory.dmp

Filesize
2.4MB

Download
memory/4780-638-0x0000000000400000-0x0000000000E50000-memory.dmp

Filesize
10.3MB

Download
memory/4780-601-0x0000000000400000-0x0000000000E50000-memory.dmp

Filesize
10.3MB

Download
memory/4788-370-0x00007FFAFA8D0000-0x00007FFAFA8E0000-memory.dmp

Filesize
64KB

Download
memory/4788-395-0x00007FFAF7FD0000-0x00007FFAF7FE0000-memory.dmp

Filesize
64KB

Download
memory/4788-396-0x00007FFAF7FD0000-0x00007FFAF7FE0000-memory.dmp

Filesize
64KB

Download
memory/4788-368-0x00007FFAFA8D0000-0x00007FFAFA8E0000-memory.dmp

Filesize
64KB

Download
memory/4788-367-0x00007FFAFA8D0000-0x00007FFAFA8E0000-memory.dmp

Filesize
64KB

Download
memory/4788-371-0x00007FFAFA8D0000-0x00007FFAFA8E0000-memory.dmp

Filesize
64KB

Download
memory/4788-369-0x00007FFAFA8D0000-0x00007FFAFA8E0000-memory.dmp

Filesize
64KB

Download
memory/4860-563-0x00000000007E0000-0x00000000007F8000-memory.dmp

Filesize
96KB

Download
memory/4992-391-0x0000000000170000-0x0000000000316000-memory.dmp

Filesize
1.6MB

Download