Malware Analysis Report

2025-05-05 22:24

Sample ID 231007-ng9klsdf65
Target sigma.7z
SHA256 6be2d2500804b8a1665a27d8ace969c18b11792d6585c4d5de7d43db445902fd
Tags agilenet agenttesla keylogger spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

6be2d2500804b8a1665a27d8ace969c18b11792d6585c4d5de7d43db445902fd

Threat Level: Known bad

The file sigma.7z was found to be: Known bad.

Malicious Activity Summary

agilenet agenttesla keylogger spyware stealer trojan

AgentTesla

AgentTesla payload

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Checks processor information in registry

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-07 11:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-07 11:23

Reported

2023-10-07 11:29

Platform

win7-20230831-en

Max time kernel

301s

Max time network

324s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sigma\CheatoSpoofer.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sigma\CheatoSpoofer.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sigma\CheatoSpoofer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sigma\CheatoSpoofer.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\sigma\CheatoSpoofer.exe

"C:\Users\Admin\AppData\Local\Temp\sigma\CheatoSpoofer.exe"

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0xc4

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

Country Destination Domain Proto
US 8.8.8.8:53 dev.virtualearth.net udp
IE 52.156.193.145:443 dev.virtualearth.net tcp
US 8.8.8.8:53 sentry.chea.to udp
US 104.26.8.75:443 sentry.chea.to tcp
US 8.8.8.8:53 maps.googleapis.com udp
NL 142.250.179.138:443 maps.googleapis.com tcp

Files

\Users\Admin\AppData\Local\Temp\Costura\1E86214F0E241413D5D58494E90760E9\64\user64.dll

MD5 519f34494d7484d85ecfad85f23bac05
SHA1 8f1be6ce8501ca1def6d02fde760d48169677bc5
SHA256 1f7a51dd23092e70b8e323c86229de242568ffc7d27271aaf88d051662ba32f9
SHA512 d9e34321e6d32c5da664200bb5609bb2d19fcd44d36f8109e7ad2e44b5dbf1cb46e3d5b8c529d90f051e6f4cc2891301f213c9d3faac8fc4a0f3b0b8d9a3f81b

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-07 11:23

Reported

2023-10-07 11:53

Platform

win10v2004-20230915-en

Max time kernel

1802s

Max time network

1137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sigma\CheatoSpoofer.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\taskmgr.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\sigma\CheatoSpoofer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\AppData\Local\Temp\sigma\CheatoSpoofer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\sigma\CheatoSpoofer.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sigma\CheatoSpoofer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sigma\CheatoSpoofer.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sigma\CheatoSpoofer.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sigma\CheatoSpoofer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sigma\CheatoSpoofer.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sigma\CheatoSpoofer.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\sigma\CheatoSpoofer.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sigma\CheatoSpoofer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sigma\CheatoSpoofer.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sigma\CheatoSpoofer.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sigma\CheatoSpoofer.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\sigma\CheatoSpoofer.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\sigma\CheatoSpoofer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sigma\CheatoSpoofer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\sigma\CheatoSpoofer.exe

"C:\Users\Admin\AppData\Local\Temp\sigma\CheatoSpoofer.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe" shell:::{52205fd8-5dfb-447d-801a-d0b52f2e83e1}

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\AppData\Local\Temp\sigma\CheatoSpoofer.exe

"C:\Users\Admin\AppData\Local\Temp\sigma\CheatoSpoofer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 sentry.chea.to udp
US 104.26.8.75:443 sentry.chea.to tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 75.8.26.104.in-addr.arpa udp
US 8.8.8.8:53 106.208.58.216.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
US 8.8.8.8:53 dev.virtualearth.net udp
IE 52.156.193.145:443 dev.virtualearth.net tcp
US 8.8.8.8:53 maps.googleapis.com udp
NL 172.217.168.234:443 maps.googleapis.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 145.193.156.52.in-addr.arpa udp
US 8.8.8.8:53 234.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 120.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 126.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 sentry.chea.to udp
US 172.67.69.130:443 sentry.chea.to tcp
US 8.8.8.8:53 dev.virtualearth.net udp
IE 52.156.193.145:443 dev.virtualearth.net tcp
US 8.8.8.8:53 maps.googleapis.com udp
NL 142.250.179.138:443 maps.googleapis.com tcp
US 8.8.8.8:53 130.69.67.172.in-addr.arpa udp
US 8.8.8.8:53 170.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 138.179.250.142.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Costura\1E86214F0E241413D5D58494E90760E9\64\user64.dll

MD5 519f34494d7484d85ecfad85f23bac05
SHA1 8f1be6ce8501ca1def6d02fde760d48169677bc5
SHA256 1f7a51dd23092e70b8e323c86229de242568ffc7d27271aaf88d051662ba32f9
SHA512 d9e34321e6d32c5da664200bb5609bb2d19fcd44d36f8109e7ad2e44b5dbf1cb46e3d5b8c529d90f051e6f4cc2891301f213c9d3faac8fc4a0f3b0b8d9a3f81b

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iqe3ct2z.2is.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Sentry\9588CF3ABD7EF58A0A76612B90AB4AC3D3B45E66\.installation

MD5 09eb424ba95dc8c3df5bc17d4cc6a823
SHA1 ed9ab62320b1dca877852e841d77457d8adace53
SHA256 d75e9a1253cc39c6511f70fad94f575daf8d3fb3bdf2caf9eba6531295a2a8ec
SHA512 f970dbde017987e7f3c3d250280cd2406a5f71fb5ff14beabf4e15efc4ad64b67ab773996d9e200a9e27db75733d37e8530ce070b963dc8cf104f16c46b39d9f
