Malware Analysis Report

2024-11-13 19:35

Sample ID 231107-adhqtsac39
Target baa381f572d293636b6e48cacd2cd6a6f4f9e5f71c583873260f6ac01f0f5e15.exe
SHA256 baa381f572d293636b6e48cacd2cd6a6f4f9e5f71c583873260f6ac01f0f5e15
Tags
nullmixer smokeloader vidar 706 aspackv2 backdoor dropper stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

baa381f572d293636b6e48cacd2cd6a6f4f9e5f71c583873260f6ac01f0f5e15

Threat Level: Known bad

The file baa381f572d293636b6e48cacd2cd6a6f4f9e5f71c583873260f6ac01f0f5e15.exe was found to be: Known bad.

Malicious Activity Summary

Tags: nullmixer smokeloader vidar 706 aspackv2 backdoor dropper stealer trojan

Families: Vidar, SmokeLoader, NullMixer, Vidar Stealer

Signatures:
- Checks computer location settings
- Executes dropped EXE
- ASPack v2.12-2.42
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Unsigned PE
- Program crash
- Enumerates physical storage devices
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Uses Task Scheduler COM API
- Checks SCSI registry key(s)
- Suspicious use of SendNotifyMessage
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: RenamesItself
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- Suspicious behavior: AddClipboardFormatListener
- Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-07 00:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-07 00:05

Reported

2023-11-07 00:08

Platform

win10v2004-20231020-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\baa381f572d293636b6e48cacd2cd6a6f4f9e5f71c583873260f6ac01f0f5e15.exe"

Signatures

NullMixer (tags: dropper nullmixer)

SmokeLoader (tags: trojan backdoor smokeloader)

Vidar (tags: stealer vidar)

Vidar Stealer (tags: stealer)

Description Indicator Process Target
N/A N/A N/A N/A (×3)

ASPack v2.12-2.42 (tags: aspackv2)

Description Indicator Process Target
N/A N/A N/A N/A (×7)

ASPack is a runtime packer: imports and strings are only visible once the code has unpacked itself, so static tooling sees little of the seven hits above until the relevant process is dumped from memory.

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\baa381f572d293636b6e48cacd2cd6a6f4f9e5f71c583873260f6ac01f0f5e15.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A

Geo\Nation holds the configured country as a GeoID. Both the outer sample and the setup_installer.exe it drops read it, which is consistent with the country-exclusion check that loaders and stealers of this kind run before unpacking further.

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\setup_install.exe (×1)
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\Fri1544861ac3fe6a.exe (×16)

Fri1544861ac3fe6a.exe faulted sixteen times inside a 120 s run. A payload that WerFault keeps catching is usually one whose environment did not satisfy it (unreachable C2, a failed anti-analysis check), so its behaviour in this report is likely incomplete.

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\Fri15af75ee9b.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\Fri15af75ee9b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\Fri15af75ee9b.exe N/A

Fri15af75ee9b.exe opening and enumerating ControlSet001\Enum\SCSI is how a sample reads the disk vendor and product identifiers to test for a virtual machine; the instance name here (Disk&Ven_DADY&Prod_HARDDISK) is the sandbox's disk. The three taskmgr.exe rows read that disk's FriendlyName, which Task Manager does for its own display, so they say nothing about the sample.

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Internet Explorer\Toolbar N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 N/A N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000054578188120041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe545780886757c8002e000000dee10100000001000000000000000000000000000000a8631a014100700070004400610074006100000042000000 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings C:\Windows\system32\taskmgr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000da2d746b7703da01f6e9ce578003da0130b9325c0e11da0114000000 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000006757d000100054656d7000003a0009000400efbe545780886757e3002e000000f2e1010000000100000000000000000000000000000059a2d400540065006d007000000014000000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000006757e30010004c6f63616c003c0009000400efbe545780886757e3002e000000f1e10100000001000000000000000000000000000000d6a118014c006f00630061006c00000014000000 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 60003100000000006757d7001000375a533039357e310000480009000400efbe6757c9006757e3002e000000ad24020000000b000000000000000000000000000000b473570037007a00530030003900350039004600420033003700000018000000 N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 N/A N/A
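The BagMRU values in the table above are Explorer ShellBag entries: each level of the key path stores one shell item, and the item data carries the folder's short name, long name and FAT timestamps. Decoding them tells you which folder was browsed during the run, something the report leaves as "Modifies registry class" with no process recorded. The parser below is an added example, not part of the sandbox report or of any tool the report uses. The five hex values are copied from the table; the item layout (root item 0x1f carrying a CLSID, file entry 0x31, delegate item 0x74, and the 0xbeef0004 extension block) follows the public Windows Shell Item documentation, and the field offsets for extension-block versions other than 9 are taken from that documentation without being exercised by this data.

```python
"""Decode the BagMRU shell items from the "Modifies registry class" table.

Added example. BAGMRU holds the five values copied from the report; the layout
constants follow the public Windows Shell Item (libfwsi) documentation."""
import struct
import uuid
from datetime import datetime

# Registry value name -> data as printed in the report (copied from the table above).
BAGMRU = {
    r"BagMRU\0": "3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000da2d746b7703da01f6e9ce578003da0130b9325c0e11da0114000000",
    r"BagMRU\0\0": "820074001c0043465346160031000000000054578188120041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe545780886757c8002e000000dee10100000001000000000000000000000000000000a8631a014100700070004400610074006100000042000000",
    r"BagMRU\0\0\0": "50003100000000006757e30010004c6f63616c003c0009000400efbe545780886757e3002e000000f1e10100000001000000000000000000000000000000d6a118014c006f00630061006c00000014000000",
    r"BagMRU\0\0\0\0": "4e003100000000006757d000100054656d7000003a0009000400efbe545780886757e3002e000000f2e1010000000100000000000000000000000000000059a2d400540065006d007000000014000000",
    r"BagMRU\0\0\0\0\0": "60003100000000006757d7001000375a533039357e310000480009000400efbe6757c9006757e3002e000000ad24020000000b000000000000000000000000000000b473570037007a00530030003900350039004600420033003700000018000000",
}
BEEF0004 = b"\x04\x00\xef\xbe"  # file entry extension block signature, little-endian


def fat_datetime(raw):
    """4-byte FAT timestamp as stored in shell items: date word, then time word."""
    date, time = struct.unpack("<HH", raw)
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def long_name_offset(version):
    """Offset of the UTF-16 long name inside a 0xbeef0004 block for a given version."""
    off = 18                  # size, version, signature, created, accessed, identifier
    if version >= 7:
        off += 2 + 8 + 8      # unknown, NTFS file reference, unknown
    if version >= 3:
        off += 2              # long string size
    if version >= 9:
        off += 4              # unknown (Windows 10)
    if version >= 8:
        off += 4              # unknown (Windows 8+)
    return off


def parse_item(data):
    """Decode one shell item; the value data also carries the 2-byte list terminator."""
    size, = struct.unpack_from("<H", data, 0)
    item, kind = data[:size], data[2]
    if kind == 0x1F:                                  # root folder item: CLSID at offset 4
        clsid = uuid.UUID(bytes_le=bytes(item[4:20]))
        return {"name": "{%s}" % str(clsid).upper(), "short": None, "mtime": None}
    base = 10 if kind == 0x74 else 0                  # delegate item wraps a file entry after "CFSF"
    mtime = fat_datetime(item[base + 8:base + 12])    # file entry: size, type, unk, file size, mtime
    short = item[base + 14:item.index(b"\x00", base + 14)].decode("ascii")
    ext = item.find(BEEF0004) - 4                     # signature follows the block's size and version
    if ext < 0:
        raise ValueError("no 0xbeef0004 extension block")
    version, = struct.unpack_from("<H", item, ext + 2)
    pos, chars = ext + long_name_offset(version), []
    while True:                                       # UTF-16LE, NUL-terminated
        code, = struct.unpack_from("<H", item, pos)
        if code == 0:
            break
        chars.append(chr(code))
        pos += 2
    return {"name": "".join(chars), "short": short, "mtime": mtime}


def bag_path(values):
    """Walk the BagMRU keys from shallowest to deepest; each level is one path component."""
    keys = sorted(values, key=lambda k: k.count("\\"))
    items = [parse_item(bytes.fromhex(values[k])) for k in keys]
    return "\\".join(i["name"] for i in items), items


if __name__ == "__main__":
    path, items = bag_path(BAGMRU)
    print(path)
    for i in items:
        print(f"  {i['name']:<40} short={i['short']} mtime={i['mtime']}")
```

The chain decodes to {59031A47-3F72-44A7-89C5-5595FE6B30EE}\AppData\Local\Temp\7zS0959FB37, the root CLSID being the shell's "Users Files" folder (the user's profile root), i.e. an Explorer-style view of the dropper's extraction directory was opened during the run. The FAT modification time stored for 7zS0959FB37 decodes to 2023-11-07 00:06:46 and the one for Temp to 00:06:32, both inside the detonation window (submitted 00:05, reported 00:08), while AppData's last modification dates from 2023-10-20, the build date in the platform name win10v2004-20231020-en.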

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\Fri15af75ee9b.exe N/A (×2)
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (×3)
N/A N/A N/A N/A (×59)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\Fri15af75ee9b.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\Fri1553f0ee90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\Fri155442fc38b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A (×31, alternating with the row below)
Token: SeCreatePagefilePrivilege N/A N/A N/A (×30)

SeDebugPrivilege is what a process enables before opening other processes' memory; two of the dropped payloads and the powershell.exe started through cmd.exe all do so. The alternating SeShutdownPrivilege/SeCreatePagefilePrivilege pairs have no process recorded and cannot be attributed from this excerpt.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A (×14)
N/A N/A C:\Windows\system32\taskmgr.exe N/A (×50)

taskmgr.exe is not a dropped file. FindShellTrayWindow and SendNotifyMessage calls from it are ordinary Task Manager window behaviour, so these rows most likely reflect Task Manager being open during the detonation rather than the sample; the rows with no recorded process are the ones to correlate against the process list.

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A (×20)
N/A N/A C:\Windows\system32\taskmgr.exe N/A (×44)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A N/A N/A (×6)

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1496 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\baa381f572d293636b6e48cacd2cd6a6f4f9e5f71c583873260f6ac01f0f5e15.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1496 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\baa381f572d293636b6e48cacd2cd6a6f4f9e5f71c583873260f6ac01f0f5e15.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1496 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\baa381f572d293636b6e48cacd2cd6a6f4f9e5f71c583873260f6ac01f0f5e15.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1424 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\setup_install.exe
PID 1424 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\setup_install.exe
PID 1424 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\setup_install.exe
PID 396 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1812 wrote to memory of 3840 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\Fri157e25afd971.exe
PID 1812 wrote to memory of 3840 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\Fri157e25afd971.exe
PID 1812 wrote to memory of 3840 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\Fri157e25afd971.exe
PID 1440 wrote to memory of 2288 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\Fri1553f0ee90.exe
PID 2220 wrote to memory of 4884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\Fri1544861ac3fe6a.exe
PID 452 wrote to memory of 4912 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\Fri155442fc38b.exe
PID 5060 wrote to memory of 3848 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\Fri15af75ee9b.exe
PID 3868 wrote to memory of 4484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1136 wrote to memory of 3884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\Fri156ec98815f89c.exe
PID 3840 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\Fri157e25afd971.exe C:\Users\Admin\AppData\Local\Temp\is-0DHKT.tmp\Fri157e25afd971.tmp
PID 3208 wrote to memory of 4608 N/A N/A C:\Windows\system32\taskmgr.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\baa381f572d293636b6e48cacd2cd6a6f4f9e5f71c583873260f6ac01f0f5e15.exe

"C:\Users\Admin\AppData\Local\Temp\baa381f572d293636b6e48cacd2cd6a6f4f9e5f71c583873260f6ac01f0f5e15.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri1553f0ee90.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c APPNAME7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri15af75ee9b.exe

C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\Fri1553f0ee90.exe

Fri1553f0ee90.exe

C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\Fri15af75ee9b.exe

Fri15af75ee9b.exe

C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\Fri156ec98815f89c.exe

Fri156ec98815f89c.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\Fri155442fc38b.exe

Fri155442fc38b.exe

C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\Fri1544861ac3fe6a.exe

Fri1544861ac3fe6a.exe

C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\Fri157e25afd971.exe

Fri157e25afd971.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri155442fc38b.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 396 -ip 396

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri157e25afd971.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri156ec98815f89c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri1544861ac3fe6a.exe

C:\Users\Admin\AppData\Local\Temp\is-0DHKT.tmp\Fri157e25afd971.tmp

"C:\Users\Admin\AppData\Local\Temp\is-0DHKT.tmp\Fri157e25afd971.tmp" /SL5="$3020A,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\Fri157e25afd971.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4884 -ip 4884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4884 -ip 4884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4884 -ip 4884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4884 -ip 4884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4884 -ip 4884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 1040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4884 -ip 4884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 1052

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4884 -ip 4884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 1200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4884 -ip 4884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 1500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4884 -ip 4884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 1528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4884 -ip 4884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 1572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4884 -ip 4884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 1636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4884 -ip 4884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 1616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4884 -ip 4884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 1528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4884 -ip 4884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 1632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4884 -ip 4884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 1500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4884 -ip 4884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 1028

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /7

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Files

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\setup_install.exe

C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\libwinpthread-1.dll

C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\libcurl.dll

C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\libcurlpp.dll

C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\libstdc++-6.dll

C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\libgcc_s_dw2-1.dll

C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\Fri155442fc38b.exe

C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\Fri1553f0ee90.exe

C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\Fri15af75ee9b.exe

C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\Fri157e25afd971.exe

C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\Fri1544861ac3fe6a.exe

C:\Users\Admin\AppData\Local\Temp\7zS0959FB37\Fri156ec98815f89c.exe

C:\Users\Admin\AppData\Local\Temp\is-0DHKT.tmp\Fri157e25afd971.tmp

C:\Users\Admin\AppData\Local\Temp\is-97BNA.tmp\idp.dll

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_52g02pfm.pf3.ps1

C:\Users\Admin\AppData\Roaming\eetujca

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
