Malware Analysis Report

2024-08-06 17:47

Sample ID 240306-p2twbsbb2w
Target Infected.exe
SHA256 97d7d7503f44c25e525cb9f189c40778cc391aae4d113d47da7d255f3c6168e1
Tags
rat test asyncrat persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

97d7d7503f44c25e525cb9f189c40778cc391aae4d113d47da7d255f3c6168e1

Threat Level: Known bad

The file Infected.exe was found to be: Known bad.

Malicious Activity Summary

rat test asyncrat persistence

Async RAT payload

Asyncrat family

AsyncRat

Async RAT payload

Grants admin privileges

Modifies Installed Components in the registry

Checks computer location settings

Executes dropped EXE

Enumerates connected drives

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Runs net.exe

Enumerates processes with tasklist

Suspicious behavior: AddClipboardFormatListener

Gathers network information

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Delays execution with timeout.exe

Gathers system information

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-03-06 12:49

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-06 12:49

Reported

2024-03-06 13:06

Platform

win10v2004-20240226-en

Max time kernel

920s

Max time network

959s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Infected.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Grants admin privileges

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A (19 identical events)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\sigma.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\sigma.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\qeomqs.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
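Two caveats on the persistence signatures above, and a host check to go with them. First, every "Modifies Installed Components" row is attributed to C:\Windows\explorer.exe, not to Infected.exe or sigma.exe: the shell writes HKCU\...\Active Setup\Installed Components\{GUID} entries at logon when it reconciles the machine-wide component list under HKLM, so those rows on their own do not show that the sample registered an Active Setup component. Second, schtasks.exe did run, and together with the timeout.exe delay and the copy dropped as %AppData%\sigma.exe this is consistent with the install routine of the open-source AsyncRAT client (an at-logon task for the dropped copy when running elevated, started from a short batch file that sleeps with timeout), although the report does not capture the task name or arguments. The script below is an added example, not part of the sandbox report and not AsyncRAT's own code: it lists Active Setup components and scheduled tasks whose command references a user-writable tree, and checks the two drop paths named in the report in every profile against the sample's SHA256. The "user-writable path" regex is a heuristic assumption, not a vendor signature; the file names and hash come from this report.

```powershell
# Added example: hunt on a suspect host for the persistence artifacts this report names.
# Not part of the sandbox report and not AsyncRAT's own code. Run elevated in
# Windows PowerShell 5.1 or PowerShell 7 on Windows.

$SampleSha256 = '97d7d7503f44c25e525cb9f189c40778cc391aae4d113d47da7d255f3c6168e1'
# Drop locations relative to a profile, exactly as the report lists them for user "Admin".
$DroppedRelative = @('AppData\Roaming\sigma.exe', 'AppData\Local\Temp\qeomqs.exe')
# Heuristic (an assumption, not a vendor signature): a persistence command that references
# a user-writable tree, by drive path or by environment variable, is worth a look.
$UserWritableRegex = '(?i)(?:[A-Z]:\\(?:Users|ProgramData|Windows\\Temp)\\|%(?:APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE|PUBLIC|PROGRAMDATA)%)'

function Test-UserWritableCommand {
    param([string]$CommandLine)
    return [bool]($CommandLine -and ($CommandLine -match $UserWritableRegex))
}

# 1. Active Setup. The component list lives under HKLM; at logon the shell runs any StubPath
#    whose Version is newer than the copy recorded under HKCU and then writes that HKCU entry.
#    HKCU writes by explorer.exe (what the report shows) are this bookkeeping; the finding
#    would be an HKLM StubPath that points into a user-writable directory.
$activeSetup = foreach ($hive in 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
                                  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components') {
    Get-ChildItem -Path $hive -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props.StubPath) {
            [pscustomobject]@{
                Component  = $_.PSChildName
                Version    = $props.Version
                StubPath   = $props.StubPath
                Suspicious = Test-UserWritableCommand $props.StubPath
            }
        }
    }
}
'== Active Setup components with a StubPath =='
$activeSetup | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# 2. Scheduled tasks. The open-source AsyncRAT client registers an at-logon task for its
#    dropped copy when it runs elevated; the report shows schtasks.exe but no task name or
#    arguments, so match on where the action points rather than on a name.
$tasks = Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in @($task.Actions | Where-Object { $_ })) {
        $cmd = ("$($action.Execute) $($action.Arguments)").Trim()
        if (Test-UserWritableCommand $cmd) {
            [pscustomobject]@{
                Task     = $task.TaskPath + $task.TaskName
                RunLevel = $task.Principal.RunLevel
                Triggers = (@($task.Triggers | Where-Object { $_ }) |
                            ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
                Command  = $cmd
            }
        }
    }
}
'== Scheduled tasks whose action references a user-writable path =='
if ($tasks) { $tasks | Format-Table -AutoSize } else { '(none)' }

# 3. Dropped files, checked in every profile and hashed against the submitted sample.
$dropped = Get-ChildItem -Path 'C:\Users' -Directory | ForEach-Object {
    foreach ($rel in $DroppedRelative) {
        $path = Join-Path -Path $_.FullName -ChildPath $rel
        if (Test-Path -LiteralPath $path) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            [pscustomobject]@{
                Path          = $path
                Sha256        = $hash
                MatchesSample = ($hash -ieq $SampleSha256)
                Signature     = (Get-AuthenticodeSignature -LiteralPath $path).Status
            }
        }
    }
}
'== Dropped-file locations from the report =='
if ($dropped) { $dropped | Format-Table -AutoSize } else { '(none of the reported drop paths exist on this host)' }
```

A MatchesSample of False for sigma.exe is not a clean bill of health: the dropped copy may be a second-stage payload rather than a byte-for-byte copy of Infected.exe, so an unsigned binary at that path is still the finding. Run the task and Active Setup checks before cleaning up, because a task that re-launches the copy at logon is what makes the infection survive a reboot.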

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A
N/A N/A C:\Windows\system32\ipconfig.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A
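The timeout.exe, tasklist.exe, ipconfig.exe, NETSTAT.EXE and systeminfo.exe rows (and the sc.exe and net.exe launches listed earlier) are discovery commands run during the 920-second detonation, but this excerpt shows neither the parent process nor the command lines, and a detection keyed on the file name sigma.exe would not survive a rebuilt sample. The pattern that does survive is one process driving several discovery tools within a short window, with cmd.exe looked through so that "cmd /c tasklist" is charged to whatever launched cmd. The block below is an added example, not part of the report: it implements that sliding-window rule over process-creation telemetry. The events are constructed to resemble Sysmon event ID 1 / Security 4688 fields (tool names follow the report; the parent chain, pids and command lines are assumed), and on a live host Get-WinEvent output would replace them. One related caveat on the AdjustPrivilegeToken signature later in the report: tasklist.exe and netstat.exe enable SeDebugPrivilege themselves to read other processes, so their rows are those tools' normal behaviour; the SeDebugPrivilege rows for Infected.exe and sigma.exe are the ones that matter.

```powershell
# Added example: flag a process that drives several discovery tools in a short window,
# looking through cmd.exe so "cmd /c tasklist" is charged to whatever launched cmd.
# Not part of the report. Events below are constructed to resemble Sysmon event ID 1 /
# Security 4688 fields; on a live host feed Get-WinEvent output to Find-ReconBurst instead.

$ReconBinaries = @('tasklist.exe', 'netstat.exe', 'ipconfig.exe', 'systeminfo.exe', 'whoami.exe',
                   'net.exe', 'net1.exe', 'sc.exe', 'nltest.exe', 'arp.exe', 'route.exe', 'hostname.exe')
$Passthrough   = @('cmd.exe', 'conhost.exe')   # shells a RAT runs commands through

function New-ProcEvent {
    param([string]$Time, [int]$ProcessId, [int]$ParentPid, [string]$Image, [string]$CommandLine)
    [pscustomobject]@{ Time = [datetime]$Time; ProcessId = $ProcessId; ParentPid = $ParentPid
                       Image = $Image; CommandLine = $CommandLine }
}

function Find-ReconBurst {
    param([object[]]$Events, [int]$WindowSeconds = 120, [int]$MinDistinct = 3)

    $byPid = @{}
    foreach ($e in $Events) { $byPid[$e.ProcessId] = $e }

    # Attribute each recon tool to its nearest ancestor that is not a pass-through shell.
    $recon = foreach ($e in $Events) {
        $tool = [IO.Path]::GetFileName($e.Image).ToLower()
        if ($ReconBinaries -notcontains $tool) { continue }
        $lastPid = $e.ParentPid
        $owner   = $byPid[$lastPid]
        $hops    = 0
        while ($owner -and ($hops -lt 4) -and
               ($Passthrough -contains [IO.Path]::GetFileName($owner.Image).ToLower())) {
            $lastPid = $owner.ParentPid
            $owner   = $byPid[$lastPid]
            $hops++
        }
        [pscustomobject]@{
            Time        = $e.Time
            Tool        = $tool
            CommandLine = $e.CommandLine
            OwnerPid    = if ($owner) { $owner.ProcessId } else { $lastPid }
            OwnerImage  = if ($owner) { $owner.Image } else { '<not in telemetry>' }
        }
    }

    # Sliding window per owner: alert once when >= MinDistinct different tools fall inside WindowSeconds.
    foreach ($group in ($recon | Group-Object OwnerPid)) {
        $items = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $items.Count; $i++) {
            $deadline = $items[$i].Time.AddSeconds($WindowSeconds)
            $inWindow = @($items | Where-Object { $_.Time -ge $items[$i].Time -and $_.Time -le $deadline })
            $tools    = @($inWindow | Select-Object -ExpandProperty Tool -Unique)
            if ($tools.Count -ge $MinDistinct) {
                [pscustomobject]@{
                    OwnerPid   = $group.Name
                    OwnerImage = $items[0].OwnerImage
                    Tools      = $tools -join ', '
                    FirstSeen  = $inWindow[0].Time
                    LastSeen   = $inWindow[-1].Time
                    Commands   = ($inWindow | ForEach-Object CommandLine) -join ' | '
                }
                break   # one alert per owner process
            }
        }
    }
}

# Constructed telemetry (not from the sandbox run). The last two rows are benign noise: a single
# ipconfig from an interactive console whose parent (pid 1760) is absent from telemetry must not alert.
$events = @(
    (New-ProcEvent '2024-03-06T12:50:05' 4120 3988 'C:\Users\Admin\AppData\Roaming\sigma.exe' '"C:\Users\Admin\AppData\Roaming\sigma.exe"'),
    (New-ProcEvent '2024-03-06T12:55:10' 5012 4120 'C:\Windows\System32\cmd.exe'        'cmd.exe /c tasklist'),
    (New-ProcEvent '2024-03-06T12:55:10' 5020 5012 'C:\Windows\System32\tasklist.exe'   'tasklist'),
    (New-ProcEvent '2024-03-06T12:55:31' 5044 4120 'C:\Windows\System32\cmd.exe'        'cmd.exe /c ipconfig /all'),
    (New-ProcEvent '2024-03-06T12:55:31' 5050 5044 'C:\Windows\System32\ipconfig.exe'   'ipconfig /all'),
    (New-ProcEvent '2024-03-06T12:55:58' 5076 4120 'C:\Windows\System32\cmd.exe'        'cmd.exe /c netstat -ano'),
    (New-ProcEvent '2024-03-06T12:55:58' 5080 5076 'C:\Windows\System32\NETSTAT.EXE'    'netstat -ano'),
    (New-ProcEvent '2024-03-06T12:56:40' 5102 4120 'C:\Windows\System32\cmd.exe'        'cmd.exe /c systeminfo'),
    (New-ProcEvent '2024-03-06T12:56:40' 5110 5102 'C:\Windows\System32\systeminfo.exe' 'systeminfo'),
    (New-ProcEvent '2024-03-06T13:01:00' 6200 1760 'C:\Windows\System32\cmd.exe'        '"C:\Windows\system32\cmd.exe"'),
    (New-ProcEvent '2024-03-06T13:01:12' 6210 6200 'C:\Windows\System32\ipconfig.exe'   'ipconfig')
)

# Expected: one alert for pid 4120 (sigma.exe) listing tasklist, ipconfig, netstat and systeminfo
# within 90 seconds; nothing for the lone interactive ipconfig.
Find-ReconBurst -Events $events -WindowSeconds 120 -MinDistinct 3 | Format-List
```

The window and the distinct-tool threshold are the tuning knobs: administrators and inventory agents also run these tools, so in production key the owner image against an allow-list of management software and alert on user-profile paths first, which is exactly where this sample's copy lives.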

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-513485977-2495024337-1260977654-1000\{39B7D779-CF3F-4D58-8FC3-850A212DE089} C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-513485977-2495024337-1260977654-1000\{93192EBE-CBAC-4B2F-9DD6-E3EDE8E6FB65} C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-513485977-2495024337-1260977654-1000\{8CFB9F47-E84E-47DA-98F3-602F7FE7098C} C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-513485977-2495024337-1260977654-1000\{638AFB66-CF0B-44BC-BE0C-4E55EC5C4829} C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-513485977-2495024337-1260977654-1000\{727D3A05-9E64-4EEC-A29E-2FD3A9DAE62F} C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-513485977-2495024337-1260977654-1000\{B77D0762-088F-46AB-8CBB-89F331A3EFA3} C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A

Runs net.exe

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\sigma.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sigma.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sigma.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A (23 identical events)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (2 identical events)
N/A N/A C:\Users\Admin\AppData\Roaming\sigma.exe N/A (1 event)
N/A N/A C:\Users\Admin\AppData\Local\Temp\qeomqs.exe N/A (2 identical events)
N/A N/A C:\Users\Admin\AppData\Roaming\sigma.exe N/A (4 identical events)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\sigma.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\sigma.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\NETSTAT.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A (30 events, alternating with the row below)
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A (29 events)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\sigma.exe N/A
(the original report repeats this row 64 times; every FindShellTrayWindow hit is from sigma.exe)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
(the original report repeats this row 64 times; every SendNotifyMessage hit is from explorer.exe)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4688 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe C:\Windows\System32\cmd.exe
PID 4688 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe C:\Windows\System32\cmd.exe
PID 4688 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe C:\Windows\system32\cmd.exe
PID 4688 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe C:\Windows\system32\cmd.exe
PID 2304 wrote to memory of 1848 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2304 wrote to memory of 1848 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4172 wrote to memory of 2332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4172 wrote to memory of 2332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4172 wrote to memory of 1868 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\sigma.exe
PID 4172 wrote to memory of 1868 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\sigma.exe
PID 1868 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Roaming\sigma.exe C:\Windows\SYSTEM32\cmd.exe
PID 1868 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Roaming\sigma.exe C:\Windows\SYSTEM32\cmd.exe
PID 2972 wrote to memory of 5136 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 2972 wrote to memory of 5136 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 2972 wrote to memory of 3944 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\HOSTNAME.EXE
PID 2972 wrote to memory of 3944 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\HOSTNAME.EXE
PID 2972 wrote to memory of 1928 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 2972 wrote to memory of 1928 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 1928 wrote to memory of 4040 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1928 wrote to memory of 4040 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2972 wrote to memory of 2324 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 2972 wrote to memory of 2324 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 2324 wrote to memory of 4160 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2324 wrote to memory of 4160 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2972 wrote to memory of 5068 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 2972 wrote to memory of 5068 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 5068 wrote to memory of 1600 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 5068 wrote to memory of 1600 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2972 wrote to memory of 5824 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 2972 wrote to memory of 5824 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 5824 wrote to memory of 5840 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 5824 wrote to memory of 5840 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2972 wrote to memory of 5868 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 2972 wrote to memory of 5868 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 5868 wrote to memory of 6048 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 5868 wrote to memory of 6048 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2972 wrote to memory of 6096 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2972 wrote to memory of 6096 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2972 wrote to memory of 6132 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 2972 wrote to memory of 6132 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 2972 wrote to memory of 2932 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ROUTE.EXE
PID 2972 wrote to memory of 2932 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ROUTE.EXE
PID 2972 wrote to memory of 5496 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ARP.EXE
PID 2972 wrote to memory of 5496 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ARP.EXE
PID 2972 wrote to memory of 4612 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\NETSTAT.EXE
PID 2972 wrote to memory of 4612 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\NETSTAT.EXE
PID 2972 wrote to memory of 2020 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 2972 wrote to memory of 2020 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 2972 wrote to memory of 2432 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\sc.exe
PID 2972 wrote to memory of 2432 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\sc.exe
PID 1868 wrote to memory of 228 N/A C:\Users\Admin\AppData\Roaming\sigma.exe C:\Windows\System32\cmd.exe
PID 1868 wrote to memory of 228 N/A C:\Users\Admin\AppData\Roaming\sigma.exe C:\Windows\System32\cmd.exe
PID 228 wrote to memory of 5052 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 228 wrote to memory of 5052 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 700 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\qeomqs.exe
PID 5052 wrote to memory of 700 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\qeomqs.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Infected.exe

"C:\Users\Admin\AppData\Local\Temp\Infected.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "sigma" /tr '"C:\Users\Admin\AppData\Roaming\sigma.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8935.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "sigma" /tr '"C:\Users\Admin\AppData\Roaming\sigma.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\sigma.exe

"C:\Users\Admin\AppData\Roaming\sigma.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe"

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\HOSTNAME.EXE

hostname

C:\Windows\system32\net.exe

net user

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user

C:\Windows\system32\net.exe

net localgroup

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup

C:\Windows\system32\net.exe

net localgroup administrators

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup administrators

C:\Windows\system32\net.exe

net user guest

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user guest

C:\Windows\system32\net.exe

net user administrator

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user administrator

C:\Windows\system32\tasklist.exe

tasklist /svc

C:\Windows\system32\ipconfig.exe

ipconfig /all

C:\Windows\system32\ROUTE.EXE

route print

C:\Windows\system32\ARP.EXE

arp -a

C:\Windows\system32\NETSTAT.EXE

netstat -an

C:\Windows\system32\ipconfig.exe

ipconfig /displaydns

C:\Windows\system32\sc.exe

sc query type= service state= all

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\qeomqs.exe"' & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\qeomqs.exe"'

C:\Users\Admin\AppData\Local\Temp\qeomqs.exe

"C:\Users\Admin\AppData\Local\Temp\qeomqs.exe"

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

(the original report lists 29 further C:\Windows\explorer.exe instances here, each with the command line "explorer.exe")
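The process list above reads as three stages. Infected.exe (PID 4688) registers a logon task named "sigma" with /rl highest whose action is a copy of itself in %APPDATA%\Roaming (the Files section shows sigma.exe with the same SHA256 as the submitted sample), and runs a dropped batch file that waits three seconds (timeout 3) and starts that copy. The copy (PID 1868) then spawns a cmd.exe that runs a fixed discovery script: systeminfo, hostname, net user / net localgroup (including the administrator and guest accounts), tasklist /svc, ipconfig, route, arp, netstat and sc query. Finally it launches qeomqs.exe through cmd /c start /b powershell. One detail matters for detection: the dash in front of ExecutionPolicy in both PowerShell command lines is an en dash (U+2013) as captured in the report, and PowerShell's parser accepts en dash, em dash and horizontal bar as the parameter prefix, so a rule that matches the literal "-ExecutionPolicy Bypass" would not fire on this sample.

The Python below is an added example, not part of the report or of any sandbox tooling. It transcribes the report's PID, parent and command-line data as constructed input (image names reduced to basenames, the net1.exe children of net.exe omitted) and flags the three stages. The list of discovery utilities, the user-writable path prefixes, and the five-command burst threshold are assumptions chosen for illustration.

```python
"""Rebuild the process tree recorded in the report and flag the schtasks logon
persistence, the discovery burst under sigma.exe and the ExecutionPolicy-bypass
launch. Added example; not part of the report or of any sandbox tooling."""
import re
from collections import defaultdict

# Constructed input: (pid, ppid, image basename, command line) transcribed from the
# report's WriteProcessMemory table and Processes list. net1.exe children omitted.
INFECTED = r"C:\Users\Admin\AppData\Local\Temp\Infected.exe"
SIGMA = r"C:\Users\Admin\AppData\Roaming\sigma.exe"
QEOMQS = r"C:\Users\Admin\AppData\Local\Temp\qeomqs.exe"
SCHTASKS_CMD = f'schtasks /create /f /sc onlogon /rl highest /tn "sigma" /tr \'"{SIGMA}"\''
# The report shows an en dash (U+2013) before ExecutionPolicy; kept as captured.
PS_CMD = f"powershell \u2013ExecutionPolicy Bypass Start-Process -FilePath '\"{QEOMQS}\"'"
EVENTS = [
    (4688, 0, "Infected.exe", f'"{INFECTED}"'),
    (2304, 4688, "cmd.exe", f'"C:\\Windows\\System32\\cmd.exe" /c {SCHTASKS_CMD} & exit'),
    (4172, 4688, "cmd.exe", r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8935.tmp.bat""'),
    (1848, 2304, "schtasks.exe", SCHTASKS_CMD),
    (2332, 4172, "timeout.exe", "timeout 3"),
    (1868, 4172, "sigma.exe", f'"{SIGMA}"'),
    (2972, 1868, "cmd.exe", '"cmd.exe"'),
    (5136, 2972, "systeminfo.exe", "systeminfo"),
    (3944, 2972, "HOSTNAME.EXE", "hostname"),
    (1928, 2972, "net.exe", "net user"),
    (2324, 2972, "net.exe", "net localgroup"),
    (5068, 2972, "net.exe", "net localgroup administrators"),
    (5824, 2972, "net.exe", "net user guest"),
    (5868, 2972, "net.exe", "net user administrator"),
    (6096, 2972, "tasklist.exe", "tasklist /svc"),
    (6132, 2972, "ipconfig.exe", "ipconfig /all"),
    (2932, 2972, "ROUTE.EXE", "route print"),
    (5496, 2972, "ARP.EXE", "arp -a"),
    (4612, 2972, "NETSTAT.EXE", "netstat -an"),
    (2020, 2972, "ipconfig.exe", "ipconfig /displaydns"),
    (2432, 2972, "sc.exe", "sc query type= service state= all"),
    (228, 1868, "cmd.exe", f'"C:\\Windows\\System32\\cmd.exe" /c start /b {PS_CMD} & exit'),
    (5052, 228, "powershell.exe", PS_CMD),
    (700, 5052, "qeomqs.exe", f'"{QEOMQS}"'),
]

# PowerShell's tokenizer accepts these Unicode dashes as the parameter prefix, so a
# rule matching the literal "-ExecutionPolicy" misses this sample unless it folds them.
DASHES = "\u2013\u2014\u2015"
# Assumptions for this illustration: user-writable path fragments and discovery tools.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
DISCOVERY = {"systeminfo.exe", "hostname.exe", "net.exe", "net1.exe", "tasklist.exe",
             "ipconfig.exe", "route.exe", "arp.exe", "netstat.exe", "sc.exe", "whoami.exe"}


def normalize(cmd):
    """Fold Unicode dashes to '-', collapse whitespace and lower-case."""
    for d in DASHES:
        cmd = cmd.replace(d, "-")
    return " ".join(cmd.split()).lower()


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def find_persistence(events):
    """schtasks /create whose action points into a user-writable directory."""
    hits = []
    for pid, _ppid, image, cmd in events:
        c = normalize(cmd)
        if basename(image) == "schtasks.exe" and "/create" in c and any(p in c for p in USER_WRITABLE):
            m = re.search(r'/tn\s+"?([^"\s]+)"?', c)
            hits.append({"pid": pid, "task": m.group(1) if m else None,
                         "onlogon": "/sc onlogon" in c, "highest": "/rl highest" in c})
    return hits


def find_discovery_burst(events, threshold=5):
    """Parents that spawned at least `threshold` discovery utilities."""
    by_parent = defaultdict(list)
    for _pid, ppid, image, cmd in events:
        if basename(image) in DISCOVERY:
            by_parent[ppid].append(normalize(cmd))
    return {ppid: cmds for ppid, cmds in by_parent.items() if len(cmds) >= threshold}


def find_bypass_launch(events):
    """powershell -ExecutionPolicy Bypass (any dash form) starting a file from a user-writable path."""
    return [pid for pid, _ppid, image, cmd in events
            if basename(image) == "powershell.exe"
            and "-executionpolicy bypass" in normalize(cmd)
            and any(p in normalize(cmd) for p in USER_WRITABLE)]


def ancestry(events, pid):
    """Image basenames from the root of the tree down to `pid`."""
    by_pid = {e[0]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid][2]))
        pid = by_pid[pid][1]
    return chain[::-1]


if __name__ == "__main__":
    print(find_persistence(EVENTS), find_bypass_launch(EVENTS))
    print({p: len(c) for p, c in find_discovery_burst(EVENTS).items()})
    print(" > ".join(ancestry(EVENTS, 700)))
```

The burst rule keys on the parent rather than on any single utility because each of these commands is common on its own; fourteen of them from one cmd.exe within a few seconds, with sigma.exe in AppData as the grandparent, is what separates this from an administrator's session. The ancestry helper gives the chain Infected.exe > cmd.exe > sigma.exe > cmd.exe > powershell.exe > qeomqs.exe, which is the process lineage to search for in endpoint telemetry.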

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 fl-survivor.gl.at.ply.gg udp
US 147.185.221.17:23531 fl-survivor.gl.at.ply.gg tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 17.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 147.185.221.17:23531 fl-survivor.gl.at.ply.gg tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 92.123.241.137:80 www.microsoft.com tcp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 137.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 208.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 207.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 211.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 50.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 147.185.221.17:23531 fl-survivor.gl.at.ply.gg tcp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp
US 147.185.221.17:23531 fl-survivor.gl.at.ply.gg tcp
(the original report repeats this row 15 times here; 18 TCP connections to 147.185.221.17:23531 in total)
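The only destination contacted repeatedly is 147.185.221.17:23531, reached after a single lookup of fl-survivor.gl.at.ply.gg. ply.gg belongs to the playit.gg tunnelling service, so the operator's real host sits behind a relay: the IP is a relay address and a weak indicator on its own, while the hostname and the non-standard port are what to block and hunt on. The www.microsoft.com and tse1.mm.bing.net connections are consistent with Windows background traffic in the sandbox (StartMenuExperienceHost appears in the process list), and the in-addr.arpa rows are reverse lookups (one of them, 17.221.185.147.in-addr.arpa, is for the C2 address itself) that add no indicator beyond the address.

The Python below is an added example, not part of the report. It parses an excerpt of the table above as constructed input and isolates the beacon by repetition, port and tunnel suffix. The tunnel-suffix list, the well-known-port set and the connection threshold are assumptions for illustration.

```python
"""Isolate the C2 channel in the report's Network table and classify it as a
beacon. Added example; not part of the report or of any sandbox tooling."""
from collections import Counter

# Constructed input: an excerpt of the report's "Country Destination Domain Proto"
# table, order and repeated rows preserved, because the repetition is the signal.
NETWORK_ROWS = """\
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 fl-survivor.gl.at.ply.gg udp
US 147.185.221.17:23531 fl-survivor.gl.at.ply.gg tcp
US 8.8.8.8:53 17.221.185.147.in-addr.arpa udp
US 147.185.221.17:23531 fl-survivor.gl.at.ply.gg tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 92.123.241.137:80 www.microsoft.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 147.185.221.17:23531 fl-survivor.gl.at.ply.gg tcp
US 147.185.221.17:23531 fl-survivor.gl.at.ply.gg tcp
US 147.185.221.17:23531 fl-survivor.gl.at.ply.gg tcp
US 147.185.221.17:23531 fl-survivor.gl.at.ply.gg tcp
"""

# Assumption: domain suffixes of public tunnelling services an implant can sit behind.
# ply.gg (playit.gg) is the one this sample uses; the others are listed as examples.
TUNNEL_SUFFIXES = ("ply.gg", "ngrok.io", "ngrok-free.app", "trycloudflare.com",
                   "serveo.net", "localhost.run")
WELL_KNOWN_PORTS = {80, 443}  # repeated HTTPS to a CDN is not, by itself, a beacon signal here


def parse_rows(text):
    """One dict per table row; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        if not port.isdigit():
            continue
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def is_tunnel_domain(domain):
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in TUNNEL_SUFFIXES)


def find_beacons(rows, min_connections=3):
    """TCP endpoints contacted repeatedly on a non-standard port or through a tunnel domain."""
    counts = Counter((r["ip"], r["port"], r["domain"]) for r in rows if r["proto"] == "tcp")
    findings = []
    for (ip, port, domain), n in counts.most_common():
        tunnel = is_tunnel_domain(domain)
        if n >= min_connections and (port not in WELL_KNOWN_PORTS or tunnel):
            findings.append({"ip": ip, "port": port, "domain": domain,
                             "count": n, "tunnel": tunnel})
    return findings


def dns_queries_for(rows, domain):
    """Number of DNS lookups for the domain (the full report shows one lookup
    and 18 connections for the C2 host, i.e. one resolution reused for the whole run)."""
    return sum(1 for r in rows if r["proto"] == "udp" and r["port"] == 53 and r["domain"] == domain)


def block_list(findings):
    """Domains for the DNS sinkhole and ip:port pairs for the firewall."""
    return {"domains": sorted({f["domain"] for f in findings}),
            "endpoints": sorted({f"{f['ip']}:{f['port']}" for f in findings})}


if __name__ == "__main__":
    rows = parse_rows(NETWORK_ROWS)
    beacons = find_beacons(rows)
    for b in beacons:
        print(f"{b['domain']} -> {b['ip']}:{b['port']} x{b['count']} tunnel={b['tunnel']} "
              f"dns={dns_queries_for(rows, b['domain'])}")
    print(block_list(beacons))
```

Because the relay IP can change between tunnel sessions, the domain goes into the sinkhole list and the ip:port pair into the firewall rule as a short-lived indicator; a wildcard on the tunnel suffix is a policy decision rather than an IOC and is left to the reader.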

Files

memory/4688-0-0x0000000000500000-0x0000000000516000-memory.dmp

memory/4688-1-0x00007FFD6B320000-0x00007FFD6BDE1000-memory.dmp

memory/4688-2-0x000000001B1F0000-0x000000001B200000-memory.dmp

memory/4688-7-0x00007FFD893D0000-0x00007FFD895C5000-memory.dmp

memory/4688-8-0x00007FFD6B320000-0x00007FFD6BDE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8935.tmp.bat

MD5 748c4f856cd4ad69a9d664bd40d3e44a
SHA1 b3ac2c32b2562d5b89085c46467a4b05fb91a13a
SHA256 9cc5cae762cbd07cc640f08e431e6b8a17c60a354a073b11d4c36c6cffc08019
SHA512 959364bbae501b764dce02bd1de8a33af488369ff9e796120d07f3e9b77310e3f1f406811b9647217dc04b737da4044926ec3a5006c083d697600677fe9536d7

C:\Users\Admin\AppData\Roaming\sigma.exe

MD5 23a233a3f2421f84917d70adb4ef6010
SHA1 b37531e113f2f15e2f26a3c2019de6da8e5ac0da
SHA256 97d7d7503f44c25e525cb9f189c40778cc391aae4d113d47da7d255f3c6168e1
SHA512 a30393ae5f6549bf04b729e5ee05130a48dcab98f57703fc2785d44a14466e4e7bd30d2def18552c73c3f4b844466a2ec27ebb2fe2ceeb040935e95e1e8dffba

memory/1868-13-0x00007FFD6AA00000-0x00007FFD6B4C1000-memory.dmp

memory/1868-14-0x00007FFD893D0000-0x00007FFD895C5000-memory.dmp

memory/1868-17-0x000000001D3B0000-0x000000001D426000-memory.dmp

memory/1868-18-0x00000000030C0000-0x00000000030F4000-memory.dmp

memory/1868-19-0x0000000003240000-0x000000000325E000-memory.dmp

memory/1868-20-0x00007FFD6AA00000-0x00007FFD6B4C1000-memory.dmp

memory/1868-21-0x00000000017F0000-0x0000000001800000-memory.dmp

memory/1868-22-0x00007FFD893D0000-0x00007FFD895C5000-memory.dmp

memory/1868-23-0x000000001D130000-0x000000001D160000-memory.dmp

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1868-25-0x000000001CAF0000-0x000000001CB14000-memory.dmp

memory/1868-26-0x00000000016A0000-0x00000000016D2000-memory.dmp

memory/1868-27-0x0000000001720000-0x0000000001752000-memory.dmp

memory/1868-28-0x00000000017F0000-0x0000000001800000-memory.dmp

memory/1868-29-0x00000000017F0000-0x0000000001800000-memory.dmp

memory/1868-30-0x00000000017F0000-0x0000000001800000-memory.dmp

memory/1868-31-0x00000000017F0000-0x0000000001800000-memory.dmp

memory/1868-32-0x000000001D530000-0x000000001D562000-memory.dmp

memory/1868-33-0x000000001C9F0000-0x000000001CA5A000-memory.dmp

memory/1868-34-0x000000001D030000-0x000000001D0E2000-memory.dmp

memory/1868-35-0x000000001CAC0000-0x000000001CAF2000-memory.dmp

memory/1868-36-0x000000001D0E0000-0x000000001D0FC000-memory.dmp

memory/1868-37-0x00000000017F0000-0x0000000001800000-memory.dmp

memory/1868-38-0x000000001D100000-0x000000001D132000-memory.dmp

memory/5052-41-0x00007FFD6AA00000-0x00007FFD6B4C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x4fyq3ml.2jf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5052-47-0x0000024C2AC10000-0x0000024C2AC20000-memory.dmp

memory/5052-40-0x0000024C2AB90000-0x0000024C2ABB2000-memory.dmp

memory/5052-52-0x0000024C2AC10000-0x0000024C2AC20000-memory.dmp

memory/5052-53-0x0000024C2AC10000-0x0000024C2AC20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qeomqs.exe

MD5 e504e3fc36fe4d6f182c98923979a779
SHA1 3ba9f1a9a15b79639a20cfcf79c9de31d15a17a6
SHA256 70b7b95bb952b3325476867307fc5bd4df5769b97bbcdd8b60e7b46e1b38e4a0
SHA512 63bbbc3ccf14b2846df64b8edae52b6431df52aa9e03569a28ca239ab02db94bf79ca8a0a30529e35a04ee5845768d752b99e6ce3830ab440c57850180ad1647

C:\Users\Admin\AppData\Local\Temp\qeomqs.exe

MD5 150e250d3a8c45ba20f563808fcb57e7
SHA1 02bb3ce7adbd2b8d21fad7706d9c18d2b28f2972
SHA256 307e0afc3609ef2f4fc979180bbc129fe92af1bb6c9bbc5d00dcb94752b40f2d
SHA512 53f10b46bdc9084217c1ba279b9ec6824e733c07dc39dcba306ff7825ddc5bd6726de226ae59e04ca5dea53a44a33d5073ae9b48fec83b159f97fd122d7f3e32

memory/5052-58-0x00007FFD6AA00000-0x00007FFD6B4C1000-memory.dmp

memory/700-59-0x00007FFD895D0000-0x00007FFD895D2000-memory.dmp

memory/700-60-0x0000000140000000-0x0000000142153000-memory.dmp

memory/700-62-0x0000000140000000-0x0000000142153000-memory.dmp

memory/1868-66-0x00000000017F0000-0x0000000001800000-memory.dmp

memory/700-67-0x0000000140000000-0x0000000142153000-memory.dmp

memory/1868-68-0x000000001E070000-0x000000001E0A2000-memory.dmp
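Four of the file entries above need a second look before their hashes go into a blocklist. sigma.exe carries the same SHA256 as the submitted sample (97d7d750...), so it is a straight self-copy into %APPDATA%\Roaming, the path the scheduled task points at. qeomqs.exe is listed twice with different hashes, so two different contents were observed at that path; keep both. \??\PIPE\lsarpc carries the hashes of zero-length input (MD5 d41d8cd9..., SHA256 e3b0c442...), a named pipe with no content to match on. __PSScriptPolicyTest_x4fyq3ml.2jf.ps1 is a file PowerShell writes for itself at start-up to test script policy, not a payload, and its name and hash differ on every run.

The Python below is an added example, not part of the report. It parses the Files section as constructed input (transcribed without the SHA512 and blank lines; the parser accepts SHA512 lines if present) and applies those checks before emitting the hash set.

```python
"""Parse the report's Files section into a hash table and sanity-check the entries
before they become IOCs. Added example; not part of the report or of any sandbox tooling."""
import hashlib
from collections import defaultdict

# Submitted sample's SHA256 from the report header.
SAMPLE_SHA256 = "97d7d7503f44c25e525cb9f189c40778cc391aae4d113d47da7d255f3c6168e1"
# Hash of zero-length input: an entry carrying it has no content to match on.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

# Constructed input: the report's Files section transcribed with SHA512 and blank
# lines dropped; two memory-dump entries kept so the parser has to skip them.
FILES_SECTION = r"""
memory/4688-0-0x0000000000500000-0x0000000000516000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp8935.tmp.bat
MD5 748c4f856cd4ad69a9d664bd40d3e44a
SHA1 b3ac2c32b2562d5b89085c46467a4b05fb91a13a
SHA256 9cc5cae762cbd07cc640f08e431e6b8a17c60a354a073b11d4c36c6cffc08019
C:\Users\Admin\AppData\Roaming\sigma.exe
MD5 23a233a3f2421f84917d70adb4ef6010
SHA1 b37531e113f2f15e2f26a3c2019de6da8e5ac0da
SHA256 97d7d7503f44c25e525cb9f189c40778cc391aae4d113d47da7d255f3c6168e1
memory/1868-13-0x00007FFD6AA00000-0x00007FFD6B4C1000-memory.dmp
\??\PIPE\lsarpc
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x4fyq3ml.2jf.ps1
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
C:\Users\Admin\AppData\Local\Temp\qeomqs.exe
MD5 e504e3fc36fe4d6f182c98923979a779
SHA1 3ba9f1a9a15b79639a20cfcf79c9de31d15a17a6
SHA256 70b7b95bb952b3325476867307fc5bd4df5769b97bbcdd8b60e7b46e1b38e4a0
C:\Users\Admin\AppData\Local\Temp\qeomqs.exe
MD5 150e250d3a8c45ba20f563808fcb57e7
SHA1 02bb3ce7adbd2b8d21fad7706d9c18d2b28f2972
SHA256 307e0afc3609ef2f4fc979180bbc129fe92af1bb6c9bbc5d00dcb94752b40f2d
"""

HASH_ALGOS = ("MD5", "SHA1", "SHA256", "SHA512")


def parse_files(text):
    """One dict per path entry; memory dumps are skipped, hash lines attach to the entry above."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        algo, _, value = line.partition(" ")
        if algo in HASH_ALGOS and value:
            if current is not None:
                current[algo.lower()] = value.strip().lower()
        elif line.startswith("memory/"):
            current = None
        else:
            current = {"path": line}
            entries.append(current)
    return entries


def is_powershell_artifact(path):
    """__PSScriptPolicyTest_*.ps1 is written by PowerShell itself at start-up."""
    name = path.rsplit("\\", 1)[-1]
    return name.startswith("__PSScriptPolicyTest_") and name.lower().endswith(".ps1")


def audit(entries, sample_sha256=SAMPLE_SHA256):
    """Flag entries that need care before they become IOCs."""
    findings = {"empty": [], "sample_copies": [], "rewritten": [], "ps_artifact": []}
    by_path = defaultdict(set)
    for e in entries:
        sha = e.get("sha256")
        by_path[e["path"]].add(sha)
        if sha == EMPTY_SHA256:
            findings["empty"].append(e["path"])
        if sha == sample_sha256.lower():
            findings["sample_copies"].append(e["path"])
        if is_powershell_artifact(e["path"]) and e["path"] not in findings["ps_artifact"]:
            findings["ps_artifact"].append(e["path"])
    findings["rewritten"] = [p for p, shas in by_path.items() if len(shas) > 1]
    return findings


def ioc_sha256(entries):
    """Distinct SHA256 values worth blocking: drops empty-content and PowerShell artifacts."""
    return sorted({e["sha256"] for e in entries
                   if e.get("sha256") and e["sha256"] != EMPTY_SHA256
                   and not is_powershell_artifact(e["path"])})


if __name__ == "__main__":
    entries = parse_files(FILES_SECTION)
    print(audit(entries))
    print(ioc_sha256(entries))
```

The self-copy finding is the useful one operationally: the hash to hunt for in %APPDATA% is the same as the submitted sample's, and the scheduled task name "sigma" plus that path is a sharper host indicator than any of the hashes, since a rebuilt AsyncRAT client will change the hash but an operator reusing the same builder profile will often keep the task name and drop location.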