Malware Analysis Report

2025-04-03 14:02

Sample ID 241109-2hkjrsterd
Target 76c94f33ac5b462865a872d441712d9e14b25ca14122cff66b6809680047b5eeN
SHA256 76c94f33ac5b462865a872d441712d9e14b25ca14122cff66b6809680047b5ee
Tags: discovery
Score: 6/10

Analysis Overview

Score: 6/10

SHA256: 76c94f33ac5b462865a872d441712d9e14b25ca14122cff66b6809680047b5ee

Threat Level: Shows suspicious behavior

The file 76c94f33ac5b462865a872d441712d9e14b25ca14122cff66b6809680047b5eeN was found to show suspicious behavior.

Malicious Activity Summary

discovery

Checks for any installed AV software in registry

Checks computer location settings

Executes dropped EXE

Checks installed software on the system

Drops file in Program Files directory

Loads dropped DLL

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-09 22:34

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-09 22:34
Reported: 2024-11-09 22:37
Platform: win10v2004-20241007-en
Max time kernel: 95s
Max time network: 97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76c94f33ac5b462865a872d441712d9e14b25ca14122cff66b6809680047b5eeN.exe"

Signatures

Checks for any installed AV software in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Eset\Nod | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\76c94f33ac5b462865a872d441712d9e14b25ca14122cff66b6809680047b5eeN.exe | N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\ResourceUpdateService\ResourceUpdateService.exe | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\wsus3.exe | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\is-9PQM6.tmp | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\images\247_header.bmp | C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe | N/A
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\settings.ini | C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe | N/A
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\images\about.bmp | C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe | N/A
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\images\dsc_header.bmp | C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe | N/A
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\settings.ini | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\is-1KR8F.tmp | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\is-VKVOB.tmp | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\images\dsc.bmp | C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe | N/A
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\pavcomm.dll | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\iscanruntime.exe | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\is-JH6FI.tmp | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\is-49F6I.tmp | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\is-A7215.tmp | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\is-4UKO2.tmp | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\images\dsc.bmp | C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\is-AA047.tmp | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\images\splash.bmp | C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\images\tagline.bmp | C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe | N/A
File created | C:\PROGRA~2\ADVANC~1\DSC_Config.xml | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\PavApi.dll | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\is-2JV7M.tmp | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\is-QH0GM.tmp | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\images\247.bmp | C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe | N/A
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\images\247_header.bmp | C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\images\splash.bmp | C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\is-3C14E.tmp | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\is-4FGSB.tmp | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\images\247.bmp | C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\is-H1HCD.tmp | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\is-JR32M.tmp | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\is-F7NAF.tmp | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\is-39ENQ.tmp | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File created | C:\PROGRA~2\ADVANC~1\247_Config.xml | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\_avg7api.dll | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\is-TSJDN.tmp | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\is-ONKOU.tmp | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\settings.ini | C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe | N/A
File opened for modification | C:\PROGRA~2\ADVANC~1\settings.ini | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\assetscan.exe | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\is-TR02T.tmp | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\ResourceUpdateService\is-Q7O97.tmp | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\package.zip | C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe | N/A
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\images\about.bmp | C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\images\header.bmp | C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\is-GBLBO.tmp | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\images | C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe | N/A
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\images\header.bmp | C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe | N/A
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\images\tagline.bmp | C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe | N/A
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\wsus2.exe | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\wsus.exe | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\is-G770T.tmp | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\images\dsc_header.bmp | C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe | N/A
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\debug.log | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\76c94f33ac5b462865a872d441712d9e14b25ca14122cff66b6809680047b5eeN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\agent.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41564737-3200-1073-989B-0000E87B4FB1}\InprocServer32 | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41564737-3200-1077-989B-0000E87B4FB1} | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41564737-3200-1081-989B-0000E87B4FB1}\InprocServer32\ThreadingModel = "Both" | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41564737-3200-1072-989B-0000E87B4FB1}\InprocServer32 | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41564737-3200-1081-989B-0000E87B4FB1} | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41564737-3200-1073-989B-0000E87B4FB1} | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41564737-3200-1073-989B-0000E87B4FB1}\InprocServer32\ThreadingModel = "Both" | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41564737-3200-1074-989B-0000E87B4FB1}\InprocServer32\ThreadingModel = "Both" | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41564737-3200-1077-989B-0000E87B4FB1}\InprocServer32\ThreadingModel = "Both" | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41564737-3200-1071-989B-0000E87B4FB1}\InprocServer32 | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41564737-3200-1071-989B-0000E87B4FB1} | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41564737-3200-1072-989B-0000E87B4FB1} | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41564737-3200-1072-989B-0000E87B4FB1}\InprocServer32\ThreadingModel = "Both" | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41564737-3200-1074-989B-0000E87B4FB1}\InprocServer32 | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67B30939-3B35-11D2-A595-002018648BA7} | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41564737-3200-1077-989B-0000E87B4FB1}\InprocServer32 | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41564737-3200-1081-989B-0000E87B4FB1}\InprocServer32 | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67B30939-3B35-11D2-A595-002018648BA7}\InprocServer32\ThreadingModel = "Both" | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41564737-3200-1071-989B-0000E87B4FB1}\InprocServer32\ThreadingModel = "Both" | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41564737-3200-1074-989B-0000E87B4FB1} | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67B30939-3B35-11D2-A595-002018648BA7}\InprocServer32 | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 472 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\76c94f33ac5b462865a872d441712d9e14b25ca14122cff66b6809680047b5eeN.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\agent.exe
PID 472 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\76c94f33ac5b462865a872d441712d9e14b25ca14122cff66b6809680047b5eeN.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\agent.exe
PID 472 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\76c94f33ac5b462865a872d441712d9e14b25ca14122cff66b6809680047b5eeN.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\agent.exe
PID 2840 wrote to memory of 3896 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\agent.exe | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp
PID 2840 wrote to memory of 3896 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\agent.exe | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp
PID 2840 wrote to memory of 3896 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\agent.exe | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp
PID 3896 wrote to memory of 4804 | N/A | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe
PID 3896 wrote to memory of 4804 | N/A | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe
PID 3896 wrote to memory of 4804 | N/A | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe
PID 3896 wrote to memory of 1192 | N/A | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe
PID 3896 wrote to memory of 1192 | N/A | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe
PID 3896 wrote to memory of 1192 | N/A | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe
PID 3896 wrote to memory of 4788 | N/A | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe
PID 3896 wrote to memory of 4788 | N/A | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe
PID 3896 wrote to memory of 4788 | N/A | C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe

Processes

C:\Users\Admin\AppData\Local\Temp\76c94f33ac5b462865a872d441712d9e14b25ca14122cff66b6809680047b5eeN.exe

"C:\Users\Admin\AppData\Local\Temp\76c94f33ac5b462865a872d441712d9e14b25ca14122cff66b6809680047b5eeN.exe"

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\agent.exe

"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\agent.exe" /VERYSILENT /norestart

C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp

"C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp" /SL5="$6022E,8488367,56832,C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\agent.exe" /VERYSILENT /norestart

C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe

"C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe" package.zip

C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe

"C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe"

C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe

"C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe" /autoinstall

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | upload1.am.remote.management | udp
US | 172.64.148.20:443 | upload1.am.remote.management | tcp
US | 8.8.8.8:53 | upload2.am.remote.management | udp
US | 8.8.8.8:53 | 20.148.64.172.in-addr.arpa | udp
US | 172.64.148.20:443 | upload2.am.remote.management | tcp
US | 8.8.8.8:53 | upload3.am.remote.management | udp
US | 104.18.39.236:443 | upload3.am.remote.management | tcp
US | 8.8.8.8:53 | 236.39.18.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\agent.exe

memory/2840-14-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2840-16-0x0000000000401000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-G04EV.tmp\agent.tmp

memory/3896-23-0x0000000000400000-0x00000000004BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\package.zip

C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe

C:\Program Files (x86)\Advanced Monitoring Agent\images\dsc_header.bmp

C:\Program Files (x86)\Advanced Monitoring Agent\images\dsc.bmp

C:\Program Files (x86)\Advanced Monitoring Agent\settings.ini

C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe

C:\Program Files (x86)\Advanced Monitoring Agent\settings.ini

C:\Program Files (x86)\Advanced Monitoring Agent\debug.log

C:\Program Files (x86)\Advanced Monitoring Agent\debug.log

memory/3896-149-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/2840-150-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Program Files (x86)\Advanced Monitoring Agent\debug.log

C:\PROGRA~2\ADVANC~1\settings.ini

C:\Program Files (x86)\Advanced Monitoring Agent\debug.log

C:\PROGRA~2\ADVANC~1\1.lng

C:\PROGRA~2\ADVANC~1\services.ini

C:\PROGRA~2\ADVANC~1\settings.ini

C:\PROGRA~2\ADVANC~1\settings.ini

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-09 22:34
Reported: 2024-11-09 22:37
Platform: win7-20240903-en
Max time kernel: 67s
Max time network: 17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76c94f33ac5b462865a872d441712d9e14b25ca14122cff66b6809680047b5eeN.exe"

Signatures

Checks for any installed AV software in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Eset\Nod | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Eset\Nod | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe | C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp | N/A
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\assetscan.exe | C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp | N/A
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\PavApi.dll | C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp | N/A
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe | C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\is-2A8PK.tmp | C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp | N/A
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\package.zip | C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe | N/A
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\settings.ini | C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp | N/A
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\wsus.exe | C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\is-7PB5J.tmp | C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\is-E5OQJ.tmp | C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp | N/A
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\wsus3.exe | C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\is-PGMD8.tmp | C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp | N/A
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\images\247.bmp | C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe | N/A
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\images\about.bmp | C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\images\dsc.bmp | C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe | N/A
File opened for modification | C:\Program Files (x86)\Advanced Monitoring Agent\pavcomm.dll | C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp | N/A
File created | C:\Program Files (x86)\Advanced Monitoring Agent\is-MUNJS.tmp | C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp | N/A
File opened for modification C:\Program Files (x86)\Advanced Monitoring Agent\iscanruntime.exe C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp N/A
File created C:\Program Files (x86)\Advanced Monitoring Agent\ResourceUpdateService\is-DAONB.tmp C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp N/A
File created C:\Program Files (x86)\Advanced Monitoring Agent\images\dsc_header.bmp C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe N/A
File created C:\Program Files (x86)\Advanced Monitoring Agent\is-76SK9.tmp C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp N/A
File opened for modification C:\Program Files (x86)\Advanced Monitoring Agent\images C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe N/A
File created C:\Program Files (x86)\Advanced Monitoring Agent\images\header.bmp C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe N/A
File opened for modification C:\Program Files (x86)\Advanced Monitoring Agent\images\splash.bmp C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe N/A
File created C:\Program Files (x86)\Advanced Monitoring Agent\is-BPSQK.tmp C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp N/A
File created C:\Program Files (x86)\Advanced Monitoring Agent\images\247.bmp C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe N/A
File opened for modification C:\Program Files (x86)\Advanced Monitoring Agent\ResourceUpdateService\ResourceUpdateService.exe C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp N/A
File created C:\Program Files (x86)\Advanced Monitoring Agent\is-TOKRS.tmp C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp N/A
File opened for modification C:\Program Files (x86)\Advanced Monitoring Agent\images\247_header.bmp C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe N/A
File created C:\PROGRA~2\ADVANC~1\247_Config.xml C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
File created C:\Program Files (x86)\Advanced Monitoring Agent\is-Q2JTR.tmp C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp N/A
File created C:\Program Files (x86)\Advanced Monitoring Agent\is-6DUJ8.tmp C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp N/A
File created C:\Program Files (x86)\Advanced Monitoring Agent\is-OS7L5.tmp C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp N/A
File opened for modification C:\Program Files (x86)\Advanced Monitoring Agent\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp N/A
File created C:\Program Files (x86)\Advanced Monitoring Agent\images\about.bmp C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe N/A
File created C:\Program Files (x86)\Advanced Monitoring Agent\is-40570.tmp C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp N/A
File opened for modification C:\Program Files (x86)\Advanced Monitoring Agent\settings.ini C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe N/A
File created C:\Program Files (x86)\Advanced Monitoring Agent\is-8GG2U.tmp C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp N/A
File created C:\Program Files (x86)\Advanced Monitoring Agent\is-K5JLD.tmp C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp N/A
File opened for modification C:\Program Files (x86)\Advanced Monitoring Agent\images\dsc_header.bmp C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe N/A
File created C:\Program Files (x86)\Advanced Monitoring Agent\is-7UCE9.tmp C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp N/A
File opened for modification C:\Program Files (x86)\Advanced Monitoring Agent\images\dsc.bmp C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe N/A
File created C:\Program Files (x86)\Advanced Monitoring Agent\images\splash.bmp C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe N/A
File created C:\Program Files (x86)\Advanced Monitoring Agent\images\tagline.bmp C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe N/A
File created C:\Program Files (x86)\Advanced Monitoring Agent\settings.ini C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe N/A
File opened for modification C:\Program Files (x86)\Advanced Monitoring Agent\_avg7api.dll C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp N/A
File created C:\Program Files (x86)\Advanced Monitoring Agent\is-3QI6K.tmp C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp N/A
File opened for modification C:\Program Files (x86)\Advanced Monitoring Agent\debug.log C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
File created C:\PROGRA~2\ADVANC~1\DSC_Config.xml C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
File opened for modification C:\Program Files (x86)\Advanced Monitoring Agent\wsus2.exe C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp N/A
File created C:\Program Files (x86)\Advanced Monitoring Agent\is-09ARK.tmp C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp N/A
File created C:\Program Files (x86)\Advanced Monitoring Agent\is-VJEML.tmp C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp N/A
File created C:\Program Files (x86)\Advanced Monitoring Agent\is-GCA9T.tmp C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp N/A
File created C:\Program Files (x86)\Advanced Monitoring Agent\is-ECRAS.tmp C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp N/A
File created C:\Program Files (x86)\Advanced Monitoring Agent\is-L8778.tmp C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp N/A
File created C:\Program Files (x86)\Advanced Monitoring Agent\images\247_header.bmp C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe N/A
File opened for modification C:\Program Files (x86)\Advanced Monitoring Agent\images\header.bmp C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe N/A
File opened for modification C:\Program Files (x86)\Advanced Monitoring Agent\images\tagline.bmp C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe N/A
File opened for modification C:\PROGRA~2\ADVANC~1\settings.ini C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\76c94f33ac5b462865a872d441712d9e14b25ca14122cff66b6809680047b5eeN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\agent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{41564737-3200-1074-989B-0000E87B4FB1}\InprocServer32 C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{41564737-3200-1074-989B-0000E87B4FB1} C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67B30939-3B35-11D2-A595-002018648BA7}\InprocServer32 C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{41564737-3200-1077-989B-0000E87B4FB1}\InprocServer32 C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{41564737-3200-1071-989B-0000E87B4FB1}\InprocServer32 C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{41564737-3200-1081-989B-0000E87B4FB1} C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{41564737-3200-1073-989B-0000E87B4FB1}\InprocServer32\ThreadingModel = "Both" C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67B30939-3B35-11D2-A595-002018648BA7}\InprocServer32\ThreadingModel = "Both" C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{41564737-3200-1072-989B-0000E87B4FB1}\InprocServer32\ThreadingModel = "Both" C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{41564737-3200-1073-989B-0000E87B4FB1}\InprocServer32 C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{41564737-3200-1073-989B-0000E87B4FB1} C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67B30939-3B35-11D2-A595-002018648BA7} C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{41564737-3200-1077-989B-0000E87B4FB1} C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{41564737-3200-1077-989B-0000E87B4FB1}\InprocServer32\ThreadingModel = "Both" C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{41564737-3200-1081-989B-0000E87B4FB1}\InprocServer32 C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{41564737-3200-1074-989B-0000E87B4FB1}\InprocServer32\ThreadingModel = "Both" C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{41564737-3200-1071-989B-0000E87B4FB1} C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{41564737-3200-1071-989B-0000E87B4FB1}\InprocServer32\ThreadingModel = "Both" C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{41564737-3200-1081-989B-0000E87B4FB1}\InprocServer32\ThreadingModel = "Both" C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{41564737-3200-1072-989B-0000E87B4FB1}\InprocServer32 C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{41564737-3200-1072-989B-0000E87B4FB1} C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [binary certificate blob omitted] C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2272 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\76c94f33ac5b462865a872d441712d9e14b25ca14122cff66b6809680047b5eeN.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\agent.exe
PID 2272 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\76c94f33ac5b462865a872d441712d9e14b25ca14122cff66b6809680047b5eeN.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\agent.exe
PID 2272 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\76c94f33ac5b462865a872d441712d9e14b25ca14122cff66b6809680047b5eeN.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\agent.exe
PID 2272 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\76c94f33ac5b462865a872d441712d9e14b25ca14122cff66b6809680047b5eeN.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\agent.exe
PID 2272 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\76c94f33ac5b462865a872d441712d9e14b25ca14122cff66b6809680047b5eeN.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\agent.exe
PID 2272 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\76c94f33ac5b462865a872d441712d9e14b25ca14122cff66b6809680047b5eeN.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\agent.exe
PID 2272 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\76c94f33ac5b462865a872d441712d9e14b25ca14122cff66b6809680047b5eeN.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\agent.exe
PID 2860 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\agent.exe C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp
PID 2860 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\agent.exe C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp
PID 2860 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\agent.exe C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp
PID 2860 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\agent.exe C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp
PID 2860 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\agent.exe C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp
PID 2860 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\agent.exe C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp
PID 2860 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\agent.exe C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp
PID 2848 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe
PID 2848 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe
PID 2848 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe
PID 2848 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe
PID 2848 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe
PID 2848 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe
PID 2848 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe
PID 2848 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe
PID 2848 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe
PID 2848 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe
PID 2848 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe
PID 2848 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe

Processes

C:\Users\Admin\AppData\Local\Temp\76c94f33ac5b462865a872d441712d9e14b25ca14122cff66b6809680047b5eeN.exe

"C:\Users\Admin\AppData\Local\Temp\76c94f33ac5b462865a872d441712d9e14b25ca14122cff66b6809680047b5eeN.exe"

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\agent.exe

"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\agent.exe" /VERYSILENT /norestart

C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp

"C:\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp" /SL5="$50150,8488367,56832,C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\agent.exe" /VERYSILENT /norestart

C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe

"C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe" package.zip

C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe

"C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe"

C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe

"C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe" /autoinstall

Network

Country Destination Domain Proto
US 8.8.8.8:53 upload1.am.remote.management udp
US 104.18.39.236:443 upload1.am.remote.management tcp
US 8.8.8.8:53 upload2.am.remote.management udp
US 104.18.39.236:443 upload2.am.remote.management tcp
US 8.8.8.8:53 upload3.am.remote.management udp
US 172.64.148.20:443 upload3.am.remote.management tcp

Files

\Users\Admin\AppData\Local\Temp\7ZipSfx.000\agent.exe

MD5 a9fda75bdeaf94eab2de124669c766dd
SHA1 70ac76a542550dffd54f06ce3509b505b8a3ad6b
SHA256 82279224e559612f512b62c8c04d3ce622b84ca50627aeda1bd3e86bfa702f25
SHA512 b232eb7af7a1ac5249cafc2a3ce1720a06d4e6df09585c991bcadbf527978e1d1d2506d70e0697c36043d78426b686ab120f45b9c6b6516f71e7531a1417d970

memory/2860-12-0x0000000000401000-0x000000000040B000-memory.dmp

memory/2860-9-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-VVU30.tmp\agent.tmp

MD5 a2c4d52c66b4b399facadb8cc8386745
SHA1 c326304c56a52a3e5bfbdce2fef54604a0c653e0
SHA256 6c0465ce64c07e729c399a338705941d77727c7d089430957df3e91a416e9d2a
SHA512 2a66256ff8535e2b300aa0ca27b76e85d42422b0aaf5e7e6d055f7abb9e338929c979e185c6be8918d920fb134b7f28a76b714579cacb8ace09000c046dd34d6

\Users\Admin\AppData\Local\Temp\is-44AK4.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2848-20-0x0000000000400000-0x00000000004BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\package.zip

MD5 835b4f1cf0d7d45b334d156d7f9fe173
SHA1 3cf8c0a330923795858e1397d0d57847f9d28e40
SHA256 72c2958364475901d3f8dfd8055441507aa70ecc54b32b4b568aeac5c08eaa9e
SHA512 08c50e76a0c53e853bbd109c8eca0d89be330ae7f9cb892a4516c15ee950350549648934c707f0f0544ca149e3252f1990016d1aac70f73cce49e620f7111743

\Program Files (x86)\Advanced Monitoring Agent\winagent.exe

MD5 d5c641c0baab002680bb4170924bba14
SHA1 f6b6c3756f29c0af6129d316360043903e53a2db
SHA256 7b1fd98dd50b1474a8cbafd3ba885d21841bd9293fdcd3443c5fb299c7a85c38
SHA512 50c2e3945b12e1e4ad870cb0262dfa06d7c791ee337809cafc1524ff5c975914c1c4037f6d3063f3068fc5587042408bab409fea2319fd8819c8ffb6a9352768

C:\Program Files (x86)\Advanced Monitoring Agent\unzip.exe

MD5 30d02475127e706a012fd60a47a67499
SHA1 b3c8f766ade73bbd63041bfda2a7ba28a1840016
SHA256 75875638f19e552b3482d89069025d9fd6a49412398e4ee84df306a2560d588f
SHA512 5c30a287cf67e546858b0a39a850db90df08c82c1f26672e944ed228057fc8b319e9323400407d78ba06a438bc6a783a975dded6c7fca89af511a0a006f548cd

C:\Program Files (x86)\Advanced Monitoring Agent\images\dsc_header.bmp

MD5 fcb4c9763f9f349690b128e04893e683
SHA1 3b9aebc5500ec0af591b94ed26fdebb06ab7ce62
SHA256 a2acbb1b55df6a88829fbc4eb7881d8c39af8d4fb97d07cc9dc7bdba2229ea22
SHA512 9ae7e8e16fe499048d86936a005cc84ab8293bdce4585d57cee0c5092c4ff872533b11b53be7b094ba3dd58f8190daa122e6cb2ebb20062dd18a2f1cc7f20293

C:\Program Files (x86)\Advanced Monitoring Agent\images\dsc.bmp

MD5 3c4ea39c75489a593915e1dcd3ac1626
SHA1 0415d936fed4266aa7f086d48574d75a2562e4f9
SHA256 5a8c508fd0a0a75a649ccb939454a0db0c5240f08551a179cb41e332bdbf7f18
SHA512 1621a580aa0830da653cdc642178fdddfccdeaf64180fc6bdabead572111edadcb3d119170a764e0dcd60bad6e8ed7f0b07736083a909a31911e188f9fc09f45

C:\Program Files (x86)\Advanced Monitoring Agent\settings.ini

MD5 c95009163f41e855ee0dcae6476fcb3b
SHA1 cb29bc60548f2a2c38e2b390cf7eca879af8d1fd
SHA256 a436ae66e5d89ae104eaba86ae92448c66a158e75ae3adab7cea3c207bde8c9d
SHA512 a8de49cd57e15713134937817534fbc839fa6f54bb603ede1517a94caf404ce27c3511bab8c94943bb7ba59ed877970de61b5624b5816618583c2a9a22918cf3

memory/2848-120-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/2860-122-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Program Files (x86)\Advanced Monitoring Agent\debug.log

MD5 887a3a87b8a65e6bf9ad341712ee1b52
SHA1 fee5108df6f3e332088ef8e9cabaa5627987ef6a
SHA256 505a339f5c3856332e802ec8a886d94b74320f37208c320aa78f098eb2097a51
SHA512 0d62e70ce756936b7d596caf66851499e2c90f3e2476e29ca8a06e0875be971e4aee1064403796cc4dde24972f608de3b040e7453ec7afb00d04cdda29de555f

C:\Program Files (x86)\Advanced Monitoring Agent\debug.log

MD5 64dd6b51ef94b846e85a2588d1d3cdeb
SHA1 92508e4525d0b21a6eb60a8e039bd5f9d32e7213
SHA256 93b8e2d125739fba7375537c1a5dd0c003199ba684cd9106f0716f758001e638
SHA512 85e3b2dbad081fe7125fdb4c03f5f8a67bed44e10a703c1154b88bcc99ddfe0c6ebdc6c0558b1d655639b1fc296ecf2a3d3c916f999c2424869aeb84e57b7261

C:\PROGRA~2\ADVANC~1\settings.ini

MD5 d8493e867c0a0de257b7b47dda712909
SHA1 8314d87c9630e486e248aff16718389b8481e5c3
SHA256 c49a76d74700a8547dfb47033f176948ec62be18b73725bb6d7d3746bcec7136
SHA512 cb6e501741a5fdb61cb2a96a6e7a0cd380b3091ab64efe44b8424bea7de22a2ec2cefc0d2e61863d14be8c667d76c6b6bada1f3b367c63f30bd4083f8df72b7a

C:\Program Files (x86)\Advanced Monitoring Agent\debug.log

MD5 fd2a9efaf3d1307de0e8aef06ac2c9b4
SHA1 e94654b67ffc78a466e3b2e30ebd9b5d28e668d6
SHA256 feee783af1b4223744b0f0cfad5b800187a5efb94c960b148779d33b195bf7d8
SHA512 1df3e3dce6a204404a013bb856f6bf6e21eb9b3373187304985019406f0015f61d6282b2e162788566cae2c39b6a2eaaca1398e0f4751858be77fce5dc3d0006

C:\PROGRA~2\ADVANC~1\1.lng

MD5 e4361def38811d2f295b5686bd2c2b5b
SHA1 91002014191d2e09616f619a81c7cafb652e2815
SHA256 0e5882114864d4a708b472d524063867fa770958b770b67fc0af7f8ed4757ad2
SHA512 f1ee01ec34edfe27f5f48be84f0a36a572e709bd46d29114617785954576e71ab55d8a8090256a5efff6d2a63c1625dac0a3275b9dbc55ba69d6e1861c14a755

C:\PROGRA~2\ADVANC~1\services.ini

MD5 7e3633ed291fceeac2484d2e1133fee4
SHA1 5f07cab96e6c1b547959b44bab5759a89bc2a4ea
SHA256 b3ff7c0a671e3d6cf02c2422fd7f0705bf4e22775e1b91e1fd4cf604bfc47646
SHA512 6efa3027cebdac7f2bcb1ef4afe6fce4809071fd94415db31844fbef6a791aff2bca04b964ec5793c73d5ee51b2e05310b1d622acc1f84aa7966af26a2775f16

C:\PROGRA~2\ADVANC~1\settings.ini

MD5 9326b3c183490c751b4a6a6253cf633d
SHA1 74e669cf713be2cf74eceb4ccf98875203c5c7c5
SHA256 868bb37811e7fe4a70c6cfa78b6526fbcecf7833ba78528f99751b18943fef02
SHA512 f549518257455351ac5fd96c569ad8ebfa6b01a2675f01a44d060de69aa0650af03fc3603d73aa33101eb135e224b2f66caa67923b94fa539b49ff4569a37b2e

C:\PROGRA~2\ADVANC~1\settings.ini

MD5 49b2c0d25ae7e4e102da2984de14a65d
SHA1 4cb4c7af9ca7e0cc9fa0ecd29497b764b68a2d46
SHA256 a60a253e616c8f622c941e341795f958b2fb34f6cfa3a9bf3cac13ec3baa1c95
SHA512 ee69057cac387237f8174bf9025feb3cf225ec4abbc5c955e81fb6c3af7b732176b97c6896d9e62ec6841da5ac231b62694e5cd14bb8f648ddaa352cf74056c4

C:\PROGRA~2\ADVANC~1\settings.ini

MD5 1e38a996b075ce5a8cfbdb36cf72d947
SHA1 fd7706d67faf689509ce0e6fc009833a738c15cc
SHA256 108c15739ffd79a2cab9720b27d42bc37420f35432016186269a5f1f6575e5a8
SHA512 340dce7e2e22529403a146983c69f0f99c1bfe04a0b064c8794ee136a839a2cc564acb01cc3254b992f25a0dd27384fcf66f4d6fac73b14fbcc6d931e965906b