Analysis
  max time kernel: 1800s
  max time network: 1449s
  platform: windows10_x64
  resource: win10v20210410
  submitted: 10/07/2021, 13:25
Static task
  static1

Behavioral tasks (task: sample, resource)
  behavioral1: toolspab2 (1).exe, win7v20210410
  behavioral2: toolspab2 (1).exe, win10v20210408
  behavioral3: toolspab2 (10).exe, win7v20210410
  behavioral4: toolspab2 (10).exe, win10v20210408
  behavioral5: toolspab2 (11).exe, win7v20210410
  behavioral6: toolspab2 (11).exe, win10v20210408
  behavioral7: toolspab2 (12).exe, win7v20210410
  behavioral8: toolspab2 (12).exe, win10v20210410
  behavioral9: toolspab2 (13).exe, win7v20210408
  behavioral10: toolspab2 (13).exe, win10v20210410
  behavioral11: toolspab2 (14).exe, win7v20210408
  behavioral12: toolspab2 (14).exe, win10v20210410
  behavioral13: toolspab2 (15).exe, win7v20210408
  behavioral14: toolspab2 (15).exe, win10v20210410
  behavioral15: toolspab2 (16).exe, win7v20210408
  behavioral16: toolspab2 (16).exe, win10v20210410
  behavioral17: toolspab2 (17).exe, win7v20210410
  behavioral18: toolspab2 (17).exe, win10v20210408
  behavioral19: toolspab2 (18).exe, win7v20210410
  behavioral20: toolspab2 (18).exe, win10v20210408
  behavioral21: toolspab2 (19).exe, win7v20210410
  behavioral22: toolspab2 (19).exe, win10v20210410
  behavioral23: toolspab2 (2).exe, win7v20210408
  behavioral24: toolspab2 (2).exe, win10v20210410
  behavioral25: toolspab2 (20).exe, win7v20210408
  behavioral26: toolspab2 (20).exe, win10v20210410
  behavioral27: toolspab2 (21).exe, win7v20210408
  behavioral28: toolspab2 (21).exe, win10v20210410
  behavioral29: toolspab2 (22).exe, win7v20210410
  behavioral30: toolspab2 (22).exe, win10v20210408
  behavioral31: toolspab2 (23).exe, win7v20210410
General
  Target: toolspab2 (16).exe
  Size: 315KB
  MD5: 1d20e1f65938e837ef1b88f10f1bd6c3
  SHA1: 703d7098dbfc476d2181b7fc041cc23e49c368f1
  SHA256: 05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d
  SHA512: f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196
Malware Config
  Extracted
    Family: smokeloader
    Version: 2020
  Extracted
    Family: redline
    Botnet: 1
    C2: 45.32.235.238:45555
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (5 IoCs)
  resource / yara_rule:
    behavioral16/memory/3904-151-0x0000000000417E96-mapping.dmp: family_redline
    behavioral16/memory/3904-149-0x0000000000400000-0x000000000041E000-memory.dmp: family_redline
    behavioral16/memory/3904-165-0x0000000005790000-0x0000000005D96000-memory.dmp: family_redline
    behavioral16/files/0x000200000001abad-169.dat: family_redline
    behavioral16/files/0x000200000001abad-170.dat: family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Downloads MZ/PE file

Executes dropped EXE (64 IoCs)
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description / ioc / process:
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (7298.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (7298.exe)

Deletes itself (1 IoC)
  pid / process:
    3044: Process not Found

Loads dropped DLL (8 IoCs)
  pid / process:
    3024: toolspab2 (16).exe
    3900: 60E1.exe
    3900: 60E1.exe
    3900: 60E1.exe
    3900: 60E1.exe
    3900: 60E1.exe
    1624: gsaedcw
    1732: gsaedcw

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

  resource / yara_rule (3 IoCs):
    behavioral16/files/0x000200000001abad-169.dat: themida
    behavioral16/files/0x000200000001abad-170.dat: themida
    behavioral16/memory/212-174-0x0000000000CE0000-0x0000000000CE1000-memory.dmp: themida

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled (1 IoC)
  description / ioc / process:
    Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (7298.exe)

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid / process:
    212: 7298.exe

Suspicious use of SetThreadContext (35 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) (3 TTPs, 9 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description / ioc / process:
    Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (toolspab2 (16).exe)
    Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (toolspab2 (16).exe)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (gsaedcw)
    Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (gsaedcw)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (gsaedcw)
    Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (gsaedcw)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (toolspab2 (16).exe)
    Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (gsaedcw)
    Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (gsaedcw)

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / process:
    1916: schtasks.exe
    2292: schtasks.exe

Delays execution with timeout.exe (1 IoC)
  pid / process:
    3816: timeout.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid / process:
    3044: Process not Found

Suspicious behavior: MapViewOfSection (21 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid / process:
    3756: 590E.exe
    1080: 5A66.exe

Suspicious use of UnmapMainImage (1 IoC)
  pid / process:
    3044: Process not Found

Suspicious use of WriteProcessMemory (64 IoCs)
Processes
(indentation shows parent/child depth; "cmd" is the recorded command line)

C:\Users\Admin\AppData\Local\Temp\toolspab2 (16).exe  (PID 3944)
  cmd: "C:\Users\Admin\AppData\Local\Temp\toolspab2 (16).exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\toolspab2 (16).exe  (PID 3024)
      cmd: "C:\Users\Admin\AppData\Local\Temp\toolspab2 (16).exe"
      - Loads dropped DLL
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Roaming\gsaedcw  (PID 3212)
  cmd: C:\Users\Admin\AppData\Roaming\gsaedcw
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\gsaedcw  (PID 580)
      cmd: C:\Users\Admin\AppData\Roaming\gsaedcw
      - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\590E.exe  (PID 3756)
  cmd: C:\Users\Admin\AppData\Local\Temp\590E.exe
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

C:\Users\Admin\AppData\Local\Temp\5A66.exe  (PID 1080)
  cmd: C:\Users\Admin\AppData\Local\Temp\5A66.exe
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

C:\Users\Admin\AppData\Local\Temp\5D07.exe  (PID 3840)
  cmd: C:\Users\Admin\AppData\Local\Temp\5D07.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\5D07.exe  (PID 3904)
      cmd: C:\Users\Admin\AppData\Local\Temp\5D07.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\60E1.exe  (PID 3900)
  cmd: C:\Users\Admin\AppData\Local\Temp\60E1.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\wKFM3gJf85.exe  (PID 3756)
      cmd: "C:\Users\Admin\AppData\Local\Temp\wKFM3gJf85.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
        C:\Users\Admin\AppData\Local\Temp\wKFM3gJf85.exe  (PID 4080)
          cmd: "C:\Users\Admin\AppData\Local\Temp\wKFM3gJf85.exe"
          - Executes dropped EXE
            C:\Windows\SysWOW64\schtasks.exe  (PID 1916)
              cmd: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
              - Creates scheduled task(s)
    C:\Windows\SysWOW64\cmd.exe  (PID 1076)
      cmd: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\60E1.exe"
        C:\Windows\SysWOW64\timeout.exe  (PID 3816)
          cmd: timeout /T 10 /NOBREAK
          - Delays execution with timeout.exe

C:\Users\Admin\AppData\Local\Temp\62F5.exe  (PID 1992)
  cmd: C:\Users\Admin\AppData\Local\Temp\62F5.exe
  - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\68A3.exe  (PID 3200)
  cmd: C:\Users\Admin\AppData\Local\Temp\68A3.exe
  - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\6CBB.exe  (PID 3792)
  cmd: C:\Users\Admin\AppData\Local\Temp\6CBB.exe
  - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\7298.exe  (PID 212)
  cmd: C:\Users\Admin\AppData\Local\Temp\7298.exe
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\explorer.exe  (PID 804)
  cmd: C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe  (PID 788)
  cmd: C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe  (PID 2184)
  cmd: C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe  (PID 3776)
  cmd: C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe  (PID 1992)
  cmd: C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe  (PID 2812)
  cmd: C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe  (PID 780)
  cmd: C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe  (PID 2772)
  cmd: C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe  (PID 1164)
  cmd: C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 1612)
  cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 2144)
      cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
      - Executes dropped EXE
        C:\Windows\SysWOW64\schtasks.exe  (PID 2292)
          cmd: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
          - Creates scheduled task(s)

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 204)
  cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 896)
      cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
      - Executes dropped EXE

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 3900)
  cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 3756)
      cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
      - Executes dropped EXE

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 400)
  cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 3872)
      cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
      - Executes dropped EXE

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 340)
  cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 200)
      cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
      - Executes dropped EXE

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 2120)
  cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 3160)
      cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
      - Executes dropped EXE

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 3304)
  cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 1812)
      cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
      - Executes dropped EXE

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 2108)
  cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 4012)
      cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
      - Executes dropped EXE

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 736)
  cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 3596)
      cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
      - Executes dropped EXE

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 1612)
  cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 2196)
      cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
      - Executes dropped EXE

C:\Users\Admin\AppData\Roaming\gsaedcw  (PID 2316)
  cmd: C:\Users\Admin\AppData\Roaming\gsaedcw
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Roaming\gsaedcw  (PID 1624)
      cmd: C:\Users\Admin\AppData\Roaming\gsaedcw
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks SCSI registry key(s)
      - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 1408)
  cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 2936)
      cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
      - Executes dropped EXE

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 2680)
  cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 3112)
      cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
      - Executes dropped EXE

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 156)
  cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 2064)
      cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
      - Executes dropped EXE

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 932)
  cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 1368)
      cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
      - Executes dropped EXE

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 3600)
  cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 296)
      cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
      - Executes dropped EXE

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 2632)
  cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 1292)
      cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
      - Executes dropped EXE

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 3540)
  cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 684)
      cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
      - Executes dropped EXE

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 352)
  cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 384)
      cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
      - Executes dropped EXE

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 812)
  cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 348)
      cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
      - Executes dropped EXE

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 1324)
  cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 1256)
      cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
      - Executes dropped EXE

C:\Users\Admin\AppData\Roaming\gsaedcw  (PID 2352)
  cmd: C:\Users\Admin\AppData\Roaming\gsaedcw
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Roaming\gsaedcw  (PID 1732)
      cmd: C:\Users\Admin\AppData\Roaming\gsaedcw
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks SCSI registry key(s)
      - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 2152)
  cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe  (PID 3264)
      cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
      - Executes dropped EXE

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2960 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵
- Executes dropped EXE
PID:3804
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3660 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵
- Executes dropped EXE
PID:3240
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3684 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵PID:3536
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Suspicious use of SetThreadContext
PID:3064 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵PID:3532
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Suspicious use of SetThreadContext
PID:2528 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵PID:3148
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Suspicious use of SetThreadContext
PID:64 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵PID:592
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Suspicious use of SetThreadContext
PID:808 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵PID:788
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe1⤵
- Suspicious use of SetThreadContext
PID:4016 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵PID:3472
-