amadey | 4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358

Analysis

max time kernel
159s
max time network
167s
platform
windows7_x64
resource
win7v20210408
submitted
07-10-2021 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
Size

578KB
MD5

0f7a33360cfb19513d6d5261c1dc1394
SHA1

bd14d2c349fdeb1a1e3ea4e842e370ee7572eb8a
SHA256

4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358
SHA512

d18a97a22a4e57cb010e683152b113b9586f688d57284b6fcfa1c180fa082907e86b5bcfd1cc13813ae91e518d1cd1087799d97715c3cb6aa16debe8199049a0

Score

10^/10

amadey redline infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

2.70

185.215.113.45/g4MbvE/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1624-197-0x000000000041B246-mapping.dmp	family_redline
behavioral1/memory/1992-204-0x0000000002670000-0x00000000032BA000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

sqtvvs.exesqtvvs.exesqtvvs.exe309151772.exesqtvvs.exe309151772.exesqtvvs.exe

pid process

240 sqtvvs.exe
1768 sqtvvs.exe
1000 sqtvvs.exe
1784 309151772.exe
1816 sqtvvs.exe
1624 309151772.exe
2016 sqtvvs.exe

pid	process
240	sqtvvs.exe
1768	sqtvvs.exe
1000	sqtvvs.exe
1784	309151772.exe
1816	sqtvvs.exe
1624	309151772.exe
2016	sqtvvs.exe

Loads dropped DLL 8 IoCs

Processes:

4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exesqtvvs.exesqtvvs.exesqtvvs.exe309151772.exe

pid	process
336	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
240	sqtvvs.exe
1768	sqtvvs.exe
1768	sqtvvs.exe
1768	sqtvvs.exe
1768	sqtvvs.exe
1000	sqtvvs.exe
1784	309151772.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

sqtvvs.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	sqtvvs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\309151772.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\309151772.\\309151772.exe"	sqtvvs.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exesqtvvs.exesqtvvs.exe309151772.exe

description	pid	process	target process
PID 1944 set thread context of 336	1944	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
PID 240 set thread context of 1768	240	sqtvvs.exe	sqtvvs.exe
PID 1000 set thread context of 1816	1000	sqtvvs.exe	sqtvvs.exe
PID 1784 set thread context of 1624	1784	309151772.exe	309151772.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1212 schtasks.exe

pid	process
1212	schtasks.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exesqtvvs.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sqtvvs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	sqtvvs.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sqtvvs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	sqtvvs.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	sqtvvs.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sqtvvs.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1944	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
1944	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
1944	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
1944	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
1764	powershell.exe
1764	powershell.exe
1188	powershell.exe
1188	powershell.exe
240	powershell.exe
240	powershell.exe
1992	powershell.exe
1992	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exepowershell.exepowershell.exepowershell.exepowershell.exe309151772.exe

description	pid	process
Token: SeDebugPrivilege	1944	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeDebugPrivilege	240	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	1624	309151772.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exesqtvvs.exesqtvvs.execmd.exetaskeng.exe

description	pid	process	target process
PID 1944 wrote to memory of 1764	1944	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	powershell.exe
PID 1944 wrote to memory of 1764	1944	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	powershell.exe
PID 1944 wrote to memory of 1764	1944	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	powershell.exe
PID 1944 wrote to memory of 1764	1944	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	powershell.exe
PID 1944 wrote to memory of 1744	1944	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
PID 1944 wrote to memory of 1744	1944	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
PID 1944 wrote to memory of 1744	1944	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
PID 1944 wrote to memory of 1744	1944	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
PID 1944 wrote to memory of 1732	1944	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
PID 1944 wrote to memory of 1732	1944	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
PID 1944 wrote to memory of 1732	1944	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
PID 1944 wrote to memory of 1732	1944	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
PID 1944 wrote to memory of 336	1944	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
PID 1944 wrote to memory of 336	1944	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
PID 1944 wrote to memory of 336	1944	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
PID 1944 wrote to memory of 336	1944	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
PID 1944 wrote to memory of 336	1944	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
PID 1944 wrote to memory of 336	1944	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
PID 1944 wrote to memory of 336	1944	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
PID 1944 wrote to memory of 336	1944	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
PID 1944 wrote to memory of 336	1944	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
PID 1944 wrote to memory of 336	1944	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
PID 1944 wrote to memory of 336	1944	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
PID 336 wrote to memory of 240	336	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	sqtvvs.exe
PID 336 wrote to memory of 240	336	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	sqtvvs.exe
PID 336 wrote to memory of 240	336	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	sqtvvs.exe
PID 336 wrote to memory of 240	336	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	sqtvvs.exe
PID 240 wrote to memory of 1188	240	sqtvvs.exe	powershell.exe
PID 240 wrote to memory of 1188	240	sqtvvs.exe	powershell.exe
PID 240 wrote to memory of 1188	240	sqtvvs.exe	powershell.exe
PID 240 wrote to memory of 1188	240	sqtvvs.exe	powershell.exe
PID 240 wrote to memory of 1768	240	sqtvvs.exe	sqtvvs.exe
PID 240 wrote to memory of 1768	240	sqtvvs.exe	sqtvvs.exe
PID 240 wrote to memory of 1768	240	sqtvvs.exe	sqtvvs.exe
PID 240 wrote to memory of 1768	240	sqtvvs.exe	sqtvvs.exe
PID 240 wrote to memory of 1768	240	sqtvvs.exe	sqtvvs.exe
PID 240 wrote to memory of 1768	240	sqtvvs.exe	sqtvvs.exe
PID 240 wrote to memory of 1768	240	sqtvvs.exe	sqtvvs.exe
PID 240 wrote to memory of 1768	240	sqtvvs.exe	sqtvvs.exe
PID 240 wrote to memory of 1768	240	sqtvvs.exe	sqtvvs.exe
PID 240 wrote to memory of 1768	240	sqtvvs.exe	sqtvvs.exe
PID 240 wrote to memory of 1768	240	sqtvvs.exe	sqtvvs.exe
PID 1768 wrote to memory of 1676	1768	sqtvvs.exe	cmd.exe
PID 1768 wrote to memory of 1676	1768	sqtvvs.exe	cmd.exe
PID 1768 wrote to memory of 1676	1768	sqtvvs.exe	cmd.exe
PID 1768 wrote to memory of 1676	1768	sqtvvs.exe	cmd.exe
PID 1768 wrote to memory of 1212	1768	sqtvvs.exe	schtasks.exe
PID 1768 wrote to memory of 1212	1768	sqtvvs.exe	schtasks.exe
PID 1768 wrote to memory of 1212	1768	sqtvvs.exe	schtasks.exe
PID 1768 wrote to memory of 1212	1768	sqtvvs.exe	schtasks.exe
PID 1676 wrote to memory of 1684	1676	cmd.exe	reg.exe
PID 1676 wrote to memory of 1684	1676	cmd.exe	reg.exe
PID 1676 wrote to memory of 1684	1676	cmd.exe	reg.exe
PID 1676 wrote to memory of 1684	1676	cmd.exe	reg.exe
PID 1588 wrote to memory of 1000	1588	taskeng.exe	sqtvvs.exe
PID 1588 wrote to memory of 1000	1588	taskeng.exe	sqtvvs.exe
PID 1588 wrote to memory of 1000	1588	taskeng.exe	sqtvvs.exe
PID 1588 wrote to memory of 1000	1588	taskeng.exe	sqtvvs.exe
PID 1768 wrote to memory of 1784	1768	sqtvvs.exe	309151772.exe
PID 1768 wrote to memory of 1784	1768	sqtvvs.exe	309151772.exe
PID 1768 wrote to memory of 1784	1768	sqtvvs.exe	309151772.exe
PID 1768 wrote to memory of 1784	1768	sqtvvs.exe	309151772.exe
PID 1768 wrote to memory of 1784	1768	sqtvvs.exe	309151772.exe
PID 1768 wrote to memory of 1784	1768	sqtvvs.exe	309151772.exe

C:\Users\Admin\AppData\Local\Temp\4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
"C:\Users\Admin\AppData\Local\Temp\4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1764
- C:\Users\Admin\AppData\Local\Temp\4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
  "C:\Users\Admin\AppData\Local\Temp\4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe"
  2⤵
  PID:1744
- C:\Users\Admin\AppData\Local\Temp\4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
  "C:\Users\Admin\AppData\Local\Temp\4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe"
  2⤵
  PID:1732
- C:\Users\Admin\AppData\Local\Temp\4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
  "C:\Users\Admin\AppData\Local\Temp\4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:336
- - C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
    "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:240
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1188
  - - C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
      "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1768
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1676
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\
        6⤵
        
        PID:1684
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:1212
    - - C:\Users\Admin\AppData\Local\Temp\309151772\309151772.exe
        
        "C:\Users\Admin\AppData\Local\Temp\309151772.\309151772.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1784
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\309151772.\309151772.exe"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
      - C:\Users\Admin\AppData\Local\Temp\309151772\309151772.exe
        
        "C:\Users\Admin\AppData\Local\Temp\309151772.\309151772.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624

C:\Windows\system32\taskeng.exe
taskeng.exe {750DD243-4BAF-4767-B669-9C6014053396} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID:1000
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:240
- - C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
    "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"
    3⤵
    - Executes dropped EXE
    PID:1816
- C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
  2⤵
  - Executes dropped EXE
  PID:2016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

MD5
6cbddec4b2cd4d060fbff99e84cd271c

SHA1
9127a5802657129ecf7bc62f4a463a2e62c82822

SHA256
0df1c8101eef7da4dc0b8ca2c54fa46b42100823e8ee7994343ab0ecf7729173

SHA512
0f6ca0d3656c0adb78dc598ea635473e669c7f5a4264c80d9164be201945428cd5d567eb50d60e95721612811d66b60b79d01bb1c591db88de7a1809a09b9258

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_CAAD487C6DC014CC76BDDB95FED82CB0

MD5
8baa6e3bb52ecfe2939b51bf30de006a

SHA1
0a39c1e831b8f923eb705420a683a6610f430566

SHA256
c521081db2643da0124176ab42639be7da28dcc14e038f797e88f74fbf13a49c

SHA512
28cd676b574fed338d44f986afff52b8d0d8949fb900594e5677b78c176f390a08a830310c264a0d73ed0ddd3296322a1d99ad4ccd4bd275cab1d0c93ea57f9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5
ab5c36d10261c173c5896f3478cdc6b7

SHA1
87ac53810ad125663519e944bc87ded3979cbee4

SHA256
f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9

SHA512
e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

MD5
0aa60165cd36196768da59f21ffa959f

SHA1
c913a31b5af80dddc1e9971496e6386c0fbba9e2

SHA256
28fa8f9023cff141b95e3f00b1347d93ae87734c79ac01616f9ed27a21bb1906

SHA512
bbe18c61d61a716a46ffbe74941f210b0fd17051fee79fcccb4b3e0cbee4c0d6c36dc98abecf399603a96fa0b7c61580153062c3b8d1c16b18508b44d421c435

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_CAAD487C6DC014CC76BDDB95FED82CB0

MD5
42ed303b27c186d6be7140ec6f96b573

SHA1
9ae27ec0e063a489b0ae66fa9e800a6955a71514

SHA256
4d66ca8f29dd150707b84709c28f5a864b07c90afccd7a61586a84ff56428df3

SHA512
405316ef1ac7d511772eb71cc6518d428bb4221d329d21db6eb1def04694126a85798636dfb49f57a711f98b4754f9909019c3e991b1610adcfea08e9294b192

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
74dd6869a84a8840e72421d4d2feb868

SHA1
c25cac3c0f9c4256ce98f6663e7baa27ad1c1d9e

SHA256
f997315db7d86972dac8c4962800f2fe8bf1407e5b1b20776883ddca302fc44f

SHA512
6d71272f7cf33db941b4c5d690327f24e47a4e166ee5c36f124f52cd3941ed030beb3783cb3cece68cd4ae836e9173c84fcd6b940b80f1a4f632d3fc53afb403

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
b6d86951142435e1dd9dfa115b4576d6

SHA1
f93dfbc37a3fd58acfd9f0fd36e3609bde3b52b5

SHA256
b888291e5f409c826be8c58144fb46e872682cefea308d5ddbffdffae96e6abe

SHA512
83bed14d57e2ea385b10b5830ce45295fcfb26569454df8fbc781b495ede35453ac88d94717b4da2c8cf4b4fde94343736d1423f1fd527cab907cee3c5362963

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5
8060c5d714fb37113328ac9668c98d63

SHA1
c2e7bcfd32eae56a7fd4cf5af97bea7cce604fd0

SHA256
c686e78d6440809593a7b32094e81b3016048071d147de37c087ae919362f1b5

SHA512
4370d21f24c7aa97c9ed8049455c32ef07da0fefb466b6f94873c59850797ae6b0e6b011b4e78e7c9f1e254c281b82d51a4a6499b3d627ea21d4bb83852b1fb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_10a2719f-ab19-452c-9537-375fecbe5f96

MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_16ead304-8945-4359-9a8b-07013cddc8e0

MD5
7f79b990cb5ed648f9e583fe35527aa7

SHA1
71b177b48c8bd745ef02c2affad79ca222da7c33

SHA256
080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683

SHA512
20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1abda922-9e0e-4200-89d0-60796083afcc

MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_32b21970-4839-4ac5-a2ad-cc925aecc47c

MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_60554f64-a36e-4439-8748-76f202d7cb75

MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6ccb18ff-7a22-469e-90e7-ccc861e1432b

MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7bc5ca8a-50eb-4a28-856a-31595e01418a

MD5
597009ea0430a463753e0f5b1d1a249e

SHA1
4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62

SHA256
3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d

SHA512
5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7e662a2f-e896-4e75-a016-3ae8150b1984

MD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3

SHA1
81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9

SHA256
dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d

SHA512
8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a313f4c8-d26f-4b85-9517-20617d42aab3

MD5
354b8209f647a42e2ce36d8cf326cc92

SHA1
98c3117f797df69935f8b09fc9e95accfe3d8346

SHA256
feae405d288fdd38438f9d9b54f791f3ce3805f1bb88780da5aca402ad372239

SHA512
420be869b58e9a7a2c31f2550ac269df832935692a6431d455a10d9b426781e79d91e30ace2c465633b8a7ff2be1bf49734d8b99a390090dc4b36411d4391ff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bd47eb21-a96b-4ccd-99d7-0d9f3f6c10b6

MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c9b427a0-6073-4eb8-9b09-f8e4712d7ab5

MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f17b6474-938a-4a64-91dd-156a338c576c

MD5
d89968acfbd0cd60b51df04860d99896

SHA1
b3c29916ccb81ce98f95bbf3aa8a73de16298b29

SHA256
1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9

SHA512
b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
2e8c5b0b347d3d1e41b3c8740b1e3d0c

SHA1
c4e56d888e41a47fc3cd46654d12fc7f32ee2596

SHA256
72a70f51e37a772aca62ebd44b2d29e9dc8c61b49906e61385c4815665a89abd

SHA512
632b9165ccd0496b7da1ea2c618c3b02696d7623cd2d3bcf734a6973ee4cd2a7494c5ddd58b56aaff25d5d74bbe767dd5cc3cd0c109b7569888dafe5b33e5467

Download Submit
C:\Users\Admin\AppData\Local\Temp\15212455352368107708

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\15212455352368107708

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\309151772\309151772.exe

MD5
4bb8b9c11068e2f3eb42f6f9bf7ec426

SHA1
07b6d722a094456cc999951b3ec9ad87d6be0be9

SHA256
e486c003c579b3b6a40f8f111bdb760113513a68ae40efbbb61ffe326a0cdb95

SHA512
e8808de429ea654f6f81b4c7d21f242730bfcf7f079b74d699516d5639bb23b6ce530d36f4a1098e17bab2aea4d307b10289a55e4df1c459a30252ae3ce1f793

Download Submit
C:\Users\Admin\AppData\Local\Temp\309151772\309151772.exe

MD5
4bb8b9c11068e2f3eb42f6f9bf7ec426

SHA1
07b6d722a094456cc999951b3ec9ad87d6be0be9

SHA256
e486c003c579b3b6a40f8f111bdb760113513a68ae40efbbb61ffe326a0cdb95

SHA512
e8808de429ea654f6f81b4c7d21f242730bfcf7f079b74d699516d5639bb23b6ce530d36f4a1098e17bab2aea4d307b10289a55e4df1c459a30252ae3ce1f793

Download Submit
C:\Users\Admin\AppData\Local\Temp\309151772\309151772.exe

MD5
4bb8b9c11068e2f3eb42f6f9bf7ec426

SHA1
07b6d722a094456cc999951b3ec9ad87d6be0be9

SHA256
e486c003c579b3b6a40f8f111bdb760113513a68ae40efbbb61ffe326a0cdb95

SHA512
e8808de429ea654f6f81b4c7d21f242730bfcf7f079b74d699516d5639bb23b6ce530d36f4a1098e17bab2aea4d307b10289a55e4df1c459a30252ae3ce1f793

Download Submit
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe

MD5
0f7a33360cfb19513d6d5261c1dc1394

SHA1
bd14d2c349fdeb1a1e3ea4e842e370ee7572eb8a

SHA256
4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358

SHA512
d18a97a22a4e57cb010e683152b113b9586f688d57284b6fcfa1c180fa082907e86b5bcfd1cc13813ae91e518d1cd1087799d97715c3cb6aa16debe8199049a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe

MD5
0f7a33360cfb19513d6d5261c1dc1394

SHA1
bd14d2c349fdeb1a1e3ea4e842e370ee7572eb8a

SHA256
4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358

SHA512
d18a97a22a4e57cb010e683152b113b9586f688d57284b6fcfa1c180fa082907e86b5bcfd1cc13813ae91e518d1cd1087799d97715c3cb6aa16debe8199049a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe

MD5
0f7a33360cfb19513d6d5261c1dc1394

SHA1
bd14d2c349fdeb1a1e3ea4e842e370ee7572eb8a

SHA256
4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358

SHA512
d18a97a22a4e57cb010e683152b113b9586f688d57284b6fcfa1c180fa082907e86b5bcfd1cc13813ae91e518d1cd1087799d97715c3cb6aa16debe8199049a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe

MD5
0f7a33360cfb19513d6d5261c1dc1394

SHA1
bd14d2c349fdeb1a1e3ea4e842e370ee7572eb8a

SHA256
4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358

SHA512
d18a97a22a4e57cb010e683152b113b9586f688d57284b6fcfa1c180fa082907e86b5bcfd1cc13813ae91e518d1cd1087799d97715c3cb6aa16debe8199049a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe

MD5
0f7a33360cfb19513d6d5261c1dc1394

SHA1
bd14d2c349fdeb1a1e3ea4e842e370ee7572eb8a

SHA256
4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358

SHA512
d18a97a22a4e57cb010e683152b113b9586f688d57284b6fcfa1c180fa082907e86b5bcfd1cc13813ae91e518d1cd1087799d97715c3cb6aa16debe8199049a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe

MD5
0f7a33360cfb19513d6d5261c1dc1394

SHA1
bd14d2c349fdeb1a1e3ea4e842e370ee7572eb8a

SHA256
4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358

SHA512
d18a97a22a4e57cb010e683152b113b9586f688d57284b6fcfa1c180fa082907e86b5bcfd1cc13813ae91e518d1cd1087799d97715c3cb6aa16debe8199049a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
eabf984c292c370002f2ce56e18b0fda

SHA1
1a76dee0225558add9698b80d5022792aa728f0e

SHA256
775e030a0e212478e46cc21f320b1831d971bb1ab842f928eff3352552b8b8b6

SHA512
97ba1baf023d40b3c3c42a99a748902887d29b84877582e1d8d8b7dc71a8992b08871e45842f5002f04fe37ebe02373d7ac5adb09a5ddd0490b24279f4f81e0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
eabf984c292c370002f2ce56e18b0fda

SHA1
1a76dee0225558add9698b80d5022792aa728f0e

SHA256
775e030a0e212478e46cc21f320b1831d971bb1ab842f928eff3352552b8b8b6

SHA512
97ba1baf023d40b3c3c42a99a748902887d29b84877582e1d8d8b7dc71a8992b08871e45842f5002f04fe37ebe02373d7ac5adb09a5ddd0490b24279f4f81e0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
eabf984c292c370002f2ce56e18b0fda

SHA1
1a76dee0225558add9698b80d5022792aa728f0e

SHA256
775e030a0e212478e46cc21f320b1831d971bb1ab842f928eff3352552b8b8b6

SHA512
97ba1baf023d40b3c3c42a99a748902887d29b84877582e1d8d8b7dc71a8992b08871e45842f5002f04fe37ebe02373d7ac5adb09a5ddd0490b24279f4f81e0d

Download Submit
\Users\Admin\AppData\Local\Temp\309151772\309151772.exe

MD5
4bb8b9c11068e2f3eb42f6f9bf7ec426

SHA1
07b6d722a094456cc999951b3ec9ad87d6be0be9

SHA256
e486c003c579b3b6a40f8f111bdb760113513a68ae40efbbb61ffe326a0cdb95

SHA512
e8808de429ea654f6f81b4c7d21f242730bfcf7f079b74d699516d5639bb23b6ce530d36f4a1098e17bab2aea4d307b10289a55e4df1c459a30252ae3ce1f793

Download Submit
\Users\Admin\AppData\Local\Temp\309151772\309151772.exe

MD5
4bb8b9c11068e2f3eb42f6f9bf7ec426

SHA1
07b6d722a094456cc999951b3ec9ad87d6be0be9

SHA256
e486c003c579b3b6a40f8f111bdb760113513a68ae40efbbb61ffe326a0cdb95

SHA512
e8808de429ea654f6f81b4c7d21f242730bfcf7f079b74d699516d5639bb23b6ce530d36f4a1098e17bab2aea4d307b10289a55e4df1c459a30252ae3ce1f793

Download Submit
\Users\Admin\AppData\Local\Temp\309151772\309151772.exe

MD5
4bb8b9c11068e2f3eb42f6f9bf7ec426

SHA1
07b6d722a094456cc999951b3ec9ad87d6be0be9

SHA256
e486c003c579b3b6a40f8f111bdb760113513a68ae40efbbb61ffe326a0cdb95

SHA512
e8808de429ea654f6f81b4c7d21f242730bfcf7f079b74d699516d5639bb23b6ce530d36f4a1098e17bab2aea4d307b10289a55e4df1c459a30252ae3ce1f793

Download Submit
\Users\Admin\AppData\Local\Temp\309151772\309151772.exe

MD5
4bb8b9c11068e2f3eb42f6f9bf7ec426

SHA1
07b6d722a094456cc999951b3ec9ad87d6be0be9

SHA256
e486c003c579b3b6a40f8f111bdb760113513a68ae40efbbb61ffe326a0cdb95

SHA512
e8808de429ea654f6f81b4c7d21f242730bfcf7f079b74d699516d5639bb23b6ce530d36f4a1098e17bab2aea4d307b10289a55e4df1c459a30252ae3ce1f793

Download Submit
\Users\Admin\AppData\Local\Temp\309151772\309151772.exe

MD5
4bb8b9c11068e2f3eb42f6f9bf7ec426

SHA1
07b6d722a094456cc999951b3ec9ad87d6be0be9

SHA256
e486c003c579b3b6a40f8f111bdb760113513a68ae40efbbb61ffe326a0cdb95

SHA512
e8808de429ea654f6f81b4c7d21f242730bfcf7f079b74d699516d5639bb23b6ce530d36f4a1098e17bab2aea4d307b10289a55e4df1c459a30252ae3ce1f793

Download Submit
\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe

MD5
0f7a33360cfb19513d6d5261c1dc1394

SHA1
bd14d2c349fdeb1a1e3ea4e842e370ee7572eb8a

SHA256
4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358

SHA512
d18a97a22a4e57cb010e683152b113b9586f688d57284b6fcfa1c180fa082907e86b5bcfd1cc13813ae91e518d1cd1087799d97715c3cb6aa16debe8199049a0

Download Submit
\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe

MD5
0f7a33360cfb19513d6d5261c1dc1394

SHA1
bd14d2c349fdeb1a1e3ea4e842e370ee7572eb8a

SHA256
4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358

SHA512
d18a97a22a4e57cb010e683152b113b9586f688d57284b6fcfa1c180fa082907e86b5bcfd1cc13813ae91e518d1cd1087799d97715c3cb6aa16debe8199049a0

Download Submit
\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe

MD5
0f7a33360cfb19513d6d5261c1dc1394

SHA1
bd14d2c349fdeb1a1e3ea4e842e370ee7572eb8a

SHA256
4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358

SHA512
d18a97a22a4e57cb010e683152b113b9586f688d57284b6fcfa1c180fa082907e86b5bcfd1cc13813ae91e518d1cd1087799d97715c3cb6aa16debe8199049a0

Download Submit
memory/240-178-0x0000000000000000-mapping.dmp

Download
memory/240-73-0x0000000000000000-mapping.dmp

Download
memory/240-76-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/240-190-0x00000000048B2000-0x00000000048B3000-memory.dmp

Filesize
4KB

Download
memory/240-87-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/240-189-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/336-68-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download
memory/336-70-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/336-66-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/336-67-0x0000000000410AEC-mapping.dmp

Download
memory/1000-159-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/1000-157-0x0000000000000000-mapping.dmp

Download
memory/1000-164-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/1188-140-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/1188-136-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1188-138-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/1188-141-0x00000000047E2000-0x00000000047E3000-memory.dmp

Filesize
4KB

Download
memory/1188-143-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/1188-125-0x0000000000000000-mapping.dmp

Download
memory/1188-142-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/1212-134-0x0000000000000000-mapping.dmp

Download
memory/1624-197-0x000000000041B246-mapping.dmp

Download
memory/1624-207-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/1676-133-0x0000000000000000-mapping.dmp

Download
memory/1684-137-0x0000000000000000-mapping.dmp

Download
memory/1764-71-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/1764-122-0x0000000006300000-0x0000000006301000-memory.dmp

Filesize
4KB

Download
memory/1764-65-0x0000000000000000-mapping.dmp

Download
memory/1764-123-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/1764-90-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/1764-108-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/1764-77-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/1764-107-0x0000000006240000-0x0000000006241000-memory.dmp

Filesize
4KB

Download
memory/1764-100-0x00000000061B0000-0x00000000061B1000-memory.dmp

Filesize
4KB

Download
memory/1764-86-0x0000000002550000-0x000000000319A000-memory.dmp

Filesize
12.3MB

Download
memory/1764-79-0x0000000002550000-0x000000000319A000-memory.dmp

Filesize
12.3MB

Download
memory/1764-89-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/1764-98-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/1764-93-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/1764-99-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1768-139-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1768-128-0x0000000000410AEC-mapping.dmp

Download
memory/1784-175-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1784-173-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1784-170-0x0000000000000000-mapping.dmp

Download
memory/1816-181-0x0000000000410AEC-mapping.dmp

Download
memory/1944-60-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1944-64-0x0000000005140000-0x0000000005196000-memory.dmp

Filesize
344KB

Download
memory/1944-63-0x0000000001EA0000-0x0000000001EAA000-memory.dmp

Filesize
40KB

Download
memory/1944-62-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/1992-194-0x0000000000000000-mapping.dmp

Download
memory/1992-204-0x0000000002670000-0x00000000032BA000-memory.dmp

Filesize
12.3MB

Download
memory/2016-209-0x0000000000000000-mapping.dmp

Download
memory/2016-213-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download