amadey | 4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358

Analysis

max time kernel
158s
max time network
164s
platform
windows10_x64
resource
win10-en-20210920
submitted
07-10-2021 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
Size

578KB
MD5

0f7a33360cfb19513d6d5261c1dc1394
SHA1

bd14d2c349fdeb1a1e3ea4e842e370ee7572eb8a
SHA256

4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358
SHA512

d18a97a22a4e57cb010e683152b113b9586f688d57284b6fcfa1c180fa082907e86b5bcfd1cc13813ae91e518d1cd1087799d97715c3cb6aa16debe8199049a0

Score

10^/10

amadey redline infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

2.70

185.215.113.45/g4MbvE/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3864-667-0x000000000041B246-mapping.dmp	family_redline
behavioral2/memory/3864-690-0x0000000004CF0000-0x00000000052F6000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

sqtvvs.exesqtvvs.exe309151772.exe309151772.exesqtvvs.exe

pid process

1312 sqtvvs.exe
2136 sqtvvs.exe
844 309151772.exe
3864 309151772.exe
3876 sqtvvs.exe

pid	process
1312	sqtvvs.exe
2136	sqtvvs.exe
844	309151772.exe
3864	309151772.exe
3876	sqtvvs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

sqtvvs.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	sqtvvs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\309151772.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\309151772.\\309151772.exe"	sqtvvs.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exesqtvvs.exe309151772.exe

description	pid	process	target process
PID 1608 set thread context of 3552	1608	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
PID 1312 set thread context of 2136	1312	sqtvvs.exe	sqtvvs.exe
PID 844 set thread context of 3864	844	309151772.exe	309151772.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

812 schtasks.exe

pid	process
812	schtasks.exe

Modifies system certificate store 2 TTPs 13 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

sqtvvs.exe4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	sqtvvs.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sqtvvs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	sqtvvs.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	sqtvvs.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sqtvvs.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sqtvvs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	sqtvvs.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sqtvvs.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exepowershell.exepowershell.exepowershell.exe

pid	process
1608	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
1608	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
3796	powershell.exe
3796	powershell.exe
3796	powershell.exe
3540	powershell.exe
3540	powershell.exe
3540	powershell.exe
3408	powershell.exe
3408	powershell.exe
3408	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1608	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
Token: SeDebugPrivilege	3796	powershell.exe
Token: SeDebugPrivilege	3540	powershell.exe
Token: SeDebugPrivilege	3408	powershell.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exesqtvvs.exesqtvvs.execmd.exe309151772.exe

description	pid	process	target process
PID 1608 wrote to memory of 3796	1608	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	powershell.exe
PID 1608 wrote to memory of 3796	1608	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	powershell.exe
PID 1608 wrote to memory of 3796	1608	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	powershell.exe
PID 1608 wrote to memory of 3704	1608	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
PID 1608 wrote to memory of 3704	1608	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
PID 1608 wrote to memory of 3704	1608	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
PID 1608 wrote to memory of 3552	1608	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
PID 1608 wrote to memory of 3552	1608	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
PID 1608 wrote to memory of 3552	1608	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
PID 1608 wrote to memory of 3552	1608	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
PID 1608 wrote to memory of 3552	1608	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
PID 1608 wrote to memory of 3552	1608	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
PID 1608 wrote to memory of 3552	1608	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
PID 1608 wrote to memory of 3552	1608	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
PID 1608 wrote to memory of 3552	1608	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
PID 1608 wrote to memory of 3552	1608	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
PID 3552 wrote to memory of 1312	3552	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	sqtvvs.exe
PID 3552 wrote to memory of 1312	3552	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	sqtvvs.exe
PID 3552 wrote to memory of 1312	3552	4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe	sqtvvs.exe
PID 1312 wrote to memory of 3540	1312	sqtvvs.exe	powershell.exe
PID 1312 wrote to memory of 3540	1312	sqtvvs.exe	powershell.exe
PID 1312 wrote to memory of 3540	1312	sqtvvs.exe	powershell.exe
PID 1312 wrote to memory of 2136	1312	sqtvvs.exe	sqtvvs.exe
PID 1312 wrote to memory of 2136	1312	sqtvvs.exe	sqtvvs.exe
PID 1312 wrote to memory of 2136	1312	sqtvvs.exe	sqtvvs.exe
PID 1312 wrote to memory of 2136	1312	sqtvvs.exe	sqtvvs.exe
PID 1312 wrote to memory of 2136	1312	sqtvvs.exe	sqtvvs.exe
PID 1312 wrote to memory of 2136	1312	sqtvvs.exe	sqtvvs.exe
PID 1312 wrote to memory of 2136	1312	sqtvvs.exe	sqtvvs.exe
PID 1312 wrote to memory of 2136	1312	sqtvvs.exe	sqtvvs.exe
PID 1312 wrote to memory of 2136	1312	sqtvvs.exe	sqtvvs.exe
PID 1312 wrote to memory of 2136	1312	sqtvvs.exe	sqtvvs.exe
PID 2136 wrote to memory of 1300	2136	sqtvvs.exe	cmd.exe
PID 2136 wrote to memory of 1300	2136	sqtvvs.exe	cmd.exe
PID 2136 wrote to memory of 1300	2136	sqtvvs.exe	cmd.exe
PID 2136 wrote to memory of 812	2136	sqtvvs.exe	schtasks.exe
PID 2136 wrote to memory of 812	2136	sqtvvs.exe	schtasks.exe
PID 2136 wrote to memory of 812	2136	sqtvvs.exe	schtasks.exe
PID 1300 wrote to memory of 1440	1300	cmd.exe	reg.exe
PID 1300 wrote to memory of 1440	1300	cmd.exe	reg.exe
PID 1300 wrote to memory of 1440	1300	cmd.exe	reg.exe
PID 2136 wrote to memory of 844	2136	sqtvvs.exe	309151772.exe
PID 2136 wrote to memory of 844	2136	sqtvvs.exe	309151772.exe
PID 2136 wrote to memory of 844	2136	sqtvvs.exe	309151772.exe
PID 844 wrote to memory of 3408	844	309151772.exe	powershell.exe
PID 844 wrote to memory of 3408	844	309151772.exe	powershell.exe
PID 844 wrote to memory of 3408	844	309151772.exe	powershell.exe
PID 844 wrote to memory of 3864	844	309151772.exe	309151772.exe
PID 844 wrote to memory of 3864	844	309151772.exe	309151772.exe
PID 844 wrote to memory of 3864	844	309151772.exe	309151772.exe
PID 844 wrote to memory of 3864	844	309151772.exe	309151772.exe
PID 844 wrote to memory of 3864	844	309151772.exe	309151772.exe
PID 844 wrote to memory of 3864	844	309151772.exe	309151772.exe
PID 844 wrote to memory of 3864	844	309151772.exe	309151772.exe
PID 844 wrote to memory of 3864	844	309151772.exe	309151772.exe

C:\Users\Admin\AppData\Local\Temp\4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
"C:\Users\Admin\AppData\Local\Temp\4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3796
- C:\Users\Admin\AppData\Local\Temp\4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
  "C:\Users\Admin\AppData\Local\Temp\4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe"
  2⤵
  PID:3704
- C:\Users\Admin\AppData\Local\Temp\4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe
  "C:\Users\Admin\AppData\Local\Temp\4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3552
- - C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
    "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:1312
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3540
  - - C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
      "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2136
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1300
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\
        6⤵
        
        PID:1440
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:812
    - - C:\Users\Admin\AppData\Local\Temp\309151772\309151772.exe
        
        "C:\Users\Admin\AppData\Local\Temp\309151772\309151772.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:844
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\309151772\309151772.exe"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3408
      - C:\Users\Admin\AppData\Local\Temp\309151772\309151772.exe
        
        "C:\Users\Admin\AppData\Local\Temp\309151772\309151772.exe"
        6⤵
        Executes dropped EXE
        
        PID:3864

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
- Executes dropped EXE
PID:3876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

MD5
6cbddec4b2cd4d060fbff99e84cd271c

SHA1
9127a5802657129ecf7bc62f4a463a2e62c82822

SHA256
0df1c8101eef7da4dc0b8ca2c54fa46b42100823e8ee7994343ab0ecf7729173

SHA512
0f6ca0d3656c0adb78dc598ea635473e669c7f5a4264c80d9164be201945428cd5d567eb50d60e95721612811d66b60b79d01bb1c591db88de7a1809a09b9258

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_CAAD487C6DC014CC76BDDB95FED82CB0

MD5
8baa6e3bb52ecfe2939b51bf30de006a

SHA1
0a39c1e831b8f923eb705420a683a6610f430566

SHA256
c521081db2643da0124176ab42639be7da28dcc14e038f797e88f74fbf13a49c

SHA512
28cd676b574fed338d44f986afff52b8d0d8949fb900594e5677b78c176f390a08a830310c264a0d73ed0ddd3296322a1d99ad4ccd4bd275cab1d0c93ea57f9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

MD5
2bae0e8ba5d3ad73d37ea328704a6d4c

SHA1
99d75e8ac2627fad129b83eee9062bb7add34f0f

SHA256
a04c00ca765a0b8d91984914db29a4bf4f4078f54fc5844057b6280fbeae3f4f

SHA512
2fd922d885929bd7f864a865a5155a48a53fb566f55a27b5e406fc0f7a977632df3be10768ff0fe6029b5ea166afdf5e94fa74f4628579067a640b5e8dcd1bb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_CAAD487C6DC014CC76BDDB95FED82CB0

MD5
aae00b5eb5e77146a946aed05311c00c

SHA1
6bbcba03b8af3cde889ecc5cbf795db46c158838

SHA256
836112fa6b530cd8dda7c702b5989d426e0b38334c3da475213a3e32824ff67d

SHA512
45bc7e4947392650c320bae340719ab9a11bb4b842889b40522117ae38345817270faac48020e11252727490cfc82a7e3232e3d238cc5911cacc93f686da1402

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\309151772.exe.log

MD5
b4f7a6a57cb46d94b72410eb6a6d45a9

SHA1
69f3596ffa027202d391444b769ceea0ae14c5f7

SHA256
23994ebe221a48ea16ebad51ae0d4b47ccd415ae10581f9405e588d4f6c2523b

SHA512
be6da516e54c3a5b33ac2603137a2f8cf8445ff5961dd266faedf3627bae8979953d7ef305538df0151c609917a5b99bf5d023bdd32de50fd5c723950f90db5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sqtvvs.exe.log

MD5
b4f7a6a57cb46d94b72410eb6a6d45a9

SHA1
69f3596ffa027202d391444b769ceea0ae14c5f7

SHA256
23994ebe221a48ea16ebad51ae0d4b47ccd415ae10581f9405e588d4f6c2523b

SHA512
be6da516e54c3a5b33ac2603137a2f8cf8445ff5961dd266faedf3627bae8979953d7ef305538df0151c609917a5b99bf5d023bdd32de50fd5c723950f90db5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
f32cd6dc515391510b8fbb45d762fe71

SHA1
b134a2a74e29ee68f83b583985f7d366e4febd0a

SHA256
3bd33072df94c3c73484040257889003f1f4929c2b3a88b9036ef07c949d2241

SHA512
e4a5697908da312d0a9cb349d3b33097805eca658fa1b6ff8e920203930bec4cbe8ac652404251763b1d3bdcfc9051ab88c69002398e724088decc11781a09bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
56e068c974a96bee957d188ce85713ad

SHA1
0eb36c663b99139a0a439ed959882bb1bbc5fed8

SHA256
d7886eeeacb390bcf8cf1a0cb43873dee906098e11eb8ed26b1853311dbfdb36

SHA512
cefd0476f984ab92726ab00389e5a07212b42396819edaa3f6a07053ff7c4bf54ce79e27448be3610ed271bcda73d81caf8f2c01345e2056d80afc3def0344f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\15212481030822282825

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\309151772\309151772.exe

MD5
4bb8b9c11068e2f3eb42f6f9bf7ec426

SHA1
07b6d722a094456cc999951b3ec9ad87d6be0be9

SHA256
e486c003c579b3b6a40f8f111bdb760113513a68ae40efbbb61ffe326a0cdb95

SHA512
e8808de429ea654f6f81b4c7d21f242730bfcf7f079b74d699516d5639bb23b6ce530d36f4a1098e17bab2aea4d307b10289a55e4df1c459a30252ae3ce1f793

Download Submit
C:\Users\Admin\AppData\Local\Temp\309151772\309151772.exe

MD5
4bb8b9c11068e2f3eb42f6f9bf7ec426

SHA1
07b6d722a094456cc999951b3ec9ad87d6be0be9

SHA256
e486c003c579b3b6a40f8f111bdb760113513a68ae40efbbb61ffe326a0cdb95

SHA512
e8808de429ea654f6f81b4c7d21f242730bfcf7f079b74d699516d5639bb23b6ce530d36f4a1098e17bab2aea4d307b10289a55e4df1c459a30252ae3ce1f793

Download Submit
C:\Users\Admin\AppData\Local\Temp\309151772\309151772.exe

MD5
4bb8b9c11068e2f3eb42f6f9bf7ec426

SHA1
07b6d722a094456cc999951b3ec9ad87d6be0be9

SHA256
e486c003c579b3b6a40f8f111bdb760113513a68ae40efbbb61ffe326a0cdb95

SHA512
e8808de429ea654f6f81b4c7d21f242730bfcf7f079b74d699516d5639bb23b6ce530d36f4a1098e17bab2aea4d307b10289a55e4df1c459a30252ae3ce1f793

Download Submit
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe

MD5
0f7a33360cfb19513d6d5261c1dc1394

SHA1
bd14d2c349fdeb1a1e3ea4e842e370ee7572eb8a

SHA256
4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358

SHA512
d18a97a22a4e57cb010e683152b113b9586f688d57284b6fcfa1c180fa082907e86b5bcfd1cc13813ae91e518d1cd1087799d97715c3cb6aa16debe8199049a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe

MD5
0f7a33360cfb19513d6d5261c1dc1394

SHA1
bd14d2c349fdeb1a1e3ea4e842e370ee7572eb8a

SHA256
4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358

SHA512
d18a97a22a4e57cb010e683152b113b9586f688d57284b6fcfa1c180fa082907e86b5bcfd1cc13813ae91e518d1cd1087799d97715c3cb6aa16debe8199049a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe

MD5
0f7a33360cfb19513d6d5261c1dc1394

SHA1
bd14d2c349fdeb1a1e3ea4e842e370ee7572eb8a

SHA256
4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358

SHA512
d18a97a22a4e57cb010e683152b113b9586f688d57284b6fcfa1c180fa082907e86b5bcfd1cc13813ae91e518d1cd1087799d97715c3cb6aa16debe8199049a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe

MD5
0f7a33360cfb19513d6d5261c1dc1394

SHA1
bd14d2c349fdeb1a1e3ea4e842e370ee7572eb8a

SHA256
4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358

SHA512
d18a97a22a4e57cb010e683152b113b9586f688d57284b6fcfa1c180fa082907e86b5bcfd1cc13813ae91e518d1cd1087799d97715c3cb6aa16debe8199049a0

Download Submit
memory/812-404-0x0000000000000000-mapping.dmp

Download
memory/844-653-0x0000000000000000-mapping.dmp

Download
memory/844-663-0x0000000004EA0000-0x0000000004F32000-memory.dmp

Filesize
584KB

Download
memory/1300-403-0x0000000000000000-mapping.dmp

Download
memory/1312-134-0x0000000000000000-mapping.dmp

Download
memory/1312-149-0x0000000004CB0000-0x0000000004D42000-memory.dmp

Filesize
584KB

Download
memory/1440-409-0x0000000000000000-mapping.dmp

Download
memory/1608-119-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/1608-122-0x0000000004FB0000-0x0000000004FBA000-memory.dmp

Filesize
40KB

Download
memory/1608-120-0x00000000049A0000-0x0000000004A32000-memory.dmp

Filesize
584KB

Download
memory/1608-117-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/1608-121-0x0000000005FC0000-0x0000000005FC1000-memory.dmp

Filesize
4KB

Download
memory/1608-118-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/1608-115-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/1608-123-0x0000000006140000-0x0000000006196000-memory.dmp

Filesize
344KB

Download
memory/2136-410-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2136-395-0x0000000000410AEC-mapping.dmp

Download
memory/3408-665-0x0000000000000000-mapping.dmp

Download
memory/3408-820-0x0000000004103000-0x0000000004104000-memory.dmp

Filesize
4KB

Download
memory/3408-688-0x0000000004100000-0x0000000004101000-memory.dmp

Filesize
4KB

Download
memory/3408-689-0x0000000004102000-0x0000000004103000-memory.dmp

Filesize
4KB

Download
memory/3540-411-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/3540-412-0x0000000002D62000-0x0000000002D63000-memory.dmp

Filesize
4KB

Download
memory/3540-507-0x0000000002D63000-0x0000000002D64000-memory.dmp

Filesize
4KB

Download
memory/3540-506-0x000000007EEE0000-0x000000007EEE1000-memory.dmp

Filesize
4KB

Download
memory/3540-436-0x0000000009060000-0x0000000009061000-memory.dmp

Filesize
4KB

Download
memory/3540-408-0x00000000078C0000-0x00000000078C1000-memory.dmp

Filesize
4KB

Download
memory/3540-393-0x0000000000000000-mapping.dmp

Download
memory/3540-415-0x0000000008240000-0x0000000008241000-memory.dmp

Filesize
4KB

Download
memory/3552-127-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3552-128-0x0000000000410AEC-mapping.dmp

Download
memory/3552-133-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3796-170-0x00000000097D0000-0x00000000097D1000-memory.dmp

Filesize
4KB

Download
memory/3796-147-0x00000000079A0000-0x00000000079A1000-memory.dmp

Filesize
4KB

Download
memory/3796-154-0x0000000008B90000-0x0000000008B91000-memory.dmp

Filesize
4KB

Download
memory/3796-163-0x00000000097F0000-0x0000000009823000-memory.dmp

Filesize
204KB

Download
memory/3796-175-0x0000000009B40000-0x0000000009B41000-memory.dmp

Filesize
4KB

Download
memory/3796-176-0x000000007F260000-0x000000007F261000-memory.dmp

Filesize
4KB

Download
memory/3796-177-0x0000000005083000-0x0000000005084000-memory.dmp

Filesize
4KB

Download
memory/3796-153-0x0000000008760000-0x0000000008761000-memory.dmp

Filesize
4KB

Download
memory/3796-152-0x00000000083D0000-0x00000000083D1000-memory.dmp

Filesize
4KB

Download
memory/3796-150-0x0000000008360000-0x0000000008361000-memory.dmp

Filesize
4KB

Download
memory/3796-148-0x0000000008260000-0x0000000008261000-memory.dmp

Filesize
4KB

Download
memory/3796-155-0x0000000008A60000-0x0000000008A61000-memory.dmp

Filesize
4KB

Download
memory/3796-124-0x0000000000000000-mapping.dmp

Download
memory/3796-178-0x0000000009D60000-0x0000000009D61000-memory.dmp

Filesize
4KB

Download
memory/3796-131-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/3796-132-0x0000000005082000-0x0000000005083000-memory.dmp

Filesize
4KB

Download
memory/3796-130-0x0000000007A50000-0x0000000007A51000-memory.dmp

Filesize
4KB

Download
memory/3796-129-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/3796-377-0x0000000009CA0000-0x0000000009CA1000-memory.dmp

Filesize
4KB

Download
memory/3796-371-0x0000000009CC0000-0x0000000009CC1000-memory.dmp

Filesize
4KB

Download
memory/3864-690-0x0000000004CF0000-0x00000000052F6000-memory.dmp

Filesize
6.0MB

Download
memory/3864-667-0x000000000041B246-mapping.dmp

Download