amadey | f3f3e212e84f0c9c375aa5bc3d9de63c2ddc2b5704d784006067390abaae57b3

Analysis

max time kernel
151s
max time network
123s
platform
windows10_x64
resource
win10-en-20211014
submitted
24-10-2021 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

toolspab2.exe
Size

334KB
MD5

c33f5b894962328a5167e37c51edecc3
SHA1

c91eb850ab475ff69b6869f30eabcb0fee887e71
SHA256

f3f3e212e84f0c9c375aa5bc3d9de63c2ddc2b5704d784006067390abaae57b3
SHA512

0e331f7f16312edd361cd3e238d92a01952524af1ad8e348731b4fbdb47ef86224b606b3c6a4f67511dceb5a30e77d7357ee9457e16ef99f86283432b04d4937

Score

10^/10

amadey redline smokeloader backdoor discovery evasion infostealer spyware stealer themida trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://xacokuo8.top/

http://hajezey1.top/

rc4.i32

Extracted

Family

amadey

Version

2.70

185.215.113.45/g4MbvE/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1920-133-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/1920-134-0x0000000000418D06-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file
Executes dropped EXE 8 IoCs

Processes:

4BCA.exe4BCA.exe6658.exe6658.exe7A2F.exe7E9.exe7E9.exesqtvvs.exe

pid process

3348 4BCA.exe
3552 4BCA.exe
2880 6658.exe
1920 6658.exe
3000 7A2F.exe
2436 7E9.exe
832 7E9.exe
4012 sqtvvs.exe

pid	process
3348	4BCA.exe
3552	4BCA.exe
2880	6658.exe
1920	6658.exe
3000	7A2F.exe
2436	7E9.exe
832	7E9.exe
4012	sqtvvs.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7A2F.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7A2F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7A2F.exe

Deletes itself 1 IoCs

Processes:

pid process

3008
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3008

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7A2F.exe	themida
behavioral2/memory/3000-147-0x0000000000030000-0x0000000000031000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

7A2F.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 7A2F.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

7A2F.exe

pid process

3000 7A2F.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7A2F.exe

pid	process
3000	7A2F.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

toolspab2.exe4BCA.exe6658.exe7E9.exe

description	pid	process	target process
PID 2736 set thread context of 3760	2736	toolspab2.exe	toolspab2.exe
PID 3348 set thread context of 3552	3348	4BCA.exe	4BCA.exe
PID 2880 set thread context of 1920	2880	6658.exe	6658.exe
PID 2436 set thread context of 832	2436	7E9.exe	7E9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspab2.exe4BCA.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4BCA.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4BCA.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4BCA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab2.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2400 schtasks.exe

pid	process
2400	schtasks.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

7E9.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	7E9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	7E9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	7E9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	7E9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	7E9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	7E9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	7E9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	7E9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	7E9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	7E9.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	7E9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	7E9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

toolspab2.exe

pid	process
3760	toolspab2.exe
3760	toolspab2.exe
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3008
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

toolspab2.exe4BCA.exe

pid process

3760 toolspab2.exe
3552 4BCA.exe

pid	process
3008

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

6658.exe7A2F.exe7E9.exepowershell.exesqtvvs.exe

description	pid	process
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeDebugPrivilege	1920	6658.exe
Token: SeDebugPrivilege	3000	7A2F.exe
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeDebugPrivilege	2436	7E9.exe
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeDebugPrivilege	3544	powershell.exe
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeDebugPrivilege	4012	sqtvvs.exe
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

toolspab2.exe4BCA.exe6658.exe7E9.exe7E9.exe

description	pid	process	target process
PID 2736 wrote to memory of 3760	2736	toolspab2.exe	toolspab2.exe
PID 2736 wrote to memory of 3760	2736	toolspab2.exe	toolspab2.exe
PID 2736 wrote to memory of 3760	2736	toolspab2.exe	toolspab2.exe
PID 2736 wrote to memory of 3760	2736	toolspab2.exe	toolspab2.exe
PID 2736 wrote to memory of 3760	2736	toolspab2.exe	toolspab2.exe
PID 2736 wrote to memory of 3760	2736	toolspab2.exe	toolspab2.exe
PID 3008 wrote to memory of 3348	3008		4BCA.exe
PID 3008 wrote to memory of 3348	3008		4BCA.exe
PID 3008 wrote to memory of 3348	3008		4BCA.exe
PID 3348 wrote to memory of 3552	3348	4BCA.exe	4BCA.exe
PID 3348 wrote to memory of 3552	3348	4BCA.exe	4BCA.exe
PID 3348 wrote to memory of 3552	3348	4BCA.exe	4BCA.exe
PID 3348 wrote to memory of 3552	3348	4BCA.exe	4BCA.exe
PID 3348 wrote to memory of 3552	3348	4BCA.exe	4BCA.exe
PID 3348 wrote to memory of 3552	3348	4BCA.exe	4BCA.exe
PID 3008 wrote to memory of 2880	3008		6658.exe
PID 3008 wrote to memory of 2880	3008		6658.exe
PID 3008 wrote to memory of 2880	3008		6658.exe
PID 2880 wrote to memory of 1920	2880	6658.exe	6658.exe
PID 2880 wrote to memory of 1920	2880	6658.exe	6658.exe
PID 2880 wrote to memory of 1920	2880	6658.exe	6658.exe
PID 2880 wrote to memory of 1920	2880	6658.exe	6658.exe
PID 2880 wrote to memory of 1920	2880	6658.exe	6658.exe
PID 2880 wrote to memory of 1920	2880	6658.exe	6658.exe
PID 2880 wrote to memory of 1920	2880	6658.exe	6658.exe
PID 2880 wrote to memory of 1920	2880	6658.exe	6658.exe
PID 3008 wrote to memory of 3000	3008		7A2F.exe
PID 3008 wrote to memory of 3000	3008		7A2F.exe
PID 3008 wrote to memory of 3000	3008		7A2F.exe
PID 3008 wrote to memory of 2436	3008		7E9.exe
PID 3008 wrote to memory of 2436	3008		7E9.exe
PID 3008 wrote to memory of 2436	3008		7E9.exe
PID 2436 wrote to memory of 3544	2436	7E9.exe	powershell.exe
PID 2436 wrote to memory of 3544	2436	7E9.exe	powershell.exe
PID 2436 wrote to memory of 3544	2436	7E9.exe	powershell.exe
PID 2436 wrote to memory of 2400	2436	7E9.exe	schtasks.exe
PID 2436 wrote to memory of 2400	2436	7E9.exe	schtasks.exe
PID 2436 wrote to memory of 2400	2436	7E9.exe	schtasks.exe
PID 2436 wrote to memory of 832	2436	7E9.exe	7E9.exe
PID 2436 wrote to memory of 832	2436	7E9.exe	7E9.exe
PID 2436 wrote to memory of 832	2436	7E9.exe	7E9.exe
PID 2436 wrote to memory of 832	2436	7E9.exe	7E9.exe
PID 2436 wrote to memory of 832	2436	7E9.exe	7E9.exe
PID 2436 wrote to memory of 832	2436	7E9.exe	7E9.exe
PID 2436 wrote to memory of 832	2436	7E9.exe	7E9.exe
PID 2436 wrote to memory of 832	2436	7E9.exe	7E9.exe
PID 2436 wrote to memory of 832	2436	7E9.exe	7E9.exe
PID 2436 wrote to memory of 832	2436	7E9.exe	7E9.exe
PID 832 wrote to memory of 4012	832	7E9.exe	sqtvvs.exe
PID 832 wrote to memory of 4012	832	7E9.exe	sqtvvs.exe
PID 832 wrote to memory of 4012	832	7E9.exe	sqtvvs.exe

C:\Users\Admin\AppData\Local\Temp\toolspab2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspab2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2736

C:\Users\Admin\AppData\Local\Temp\toolspab2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspab2.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3760

C:\Users\Admin\AppData\Local\Temp\4BCA.exe
C:\Users\Admin\AppData\Local\Temp\4BCA.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3348

C:\Users\Admin\AppData\Local\Temp\4BCA.exe
C:\Users\Admin\AppData\Local\Temp\4BCA.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3552

C:\Users\Admin\AppData\Local\Temp\6658.exe
C:\Users\Admin\AppData\Local\Temp\6658.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2880

C:\Users\Admin\AppData\Local\Temp\6658.exe
C:\Users\Admin\AppData\Local\Temp\6658.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Users\Admin\AppData\Local\Temp\7A2F.exe
C:\Users\Admin\AppData\Local\Temp\7A2F.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Users\Admin\AppData\Local\Temp\7E9.exe
C:\Users\Admin\AppData\Local\Temp\7E9.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7E9.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DtwQfNsp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB8E7.tmp"
2⤵
- Creates scheduled task(s)
PID:2400

C:\Users\Admin\AppData\Local\Temp\7E9.exe
"C:\Users\Admin\AppData\Local\Temp\7E9.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
"C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
MD5
e76686fec5c2554e4d517cea97b70ee0

SHA1
9a5e81d94c3178afae9d4cabf99b4e5159bfc02c

SHA256
4d122af86946dd3f99b7eca4af8151f420db21c627eb6883bac5f12abcdf101b

SHA512
61d8cd211e41e73be4d3c7a3966cd2e8e949f11fdd4f3bd4a42b2a476273f1680eb6c7640ecb0cec3e399c25799d150e2631e0ffb6c2b9c6b7c9961d084e7eab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_CAAD487C6DC014CC76BDDB95FED82CB0
MD5
9413c455af38f14ff664bb49b151903c

SHA1
9bc0ff597c433f911746eefeb64454e01e1cab50

SHA256
95a28fa5a61fd0dbd19799b2ea321bc9a90b56e0a1abe2020e0bbb50339b77c3

SHA512
dfcce638b4a8ea8c4c0ea7d69642673df44f18b1fe9c946b9c2e68b04a86243848590b4a444294109467f9e3f0ae71f417c7588592f022093ce441b7cf5c3878

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
MD5
abac41c3be418544e5e561b64177d637

SHA1
2204433594538824b5c808d7774dfcf92c4a1b7a

SHA256
2870922c7047e6b5703c14988abc5ef5d93009e1fa4ce739ff36a9ad0aa1131f

SHA512
8162bcd8d2af01593ea75fd8bd518ea9dd91b5f61e0fd6c33d6c983ad2e4b5b561d31d456519b507317a98670a358dee6a570a023b89be83ae3ca59411aafc01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_CAAD487C6DC014CC76BDDB95FED82CB0
MD5
5c7a23f1b66d50e298477bcdfe2b6a4f

SHA1
c5eec7e80e243d4834cfee2358104bb0b3c2e9a6

SHA256
696d56f7614b460455eae1696b1e1fe03151326b6b8c84370a689fea44fe4764

SHA512
3dba0a624b104eca3bf39efcd7359e15e9de4a93f6c21626c3ed129bf34f7ac2c34fd60ee097c2aa21631c16445dcaf911f83f916de0b425daf4db72466d8731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6658.exe.log
MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4BCA.exe
MD5
661a32c0d713d6ee0d478904c088b2d3

SHA1
24875cfbea7f8b45af94e3bb1ba8fb4541b9fa11

SHA256
b6caee45c87c15b789975b63f5ee6edfb1be6c7ef8c5854c2decdfe501797fc0

SHA512
a1809692b3a8eba590357735c4d5c5cf2716af4c52103662326f02951820846b513604eda0902399cb461d8879208ae9cc0a653a9712ccf9cc4e73221449ccbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\4BCA.exe
MD5
661a32c0d713d6ee0d478904c088b2d3

SHA1
24875cfbea7f8b45af94e3bb1ba8fb4541b9fa11

SHA256
b6caee45c87c15b789975b63f5ee6edfb1be6c7ef8c5854c2decdfe501797fc0

SHA512
a1809692b3a8eba590357735c4d5c5cf2716af4c52103662326f02951820846b513604eda0902399cb461d8879208ae9cc0a653a9712ccf9cc4e73221449ccbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\4BCA.exe
MD5
661a32c0d713d6ee0d478904c088b2d3

SHA1
24875cfbea7f8b45af94e3bb1ba8fb4541b9fa11

SHA256
b6caee45c87c15b789975b63f5ee6edfb1be6c7ef8c5854c2decdfe501797fc0

SHA512
a1809692b3a8eba590357735c4d5c5cf2716af4c52103662326f02951820846b513604eda0902399cb461d8879208ae9cc0a653a9712ccf9cc4e73221449ccbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
MD5
89064b763c28aee6acd46af84406077e

SHA1
82c03a9a0e097c3eda89fb34615837c1bc2f7415

SHA256
21eecb27d5ecd7bbe138753c81feae747adc5d3aa6ee265dd153905ed03fcfb9

SHA512
5554f98e2b9cdf01b9243366e9782c93174cfd25fbaecd93090c815d2a3974e5ce38a7a80691dc55f7629cb4717cade94d452dc316da40ed3caf069c025a8d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
MD5
89064b763c28aee6acd46af84406077e

SHA1
82c03a9a0e097c3eda89fb34615837c1bc2f7415

SHA256
21eecb27d5ecd7bbe138753c81feae747adc5d3aa6ee265dd153905ed03fcfb9

SHA512
5554f98e2b9cdf01b9243366e9782c93174cfd25fbaecd93090c815d2a3974e5ce38a7a80691dc55f7629cb4717cade94d452dc316da40ed3caf069c025a8d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\6658.exe
MD5
a9cf6b07b6ee36d4986bd67429634417

SHA1
5343ed7b750d6f4b4710380bbd14301936db982e

SHA256
56ea2e765364d6f517e434e8238c96fb0fffef20c8714cf55d41ab98163e66e5

SHA512
4e6a3cbfb3b80abc8f5e23c7142097a180154eec2fa0737378930bba26a14f7601bb8d2d748b2a188cc674656fdfff90d0d5843e23e8c3db8541f5a061fd8af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6658.exe
MD5
a9cf6b07b6ee36d4986bd67429634417

SHA1
5343ed7b750d6f4b4710380bbd14301936db982e

SHA256
56ea2e765364d6f517e434e8238c96fb0fffef20c8714cf55d41ab98163e66e5

SHA512
4e6a3cbfb3b80abc8f5e23c7142097a180154eec2fa0737378930bba26a14f7601bb8d2d748b2a188cc674656fdfff90d0d5843e23e8c3db8541f5a061fd8af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6658.exe
MD5
a9cf6b07b6ee36d4986bd67429634417

SHA1
5343ed7b750d6f4b4710380bbd14301936db982e

SHA256
56ea2e765364d6f517e434e8238c96fb0fffef20c8714cf55d41ab98163e66e5

SHA512
4e6a3cbfb3b80abc8f5e23c7142097a180154eec2fa0737378930bba26a14f7601bb8d2d748b2a188cc674656fdfff90d0d5843e23e8c3db8541f5a061fd8af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7A2F.exe
MD5
d0c332dd942a7b680063c4eca607f2c4

SHA1
d57b7c95c258c968e7e2f5cd39bf52928cd587fd

SHA256
756f3dc3ceb0db783e3f1cabd10ee6a3af4688147adde714cdea6f226e5f0024

SHA512
70abbdaedfbc7ff4fb06ccd619ad812cb2731e7448d5055a414a609d048fc95067594e2ee74f35284d671b8d618d1914232e20d5cc7d862726a3138c4ec61019

Download Submit
C:\Users\Admin\AppData\Local\Temp\7E9.exe
MD5
89064b763c28aee6acd46af84406077e

SHA1
82c03a9a0e097c3eda89fb34615837c1bc2f7415

SHA256
21eecb27d5ecd7bbe138753c81feae747adc5d3aa6ee265dd153905ed03fcfb9

SHA512
5554f98e2b9cdf01b9243366e9782c93174cfd25fbaecd93090c815d2a3974e5ce38a7a80691dc55f7629cb4717cade94d452dc316da40ed3caf069c025a8d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\7E9.exe
MD5
89064b763c28aee6acd46af84406077e

SHA1
82c03a9a0e097c3eda89fb34615837c1bc2f7415

SHA256
21eecb27d5ecd7bbe138753c81feae747adc5d3aa6ee265dd153905ed03fcfb9

SHA512
5554f98e2b9cdf01b9243366e9782c93174cfd25fbaecd93090c815d2a3974e5ce38a7a80691dc55f7629cb4717cade94d452dc316da40ed3caf069c025a8d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\7E9.exe
MD5
89064b763c28aee6acd46af84406077e

SHA1
82c03a9a0e097c3eda89fb34615837c1bc2f7415

SHA256
21eecb27d5ecd7bbe138753c81feae747adc5d3aa6ee265dd153905ed03fcfb9

SHA512
5554f98e2b9cdf01b9243366e9782c93174cfd25fbaecd93090c815d2a3974e5ce38a7a80691dc55f7629cb4717cade94d452dc316da40ed3caf069c025a8d32

Download Submit
memory/832-198-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/832-183-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/832-185-0x0000000000410AEC-mapping.dmp

Download
memory/1920-169-0x00000000076E0000-0x00000000076E1000-memory.dmp

Filesize
4KB

Download
memory/1920-159-0x0000000006730000-0x0000000006731000-memory.dmp

Filesize
4KB

Download
memory/1920-140-0x0000000005590000-0x0000000005591000-memory.dmp

Filesize
4KB

Download
memory/1920-143-0x0000000005410000-0x0000000005A16000-memory.dmp

Filesize
6.0MB

Download
memory/1920-144-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/1920-133-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1920-152-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/1920-167-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

Filesize
4KB

Download
memory/1920-138-0x0000000005A20000-0x0000000005A21000-memory.dmp

Filesize
4KB

Download
memory/1920-134-0x0000000000418D06-mapping.dmp

Download
memory/1920-139-0x0000000005460000-0x0000000005461000-memory.dmp

Filesize
4KB

Download
memory/2400-182-0x0000000000000000-mapping.dmp

Download
memory/2436-175-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/2436-176-0x0000000005A80000-0x0000000005A81000-memory.dmp

Filesize
4KB

Download
memory/2436-177-0x0000000001181000-0x0000000001182000-memory.dmp

Filesize
4KB

Download
memory/2436-172-0x0000000000000000-mapping.dmp

Download
memory/2736-115-0x0000000000AA1000-0x0000000000AB2000-memory.dmp

Filesize
68KB

Download
memory/2736-116-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/2880-128-0x0000000000000000-mapping.dmp

Download
memory/2880-131-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/3000-141-0x0000000000000000-mapping.dmp

Download
memory/3000-157-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/3000-156-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/3000-161-0x00000000062B0000-0x00000000062B1000-memory.dmp

Filesize
4KB

Download
memory/3000-163-0x00000000063D0000-0x00000000063D1000-memory.dmp

Filesize
4KB

Download
memory/3000-155-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3000-147-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/3000-165-0x0000000006680000-0x0000000006681000-memory.dmp

Filesize
4KB

Download
memory/3008-119-0x0000000001490000-0x00000000014A6000-memory.dmp

Filesize
88KB

Download
memory/3008-127-0x0000000002DD0000-0x0000000002DE6000-memory.dmp

Filesize
88KB

Download
memory/3348-120-0x0000000000000000-mapping.dmp

Download
memory/3544-199-0x00000000077E0000-0x00000000077E1000-memory.dmp

Filesize
4KB

Download
memory/3544-203-0x0000000007CD0000-0x0000000007CD1000-memory.dmp

Filesize
4KB

Download
memory/3544-192-0x0000000006EF0000-0x0000000006EF1000-memory.dmp

Filesize
4KB

Download
memory/3544-297-0x0000000006A03000-0x0000000006A04000-memory.dmp

Filesize
4KB

Download
memory/3544-227-0x000000007E760000-0x000000007E761000-memory.dmp

Filesize
4KB

Download
memory/3544-181-0x0000000001360000-0x0000000001361000-memory.dmp

Filesize
4KB

Download
memory/3544-180-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/3544-221-0x0000000008F40000-0x0000000008F41000-memory.dmp

Filesize
4KB

Download
memory/3544-214-0x0000000008F60000-0x0000000008F93000-memory.dmp

Filesize
204KB

Download
memory/3544-179-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/3544-189-0x0000000006A02000-0x0000000006A03000-memory.dmp

Filesize
4KB

Download
memory/3544-207-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/3544-187-0x0000000006A00000-0x0000000006A01000-memory.dmp

Filesize
4KB

Download
memory/3544-178-0x0000000000000000-mapping.dmp

Download
memory/3544-201-0x0000000007880000-0x0000000007881000-memory.dmp

Filesize
4KB

Download
memory/3544-202-0x00000000077C0000-0x00000000077C1000-memory.dmp

Filesize
4KB

Download
memory/3544-184-0x0000000007040000-0x0000000007041000-memory.dmp

Filesize
4KB

Download
memory/3552-125-0x0000000000402E0C-mapping.dmp

Download
memory/3760-117-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3760-118-0x0000000000402E0C-mapping.dmp

Download
memory/4012-204-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/4012-205-0x0000000000A41000-0x0000000000A42000-memory.dmp

Filesize
4KB

Download
memory/4012-188-0x0000000000000000-mapping.dmp

Download
memory/4012-193-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download