redline | 326c2c9f4f724fb74c0d826aaa93c3c86140a26bd2c0f27a37407ac1dbdc7c59

Analysis

max time kernel
131s
max time network
153s
platform
windows7_x64
resource
win7v20210408
submitted
08-07-2021 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7BC7179DE05E8CF9D280ADDF85E172E7.exe
Size

3.7MB
MD5

7bc7179de05e8cf9d280addf85e172e7
SHA1

e733fa5ce12fa0f13432106d95fa1f7ed4e6c70d
SHA256

326c2c9f4f724fb74c0d826aaa93c3c86140a26bd2c0f27a37407ac1dbdc7c59
SHA512

5f1f3dddd398579710f8617e2175679790e62d51abef419c4fc03fe14377e6d4587e9d90f681773c331323ab5cfeeca8bba7565ab269503b535e860b34c10ca1

Score

10^/10

redline smokeloader ani cana aspackv2 backdoor discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

Cana

176.111.174.254:56328

Extracted

Family

redline

Botnet

Ani

detuyaluro.xyz:80

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

resource	yara_rule
behavioral1/memory/1632-189-0x0000000003150000-0x000000000316B000-memory.dmp	family_redline
behavioral1/memory/1632-195-0x0000000004610000-0x0000000004629000-memory.dmp	family_redline
behavioral1/memory/1564-214-0x00000000005F0000-0x0000000000627000-memory.dmp	family_redline
behavioral1/memory/2052-232-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2052-233-0x0000000000417E22-mapping.dmp	family_redline
behavioral1/memory/2052-235-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

ASPack v2.12-2.42 14 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00030000000130dc-69.dat	aspack_v212_v242
behavioral1/files/0x00030000000130dc-71.dat	aspack_v212_v242
behavioral1/files/0x00030000000130dc-70.dat	aspack_v212_v242
behavioral1/files/0x00030000000130dc-73.dat	aspack_v212_v242
behavioral1/files/0x00030000000130d8-76.dat	aspack_v212_v242
behavioral1/files/0x00030000000130d8-77.dat	aspack_v212_v242
behavioral1/files/0x00030000000130d7-78.dat	aspack_v212_v242
behavioral1/files/0x00030000000130d7-79.dat	aspack_v212_v242
behavioral1/files/0x00030000000130da-82.dat	aspack_v212_v242
behavioral1/files/0x00030000000130da-83.dat	aspack_v212_v242
behavioral1/files/0x00030000000130dc-86.dat	aspack_v212_v242
behavioral1/files/0x00030000000130dc-88.dat	aspack_v212_v242
behavioral1/files/0x00030000000130dc-87.dat	aspack_v212_v242
behavioral1/files/0x00030000000130dc-85.dat	aspack_v212_v242

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	JFHGSFGSIUGFSUIG.exe

Executes dropped EXE 27 IoCs

pid	Process
2040	setup_installer.exe
1496	setup_install.exe
1828	sahiba_1.exe
1896	sahiba_2.exe
1776	sahiba_5.exe
1768	sahiba_7.exe
1064	sahiba_4.exe
1468	sahiba_6.exe
864	sahiba_9.exe
1632	sahiba_8.exe
1428	sahiba_5.tmp
1324	5981483.exe
1288	5064815.exe
1564	4985568.exe
1576	WinHoster.exe
984	JFHGSFGSIUGFSUIG.exe
2052	sahiba_9.exe
2332	ultramediaburner.exe
2348	ultramediaburner.tmp
2372	Raetaelaemiwa.exe
2412	UltraMediaBurner.exe
2448	Jaeweshaeqyshi.exe
2264	Setup3310.exe
1828	Setup3310.tmp
2208	QfYFtoplsxFDylFd0zYOXSCY.exe
800	h0QbI33TwXyhIUmkOY4FhNns.exe
1848	ZiBO6Z2VR_p_s12zVqfBdTqZ.exe

Loads dropped DLL 64 IoCs

pid	Process
1992	7BC7179DE05E8CF9D280ADDF85E172E7.exe
2040	setup_installer.exe
2040	setup_installer.exe
2040	setup_installer.exe
2040	setup_installer.exe
2040	setup_installer.exe
2040	setup_installer.exe
1496	setup_install.exe
1496	setup_install.exe
1496	setup_install.exe
1496	setup_install.exe
1496	setup_install.exe
1496	setup_install.exe
1496	setup_install.exe
1496	setup_install.exe
1044	cmd.exe
1396	cmd.exe
1396	cmd.exe
820	cmd.exe
1380	cmd.exe
1460	cmd.exe
1896	sahiba_2.exe
1896	sahiba_2.exe
1888	cmd.exe
1776	sahiba_5.exe
1776	sahiba_5.exe
1588	cmd.exe
2036	cmd.exe
2036	cmd.exe
864	sahiba_9.exe
864	sahiba_9.exe
1632	sahiba_8.exe
1632	sahiba_8.exe
1776	sahiba_5.exe
1428	sahiba_5.tmp
1428	sahiba_5.tmp
1428	sahiba_5.tmp
1896	sahiba_2.exe
1324	5981483.exe
1324	5981483.exe
1288	5064815.exe
1288	5064815.exe
1564	4985568.exe
1564	4985568.exe
1288	5064815.exe
1576	WinHoster.exe
1576	WinHoster.exe
1428	sahiba_5.tmp
864	sahiba_9.exe
2052	sahiba_9.exe
2052	sahiba_9.exe
2332	ultramediaburner.exe
2332	ultramediaburner.exe
2332	ultramediaburner.exe
2348	ultramediaburner.tmp
2348	ultramediaburner.tmp
2348	ultramediaburner.tmp
2348	ultramediaburner.tmp
2348	ultramediaburner.tmp
2348	ultramediaburner.tmp
1768	sahiba_7.exe
1768	sahiba_7.exe
2264	Setup3310.exe
2264	Setup3310.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	5064815.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Reference Assemblies\\Pashyxetynae.exe\""	JFHGSFGSIUGFSUIG.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
47	ipinfo.io
49	ipinfo.io
139	ipinfo.io

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 864 set thread context of 2052	864	sahiba_9.exe	58

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\GUJFIMRALB\ultramediaburner.exe	JFHGSFGSIUGFSUIG.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-CE8IO.tmp	ultramediaburner.tmp
File created	C:\Program Files\Windows Media Player\GUJFIMRALB\ultramediaburner.exe.config	JFHGSFGSIUGFSUIG.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-399T6.tmp	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\Reference Assemblies\Pashyxetynae.exe	JFHGSFGSIUGFSUIG.exe
File created	C:\Program Files (x86)\Reference Assemblies\Pashyxetynae.exe.config	JFHGSFGSIUGFSUIG.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe

Modifies Internet Explorer settings 1 TTPs 23 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FE0B69B1-E006-11EB-AC20-62C8A5B8B9AA} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Jaeweshaeqyshi.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Jaeweshaeqyshi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	sahiba_7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	sahiba_7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	sahiba_6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sahiba_6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Jaeweshaeqyshi.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	141	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	138	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2264	Setup3310.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1896	sahiba_2.exe
1896	sahiba_2.exe
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1196	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1896	sahiba_2.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	1468	sahiba_6.exe
Token: SeDebugPrivilege	1324	5981483.exe
Token: SeDebugPrivilege	1564	4985568.exe
Token: SeDebugPrivilege	1632	sahiba_8.exe
Token: SeDebugPrivilege	864	sahiba_9.exe
Token: SeDebugPrivilege	2052	sahiba_9.exe
Token: SeShutdownPrivilege	1196	Process not Found
Token: SeShutdownPrivilege	1196	Process not Found
Token: SeShutdownPrivilege	1196	Process not Found
Token: SeShutdownPrivilege	1196	Process not Found
Token: SeShutdownPrivilege	1196	Process not Found
Token: SeDebugPrivilege	2448	Jaeweshaeqyshi.exe
Token: SeShutdownPrivilege	1196	Process not Found
Token: SeShutdownPrivilege	1196	Process not Found
Token: SeShutdownPrivilege	1196	Process not Found
Token: SeShutdownPrivilege	1196	Process not Found
Token: SeShutdownPrivilege	1196	Process not Found

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
2348	ultramediaburner.tmp

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2736	iexplore.exe
2736	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2040	1992	7BC7179DE05E8CF9D280ADDF85E172E7.exe	26
PID 1992 wrote to memory of 2040	1992	7BC7179DE05E8CF9D280ADDF85E172E7.exe	26
PID 1992 wrote to memory of 2040	1992	7BC7179DE05E8CF9D280ADDF85E172E7.exe	26
PID 1992 wrote to memory of 2040	1992	7BC7179DE05E8CF9D280ADDF85E172E7.exe	26
PID 1992 wrote to memory of 2040	1992	7BC7179DE05E8CF9D280ADDF85E172E7.exe	26
PID 1992 wrote to memory of 2040	1992	7BC7179DE05E8CF9D280ADDF85E172E7.exe	26
PID 1992 wrote to memory of 2040	1992	7BC7179DE05E8CF9D280ADDF85E172E7.exe	26
PID 2040 wrote to memory of 1496	2040	setup_installer.exe	29
PID 2040 wrote to memory of 1496	2040	setup_installer.exe	29
PID 2040 wrote to memory of 1496	2040	setup_installer.exe	29
PID 2040 wrote to memory of 1496	2040	setup_installer.exe	29
PID 2040 wrote to memory of 1496	2040	setup_installer.exe	29
PID 2040 wrote to memory of 1496	2040	setup_installer.exe	29
PID 2040 wrote to memory of 1496	2040	setup_installer.exe	29
PID 1496 wrote to memory of 1044	1496	setup_install.exe	33
PID 1496 wrote to memory of 1044	1496	setup_install.exe	33
PID 1496 wrote to memory of 1044	1496	setup_install.exe	33
PID 1496 wrote to memory of 1044	1496	setup_install.exe	33
PID 1496 wrote to memory of 1044	1496	setup_install.exe	33
PID 1496 wrote to memory of 1044	1496	setup_install.exe	33
PID 1496 wrote to memory of 1044	1496	setup_install.exe	33
PID 1496 wrote to memory of 1396	1496	setup_install.exe	32
PID 1496 wrote to memory of 1396	1496	setup_install.exe	32
PID 1496 wrote to memory of 1396	1496	setup_install.exe	32
PID 1496 wrote to memory of 1396	1496	setup_install.exe	32
PID 1496 wrote to memory of 1396	1496	setup_install.exe	32
PID 1496 wrote to memory of 1396	1496	setup_install.exe	32
PID 1496 wrote to memory of 1396	1496	setup_install.exe	32
PID 1496 wrote to memory of 1652	1496	setup_install.exe	35
PID 1496 wrote to memory of 1652	1496	setup_install.exe	35
PID 1496 wrote to memory of 1652	1496	setup_install.exe	35
PID 1496 wrote to memory of 1652	1496	setup_install.exe	35
PID 1496 wrote to memory of 1652	1496	setup_install.exe	35
PID 1496 wrote to memory of 1652	1496	setup_install.exe	35
PID 1496 wrote to memory of 1652	1496	setup_install.exe	35
PID 1496 wrote to memory of 1460	1496	setup_install.exe	34
PID 1496 wrote to memory of 1460	1496	setup_install.exe	34
PID 1496 wrote to memory of 1460	1496	setup_install.exe	34
PID 1496 wrote to memory of 1460	1496	setup_install.exe	34
PID 1496 wrote to memory of 1460	1496	setup_install.exe	34
PID 1496 wrote to memory of 1460	1496	setup_install.exe	34
PID 1496 wrote to memory of 1460	1496	setup_install.exe	34
PID 1496 wrote to memory of 820	1496	setup_install.exe	37
PID 1496 wrote to memory of 820	1496	setup_install.exe	37
PID 1496 wrote to memory of 820	1496	setup_install.exe	37
PID 1496 wrote to memory of 820	1496	setup_install.exe	37
PID 1496 wrote to memory of 820	1496	setup_install.exe	37
PID 1496 wrote to memory of 820	1496	setup_install.exe	37
PID 1496 wrote to memory of 820	1496	setup_install.exe	37
PID 1496 wrote to memory of 1888	1496	setup_install.exe	36
PID 1496 wrote to memory of 1888	1496	setup_install.exe	36
PID 1496 wrote to memory of 1888	1496	setup_install.exe	36
PID 1496 wrote to memory of 1888	1496	setup_install.exe	36
PID 1496 wrote to memory of 1888	1496	setup_install.exe	36
PID 1496 wrote to memory of 1888	1496	setup_install.exe	36
PID 1496 wrote to memory of 1888	1496	setup_install.exe	36
PID 1496 wrote to memory of 1380	1496	setup_install.exe	38
PID 1496 wrote to memory of 1380	1496	setup_install.exe	38
PID 1496 wrote to memory of 1380	1496	setup_install.exe	38
PID 1496 wrote to memory of 1380	1496	setup_install.exe	38
PID 1496 wrote to memory of 1380	1496	setup_install.exe	38
PID 1496 wrote to memory of 1380	1496	setup_install.exe	38
PID 1496 wrote to memory of 1380	1496	setup_install.exe	38
PID 1496 wrote to memory of 2036	1496	setup_install.exe	42

C:\Users\Admin\AppData\Local\Temp\7BC7179DE05E8CF9D280ADDF85E172E7.exe
"C:\Users\Admin\AppData\Local\Temp\7BC7179DE05E8CF9D280ADDF85E172E7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\7zS8F713244\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS8F713244\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sahiba_2.exe
      4⤵
      Loads dropped DLL
      PID:1396
    - - C:\Users\Admin\AppData\Local\Temp\7zS8F713244\sahiba_2.exe
        
        sahiba_2.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sahiba_1.exe
      4⤵
      Loads dropped DLL
      PID:1044
    - - C:\Users\Admin\AppData\Local\Temp\7zS8F713244\sahiba_1.exe
        
        sahiba_1.exe
        5⤵
        Executes dropped EXE
        
        PID:1828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sahiba_4.exe
      4⤵
      Loads dropped DLL
      PID:1460
    - - C:\Users\Admin\AppData\Local\Temp\7zS8F713244\sahiba_4.exe
        
        sahiba_4.exe
        5⤵
        Executes dropped EXE
        
        PID:1064
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sahiba_3.exe
      4⤵
      PID:1652
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sahiba_6.exe
      4⤵
      Loads dropped DLL
      PID:1888
    - - C:\Users\Admin\AppData\Local\Temp\7zS8F713244\sahiba_6.exe
        
        sahiba_6.exe
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:1468
      - C:\Users\Admin\AppData\Roaming\5981483.exe
        
        "C:\Users\Admin\AppData\Roaming\5981483.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
      - C:\Users\Admin\AppData\Roaming\5064815.exe
        
        "C:\Users\Admin\AppData\Roaming\5064815.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1288
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1576
      - C:\Users\Admin\AppData\Roaming\4985568.exe
        
        "C:\Users\Admin\AppData\Roaming\4985568.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sahiba_5.exe
      4⤵
      Loads dropped DLL
      PID:820
    - - C:\Users\Admin\AppData\Local\Temp\7zS8F713244\sahiba_5.exe
        
        sahiba_5.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1776
      - C:\Users\Admin\AppData\Local\Temp\is-OTF1R.tmp\sahiba_5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-OTF1R.tmp\sahiba_5.tmp" /SL5="$5001C,506127,422400,C:\Users\Admin\AppData\Local\Temp\7zS8F713244\sahiba_5.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\is-U6IRL.tmp\JFHGSFGSIUGFSUIG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-U6IRL.tmp\JFHGSFGSIUGFSUIG.exe" /S /UID=burnerch2
        7⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:984
        
        C:\Program Files\Windows Media Player\GUJFIMRALB\ultramediaburner.exe
        
        "C:\Program Files\Windows Media Player\GUJFIMRALB\ultramediaburner.exe" /VERYSILENT
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\is-VMUR4.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-VMUR4.tmp\ultramediaburner.tmp" /SL5="$1018A,281924,62464,C:\Program Files\Windows Media Player\GUJFIMRALB\ultramediaburner.exe" /VERYSILENT
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:2348
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        10⤵
        Executes dropped EXE
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\8f-79e31-f01-6ff82-01b6aa89c0a8d\Raetaelaemiwa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8f-79e31-f01-6ff82-01b6aa89c0a8d\Raetaelaemiwa.exe"
        8⤵
        Executes dropped EXE
        
        PID:2372
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        9⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2736
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2736 CREDAT:275457 /prefetch:2
        10⤵
        Modifies Internet Explorer settings
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\62-3d100-70c-308b4-62d39e535590c\Jaeweshaeqyshi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\62-3d100-70c-308b4-62d39e535590c\Jaeweshaeqyshi.exe"
        8⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pex1lx43.53b\GcleanerEU.exe /eufive & exit
        9⤵
        
        PID:944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lijjd0rw.n2m\installer.exe /qn CAMPAIGN="654" & exit
        9⤵
        
        PID:1800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\inw3ri2l.g2j\Setup3310.exe /Verysilent /subid=623 & exit
        9⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\inw3ri2l.g2j\Setup3310.exe
        
        C:\Users\Admin\AppData\Local\Temp\inw3ri2l.g2j\Setup3310.exe /Verysilent /subid=623
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\is-657GB.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-657GB.tmp\Setup3310.tmp" /SL5="$202BE,138429,56832,C:\Users\Admin\AppData\Local\Temp\inw3ri2l.g2j\Setup3310.exe" /Verysilent /subid=623
        11⤵
        Executes dropped EXE
        
        PID:1828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dahjkkwy.hox\google-game.exe & exit
        9⤵
        
        PID:2984
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sahiba_7.exe
      4⤵
      Loads dropped DLL
      PID:1380
    - - C:\Users\Admin\AppData\Local\Temp\7zS8F713244\sahiba_7.exe
        
        sahiba_7.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:1768
      - C:\Users\Admin\Documents\h0QbI33TwXyhIUmkOY4FhNns.exe
        
        "C:\Users\Admin\Documents\h0QbI33TwXyhIUmkOY4FhNns.exe"
        6⤵
        Executes dropped EXE
        
        PID:800
      - C:\Users\Admin\Documents\ZiBO6Z2VR_p_s12zVqfBdTqZ.exe
        
        "C:\Users\Admin\Documents\ZiBO6Z2VR_p_s12zVqfBdTqZ.exe"
        6⤵
        Executes dropped EXE
        
        PID:1848
        
        C:\Users\Admin\Documents\ZiBO6Z2VR_p_s12zVqfBdTqZ.exe
        
        C:\Users\Admin\Documents\ZiBO6Z2VR_p_s12zVqfBdTqZ.exe
        7⤵
        
        PID:3064
      - C:\Users\Admin\Documents\QfYFtoplsxFDylFd0zYOXSCY.exe
        
        "C:\Users\Admin\Documents\QfYFtoplsxFDylFd0zYOXSCY.exe"
        6⤵
        Executes dropped EXE
        
        PID:2208
      - C:\Users\Admin\Documents\q65z0zVRkPOvNmV5DyD7gdXo.exe
        
        "C:\Users\Admin\Documents\q65z0zVRkPOvNmV5DyD7gdXo.exe"
        6⤵
        
        PID:2688
      - C:\Users\Admin\Documents\6HIT1qR4g6HKWFJ42FidV3t7.exe
        
        "C:\Users\Admin\Documents\6HIT1qR4g6HKWFJ42FidV3t7.exe"
        6⤵
        
        PID:2744
        
        C:\Users\Admin\Documents\6HIT1qR4g6HKWFJ42FidV3t7.exe
        
        C:\Users\Admin\Documents\6HIT1qR4g6HKWFJ42FidV3t7.exe
        7⤵
        
        PID:2296
      - C:\Users\Admin\Documents\0v5jD1NPxRWoviGDTiw2y7Od.exe
        
        "C:\Users\Admin\Documents\0v5jD1NPxRWoviGDTiw2y7Od.exe"
        6⤵
        
        PID:2792
      - C:\Users\Admin\Documents\T_3FH5s6ATj9evMChFzsasAC.exe
        
        "C:\Users\Admin\Documents\T_3FH5s6ATj9evMChFzsasAC.exe"
        6⤵
        
        PID:2844
      - C:\Users\Admin\Documents\42I7E2WuuI1GGZHPYIUhyNQ2.exe
        
        "C:\Users\Admin\Documents\42I7E2WuuI1GGZHPYIUhyNQ2.exe"
        6⤵
        
        PID:2836
      - C:\Users\Admin\Documents\aiYrhEtI9JXtTyk1CyTB4ogi.exe
        
        "C:\Users\Admin\Documents\aiYrhEtI9JXtTyk1CyTB4ogi.exe"
        6⤵
        
        PID:1552
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sahiba_9.exe
      4⤵
      Loads dropped DLL
      PID:1588
    - - C:\Users\Admin\AppData\Local\Temp\7zS8F713244\sahiba_9.exe
        
        sahiba_9.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
      - C:\Users\Admin\AppData\Local\Temp\7zS8F713244\sahiba_9.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8F713244\sahiba_9.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sahiba_8.exe
      4⤵
      Loads dropped DLL
      PID:2036
    - - C:\Users\Admin\AppData\Local\Temp\7zS8F713244\sahiba_8.exe
        
        sahiba_8.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/864-210-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/864-188-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/864-231-0x00000000002A0000-0x00000000002A9000-memory.dmp

Filesize
36KB

Download
memory/984-228-0x0000000002060000-0x0000000002062000-memory.dmp

Filesize
8KB

Download
memory/984-238-0x000000001C810000-0x000000001CB0F000-memory.dmp

Filesize
3.0MB

Download
memory/1196-193-0x00000000029F0000-0x0000000002A05000-memory.dmp

Filesize
84KB

Download
memory/1288-213-0x00000000003A0000-0x00000000003AE000-memory.dmp

Filesize
56KB

Download
memory/1288-204-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1288-209-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/1288-217-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1324-212-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/1324-215-0x00000000005C0000-0x00000000005F1000-memory.dmp

Filesize
196KB

Download
memory/1324-198-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/1324-216-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/1324-207-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/1428-182-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1468-183-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1468-164-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/1468-176-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1468-185-0x000000001AEE0000-0x000000001AEE2000-memory.dmp

Filesize
8KB

Download
memory/1468-178-0x0000000000260000-0x000000000027D000-memory.dmp

Filesize
116KB

Download
memory/1496-103-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1496-92-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/1496-119-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1496-89-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1496-91-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1496-90-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1496-121-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1496-102-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1496-130-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/1496-107-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1496-110-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1496-115-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1564-230-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/1564-211-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1564-205-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/1564-218-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1564-214-0x00000000005F0000-0x0000000000627000-memory.dmp

Filesize
220KB

Download
memory/1576-229-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/1576-223-0x0000000001290000-0x0000000001291000-memory.dmp

Filesize
4KB

Download
memory/1632-186-0x00000000001D0000-0x00000000001FF000-memory.dmp

Filesize
188KB

Download
memory/1632-191-0x00000000073A1000-0x00000000073A2000-memory.dmp

Filesize
4KB

Download
memory/1632-195-0x0000000004610000-0x0000000004629000-memory.dmp

Filesize
100KB

Download
memory/1632-194-0x00000000073A3000-0x00000000073A4000-memory.dmp

Filesize
4KB

Download
memory/1632-192-0x00000000073A2000-0x00000000073A3000-memory.dmp

Filesize
4KB

Download
memory/1632-187-0x0000000000400000-0x0000000002CA6000-memory.dmp

Filesize
40.6MB

Download
memory/1632-219-0x00000000073A4000-0x00000000073A6000-memory.dmp

Filesize
8KB

Download
memory/1632-189-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/1776-154-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1896-184-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1896-181-0x0000000000240000-0x0000000000249000-memory.dmp

Filesize
36KB

Download
memory/1992-60-0x0000000075B31000-0x0000000075B33000-memory.dmp

Filesize
8KB

Download
memory/2052-237-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/2052-232-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2052-235-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2264-263-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2332-242-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2348-243-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2372-246-0x0000000000A50000-0x0000000000A52000-memory.dmp

Filesize
8KB

Download
memory/2412-248-0x0000000000A80000-0x0000000000A82000-memory.dmp

Filesize
8KB

Download
memory/2412-254-0x0000000000AA5000-0x0000000000AA6000-memory.dmp

Filesize
4KB

Download
memory/2412-253-0x0000000000A86000-0x0000000000AA5000-memory.dmp

Filesize
124KB

Download
memory/2448-251-0x0000000000B36000-0x0000000000B55000-memory.dmp

Filesize
124KB

Download
memory/2448-249-0x0000000000B30000-0x0000000000B32000-memory.dmp

Filesize
8KB

Download