nullmixer | 280c314b18ddf2481c1173c653acf508262e0ad3dbf2dfa8b64f48d75bd10765

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	lo14B3dKupFtT4qzQ435jrOe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	lo14B3dKupFtT4qzQ435jrOe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	lo14B3dKupFtT4qzQ435jrOe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	lo14B3dKupFtT4qzQ435jrOe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	sahiba_6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	sahiba_6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	sahiba_6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	lo14B3dKupFtT4qzQ435jrOe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	lo14B3dKupFtT4qzQ435jrOe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	lo14B3dKupFtT4qzQ435jrOe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	sahiba_6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	sahiba_6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	sahiba_6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	sahiba_6.exe

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral1/memory/288-191-0x0000000000400000-0x0000000000513000-memory.dmp	family_vidar
behavioral1/memory/288-200-0x0000000000400000-0x0000000000513000-memory.dmp	family_vidar
behavioral1/memory/2124-233-0x0000000000310000-0x0000000000378000-memory.dmp	family_vidar

ASPack v2.12-2.42 14 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000600000001411b-55.dat	aspack_v212_v242
behavioral1/files/0x000600000001411b-57.dat	aspack_v212_v242
behavioral1/files/0x000600000001411b-56.dat	aspack_v212_v242
behavioral1/files/0x000600000001411b-59.dat	aspack_v212_v242
behavioral1/files/0x00070000000139e4-62.dat	aspack_v212_v242
behavioral1/files/0x00070000000139e4-63.dat	aspack_v212_v242
behavioral1/files/0x00070000000139dc-64.dat	aspack_v212_v242
behavioral1/files/0x00070000000139dc-65.dat	aspack_v212_v242
behavioral1/files/0x00060000000140fd-71.dat	aspack_v212_v242
behavioral1/files/0x00060000000140fd-73.dat	aspack_v212_v242
behavioral1/files/0x000600000001411b-75.dat	aspack_v212_v242
behavioral1/files/0x000600000001411b-76.dat	aspack_v212_v242
behavioral1/files/0x000600000001411b-77.dat	aspack_v212_v242
behavioral1/files/0x000600000001411b-78.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 20 IoCs

pid	Process
1944	setup_install.exe
860	sahiba_2.exe
1524	sahiba_1.exe
288	sahiba_3.exe
1932	sahiba_4.exe
1744	sahiba_6.exe
972	sahiba_8.exe
1504	sahiba_7.exe
2016	sahiba_5.exe
1604	sahiba_1.exe
1676	Triste.exe.com
2140	R13wHhKXqKxGcBAVXuPa723i.exe
2124	YezM6S6M7Fx3QasoIhbk_jtu.exe
2116	OvsW07HpZ_5nnlMvfTcTv49c.exe
2176	eFo9jVImIrXwphQlSxFHzfcN.exe
2256	cf2BjLLuVJItye7vb89rKkUv.exe
2312	Install.exe
2460	lo14B3dKupFtT4qzQ435jrOe.exe
2632	D3LTZ.exe
2688	Install.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	sahiba_6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	lo14B3dKupFtT4qzQ435jrOe.exe

Loads dropped DLL 64 IoCs

pid	Process
1348	280C314B18DDF2481C1173C653ACF508262E0AD3DBF2D.exe
1348	280C314B18DDF2481C1173C653ACF508262E0AD3DBF2D.exe
1348	280C314B18DDF2481C1173C653ACF508262E0AD3DBF2D.exe
1944	setup_install.exe
1944	setup_install.exe
1944	setup_install.exe
1944	setup_install.exe
1944	setup_install.exe
1944	setup_install.exe
1944	setup_install.exe
1944	setup_install.exe
1176	cmd.exe
380	cmd.exe
380	cmd.exe
1176	cmd.exe
1076	cmd.exe
1044	cmd.exe
1044	cmd.exe
1556	cmd.exe
860	sahiba_2.exe
860	sahiba_2.exe
288	sahiba_3.exe
288	sahiba_3.exe
1524	sahiba_1.exe
1524	sahiba_1.exe
564	cmd.exe
1744	sahiba_6.exe
1744	sahiba_6.exe
1624	cmd.exe
1072	cmd.exe
1504	sahiba_7.exe
1504	sahiba_7.exe
1524	sahiba_1.exe
1604	sahiba_1.exe
1604	sahiba_1.exe
1796	cmd.exe
784	WerFault.exe
784	WerFault.exe
784	WerFault.exe
784	WerFault.exe
880	WerFault.exe
880	WerFault.exe
880	WerFault.exe
880	WerFault.exe
1744	sahiba_6.exe
1744	sahiba_6.exe
1744	sahiba_6.exe
1744	sahiba_6.exe
1744	sahiba_6.exe
2140	R13wHhKXqKxGcBAVXuPa723i.exe
2140	R13wHhKXqKxGcBAVXuPa723i.exe
1744	sahiba_6.exe
2124	YezM6S6M7Fx3QasoIhbk_jtu.exe
2124	YezM6S6M7Fx3QasoIhbk_jtu.exe
1744	sahiba_6.exe
2256	cf2BjLLuVJItye7vb89rKkUv.exe
2256	cf2BjLLuVJItye7vb89rKkUv.exe
2256	cf2BjLLuVJItye7vb89rKkUv.exe
2312	Install.exe
2312	Install.exe
2140	R13wHhKXqKxGcBAVXuPa723i.exe
2460	lo14B3dKupFtT4qzQ435jrOe.exe
2460	lo14B3dKupFtT4qzQ435jrOe.exe
2124	YezM6S6M7Fx3QasoIhbk_jtu.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	eFo9jVImIrXwphQlSxFHzfcN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	eFo9jVImIrXwphQlSxFHzfcN.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ipinfo.io
8	ipinfo.io
102	ipinfo.io
103	ipinfo.io
133	ipinfo.io

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	R13wHhKXqKxGcBAVXuPa723i.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	R13wHhKXqKxGcBAVXuPa723i.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
784	1944	WerFault.exe	26
880	288	WerFault.exe	38

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
2492	schtasks.exe
2508	schtasks.exe
2216	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	sahiba_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	sahiba_6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	sahiba_6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	sahiba_6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	sahiba_6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sahiba_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sahiba_3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	sahiba_6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	sahiba_6.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
516	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
860	sahiba_2.exe
860	sahiba_2.exe
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1744	sahiba_6.exe
1744	sahiba_6.exe
1744	sahiba_6.exe
1744	sahiba_6.exe
1744	sahiba_6.exe
1744	sahiba_6.exe
1744	sahiba_6.exe
1744	sahiba_6.exe
1744	sahiba_6.exe
1744	sahiba_6.exe
1744	sahiba_6.exe
1744	sahiba_6.exe
1744	sahiba_6.exe
1744	sahiba_6.exe
1744	sahiba_6.exe
1744	sahiba_6.exe
1744	sahiba_6.exe
1744	sahiba_6.exe
1744	sahiba_6.exe
1744	sahiba_6.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
860	sahiba_2.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2016	sahiba_5.exe
Token: SeShutdownPrivilege	1272	Process not Found
Token: SeShutdownPrivilege	1272	Process not Found
Token: SeShutdownPrivilege	1272	Process not Found
Token: SeShutdownPrivilege	1272	Process not Found
Token: SeShutdownPrivilege	1272	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1272	Process not Found
1272	Process not Found

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1272	Process not Found
1272	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 1944	1348	280C314B18DDF2481C1173C653ACF508262E0AD3DBF2D.exe	26
PID 1348 wrote to memory of 1944	1348	280C314B18DDF2481C1173C653ACF508262E0AD3DBF2D.exe	26
PID 1348 wrote to memory of 1944	1348	280C314B18DDF2481C1173C653ACF508262E0AD3DBF2D.exe	26
PID 1348 wrote to memory of 1944	1348	280C314B18DDF2481C1173C653ACF508262E0AD3DBF2D.exe	26
PID 1348 wrote to memory of 1944	1348	280C314B18DDF2481C1173C653ACF508262E0AD3DBF2D.exe	26
PID 1348 wrote to memory of 1944	1348	280C314B18DDF2481C1173C653ACF508262E0AD3DBF2D.exe	26
PID 1348 wrote to memory of 1944	1348	280C314B18DDF2481C1173C653ACF508262E0AD3DBF2D.exe	26
PID 1944 wrote to memory of 1176	1944	setup_install.exe	28
PID 1944 wrote to memory of 1176	1944	setup_install.exe	28
PID 1944 wrote to memory of 1176	1944	setup_install.exe	28
PID 1944 wrote to memory of 1176	1944	setup_install.exe	28
PID 1944 wrote to memory of 1176	1944	setup_install.exe	28
PID 1944 wrote to memory of 1176	1944	setup_install.exe	28
PID 1944 wrote to memory of 1176	1944	setup_install.exe	28
PID 1944 wrote to memory of 380	1944	setup_install.exe	29
PID 1944 wrote to memory of 380	1944	setup_install.exe	29
PID 1944 wrote to memory of 380	1944	setup_install.exe	29
PID 1944 wrote to memory of 380	1944	setup_install.exe	29
PID 1944 wrote to memory of 380	1944	setup_install.exe	29
PID 1944 wrote to memory of 380	1944	setup_install.exe	29
PID 1944 wrote to memory of 380	1944	setup_install.exe	29
PID 1944 wrote to memory of 1044	1944	setup_install.exe	30
PID 1944 wrote to memory of 1044	1944	setup_install.exe	30
PID 1944 wrote to memory of 1044	1944	setup_install.exe	30
PID 1944 wrote to memory of 1044	1944	setup_install.exe	30
PID 1944 wrote to memory of 1044	1944	setup_install.exe	30
PID 1944 wrote to memory of 1044	1944	setup_install.exe	30
PID 1944 wrote to memory of 1044	1944	setup_install.exe	30
PID 1944 wrote to memory of 1076	1944	setup_install.exe	31
PID 1944 wrote to memory of 1076	1944	setup_install.exe	31
PID 1944 wrote to memory of 1076	1944	setup_install.exe	31
PID 1944 wrote to memory of 1076	1944	setup_install.exe	31
PID 1944 wrote to memory of 1076	1944	setup_install.exe	31
PID 1944 wrote to memory of 1076	1944	setup_install.exe	31
PID 1944 wrote to memory of 1076	1944	setup_install.exe	31
PID 1944 wrote to memory of 1072	1944	setup_install.exe	32
PID 1944 wrote to memory of 1072	1944	setup_install.exe	32
PID 1944 wrote to memory of 1072	1944	setup_install.exe	32
PID 1944 wrote to memory of 1072	1944	setup_install.exe	32
PID 1944 wrote to memory of 1072	1944	setup_install.exe	32
PID 1944 wrote to memory of 1072	1944	setup_install.exe	32
PID 1944 wrote to memory of 1072	1944	setup_install.exe	32
PID 1944 wrote to memory of 564	1944	setup_install.exe	33
PID 1944 wrote to memory of 564	1944	setup_install.exe	33
PID 1944 wrote to memory of 564	1944	setup_install.exe	33
PID 1944 wrote to memory of 564	1944	setup_install.exe	33
PID 1944 wrote to memory of 564	1944	setup_install.exe	33
PID 1944 wrote to memory of 564	1944	setup_install.exe	33
PID 1944 wrote to memory of 564	1944	setup_install.exe	33
PID 1944 wrote to memory of 1624	1944	setup_install.exe	34
PID 1944 wrote to memory of 1624	1944	setup_install.exe	34
PID 1944 wrote to memory of 1624	1944	setup_install.exe	34
PID 1944 wrote to memory of 1624	1944	setup_install.exe	34
PID 1944 wrote to memory of 1624	1944	setup_install.exe	34
PID 1944 wrote to memory of 1624	1944	setup_install.exe	34
PID 1944 wrote to memory of 1624	1944	setup_install.exe	34
PID 1944 wrote to memory of 1556	1944	setup_install.exe	35
PID 1944 wrote to memory of 1556	1944	setup_install.exe	35
PID 1944 wrote to memory of 1556	1944	setup_install.exe	35
PID 1944 wrote to memory of 1556	1944	setup_install.exe	35
PID 1944 wrote to memory of 1556	1944	setup_install.exe	35
PID 1944 wrote to memory of 1556	1944	setup_install.exe	35
PID 1944 wrote to memory of 1556	1944	setup_install.exe	35
PID 380 wrote to memory of 860	380	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\280C314B18DDF2481C1173C653ACF508262E0AD3DBF2D.exe
"C:\Users\Admin\AppData\Local\Temp\280C314B18DDF2481C1173C653ACF508262E0AD3DBF2D.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Users\Admin\AppData\Local\Temp\7zS445E0A7C\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS445E0A7C\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_1.exe
    3⤵
    - Loads dropped DLL
    PID:1176
  - - C:\Users\Admin\AppData\Local\Temp\7zS445E0A7C\sahiba_1.exe
      sahiba_1.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1524
    - - C:\Users\Admin\AppData\Local\Temp\7zS445E0A7C\sahiba_1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS445E0A7C\sahiba_1.exe" -a
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_2.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:380
  - - C:\Users\Admin\AppData\Local\Temp\7zS445E0A7C\sahiba_2.exe
      sahiba_2.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_3.exe
    3⤵
    - Loads dropped DLL
    PID:1044
  - - C:\Users\Admin\AppData\Local\Temp\7zS445E0A7C\sahiba_3.exe
      sahiba_3.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      PID:288
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 288 -s 960
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_4.exe
    3⤵
    - Loads dropped DLL
    PID:1076
  - - C:\Users\Admin\AppData\Local\Temp\7zS445E0A7C\sahiba_4.exe
      sahiba_4.exe
      4⤵
      Executes dropped EXE
      PID:1932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_5.exe
    3⤵
    - Loads dropped DLL
    PID:1072
  - - C:\Users\Admin\AppData\Local\Temp\7zS445E0A7C\sahiba_5.exe
      sahiba_5.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_6.exe
    3⤵
    - Loads dropped DLL
    PID:564
  - - C:\Users\Admin\AppData\Local\Temp\7zS445E0A7C\sahiba_6.exe
      sahiba_6.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Checks computer location settings
      Loads dropped DLL
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      PID:1744
    - - C:\Users\Admin\Documents\R13wHhKXqKxGcBAVXuPa723i.exe
        
        "C:\Users\Admin\Documents\R13wHhKXqKxGcBAVXuPa723i.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        
        PID:2140
      - C:\Users\Admin\Documents\lo14B3dKupFtT4qzQ435jrOe.exe
        
        "C:\Users\Admin\Documents\lo14B3dKupFtT4qzQ435jrOe.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        
        PID:2460
        
        C:\Users\Admin\Pictures\Adobe Films\oJmGYCzUohRAogY2_zi2vLgG.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\oJmGYCzUohRAogY2_zi2vLgG.exe"
        7⤵
        
        PID:2328
        
        C:\Users\Admin\Pictures\Adobe Films\GHmlVJoFR6NbUV6Tz2E83hGZ.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\GHmlVJoFR6NbUV6Tz2E83hGZ.exe"
        7⤵
        
        PID:1056
        
        C:\Users\Admin\Pictures\Adobe Films\pa7Yqg3MjYXiCgEIF2nJpVPk.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\pa7Yqg3MjYXiCgEIF2nJpVPk.exe"
        7⤵
        
        PID:1804
        
        C:\Users\Admin\Pictures\Adobe Films\N0AumazR3pbEMrBogeRLYu3B.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\N0AumazR3pbEMrBogeRLYu3B.exe"
        7⤵
        
        PID:1696
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:2492
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:2508
    - - C:\Users\Admin\Documents\YezM6S6M7Fx3QasoIhbk_jtu.exe
        
        "C:\Users\Admin\Documents\YezM6S6M7Fx3QasoIhbk_jtu.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2124
      - C:\Users\Admin\AppData\Roaming\{846ee340-7039-11de-9d20-806e6f6e6963}\D3LTZ.exe
        
        6⤵
        Executes dropped EXE
        
        PID:2632
    - - C:\Users\Admin\Documents\OvsW07HpZ_5nnlMvfTcTv49c.exe
        
        "C:\Users\Admin\Documents\OvsW07HpZ_5nnlMvfTcTv49c.exe"
        5⤵
        Executes dropped EXE
        
        PID:2116
    - - C:\Users\Admin\Documents\eFo9jVImIrXwphQlSxFHzfcN.exe
        
        "C:\Users\Admin\Documents\eFo9jVImIrXwphQlSxFHzfcN.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2176
    - - C:\Users\Admin\Documents\cf2BjLLuVJItye7vb89rKkUv.exe
        
        "C:\Users\Admin\Documents\cf2BjLLuVJItye7vb89rKkUv.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2256
      - C:\Users\Admin\AppData\Local\Temp\7zSB349.tmp\Install.exe
        
        .\Install.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\7zSCC84.tmp\Install.exe
        
        .\Install.exe /S /site_id "525403"
        7⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Drops file in System32 directory
        Enumerates system info in registry
        
        PID:2688
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        8⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        9⤵
        
        PID:3048
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        10⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        8⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        9⤵
        
        PID:2084
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        10⤵
        
        PID:2136
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        10⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gxIDJNlfO" /SC once /ST 19:41:20 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        8⤵
        Creates scheduled task(s)
        
        PID:2216
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gxIDJNlfO"
        8⤵
        
        PID:1868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_7.exe
    3⤵
    - Loads dropped DLL
    PID:1624
  - - C:\Users\Admin\AppData\Local\Temp\7zS445E0A7C\sahiba_7.exe
      sahiba_7.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1504
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c cmd < Compatto.rtf
        5⤵
        
        PID:1804
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd
        6⤵
        Loads dropped DLL
        
        PID:1796
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^jvMDwkwydQdmnxGPmMOjYlbIlopECWXOZojRKCmISYgoKPYfXOyLKoMeYraSevCxTCAdoOyWjyxqVfYxlTHNQkrRvpTHpGGccUgofIipJpnFNMuJyYIpPPDHnITYVnMGn$" Oggi.rtf
        7⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com
        
        Triste.exe.com n
        7⤵
        Executes dropped EXE
        
        PID:1676
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 30
        7⤵
        Runs ping.exe
        
        PID:516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_8.exe
    3⤵
    - Loads dropped DLL
    PID:1556
  - - C:\Users\Admin\AppData\Local\Temp\7zS445E0A7C\sahiba_8.exe
      sahiba_8.exe
      4⤵
      Executes dropped EXE
      PID:972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 420
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:784

C:\Windows\system32\taskeng.exe
taskeng.exe {BE8EF55C-44AA-4AD4-8FCB-C150B1932160} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
1⤵
PID:1592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  PID:1772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery