fabookie | 261b33850dd1404b22acfd5fe7e46806dce68f710f9b21b7ec00a264804e2137

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-02-2024 07:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a15432e92d18c9f770b06b7fbecf68e5.exe
Size

3.6MB
MD5

a15432e92d18c9f770b06b7fbecf68e5
SHA1

ea6b2bcfa914ad069a5a4537a2a62ad3c8ac8c07
SHA256

261b33850dd1404b22acfd5fe7e46806dce68f710f9b21b7ec00a264804e2137
SHA512

89c9d0e9a89ce2ba4e395d051b0b569922df871388347815eed2ae1570b32423d4fbfe627d84c3fd0d5ef6b319284a291fc975f05df8a0e3cbb899715fce2227
SSDEEP

98304:J9QcAe8V4gdr3UrxlzQYR7xRKxMuukWUfHmSjXsUud56DO8L:J9bAHDLU0YnRGXfHDcUa56DtL

Score

10^/10

fabookie nullmixer redline sectoprat smokeloader socelars aninewone pub5 aspackv2 backdoor discovery dropper infostealer rat spyware stealer trojan upx

Malware Config

Extracted

Family

nullmixer

http://watira.xyz/

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

ANINEWONE

zisiarenal.xyz:80

Signatures

Detect Fabookie payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0006000000018b50-100.dat	family_fabookie
behavioral1/files/0x0006000000018b50-124.dat	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/2840-437-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2840-438-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2840-444-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2840-446-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2840-448-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/2840-437-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2840-438-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2840-444-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2840-446-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2840-448-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000018b4b-99.dat	family_socelars

Nirsoft 9 IoCs

resource	yara_rule
behavioral1/memory/2992-153-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2200-154-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2076-202-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2976-199-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/268-311-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2812-310-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2180-330-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2344-340-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2976-498-0x0000000000240000-0x000000000029B000-memory.dmp	Nirsoft

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0006000000018baf-42.dat	aspack_v212_v242
behavioral1/files/0x0006000000018baf-50.dat	aspack_v212_v242
behavioral1/files/0x0006000000018baf-47.dat	aspack_v212_v242
behavioral1/files/0x0006000000018b5b-57.dat	aspack_v212_v242
behavioral1/files/0x0006000000018b54-61.dat	aspack_v212_v242
behavioral1/files/0x0006000000018b77-66.dat	aspack_v212_v242

Executes dropped EXE 22 IoCs

pid	Process
2872	setup_installer.exe
2536	setup_install.exe
2428	sahiba_1.exe
1748	sahiba_2.exe
2664	sahiba_5.exe
784	sahiba_9.exe
2660	sahiba_3.exe
1152	sahiba_6.exe
2316	sahiba_4.exe
2140	sahiba_7.exe
2100	sahiba_8.exe
368	sahiba_1.exe
1080	sahiba_5.tmp
2992	jfiag3g_gg.exe
2200	jfiag3g_gg.exe
2976	jfiag3g_gg.exe
2076	jfiag3g_gg.exe
2812	jfiag3g_gg.exe
268	jfiag3g_gg.exe
2180	jfiag3g_gg.exe
2344	jfiag3g_gg.exe
2840	sahiba_4.exe

Loads dropped DLL 64 IoCs

pid	Process
1324	a15432e92d18c9f770b06b7fbecf68e5.exe
2872	setup_installer.exe
2872	setup_installer.exe
2872	setup_installer.exe
2872	setup_installer.exe
2872	setup_installer.exe
2872	setup_installer.exe
2536	setup_install.exe
2536	setup_install.exe
2536	setup_install.exe
2536	setup_install.exe
2536	setup_install.exe
2536	setup_install.exe
2536	setup_install.exe
2536	setup_install.exe
1624	cmd.exe
1624	cmd.exe
2292	cmd.exe
2292	cmd.exe
1844	cmd.exe
1844	cmd.exe
1812	cmd.exe
1568	cmd.exe
2428	sahiba_1.exe
2428	sahiba_1.exe
1748	sahiba_2.exe
1748	sahiba_2.exe
2664	sahiba_5.exe
2664	sahiba_5.exe
1800	cmd.exe
784	sahiba_9.exe
784	sahiba_9.exe
2660	sahiba_3.exe
2660	sahiba_3.exe
2144	cmd.exe
1000	cmd.exe
1000	cmd.exe
2140	sahiba_7.exe
2140	sahiba_7.exe
988	cmd.exe
2428	sahiba_1.exe
2316	sahiba_4.exe
2316	sahiba_4.exe
2100	sahiba_8.exe
2100	sahiba_8.exe
368	sahiba_1.exe
368	sahiba_1.exe
2664	sahiba_5.exe
1080	sahiba_5.tmp
1080	sahiba_5.tmp
1080	sahiba_5.tmp
784	sahiba_9.exe
784	sahiba_9.exe
2992	jfiag3g_gg.exe
2992	jfiag3g_gg.exe
784	sahiba_9.exe
784	sahiba_9.exe
2200	jfiag3g_gg.exe
2200	jfiag3g_gg.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
784	sahiba_9.exe
784	sahiba_9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000019474-151.dat	upx
behavioral1/memory/2992-153-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2200-154-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/784-183-0x00000000002F0000-0x000000000034B000-memory.dmp	upx
behavioral1/memory/2076-202-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2976-199-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/268-311-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2812-310-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2180-330-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2344-340-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
114	iplogger.org
118	iplogger.org
72	iplogger.org
73	iplogger.org

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ipinfo.io
5	ip-api.com
6	ipinfo.io
52	api.db-ip.com
54	api.db-ip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2316 set thread context of 2840	2316	sahiba_4.exe	67

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1336	2536	WerFault.exe	29

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
548	taskkill.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	sahiba_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	sahiba_8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	sahiba_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	sahiba_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	sahiba_8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	sahiba_8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	sahiba_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	sahiba_7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	sahiba_7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1748	sahiba_2.exe
1748	sahiba_2.exe
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1748	sahiba_2.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	2100	sahiba_8.exe
Token: SeAssignPrimaryTokenPrivilege	2100	sahiba_8.exe
Token: SeLockMemoryPrivilege	2100	sahiba_8.exe
Token: SeIncreaseQuotaPrivilege	2100	sahiba_8.exe
Token: SeMachineAccountPrivilege	2100	sahiba_8.exe
Token: SeTcbPrivilege	2100	sahiba_8.exe
Token: SeSecurityPrivilege	2100	sahiba_8.exe
Token: SeTakeOwnershipPrivilege	2100	sahiba_8.exe
Token: SeLoadDriverPrivilege	2100	sahiba_8.exe
Token: SeSystemProfilePrivilege	2100	sahiba_8.exe
Token: SeSystemtimePrivilege	2100	sahiba_8.exe
Token: SeProfSingleProcessPrivilege	2100	sahiba_8.exe
Token: SeIncBasePriorityPrivilege	2100	sahiba_8.exe
Token: SeCreatePagefilePrivilege	2100	sahiba_8.exe
Token: SeCreatePermanentPrivilege	2100	sahiba_8.exe
Token: SeBackupPrivilege	2100	sahiba_8.exe
Token: SeRestorePrivilege	2100	sahiba_8.exe
Token: SeShutdownPrivilege	2100	sahiba_8.exe
Token: SeDebugPrivilege	2100	sahiba_8.exe
Token: SeAuditPrivilege	2100	sahiba_8.exe
Token: SeSystemEnvironmentPrivilege	2100	sahiba_8.exe
Token: SeChangeNotifyPrivilege	2100	sahiba_8.exe
Token: SeRemoteShutdownPrivilege	2100	sahiba_8.exe
Token: SeUndockPrivilege	2100	sahiba_8.exe
Token: SeSyncAgentPrivilege	2100	sahiba_8.exe
Token: SeEnableDelegationPrivilege	2100	sahiba_8.exe
Token: SeManageVolumePrivilege	2100	sahiba_8.exe
Token: SeImpersonatePrivilege	2100	sahiba_8.exe
Token: SeCreateGlobalPrivilege	2100	sahiba_8.exe
Token: 31	2100	sahiba_8.exe
Token: 32	2100	sahiba_8.exe
Token: 33	2100	sahiba_8.exe
Token: 34	2100	sahiba_8.exe
Token: 35	2100	sahiba_8.exe
Token: SeShutdownPrivilege	1192	Process not Found
Token: SeDebugPrivilege	1152	sahiba_6.exe
Token: SeDebugPrivilege	548	taskkill.exe
Token: SeDebugPrivilege	2840	sahiba_4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 2872	1324	a15432e92d18c9f770b06b7fbecf68e5.exe	28
PID 1324 wrote to memory of 2872	1324	a15432e92d18c9f770b06b7fbecf68e5.exe	28
PID 1324 wrote to memory of 2872	1324	a15432e92d18c9f770b06b7fbecf68e5.exe	28
PID 1324 wrote to memory of 2872	1324	a15432e92d18c9f770b06b7fbecf68e5.exe	28
PID 1324 wrote to memory of 2872	1324	a15432e92d18c9f770b06b7fbecf68e5.exe	28
PID 1324 wrote to memory of 2872	1324	a15432e92d18c9f770b06b7fbecf68e5.exe	28
PID 1324 wrote to memory of 2872	1324	a15432e92d18c9f770b06b7fbecf68e5.exe	28
PID 2872 wrote to memory of 2536	2872	setup_installer.exe	29
PID 2872 wrote to memory of 2536	2872	setup_installer.exe	29
PID 2872 wrote to memory of 2536	2872	setup_installer.exe	29
PID 2872 wrote to memory of 2536	2872	setup_installer.exe	29
PID 2872 wrote to memory of 2536	2872	setup_installer.exe	29
PID 2872 wrote to memory of 2536	2872	setup_installer.exe	29
PID 2872 wrote to memory of 2536	2872	setup_installer.exe	29
PID 2536 wrote to memory of 2292	2536	setup_install.exe	31
PID 2536 wrote to memory of 2292	2536	setup_install.exe	31
PID 2536 wrote to memory of 2292	2536	setup_install.exe	31
PID 2536 wrote to memory of 2292	2536	setup_install.exe	31
PID 2536 wrote to memory of 2292	2536	setup_install.exe	31
PID 2536 wrote to memory of 2292	2536	setup_install.exe	31
PID 2536 wrote to memory of 2292	2536	setup_install.exe	31
PID 2536 wrote to memory of 1624	2536	setup_install.exe	35
PID 2536 wrote to memory of 1624	2536	setup_install.exe	35
PID 2536 wrote to memory of 1624	2536	setup_install.exe	35
PID 2536 wrote to memory of 1624	2536	setup_install.exe	35
PID 2536 wrote to memory of 1624	2536	setup_install.exe	35
PID 2536 wrote to memory of 1624	2536	setup_install.exe	35
PID 2536 wrote to memory of 1624	2536	setup_install.exe	35
PID 2536 wrote to memory of 1844	2536	setup_install.exe	34
PID 2536 wrote to memory of 1844	2536	setup_install.exe	34
PID 2536 wrote to memory of 1844	2536	setup_install.exe	34
PID 2536 wrote to memory of 1844	2536	setup_install.exe	34
PID 2536 wrote to memory of 1844	2536	setup_install.exe	34
PID 2536 wrote to memory of 1844	2536	setup_install.exe	34
PID 2536 wrote to memory of 1844	2536	setup_install.exe	34
PID 2536 wrote to memory of 1000	2536	setup_install.exe	33
PID 2536 wrote to memory of 1000	2536	setup_install.exe	33
PID 2536 wrote to memory of 1000	2536	setup_install.exe	33
PID 2536 wrote to memory of 1000	2536	setup_install.exe	33
PID 2536 wrote to memory of 1000	2536	setup_install.exe	33
PID 2536 wrote to memory of 1000	2536	setup_install.exe	33
PID 2536 wrote to memory of 1000	2536	setup_install.exe	33
PID 2536 wrote to memory of 1812	2536	setup_install.exe	32
PID 2536 wrote to memory of 1812	2536	setup_install.exe	32
PID 2536 wrote to memory of 1812	2536	setup_install.exe	32
PID 2536 wrote to memory of 1812	2536	setup_install.exe	32
PID 2536 wrote to memory of 1812	2536	setup_install.exe	32
PID 2536 wrote to memory of 1812	2536	setup_install.exe	32
PID 2536 wrote to memory of 1812	2536	setup_install.exe	32
PID 2536 wrote to memory of 1568	2536	setup_install.exe	36
PID 2536 wrote to memory of 1568	2536	setup_install.exe	36
PID 2536 wrote to memory of 1568	2536	setup_install.exe	36
PID 2536 wrote to memory of 1568	2536	setup_install.exe	36
PID 2536 wrote to memory of 1568	2536	setup_install.exe	36
PID 2536 wrote to memory of 1568	2536	setup_install.exe	36
PID 2536 wrote to memory of 1568	2536	setup_install.exe	36
PID 2536 wrote to memory of 2144	2536	setup_install.exe	37
PID 2536 wrote to memory of 2144	2536	setup_install.exe	37
PID 2536 wrote to memory of 2144	2536	setup_install.exe	37
PID 2536 wrote to memory of 2144	2536	setup_install.exe	37
PID 2536 wrote to memory of 2144	2536	setup_install.exe	37
PID 2536 wrote to memory of 2144	2536	setup_install.exe	37
PID 2536 wrote to memory of 2144	2536	setup_install.exe	37
PID 2536 wrote to memory of 988	2536	setup_install.exe	38

C:\Users\Admin\AppData\Local\Temp\a15432e92d18c9f770b06b7fbecf68e5.exe
"C:\Users\Admin\AppData\Local\Temp\a15432e92d18c9f770b06b7fbecf68e5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Users\Admin\AppData\Local\Temp\7zS83BA8FB6\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS83BA8FB6\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sahiba_1.exe
      4⤵
      Loads dropped DLL
      PID:2292
    - - C:\Users\Admin\AppData\Local\Temp\7zS83BA8FB6\sahiba_1.exe
        
        sahiba_1.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2428
      - C:\Users\Admin\AppData\Local\Temp\7zS83BA8FB6\sahiba_1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS83BA8FB6\sahiba_1.exe" -a
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sahiba_5.exe
      4⤵
      Loads dropped DLL
      PID:1812
    - - C:\Users\Admin\AppData\Local\Temp\7zS83BA8FB6\sahiba_5.exe
        
        sahiba_5.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2664
      - C:\Users\Admin\AppData\Local\Temp\is-QQKBN.tmp\sahiba_5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-QQKBN.tmp\sahiba_5.tmp" /SL5="$50170,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS83BA8FB6\sahiba_5.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1080
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sahiba_4.exe
      4⤵
      Loads dropped DLL
      PID:1000
    - - C:\Users\Admin\AppData\Local\Temp\7zS83BA8FB6\sahiba_4.exe
        
        sahiba_4.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2316
      - C:\Users\Admin\AppData\Local\Temp\7zS83BA8FB6\sahiba_4.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83BA8FB6\sahiba_4.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sahiba_3.exe
      4⤵
      Loads dropped DLL
      PID:1844
    - - C:\Users\Admin\AppData\Local\Temp\7zS83BA8FB6\sahiba_3.exe
        
        sahiba_3.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2660
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sahiba_2.exe
      4⤵
      Loads dropped DLL
      PID:1624
    - - C:\Users\Admin\AppData\Local\Temp\7zS83BA8FB6\sahiba_2.exe
        
        sahiba_2.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1748
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sahiba_6.exe
      4⤵
      Loads dropped DLL
      PID:1568
    - - C:\Users\Admin\AppData\Local\Temp\7zS83BA8FB6\sahiba_6.exe
        
        sahiba_6.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sahiba_7.exe
      4⤵
      Loads dropped DLL
      PID:2144
    - - C:\Users\Admin\AppData\Local\Temp\7zS83BA8FB6\sahiba_7.exe
        
        sahiba_7.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:2140
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sahiba_8.exe
      4⤵
      Loads dropped DLL
      PID:988
    - - C:\Users\Admin\AppData\Local\Temp\7zS83BA8FB6\sahiba_8.exe
        
        sahiba_8.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sahiba_9.exe
      4⤵
      Loads dropped DLL
      PID:1800
    - - C:\Users\Admin\AppData\Local\Temp\7zS83BA8FB6\sahiba_9.exe
        
        sahiba_9.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:784
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2992
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /DeleteCookiesWildcard "*.facebook.com"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2200
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        Executes dropped EXE
        
        PID:2976
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
        6⤵
        Executes dropped EXE
        
        PID:2076
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        Executes dropped EXE
        
        PID:2812
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
        6⤵
        Executes dropped EXE
        
        PID:268
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        Executes dropped EXE
        
        PID:2180
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
        6⤵
        Executes dropped EXE
        
        PID:2344
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 428
      4⤵
      Loads dropped DLL
      Program crash
      PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS83BA8FB6\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83BA8FB6\sahiba_1.txt

Filesize
56KB

MD5
c0d18a829910babf695b4fdaea21a047

SHA1
236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

SHA512
cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83BA8FB6\sahiba_2.txt

Filesize
173KB

MD5
6f7b424313d15e08395e1664f3c2402f

SHA1
a76445807230f860a6c2d05b5ae784177cd7322c

SHA256
2a809a37cf2284be58d6dd03b2df2a9bd129ce0d4c035fbbe8b15b329cfefd19

SHA512
15a4265743091f9208ba6546792893e3be7ab3cfa5cb65a39b6a54014c5848f61c934572f5173856e8f565827173bb8636874a3244fb6e2b710cb03dbd947448

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83BA8FB6\sahiba_3.txt

Filesize
540KB

MD5
843b024c6e300916d24c8b26d185a38e

SHA1
945db22a89c8bc328c2504b6a32fa5c4fabe514c

SHA256
3820f614a5bc93944f9ab3c53ecb0a5608e0b60994a4cdeab1ec1b04626ab97e

SHA512
9fc2e374a6c6fcdbdb9ccb3ec8f6f76a65512ca4329554f1d37bb139a84b857e6eee4b7902250c878ca42a0ac9c5a5c6c6112ddc6f30873c940f0af6823d443c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83BA8FB6\sahiba_4.txt

Filesize
397KB

MD5
6e59f2a87fd87c5d5eda76c81cb1b4dd

SHA1
40ec41d0d741be2c1d72090f360398571a2d8cb8

SHA256
cae278dded2dbf48c930e06d333ce32d0d7645d638203892a7c411ea814334db

SHA512
791bbf6ff77ad3d420b31a80b7cf5ba13d17e4e4427a64d4f3dbd6f37f59ab220852b6a859a374bd034a1403c5a6deadb9ffd0f79814a55d0d5e77f630964d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83BA8FB6\sahiba_5.txt

Filesize
759KB

MD5
52e5bf9bc7e415e0dd079bfa2d753054

SHA1
086f3ca067952333f587384ec81ac5cfb343d1db

SHA256
19c5cf5343d2ab1b120d41b3c536340ccb8a6c0656ba9567d7ce5afaed18e277

SHA512
f3386dc44073be1f3bdf471a0144363a55311088738a4e0d87250f2038bcf41bd884afbce8a4d98f57a82d7ba8cfe68c9366ef4c5ba9250a0e470806338054bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83BA8FB6\sahiba_6.txt

Filesize
181KB

MD5
3d7cb53c9a570dc454c1f209ac8e33b7

SHA1
40b96a338aebe63c9b794547e840c9dd3470af6b

SHA256
8bcd2b42e543f9638e5027e4e5cb19c46dd2bbed9f2038524b65d882f1775005

SHA512
cb250d5fdbaa90ae715856e791e4d0afb6ee2ba9975e48b9059a15926f481abb296b8340433c3aa36d56288981c6f3b67af503f61c16afc0d75e83e3ebd967cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83BA8FB6\sahiba_7.txt

Filesize
1.2MB

MD5
aca9e3d2f97237a4c3dd38a63bf092bc

SHA1
eec122a60c2433ee912c7f15d45be983170de81a

SHA256
fb927a1a69165c7e0dcb5365830d43a8dcb2210036ee121d801d02ee6b7a5458

SHA512
9c9b2387390e57ea68e4f9981070319c94bd2808ba0450eb373ae341d42398837d23a8982811779cb9ff854c92901d10fb37158560231554c07a49e7e3646a66

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83BA8FB6\sahiba_8.txt

Filesize
960KB

MD5
f79fcf8817db53aaa4bfe9e6408aa77b

SHA1
cbccb86adc4d1b9a5e0376f7e0fabe34ef22c330

SHA256
27d2fe85bfb68cdfe615d13fea476486e80bc6be6f061106a2e6d5a635cf1a54

SHA512
e2cf23806527a6d666d144e6b037a252607d8e632b394b7b778a1e21beba2581a515f502106ac4f5154be898afe174d875603332a9d5e976d04352c2e99b1a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83BA8FB6\sahiba_9.txt

Filesize
983KB

MD5
270dd1da0ab7f38cdff6fab84562ec7a

SHA1
cf7be169ee4415085baeb4aeaa60932ac5abf4ac

SHA256
7d7d5ae0fa9286fea65a6f94240389998ff0d08340a2aedc67ef3547e84d64c6

SHA512
dc3d7d112a8e43c34261f3425ef6710d61cb92d797dd4a1e9b04e02971db42a4a2e2488bf5397c0ec9a6a1a6a718cec77c379377647402099cb7e4a5bb381286

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB201.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB3B8.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
184KB

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
\Users\Admin\AppData\Local\Temp\7zS83BA8FB6\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
\Users\Admin\AppData\Local\Temp\7zS83BA8FB6\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
\Users\Admin\AppData\Local\Temp\7zS83BA8FB6\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
\Users\Admin\AppData\Local\Temp\7zS83BA8FB6\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
\Users\Admin\AppData\Local\Temp\7zS83BA8FB6\sahiba_9.exe

Filesize
960KB

MD5
b03d3a1dfb2ce5e6b75f31347c2127ec

SHA1
ff234256bb5a16278462d4f23748dee715ac830b

SHA256
3f12aa93016f9053ba294077686fb3e43a08f8ffb9d35285ceac5bfcf158efe7

SHA512
e71afc342d1f883972921548445a9f82f0cb712b9db02841e767c609380b377d41ec7ac4757d0c5be28dde63f7603e519dc9115fd7b5b02c5667814c42102784

Download Submit
\Users\Admin\AppData\Local\Temp\7zS83BA8FB6\setup_install.exe

Filesize
287KB

MD5
61c61c48cf7df7831fb43bc1b56e96f6

SHA1
53e54898a17b4b82653c6f6278a92619b4036c3b

SHA256
f487754a7efcb9c9acf0cad09b655bbc3ee712959a39f9f9ecd62ecdbd6b875a

SHA512
99a22c80a9d572bab2a37da329b87b9e1292fba80440151ab0370a513a6e318277967e2e9220901bb32a19659e050cfda5a6b5cdea56bf9f23ea6c796644ba03

Download Submit
\Users\Admin\AppData\Local\Temp\7zS83BA8FB6\setup_install.exe

Filesize
283KB

MD5
8a60bfa2bf77a425c001aca0d53297b7

SHA1
f77bf2e1a15cf3ee494196a301463fb51f39fdee

SHA256
f3145c12f8dcce13a69d1e6a47b34599eb9b710532fe525ab16ba60d2225d00a

SHA512
9019a8dbb0a5067fcdfe5790665052dda749f6a7c5222fb2b121caa45b5da19c8402712450ae82ee31acfd5b624def5671ac38cc0e8a219ef38d1dca94638716

Download Submit
\Users\Admin\AppData\Local\Temp\7zS83BA8FB6\setup_install.exe

Filesize
256KB

MD5
a2eeeba94af250de0804066837eb49de

SHA1
bf3f464da0c8fe06420ee8049b981b47c89ec3e3

SHA256
985d4d648ee287d25884a792c60d140b5d1d25541eb8ae07eeeebd7ebc1b619c

SHA512
24c7dc89d5b3a6558c0bfda620ecf02514542a17d6fbf2d4da967b7744b47aa19f9c43cf9753ebd0d863d73cc1a7bd680c6c5b1e3afd3f6f8036afcd06f87a9e

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
3.5MB

MD5
d9bf5a4a57360e80dd0674d8d127c906

SHA1
ada3ace75758cf3430d1a61575afda752cd12d89

SHA256
99ab43493604011b133c4a11a4e737359aac4a74ad33b6eb88ba5e2171ffe1d7

SHA512
e72b6b111b8ff17d2077f6a9f7a64033ce6f80e24d37811f4c246e3717454dda85b566bfda8899fb8da371a9bf3424d209816ad5d4e6f89ecbf2dbb2c794c665

Download Submit
memory/268-311-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/784-342-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/784-452-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/784-515-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/784-514-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/784-513-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/784-506-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/784-505-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/784-504-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/784-503-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/784-502-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/784-500-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/784-501-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/784-499-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/784-497-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/784-314-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/784-174-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/784-451-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/784-450-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/784-315-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/784-175-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/784-352-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/784-316-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/784-327-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/784-317-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/784-205-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/784-203-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/784-204-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/784-197-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/784-329-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/784-166-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/784-183-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/1080-365-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/1152-164-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1152-449-0x000007FEF4CC0000-0x000007FEF56AC000-memory.dmp

Filesize
9.9MB

Download
memory/1152-169-0x0000000000250000-0x0000000000276000-memory.dmp

Filesize
152KB

Download
memory/1152-490-0x000007FEF4CC0000-0x000007FEF56AC000-memory.dmp

Filesize
9.9MB

Download
memory/1152-165-0x000007FEF4CC0000-0x000007FEF56AC000-memory.dmp

Filesize
9.9MB

Download
memory/1152-313-0x000000001B180000-0x000000001B200000-memory.dmp

Filesize
512KB

Download
memory/1152-156-0x0000000001300000-0x0000000001336000-memory.dmp

Filesize
216KB

Download
memory/1152-209-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/1192-318-0x0000000002A70000-0x0000000002A86000-memory.dmp

Filesize
88KB

Download
memory/1748-168-0x0000000000250000-0x0000000000259000-memory.dmp

Filesize
36KB

Download
memory/1748-167-0x0000000002D40000-0x0000000002E40000-memory.dmp

Filesize
1024KB

Download
memory/1748-170-0x0000000000400000-0x0000000002C63000-memory.dmp

Filesize
40.4MB

Download
memory/1748-319-0x0000000000400000-0x0000000002C63000-memory.dmp

Filesize
40.4MB

Download
memory/2076-202-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2180-330-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2200-154-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2316-230-0x0000000000E60000-0x0000000000ECA000-memory.dmp

Filesize
424KB

Download
memory/2344-340-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2536-300-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2536-89-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2536-308-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2536-312-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2536-83-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2536-302-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2536-301-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2536-84-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2536-299-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2536-54-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2536-85-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2536-87-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2536-60-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2536-88-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2536-71-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2536-74-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2536-90-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2536-65-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2536-73-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2536-72-0x0000000000520000-0x000000000063E000-memory.dmp

Filesize
1.1MB

Download
memory/2536-91-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2536-81-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2536-80-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2536-75-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2536-79-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2536-76-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2536-77-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2664-366-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2664-121-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2664-341-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2812-310-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2840-438-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2840-435-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2840-446-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2840-433-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2840-444-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2840-442-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2840-437-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2840-448-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2872-45-0x0000000002B60000-0x0000000002C7E000-memory.dmp

Filesize
1.1MB

Download
memory/2872-52-0x0000000002B60000-0x0000000002C7E000-memory.dmp

Filesize
1.1MB

Download
memory/2976-498-0x0000000000240000-0x000000000029B000-memory.dmp

Filesize
364KB

Download
memory/2976-201-0x0000000000240000-0x000000000029B000-memory.dmp

Filesize
364KB

Download
memory/2976-199-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2992-153-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2992-155-0x00000000001D0000-0x00000000001DD000-memory.dmp

Filesize
52KB

Download