fabookie | 261b33850dd1404b22acfd5fe7e46806dce68f710f9b21b7ec00a264804e2137

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-02-2024 07:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_installer.exe
Size

3.5MB
MD5

d9bf5a4a57360e80dd0674d8d127c906
SHA1

ada3ace75758cf3430d1a61575afda752cd12d89
SHA256

99ab43493604011b133c4a11a4e737359aac4a74ad33b6eb88ba5e2171ffe1d7
SHA512

e72b6b111b8ff17d2077f6a9f7a64033ce6f80e24d37811f4c246e3717454dda85b566bfda8899fb8da371a9bf3424d209816ad5d4e6f89ecbf2dbb2c794c665
SSDEEP

98304:x+YWYM+AQt8ONp5oeL8hK3oVOpMoZFCvLUBsKpM:x4Yt8opyeiK3oVOtZ2LUCKS

Malware Config

Extracted

Family

nullmixer

http://watira.xyz/

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

vidar

Version

39.9

Botnet

706

https://prophefliloc.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

ANINEWONE

zisiarenal.xyz:80

Signatures

Detect Fabookie payload 3 IoCs

Processes:

resource	yara_rule
behavioral3/files/0x0006000000015f19-91.dat	family_fabookie
behavioral3/files/0x0006000000015f19-118.dat	family_fabookie
behavioral3/files/0x0006000000015f19-116.dat	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral3/memory/1044-454-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral3/memory/1044-455-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral3/memory/1044-458-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral3/memory/1044-460-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral3/memory/1044-463-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral3/memory/1044-454-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral3/memory/1044-455-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral3/memory/1044-458-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral3/memory/1044-460-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral3/memory/1044-463-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 1 IoCs

Processes:

resource	yara_rule
behavioral3/files/0x0006000000015eb2-90.dat	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Nirsoft 8 IoCs

Processes:

resource	yara_rule
behavioral3/memory/3048-166-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral3/memory/1160-167-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral3/memory/2924-322-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral3/memory/2432-308-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral3/memory/768-355-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral3/memory/1536-356-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral3/memory/2024-433-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral3/memory/2776-426-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft

Vidar Stealer 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral3/memory/1668-242-0x0000000002F00000-0x0000000002F9D000-memory.dmp	family_vidar
behavioral3/memory/1668-280-0x0000000000400000-0x0000000002CBF000-memory.dmp	family_vidar
behavioral3/memory/1668-452-0x0000000000400000-0x0000000002CBF000-memory.dmp	family_vidar
behavioral3/memory/1668-462-0x0000000000400000-0x0000000002CBF000-memory.dmp	family_vidar

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
behavioral3/files/0x00060000000165b8-31.dat	aspack_v212_v242
behavioral3/files/0x000600000001616e-46.dat	aspack_v212_v242
behavioral3/files/0x000600000001604a-48.dat	aspack_v212_v242
behavioral3/files/0x0006000000016350-54.dat	aspack_v212_v242

Executes dropped EXE 22 IoCs

Processes:

setup_install.exesahiba_1.exesahiba_5.exesahiba_2.exesahiba_3.exesahiba_9.exesahiba_6.exesahiba_7.exesahiba_1.exesahiba_4.exesahiba_8.exesahiba_5.tmpjfiag3g_gg.exejfiag3g_gg.exejfiag3g_gg.exejfiag3g_gg.exejfiag3g_gg.exejfiag3g_gg.exesahiba_4.exejfiag3g_gg.exejfiag3g_gg.exesahiba_4.exe

pid	Process
2616	setup_install.exe
1476	sahiba_1.exe
2532	sahiba_5.exe
1824	sahiba_2.exe
1668	sahiba_3.exe
1496	sahiba_9.exe
1840	sahiba_6.exe
592	sahiba_7.exe
820	sahiba_1.exe
2536	sahiba_4.exe
1648	sahiba_8.exe
1444	sahiba_5.tmp
3048	jfiag3g_gg.exe
1160	jfiag3g_gg.exe
2432	jfiag3g_gg.exe
2924	jfiag3g_gg.exe
768	jfiag3g_gg.exe
1536	jfiag3g_gg.exe
528	sahiba_4.exe
2776	jfiag3g_gg.exe
2024	jfiag3g_gg.exe
1044	sahiba_4.exe

Loads dropped DLL 64 IoCs

Processes:

setup_installer.exesetup_install.execmd.execmd.execmd.execmd.exesahiba_5.execmd.exesahiba_1.exesahiba_2.execmd.exesahiba_3.exesahiba_9.execmd.execmd.exesahiba_7.exesahiba_1.execmd.exesahiba_4.exesahiba_8.exesahiba_5.tmpjfiag3g_gg.exejfiag3g_gg.exeWerFault.exejfiag3g_gg.exe

pid	Process
2516	setup_installer.exe
2516	setup_installer.exe
2516	setup_installer.exe
2616	setup_install.exe
2616	setup_install.exe
2616	setup_install.exe
2616	setup_install.exe
2616	setup_install.exe
2616	setup_install.exe
2616	setup_install.exe
2616	setup_install.exe
2788	cmd.exe
2788	cmd.exe
2800	cmd.exe
2524	cmd.exe
2524	cmd.exe
2720	cmd.exe
2532	sahiba_5.exe
2532	sahiba_5.exe
2908	cmd.exe
2720	cmd.exe
1476	sahiba_1.exe
1476	sahiba_1.exe
1824	sahiba_2.exe
1824	sahiba_2.exe
2164	cmd.exe
1668	sahiba_3.exe
1668	sahiba_3.exe
1496	sahiba_9.exe
1496	sahiba_9.exe
2928	cmd.exe
1476	sahiba_1.exe
2820	cmd.exe
2820	cmd.exe
592	sahiba_7.exe
592	sahiba_7.exe
820	sahiba_1.exe
820	sahiba_1.exe
2476	cmd.exe
2536	sahiba_4.exe
2536	sahiba_4.exe
2532	sahiba_5.exe
1648	sahiba_8.exe
1648	sahiba_8.exe
1444	sahiba_5.tmp
1444	sahiba_5.tmp
1444	sahiba_5.tmp
1496	sahiba_9.exe
1496	sahiba_9.exe
3048	jfiag3g_gg.exe
3048	jfiag3g_gg.exe
1496	sahiba_9.exe
1496	sahiba_9.exe
1160	jfiag3g_gg.exe
1160	jfiag3g_gg.exe
2956	WerFault.exe
2956	WerFault.exe
2956	WerFault.exe
1496	sahiba_9.exe
1496	sahiba_9.exe
2432	jfiag3g_gg.exe
2432	jfiag3g_gg.exe
1496	sahiba_9.exe
1496	sahiba_9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral3/files/0x0006000000016cc1-157.dat	upx
behavioral3/memory/3048-166-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral3/memory/1160-167-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral3/memory/2924-322-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral3/memory/2432-308-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral3/memory/768-355-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral3/memory/1536-356-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral3/memory/2024-433-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral3/memory/2776-426-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

Processes:

flow	ioc
50	iplogger.org
51	iplogger.org
92	iplogger.org
99	iplogger.org

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
28	api.db-ip.com
5	ipinfo.io
9	ipinfo.io
15	ip-api.com
27	api.db-ip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 1 IoCs

Processes:

sahiba_4.exe

description	pid	Process	procid_target
PID 2536 set thread context of 1044	2536	sahiba_4.exe	61

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2956	2616	WerFault.exe	28

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

sahiba_2.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
1600	taskkill.exe

Modifies system certificate store 2 TTPs 14 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

sahiba_8.exesahiba_7.exesahiba_3.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	sahiba_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	sahiba_7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	sahiba_8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	sahiba_8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	sahiba_8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	sahiba_7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	sahiba_8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	sahiba_8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	sahiba_8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sahiba_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	sahiba_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	sahiba_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	sahiba_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sahiba_3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sahiba_2.exe

pid	Process
1824	sahiba_2.exe
1824	sahiba_2.exe
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

sahiba_2.exe

pid	Process
1824	sahiba_2.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

sahiba_8.exesahiba_6.exetaskkill.exesahiba_4.exe

description	pid	Process
Token: SeCreateTokenPrivilege	1648	sahiba_8.exe
Token: SeAssignPrimaryTokenPrivilege	1648	sahiba_8.exe
Token: SeLockMemoryPrivilege	1648	sahiba_8.exe
Token: SeIncreaseQuotaPrivilege	1648	sahiba_8.exe
Token: SeMachineAccountPrivilege	1648	sahiba_8.exe
Token: SeTcbPrivilege	1648	sahiba_8.exe
Token: SeSecurityPrivilege	1648	sahiba_8.exe
Token: SeTakeOwnershipPrivilege	1648	sahiba_8.exe
Token: SeLoadDriverPrivilege	1648	sahiba_8.exe
Token: SeSystemProfilePrivilege	1648	sahiba_8.exe
Token: SeSystemtimePrivilege	1648	sahiba_8.exe
Token: SeProfSingleProcessPrivilege	1648	sahiba_8.exe
Token: SeIncBasePriorityPrivilege	1648	sahiba_8.exe
Token: SeCreatePagefilePrivilege	1648	sahiba_8.exe
Token: SeCreatePermanentPrivilege	1648	sahiba_8.exe
Token: SeBackupPrivilege	1648	sahiba_8.exe
Token: SeRestorePrivilege	1648	sahiba_8.exe
Token: SeShutdownPrivilege	1648	sahiba_8.exe
Token: SeDebugPrivilege	1648	sahiba_8.exe
Token: SeAuditPrivilege	1648	sahiba_8.exe
Token: SeSystemEnvironmentPrivilege	1648	sahiba_8.exe
Token: SeChangeNotifyPrivilege	1648	sahiba_8.exe
Token: SeRemoteShutdownPrivilege	1648	sahiba_8.exe
Token: SeUndockPrivilege	1648	sahiba_8.exe
Token: SeSyncAgentPrivilege	1648	sahiba_8.exe
Token: SeEnableDelegationPrivilege	1648	sahiba_8.exe
Token: SeManageVolumePrivilege	1648	sahiba_8.exe
Token: SeImpersonatePrivilege	1648	sahiba_8.exe
Token: SeCreateGlobalPrivilege	1648	sahiba_8.exe
Token: 31	1648	sahiba_8.exe
Token: 32	1648	sahiba_8.exe
Token: 33	1648	sahiba_8.exe
Token: 34	1648	sahiba_8.exe
Token: 35	1648	sahiba_8.exe
Token: SeDebugPrivilege	1840	sahiba_6.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeDebugPrivilege	1044	sahiba_4.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup_installer.exesetup_install.exe

description	pid	Process	procid_target
PID 2516 wrote to memory of 2616	2516	setup_installer.exe	28
PID 2516 wrote to memory of 2616	2516	setup_installer.exe	28
PID 2516 wrote to memory of 2616	2516	setup_installer.exe	28
PID 2516 wrote to memory of 2616	2516	setup_installer.exe	28
PID 2516 wrote to memory of 2616	2516	setup_installer.exe	28
PID 2516 wrote to memory of 2616	2516	setup_installer.exe	28
PID 2516 wrote to memory of 2616	2516	setup_installer.exe	28
PID 2616 wrote to memory of 2788	2616	setup_install.exe	38
PID 2616 wrote to memory of 2788	2616	setup_install.exe	38
PID 2616 wrote to memory of 2788	2616	setup_install.exe	38
PID 2616 wrote to memory of 2788	2616	setup_install.exe	38
PID 2616 wrote to memory of 2788	2616	setup_install.exe	38
PID 2616 wrote to memory of 2788	2616	setup_install.exe	38
PID 2616 wrote to memory of 2788	2616	setup_install.exe	38
PID 2616 wrote to memory of 2720	2616	setup_install.exe	30
PID 2616 wrote to memory of 2720	2616	setup_install.exe	30
PID 2616 wrote to memory of 2720	2616	setup_install.exe	30
PID 2616 wrote to memory of 2720	2616	setup_install.exe	30
PID 2616 wrote to memory of 2720	2616	setup_install.exe	30
PID 2616 wrote to memory of 2720	2616	setup_install.exe	30
PID 2616 wrote to memory of 2720	2616	setup_install.exe	30
PID 2616 wrote to memory of 2524	2616	setup_install.exe	34
PID 2616 wrote to memory of 2524	2616	setup_install.exe	34
PID 2616 wrote to memory of 2524	2616	setup_install.exe	34
PID 2616 wrote to memory of 2524	2616	setup_install.exe	34
PID 2616 wrote to memory of 2524	2616	setup_install.exe	34
PID 2616 wrote to memory of 2524	2616	setup_install.exe	34
PID 2616 wrote to memory of 2524	2616	setup_install.exe	34
PID 2616 wrote to memory of 2820	2616	setup_install.exe	33
PID 2616 wrote to memory of 2820	2616	setup_install.exe	33
PID 2616 wrote to memory of 2820	2616	setup_install.exe	33
PID 2616 wrote to memory of 2820	2616	setup_install.exe	33
PID 2616 wrote to memory of 2820	2616	setup_install.exe	33
PID 2616 wrote to memory of 2820	2616	setup_install.exe	33
PID 2616 wrote to memory of 2820	2616	setup_install.exe	33
PID 2616 wrote to memory of 2800	2616	setup_install.exe	32
PID 2616 wrote to memory of 2800	2616	setup_install.exe	32
PID 2616 wrote to memory of 2800	2616	setup_install.exe	32
PID 2616 wrote to memory of 2800	2616	setup_install.exe	32
PID 2616 wrote to memory of 2800	2616	setup_install.exe	32
PID 2616 wrote to memory of 2800	2616	setup_install.exe	32
PID 2616 wrote to memory of 2800	2616	setup_install.exe	32
PID 2616 wrote to memory of 2908	2616	setup_install.exe	31
PID 2616 wrote to memory of 2908	2616	setup_install.exe	31
PID 2616 wrote to memory of 2908	2616	setup_install.exe	31
PID 2616 wrote to memory of 2908	2616	setup_install.exe	31
PID 2616 wrote to memory of 2908	2616	setup_install.exe	31
PID 2616 wrote to memory of 2908	2616	setup_install.exe	31
PID 2616 wrote to memory of 2908	2616	setup_install.exe	31
PID 2616 wrote to memory of 2928	2616	setup_install.exe	37
PID 2616 wrote to memory of 2928	2616	setup_install.exe	37
PID 2616 wrote to memory of 2928	2616	setup_install.exe	37
PID 2616 wrote to memory of 2928	2616	setup_install.exe	37
PID 2616 wrote to memory of 2928	2616	setup_install.exe	37
PID 2616 wrote to memory of 2928	2616	setup_install.exe	37
PID 2616 wrote to memory of 2928	2616	setup_install.exe	37
PID 2616 wrote to memory of 2476	2616	setup_install.exe	36
PID 2616 wrote to memory of 2476	2616	setup_install.exe	36
PID 2616 wrote to memory of 2476	2616	setup_install.exe	36
PID 2616 wrote to memory of 2476	2616	setup_install.exe	36
PID 2616 wrote to memory of 2476	2616	setup_install.exe	36
PID 2616 wrote to memory of 2476	2616	setup_install.exe	36
PID 2616 wrote to memory of 2476	2616	setup_install.exe	36
PID 2616 wrote to memory of 2164	2616	setup_install.exe	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_2.exe
    3⤵
    - Loads dropped DLL
    PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\sahiba_2.exe
      sahiba_2.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:1824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_6.exe
    3⤵
    - Loads dropped DLL
    PID:2908
  - - C:\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\sahiba_6.exe
      sahiba_6.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_5.exe
    3⤵
    - Loads dropped DLL
    PID:2800
  - - C:\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\sahiba_5.exe
      sahiba_5.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_4.exe
    3⤵
    - Loads dropped DLL
    PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\sahiba_4.exe
      sahiba_4.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      PID:2536
    - - C:\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\sahiba_4.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\sahiba_4.exe
        5⤵
        Executes dropped EXE
        
        PID:528
    - - C:\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\sahiba_4.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\sahiba_4.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_3.exe
    3⤵
    - Loads dropped DLL
    PID:2524
  - - C:\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\sahiba_3.exe
      sahiba_3.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_9.exe
    3⤵
    - Loads dropped DLL
    PID:2164
  - - C:\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\sahiba_9.exe
      sahiba_9.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1496
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3048
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /DeleteCookiesWildcard "*.facebook.com"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1160
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
        5⤵
        Executes dropped EXE
        
        PID:2924
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2432
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
        5⤵
        Executes dropped EXE
        
        PID:1536
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        
        PID:768
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        
        PID:2776
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
        5⤵
        Executes dropped EXE
        
        PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_8.exe
    3⤵
    - Loads dropped DLL
    PID:2476
  - - C:\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\sahiba_8.exe
      sahiba_8.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:1648
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        
        PID:1620
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_7.exe
    3⤵
    - Loads dropped DLL
    PID:2928
  - - C:\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\sahiba_7.exe
      sahiba_7.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      PID:592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_1.exe
    3⤵
    - Loads dropped DLL
    PID:2788
  - - C:\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\sahiba_1.exe
      sahiba_1.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1476
    - - C:\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\sahiba_1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\sahiba_1.exe" -a
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 424
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2956

C:\Users\Admin\AppData\Local\Temp\is-BDENG.tmp\sahiba_5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BDENG.tmp\sahiba_5.tmp" /SL5="$40174,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\sahiba_5.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7a76455e04e3eaa68f25b31f98c9884f

SHA1
263906c3c367781f4748ed6ab282584f2c9b1139

SHA256
ac85710186ecb0796085989b1dbde1a53b31aa03857d0e1f96393c20c07beb88

SHA512
aa2fc723d827ff054cf259725cc87d19b7b2cf6383fd72cd01bf6cd4f02cbb6cde7845f805df9ebb0c5bd264fe647d2c2a26df2ce375034e3416633fc4a356bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\sahiba_1.txt

Filesize
56KB

MD5
c0d18a829910babf695b4fdaea21a047

SHA1
236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

SHA512
cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\sahiba_2.txt

Filesize
173KB

MD5
6f7b424313d15e08395e1664f3c2402f

SHA1
a76445807230f860a6c2d05b5ae784177cd7322c

SHA256
2a809a37cf2284be58d6dd03b2df2a9bd129ce0d4c035fbbe8b15b329cfefd19

SHA512
15a4265743091f9208ba6546792893e3be7ab3cfa5cb65a39b6a54014c5848f61c934572f5173856e8f565827173bb8636874a3244fb6e2b710cb03dbd947448

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\sahiba_3.txt

Filesize
540KB

MD5
843b024c6e300916d24c8b26d185a38e

SHA1
945db22a89c8bc328c2504b6a32fa5c4fabe514c

SHA256
3820f614a5bc93944f9ab3c53ecb0a5608e0b60994a4cdeab1ec1b04626ab97e

SHA512
9fc2e374a6c6fcdbdb9ccb3ec8f6f76a65512ca4329554f1d37bb139a84b857e6eee4b7902250c878ca42a0ac9c5a5c6c6112ddc6f30873c940f0af6823d443c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\sahiba_4.txt

Filesize
397KB

MD5
6e59f2a87fd87c5d5eda76c81cb1b4dd

SHA1
40ec41d0d741be2c1d72090f360398571a2d8cb8

SHA256
cae278dded2dbf48c930e06d333ce32d0d7645d638203892a7c411ea814334db

SHA512
791bbf6ff77ad3d420b31a80b7cf5ba13d17e4e4427a64d4f3dbd6f37f59ab220852b6a859a374bd034a1403c5a6deadb9ffd0f79814a55d0d5e77f630964d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\sahiba_5.txt

Filesize
759KB

MD5
52e5bf9bc7e415e0dd079bfa2d753054

SHA1
086f3ca067952333f587384ec81ac5cfb343d1db

SHA256
19c5cf5343d2ab1b120d41b3c536340ccb8a6c0656ba9567d7ce5afaed18e277

SHA512
f3386dc44073be1f3bdf471a0144363a55311088738a4e0d87250f2038bcf41bd884afbce8a4d98f57a82d7ba8cfe68c9366ef4c5ba9250a0e470806338054bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\sahiba_6.txt

Filesize
181KB

MD5
3d7cb53c9a570dc454c1f209ac8e33b7

SHA1
40b96a338aebe63c9b794547e840c9dd3470af6b

SHA256
8bcd2b42e543f9638e5027e4e5cb19c46dd2bbed9f2038524b65d882f1775005

SHA512
cb250d5fdbaa90ae715856e791e4d0afb6ee2ba9975e48b9059a15926f481abb296b8340433c3aa36d56288981c6f3b67af503f61c16afc0d75e83e3ebd967cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\sahiba_7.txt

Filesize
1.2MB

MD5
aca9e3d2f97237a4c3dd38a63bf092bc

SHA1
eec122a60c2433ee912c7f15d45be983170de81a

SHA256
fb927a1a69165c7e0dcb5365830d43a8dcb2210036ee121d801d02ee6b7a5458

SHA512
9c9b2387390e57ea68e4f9981070319c94bd2808ba0450eb373ae341d42398837d23a8982811779cb9ff854c92901d10fb37158560231554c07a49e7e3646a66

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\sahiba_8.txt

Filesize
1.4MB

MD5
3f299a733908c56974074ca13f93d664

SHA1
f450fe5e211b5328c86e8b778bcb9d3cdc6abd01

SHA256
9a71d17c1442de60ac7983848c42114fa21298105b2924db66b2103c584612f9

SHA512
0dc4dfed574e3c3b34725552a5c10d8460536e1dce4ec996f825dd7679776ef61d34ac0b498b6597189d11aad43a943ed035ed1a4897b2d4325ccde5e46828a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\sahiba_9.exe

Filesize
192KB

MD5
a0ba3205320c866bcdf51fcf429ee6ca

SHA1
380af2bb1b1567ee65b644c9c07c3864ec70530d

SHA256
5d188ae82fd1e31462699dd7360ee9bfd9943286c2508b655888c3c57c8d4b0e

SHA512
c76ce1582bb86878c5bacc425c85ca081ab416d0de970ea9bfdfc14d78af242d9fda3131e40aecf9d2b92cfb042533d1cddb0d238f81ecb67c5ee25ef7665975

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\sahiba_9.txt

Filesize
983KB

MD5
270dd1da0ab7f38cdff6fab84562ec7a

SHA1
cf7be169ee4415085baeb4aeaa60932ac5abf4ac

SHA256
7d7d5ae0fa9286fea65a6f94240389998ff0d08340a2aedc67ef3547e84d64c6

SHA512
dc3d7d112a8e43c34261f3425ef6710d61cb92d797dd4a1e9b04e02971db42a4a2e2488bf5397c0ec9a6a1a6a718cec77c379377647402099cb7e4a5bb381286

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5514.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar56A9.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
184KB

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\sahiba_5.exe

Filesize
320KB

MD5
dc3519504a8b5d29e2e605ecb1ea3cbd

SHA1
8de4b5c84c85ebd6bdb0895f2b29e701a8a90103

SHA256
ca76a00fab7c62f8bbea9f00851e00f7f39067d0bd905d5eae3e7b874a0f842f

SHA512
287787290d4f576258105d3cd3a8cb11e95f30fe7e96334470fee07d74b7f56f8e19f41088c506bb39556d3ab84146866b146ad05f44cd0668e09c25e5efa760

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\sahiba_5.exe

Filesize
448KB

MD5
73b083a9edb43fccb5c58f3d2d4b7972

SHA1
a1c5bc0ea0b44827d1972efd580225eef92175e1

SHA256
7d0493d8dfd07064f6c0e7ba202184220ac751709cf932127e6f5600cabd56bb

SHA512
c9811e18aa46ce6a8e238cc8c398ea7edb74416018aff1d64993a818c583e69803ce709d4d9d2b57c503085ecfe23875dc7fe1d59104a93b2077f2e253820281

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\sahiba_9.exe

Filesize
128KB

MD5
314a9146f0652c44e27836172b5b043f

SHA1
329ae856e707a65be16fc7e869ede99b14cd9e9d

SHA256
9799150a0fedaf6841e07ded6396a8924b74ac7cda8a7992dfa0ef28045e8cff

SHA512
db2b9d0fe8a574a5364007d5bc707c1ae8aa270ce962e30f0f81629c5ecbd2113516162a980e305233554b02d609fc773083350ffe6ca03a8fab8f7792043756

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4D9CFF26\setup_install.exe

Filesize
287KB

MD5
61c61c48cf7df7831fb43bc1b56e96f6

SHA1
53e54898a17b4b82653c6f6278a92619b4036c3b

SHA256
f487754a7efcb9c9acf0cad09b655bbc3ee712959a39f9f9ecd62ecdbd6b875a

SHA512
99a22c80a9d572bab2a37da329b87b9e1292fba80440151ab0370a513a6e318277967e2e9220901bb32a19659e050cfda5a6b5cdea56bf9f23ea6c796644ba03

Download Submit
memory/768-355-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1044-463-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1044-460-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1044-458-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1044-456-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1044-455-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1044-454-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1044-453-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1044-450-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1160-167-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1160-168-0x0000000000240000-0x000000000024D000-memory.dmp

Filesize
52KB

Download
memory/1224-372-0x0000000002B60000-0x0000000002B76000-memory.dmp

Filesize
88KB

Download
memory/1444-291-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/1496-323-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1496-321-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1496-469-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1496-324-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1496-478-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1496-479-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1496-480-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1496-481-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1496-527-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1496-529-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1496-428-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1496-427-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1496-528-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1496-368-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1496-526-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1496-531-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1496-467-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1496-429-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1496-476-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1496-532-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1496-370-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1496-371-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1496-239-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1496-240-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1496-328-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1496-534-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1496-369-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1496-533-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1496-282-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1496-281-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1536-356-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1668-280-0x0000000000400000-0x0000000002CBF000-memory.dmp

Filesize
40.7MB

Download
memory/1668-242-0x0000000002F00000-0x0000000002F9D000-memory.dmp

Filesize
628KB

Download
memory/1668-452-0x0000000000400000-0x0000000002CBF000-memory.dmp

Filesize
40.7MB

Download
memory/1668-241-0x0000000002E00000-0x0000000002F00000-memory.dmp

Filesize
1024KB

Download
memory/1668-468-0x0000000002E00000-0x0000000002F00000-memory.dmp

Filesize
1024KB

Download
memory/1668-462-0x0000000000400000-0x0000000002CBF000-memory.dmp

Filesize
40.7MB

Download
memory/1824-383-0x0000000000240000-0x0000000000249000-memory.dmp

Filesize
36KB

Download
memory/1824-373-0x0000000000400000-0x0000000002C63000-memory.dmp

Filesize
40.4MB

Download
memory/1824-285-0x0000000000400000-0x0000000002C63000-memory.dmp

Filesize
40.4MB

Download
memory/1824-144-0x0000000002D80000-0x0000000002E80000-memory.dmp

Filesize
1024KB

Download
memory/1824-145-0x0000000000240000-0x0000000000249000-memory.dmp

Filesize
36KB

Download
memory/1840-251-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/1840-419-0x0000000002040000-0x00000000020C0000-memory.dmp

Filesize
512KB

Download
memory/1840-451-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/1840-284-0x0000000000290000-0x00000000002B6000-memory.dmp

Filesize
152KB

Download
memory/1840-519-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/1840-327-0x00000000003B0000-0x00000000003B6000-memory.dmp

Filesize
24KB

Download
memory/1840-229-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/1840-169-0x00000000000C0000-0x00000000000F6000-memory.dmp

Filesize
216KB

Download
memory/2024-433-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2432-308-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2516-42-0x0000000002C80000-0x0000000002D9E000-memory.dmp

Filesize
1.1MB

Download
memory/2516-41-0x0000000002C80000-0x0000000002D9E000-memory.dmp

Filesize
1.1MB

Download
memory/2516-34-0x0000000002C70000-0x0000000002D8E000-memory.dmp

Filesize
1.1MB

Download
memory/2532-309-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2532-112-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2536-136-0x0000000000BE0000-0x0000000000C4A000-memory.dmp

Filesize
424KB

Download
memory/2616-81-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2616-70-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2616-349-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2616-82-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2616-365-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2616-353-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2616-364-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2616-79-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2616-80-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2616-78-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2616-76-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2616-61-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2616-62-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2616-64-0x0000000000520000-0x000000000063E000-memory.dmp

Filesize
1.1MB

Download
memory/2616-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2616-75-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2616-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2616-366-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2616-74-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2616-71-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2616-73-0x0000000000520000-0x000000000063E000-memory.dmp

Filesize
1.1MB

Download
memory/2616-72-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2616-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2616-67-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2616-367-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2616-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2616-63-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2616-60-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2616-53-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2616-49-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2776-426-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2924-322-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3048-166-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download