fabookie | 64ac76b13292907c1f38ed314a15f7129e09b0acac831d62451a4feb0ae2a54c

Resubmissions

25-02-2024 06:49

240225-hlmnraeh8s 10

25-02-2024 06:48

240225-hk5g6seb99 10

25-02-2024 06:05

240225-gs7rtsdd79 10

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-02-2024 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a311311c248170e59b39810a31a0cd1e.exe
Size

3.3MB
MD5

a311311c248170e59b39810a31a0cd1e
SHA1

2f135d322b06f124e49c951e26a2cbec9b70d771
SHA256

64ac76b13292907c1f38ed314a15f7129e09b0acac831d62451a4feb0ae2a54c
SHA512

887cdcfddb99b18f8ea6b93fd8e4f5eed5475fd09714ef741b3e70f755a780b961b299bbfd6f7a44921aaab5cfbd844ca9a712cd86f1b2aa153f239cf7ffdb9b
SSDEEP

98304:xp4vGqznLtwu7sMB0FQ8da/438P+Z2SCvLUBsKdKCiZ:xp8znxDYFdW4ZZ2jLUCKziZ

Score

10^/10

fabookie nullmixer privateloader redline risepro sectoprat vidar 706 aniold aspackv2 dropper infostealer loader rat spyware stealer trojan upx

Malware Config

Extracted

Family

nullmixer

http://watira.xyz/

Extracted

Family

vidar

Version

39.8

Botnet

706

https://xeronxikxxx.tumblr.com/

Attributes

profile_id
706

Extracted

Family

redline

Botnet

AniOLD

liezaphare.xyz:80

Signatures

Detect Fabookie payload 5 IoCs

resource	yara_rule
behavioral1/files/0x0006000000016d01-117.dat	family_fabookie
behavioral1/files/0x0006000000016d01-129.dat	family_fabookie
behavioral1/files/0x0006000000016d01-128.dat	family_fabookie
behavioral1/files/0x0006000000016d01-127.dat	family_fabookie
behavioral1/files/0x0006000000016d01-89.dat	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/2764-261-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2764-260-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2764-275-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2764-273-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2764-284-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/2764-261-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2764-260-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2764-275-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2764-273-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2764-284-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Nirsoft 8 IoCs

resource	yara_rule
behavioral1/memory/2100-209-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/1756-208-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2308-224-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2184-223-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/3008-293-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2496-309-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2540-335-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/1936-336-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft

Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral1/memory/1068-196-0x0000000000240000-0x00000000002DD000-memory.dmp	family_vidar
behavioral1/memory/1068-198-0x0000000000400000-0x000000000146C000-memory.dmp	family_vidar
behavioral1/memory/1068-290-0x0000000000400000-0x000000000146C000-memory.dmp	family_vidar

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0006000000016d4f-33.dat	aspack_v212_v242
behavioral1/files/0x0006000000016d24-48.dat	aspack_v212_v242
behavioral1/files/0x0006000000016d11-49.dat	aspack_v212_v242
behavioral1/files/0x0006000000016d41-55.dat	aspack_v212_v242
behavioral1/files/0x0006000000016d41-56.dat	aspack_v212_v242

Executes dropped EXE 23 IoCs

pid	Process
1680	setup_install.exe
2388	sahiba_1.exe
1732	sahiba_2.exe
1068	sahiba_3.exe
2356	sahiba_5.exe
1240	sahiba_6.exe
1112	sahiba_10.exe
1940	sahiba_7.exe
2012	sahiba_9.exe
1520	sahiba_4.exe
1536	sahiba_1.exe
1628	sahiba_8.exe
632	sahiba_8.tmp
1836	sahiba_5.tmp
1756	jfiag3g_gg.exe
2100	jfiag3g_gg.exe
2184	jfiag3g_gg.exe
2308	jfiag3g_gg.exe
2764	sahiba_4.exe
3008	jfiag3g_gg.exe
2496	jfiag3g_gg.exe
2540	jfiag3g_gg.exe
1936	jfiag3g_gg.exe

Loads dropped DLL 64 IoCs

pid	Process
1968	a311311c248170e59b39810a31a0cd1e.exe
1968	a311311c248170e59b39810a31a0cd1e.exe
1968	a311311c248170e59b39810a31a0cd1e.exe
1680	setup_install.exe
1680	setup_install.exe
1680	setup_install.exe
1680	setup_install.exe
1680	setup_install.exe
1680	setup_install.exe
1680	setup_install.exe
1680	setup_install.exe
2548	cmd.exe
2548	cmd.exe
2552	cmd.exe
2552	cmd.exe
1732	sahiba_2.exe
1732	sahiba_2.exe
2404	cmd.exe
2404	cmd.exe
2388	sahiba_1.exe
2388	sahiba_1.exe
1068	sahiba_3.exe
1068	sahiba_3.exe
2868	cmd.exe
2676	cmd.exe
2356	sahiba_5.exe
2356	sahiba_5.exe
2600	cmd.exe
2408	cmd.exe
2736	cmd.exe
2736	cmd.exe
2516	cmd.exe
1940	sahiba_7.exe
1940	sahiba_7.exe
2012	sahiba_9.exe
2012	sahiba_9.exe
1520	sahiba_4.exe
1520	sahiba_4.exe
2388	sahiba_1.exe
2424	cmd.exe
1628	sahiba_8.exe
1628	sahiba_8.exe
1536	sahiba_1.exe
1536	sahiba_1.exe
1628	sahiba_8.exe
2356	sahiba_5.exe
1836	sahiba_5.tmp
1836	sahiba_5.tmp
1836	sahiba_5.tmp
632	sahiba_8.tmp
632	sahiba_8.tmp
632	sahiba_8.tmp
900	WerFault.exe
900	WerFault.exe
900	WerFault.exe
900	WerFault.exe
2012	sahiba_9.exe
2012	sahiba_9.exe
1756	jfiag3g_gg.exe
1756	jfiag3g_gg.exe
2012	sahiba_9.exe
2012	sahiba_9.exe
2100	jfiag3g_gg.exe
2100	jfiag3g_gg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2100-209-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/1756-208-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/files/0x000a000000018b6a-206.dat	upx
behavioral1/memory/2308-224-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2184-223-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/3008-293-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2496-309-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2540-335-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/1936-336-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
77	iplogger.org
78	iplogger.org
128	iplogger.org

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ipinfo.io
21	api.db-ip.com
22	api.db-ip.com
33	ip-api.com
2	ipinfo.io

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1520 set thread context of 2764	1520	sahiba_4.exe	58

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
900	1680	WerFault.exe	28
932	1068	WerFault.exe	33

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	sahiba_6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	sahiba_6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	sahiba_7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	sahiba_7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	sahiba_7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	sahiba_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sahiba_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	sahiba_7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sahiba_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	sahiba_6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	sahiba_6.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1940	sahiba_7.exe
1940	sahiba_7.exe
1940	sahiba_7.exe
1940	sahiba_7.exe
1940	sahiba_7.exe
1940	sahiba_7.exe
1940	sahiba_7.exe
1940	sahiba_7.exe
1940	sahiba_7.exe
1940	sahiba_7.exe
1940	sahiba_7.exe
1940	sahiba_7.exe
1940	sahiba_7.exe
1940	sahiba_7.exe
1940	sahiba_7.exe
1940	sahiba_7.exe
1940	sahiba_7.exe
1940	sahiba_7.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1112	sahiba_10.exe
Token: SeDebugPrivilege	1240	sahiba_6.exe
Token: SeDebugPrivilege	2764	sahiba_4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 1680	1968	a311311c248170e59b39810a31a0cd1e.exe	28
PID 1968 wrote to memory of 1680	1968	a311311c248170e59b39810a31a0cd1e.exe	28
PID 1968 wrote to memory of 1680	1968	a311311c248170e59b39810a31a0cd1e.exe	28
PID 1968 wrote to memory of 1680	1968	a311311c248170e59b39810a31a0cd1e.exe	28
PID 1968 wrote to memory of 1680	1968	a311311c248170e59b39810a31a0cd1e.exe	28
PID 1968 wrote to memory of 1680	1968	a311311c248170e59b39810a31a0cd1e.exe	28
PID 1968 wrote to memory of 1680	1968	a311311c248170e59b39810a31a0cd1e.exe	28
PID 1680 wrote to memory of 2552	1680	setup_install.exe	53
PID 1680 wrote to memory of 2552	1680	setup_install.exe	53
PID 1680 wrote to memory of 2552	1680	setup_install.exe	53
PID 1680 wrote to memory of 2552	1680	setup_install.exe	53
PID 1680 wrote to memory of 2552	1680	setup_install.exe	53
PID 1680 wrote to memory of 2552	1680	setup_install.exe	53
PID 1680 wrote to memory of 2552	1680	setup_install.exe	53
PID 1680 wrote to memory of 2548	1680	setup_install.exe	30
PID 1680 wrote to memory of 2548	1680	setup_install.exe	30
PID 1680 wrote to memory of 2548	1680	setup_install.exe	30
PID 1680 wrote to memory of 2548	1680	setup_install.exe	30
PID 1680 wrote to memory of 2548	1680	setup_install.exe	30
PID 1680 wrote to memory of 2548	1680	setup_install.exe	30
PID 1680 wrote to memory of 2548	1680	setup_install.exe	30
PID 1680 wrote to memory of 2404	1680	setup_install.exe	52
PID 1680 wrote to memory of 2404	1680	setup_install.exe	52
PID 1680 wrote to memory of 2404	1680	setup_install.exe	52
PID 1680 wrote to memory of 2404	1680	setup_install.exe	52
PID 1680 wrote to memory of 2404	1680	setup_install.exe	52
PID 1680 wrote to memory of 2404	1680	setup_install.exe	52
PID 1680 wrote to memory of 2404	1680	setup_install.exe	52
PID 1680 wrote to memory of 2736	1680	setup_install.exe	51
PID 1680 wrote to memory of 2736	1680	setup_install.exe	51
PID 1680 wrote to memory of 2736	1680	setup_install.exe	51
PID 1680 wrote to memory of 2736	1680	setup_install.exe	51
PID 1680 wrote to memory of 2736	1680	setup_install.exe	51
PID 1680 wrote to memory of 2736	1680	setup_install.exe	51
PID 1680 wrote to memory of 2736	1680	setup_install.exe	51
PID 1680 wrote to memory of 2676	1680	setup_install.exe	50
PID 1680 wrote to memory of 2676	1680	setup_install.exe	50
PID 1680 wrote to memory of 2676	1680	setup_install.exe	50
PID 1680 wrote to memory of 2676	1680	setup_install.exe	50
PID 1680 wrote to memory of 2676	1680	setup_install.exe	50
PID 1680 wrote to memory of 2676	1680	setup_install.exe	50
PID 1680 wrote to memory of 2676	1680	setup_install.exe	50
PID 1680 wrote to memory of 2868	1680	setup_install.exe	49
PID 1680 wrote to memory of 2868	1680	setup_install.exe	49
PID 1680 wrote to memory of 2868	1680	setup_install.exe	49
PID 1680 wrote to memory of 2868	1680	setup_install.exe	49
PID 1680 wrote to memory of 2868	1680	setup_install.exe	49
PID 1680 wrote to memory of 2868	1680	setup_install.exe	49
PID 1680 wrote to memory of 2868	1680	setup_install.exe	49
PID 1680 wrote to memory of 2516	1680	setup_install.exe	48
PID 1680 wrote to memory of 2516	1680	setup_install.exe	48
PID 1680 wrote to memory of 2516	1680	setup_install.exe	48
PID 1680 wrote to memory of 2516	1680	setup_install.exe	48
PID 1680 wrote to memory of 2516	1680	setup_install.exe	48
PID 1680 wrote to memory of 2516	1680	setup_install.exe	48
PID 1680 wrote to memory of 2516	1680	setup_install.exe	48
PID 1680 wrote to memory of 2424	1680	setup_install.exe	47
PID 1680 wrote to memory of 2424	1680	setup_install.exe	47
PID 1680 wrote to memory of 2424	1680	setup_install.exe	47
PID 1680 wrote to memory of 2424	1680	setup_install.exe	47
PID 1680 wrote to memory of 2424	1680	setup_install.exe	47
PID 1680 wrote to memory of 2424	1680	setup_install.exe	47
PID 1680 wrote to memory of 2424	1680	setup_install.exe	47
PID 2548 wrote to memory of 1732	2548	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\a311311c248170e59b39810a31a0cd1e.exe
"C:\Users\Admin\AppData\Local\Temp\a311311c248170e59b39810a31a0cd1e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Local\Temp\7zS0B7920B6\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS0B7920B6\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_2.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_2.exe
      sahiba_2.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_10.exe
    3⤵
    - Loads dropped DLL
    PID:2408
  - - C:\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_10.exe
      sahiba_10.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_9.exe
    3⤵
    - Loads dropped DLL
    PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_8.exe
    3⤵
    - Loads dropped DLL
    PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_7.exe
    3⤵
    - Loads dropped DLL
    PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_6.exe
    3⤵
    - Loads dropped DLL
    PID:2868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_5.exe
    3⤵
    - Loads dropped DLL
    PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_4.exe
    3⤵
    - Loads dropped DLL
    PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_3.exe
    3⤵
    - Loads dropped DLL
    PID:2404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_1.exe
    3⤵
    - Loads dropped DLL
    PID:2552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 436
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:900

C:\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_3.exe
sahiba_3.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 996
  2⤵
  - Program crash
  PID:932

C:\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_9.exe
sahiba_9.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2012
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1756
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /DeleteCookiesWildcard "*.facebook.com"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2100
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  - Executes dropped EXE
  PID:2540

C:\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_7.exe
sahiba_7.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1940

C:\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_4.exe
sahiba_4.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1520
- C:\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_4.exe
  C:\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_4.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2764

C:\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_1.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_1.exe" -a
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1536

C:\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_8.exe
sahiba_8.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1628
- C:\Users\Admin\AppData\Local\Temp\is-K7A8V.tmp\sahiba_8.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-K7A8V.tmp\sahiba_8.tmp" /SL5="$2019E,238351,154624,C:\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_8.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:632

C:\Users\Admin\AppData\Local\Temp\is-RIBIF.tmp\sahiba_5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RIBIF.tmp\sahiba_5.tmp" /SL5="$301BC,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_5.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1836

C:\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_5.exe
sahiba_5.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2356

C:\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_6.exe
sahiba_6.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_1.exe
sahiba_1.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS0B7920B6\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B7920B6\libstdc++-6.dll

Filesize
193KB

MD5
9abc46803911e60558cbaf3008f1816e

SHA1
c9fb4ddf288c126ff65d301847f8743cf379b3fa

SHA256
be96d1020f406b7a01d1b6fac3fdda3a754cd5d18523f2341e52a90e7981e2c4

SHA512
7bbe3a88f800c5645b60f0f9b819bed9cf668da716030a526fca5175d87b9be3e8d9d308cde3558f39791b142544feae67335e993ce34fa50954b16aa6711adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_10.exe

Filesize
5KB

MD5
a245593fb8b7972fa09085cb76b6fa5c

SHA1
7e228843f4aeb2e377cf97631914c0f40bbde4ad

SHA256
c892c6c4019e818d2c2eee0d817a500f4a61d77cbb76ad36bc2c24a93e649cf8

SHA512
b0ffb36ab7bf1a19a9c219560d42ef47c16a910f46d281b0c147e562c557fefabe137b6571474fe3f9860f41ab36161e22de2ae4a4c5e32703e571869c130ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_10.txt

Filesize
8KB

MD5
32f26aa4b7563812f3a1a68caad270b1

SHA1
91a45d1d4246a4c574e1238751ffacc68acc5fa7

SHA256
f182c0c6dc8944151e340b3cab01c6d0f97740379aff73d6657e8adec651551a

SHA512
96ac29b91dc1a350b704c0159ec5dd77813068440a67f34b3780fceca6515867afe3d16b900d64c148f7b232989e82a48e9ae8ecdb8177b004d63c02dedbc34a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_2.exe

Filesize
250KB

MD5
05d94f48ead769c05b5f60c9b7c24b5a

SHA1
3d1d37f68a4e12bfe61355dcf559d22c260e0c24

SHA256
2eec779599053d280e90137e6dbff50b3849af03da7d76673586f6022f572769

SHA512
8e98f3be04c6bef101f534f4e0a5cafbc1b1514c89fa9b7d41b29f30a184baf0a2db8623f8db4635d0d9cde2b5a97c0eb9d8f13b0f166abf5af6ffca06ea21c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_3.exe

Filesize
617KB

MD5
020cc93b4f38fe2ad849ef7be56b5178

SHA1
ddf5194235eb22fb0ca6b5fcf3730f532de765b0

SHA256
8d183c1ce0b2240386e0bc2d9da1f27de356a9d2e56122f36b3c96b9a0113ce2

SHA512
826a18f383cff70ee4232c1765eb907c38376c4994cae3b57e57e95db90c745eeecd4fd2a2608103223dc8590a6f07da0f0ab7557c4bbe4b2285773b255d3ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_4.exe

Filesize
374KB

MD5
40e04fab390eb4ea5d1ea5f526297b36

SHA1
d21a10d949bf78a8557d3ce10bc591b5c1d80664

SHA256
e342aaf558c907408dc5171cd760c552c9721200d409bc17283a8c2ea4019dfd

SHA512
9ac68bcd1bfd08a1cb64b7cd98e3c9d2fe0a310e4297519d9695c55e0a69242a17ce9ca733450ddbd7a04e13259b56fcd39936261a5dcc7a2114ef97b849c6fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_5.exe

Filesize
504KB

MD5
91374541d34b90a3adc4cb101b09cca9

SHA1
8c6e29c2eeabc2f2156e5ecf70e7855da7ce9bf6

SHA256
be7239405bbed96d9e8079210496550daf5cc7965f5f3d36752a1a0df00d2e2d

SHA512
b00036d5fadce24fb0a157284c2c269221b0a8d51ef29ecb63a07e7cd23f94aff776d669ff9d0f169b2d40d92a6e2a926fdea11013007e61d9f93fd49aa5ee64

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_5.txt

Filesize
749KB

MD5
1069c64eebfa52869ac2706f3fac88e3

SHA1
d11eff94fa1b68f1b8365dbc4ca107aebeee24c4

SHA256
c6b6d0aa7a9a46c81db2d12733268741ef78a667381b11eeafaa7e2a29c48c10

SHA512
9283e288394c8024c5ccef04f69a03d5bb69c48f5de04e2a9cb4536e180d51b820fc6a71c1fae62d0d246321fa24a17f5df78a842ae4781ea26f5bc18678b60c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_6.exe

Filesize
160KB

MD5
b610ae767a60612fdda02532aff66a8b

SHA1
6a0b1df42298ff59b449d10f5fece91f8474616c

SHA256
523829a473fcf8ab56b46b37af634ec5140920a4f1c4fd1fb6bfecdec100bf18

SHA512
0f45d7d0a7a97dfe4ea33c0067ea98bacd6870e7f0b05964b19a2e7ad723c90950bfdea6d8dd48b84337ded1e7bc1acacee19cb80719c5299f60ec5821c2dd20

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_6.txt

Filesize
186KB

MD5
19c2278bad4ce05a5efa4b458efdfa8b

SHA1
521d668d24f05c1a393887da1348255909037ce2

SHA256
ed6f65d65ba22fbaa3e526bd28c8f847bf12c545fdd543f092d55d0741f84e85

SHA512
8d39a3ff6746259cf9418f6a546c228fc8eedfe072749963221212ff0272a7eb9e1d63763f0da08aebf0c9258c665b0724d461c49392cead248572c85c1d2982

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_7.exe

Filesize
10KB

MD5
addb09b66eec419ae1957cf89b51356a

SHA1
071224f9c4e12f792c9ffee3eb6e26f4851c230d

SHA256
b7e1454f7694c2b77845a793d4639b4abef0042146c292b3cce38735390bab0a

SHA512
22aa813fdbfcf612df5d53d5f47074e3f6fd9b7963c57e90f5058645acd9acd26bf182a9f6388f8327e6464619c3c0d04a7e8cb9dfb74d23a047d00d6f264278

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_7.txt

Filesize
706KB

MD5
3473575d75b1e431f6a1f6e027c3aaba

SHA1
28f42900f9264fec45e1fe92d06bb04f78041c80

SHA256
57a33d73eb28007ae9b370519c9864e08acabc9500adb2d70ce3f725241d8939

SHA512
e9f407ca799fbfb8d221db90baf3df480f9c4db70210d163d921d18050233d1ff79df349f0bacd96baa116220206a3307c90b625dd76f7929bbd05520925420e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_8.txt

Filesize
480KB

MD5
4c8d5f7a56744bf4a99506dbb7692266

SHA1
25bd5483572e412e37e239b7447c2dd36c107813

SHA256
e61540e7e8279a43f3e61db16c500108a0cfe1736597452a00c787368e996471

SHA512
bade2453ce9809d1eba5cd785eb2a0ed6e944d10bb5c45fc2deca69a7113fdc498d58578108cf61e1fa9e6c4ed3a97b6ef25168b19a8a4baa1ad127585925564

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_9.exe

Filesize
151KB

MD5
be4807de37cd93ff3659b50ec6b28da3

SHA1
fd296956bf7768fc21f02473d7239748552f49c4

SHA256
2da5af0be9bfd82cc82572c0d3436dc6ebb9d03d5ced8524ae8af1bfb4803c6a

SHA512
53aea11f426bbfe0c90f48d2e68b8e46235de29471769154775805f7cd5dfc3c903c0f98d60edc4da38b958cb4626199d38970e8006496055fde6f12fc705f5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_9.txt

Filesize
983KB

MD5
270dd1da0ab7f38cdff6fab84562ec7a

SHA1
cf7be169ee4415085baeb4aeaa60932ac5abf4ac

SHA256
7d7d5ae0fa9286fea65a6f94240389998ff0d08340a2aedc67ef3547e84d64c6

SHA512
dc3d7d112a8e43c34261f3425ef6710d61cb92d797dd4a1e9b04e02971db42a4a2e2488bf5397c0ec9a6a1a6a718cec77c379377647402099cb7e4a5bb381286

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB9FE.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBA5F.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BTAUV.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BTAUV.tmp\idp.dll

Filesize
21KB

MD5
fc9ed8b43c5aa6d9ba72ef64cb7f5e82

SHA1
a01a4a0c05a11cb7e4f536ac8c238f58d37b5d0a

SHA256
32a72d9ca696a6cbe540c51c7e895be23d4671b48635f6cf96c8d5748a4df7c8

SHA512
41d0878c8ca6da31430682b59e33a8c029a31037a4e0588f81d4cc2e97ddcbf6a9df9ea9ddfc99fd1b81033d8a803c51ee5983dfe59dc7b440faf0d0f55537fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
152KB

MD5
6926d2738290ecc777921499a4be2d93

SHA1
f3055b99f4686ee790dac3325249b02321220953

SHA256
00106b9b9c2c656d18af5c5186661de9fa9e9bb67b42f6cec977b21de03fd1c3

SHA512
d157135a4ea36aa6beb345145d06ec1c2062ad45e978ae057ba5bb00cb75ebb9291f4b016f2f2777742b5b06673c1acec3fa65405ebb9677bd2168e3cc013aa3

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0B7920B6\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0B7920B6\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0B7920B6\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0B7920B6\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_1.exe

Filesize
56KB

MD5
c0d18a829910babf695b4fdaea21a047

SHA1
236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

SHA512
cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_2.exe

Filesize
201KB

MD5
0d3b04862fbbb866fb77c5eac031ba1c

SHA1
6b16dfabd6ba23ec9fcdccb242006a6f26a6c341

SHA256
58b89e2bcb391c3bac2213331aaa142b1835bb0b995382bdc4e6b879a9045cc3

SHA512
c35ea7b44ae81aa87e7a48b2acea21ce72cf29fedae65ebb4ee9ff219ed3cb1e3e0644bc3718b52c12cac90ab3457c151a8f085cf24ebd5358343053e7908cde

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_2.exe

Filesize
198KB

MD5
caa7c40f7e4d8aebefe67a8c6d798413

SHA1
d18672be8d0b1b279060643340ddfac0431de1ac

SHA256
5fac5677bc023d5897f4bac608943a2eb021add8a8e8677a4c3369ac2db00b0a

SHA512
82ce7d46d38d34a007255d8d43f1edc02c24916182c8bc33aec78116b6334ddfbfb057bcf06887dd861d15742146c0fc6934298e053d48fb1ba2e0c8425fe25d

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_3.exe

Filesize
214KB

MD5
da846908a5ba125cb19b9fa2e1c4fdc3

SHA1
5faef1459523fcb225665c018b74162c55f4cb1b

SHA256
27d1ec5ffc9de9198ab4ff4285680d9d5b7d6980b8f5f1583454dcba63d316f1

SHA512
fe63f8310762caa742f3b16f1924db8735184af323b9a0b8c188d612f12e723e82870c0a1c02af41a816955e7fe90dfa47fdc778988befa40e089ac2bf6ec0ae

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_3.exe

Filesize
504KB

MD5
688c477a44914106a43799b2273444e4

SHA1
4b332b578cea62976469d6a1fe4e24d417d9835c

SHA256
e1f53cb87af8258aa7031904cfee7a6ae65e929b769d1a2169f62b60bfb4e216

SHA512
ddc52298fd85f76a0681f0e65f36826b12c8634c66505755d1d3ad86f9c5e3d6f9e14f05fd1d08e1c740fee778f6fa056beef1ef07b61c81234c1a08fe3d8af4

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_3.exe

Filesize
113KB

MD5
de8ebe282b567dda1b8e5aab68b1e2a5

SHA1
633db7616af94db89f5e2fe00d795717a1dd00f2

SHA256
8cf5c27eb059513753cc453b5c7e38f54763cad3dc811855b4f18a46c4b1f08c

SHA512
4a7cc3ad11698903dc7de50b57c29671faec6279185461c5503e585a83ef58008eb8869bd1a3f7adec1fe60e82ec26261ea6273861b9a0c0365154796a31b4ba

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_4.exe

Filesize
250KB

MD5
018c76ff285c4acdbcc57f69926b015d

SHA1
36707671da8aeb436e35638e79e5ed421d6fdd07

SHA256
ce12a3b909718358f5f3aae083a4d883e6ccba5e004a43c0540525b1c4e92425

SHA512
50b544c3cea200a371f89e6b7d1aaab5368dfded7fec25a8040728af29882755297aaa942b75fe5a9f6a03910712c1024985b33b8ba006962a1b789bc7bf61fc

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_4.exe

Filesize
211KB

MD5
dc4f1aaef1d45d984ac11298a684da40

SHA1
e2dfa1460e24657027b704e5f74a9d1e2fd8e9de

SHA256
6a83a1e0541a8a97bf819bd75a8859035a4e1d070e4e6aa5753cf6e132cb8f72

SHA512
34fc5cf2a2869fac859be978f3915f7081fd88dddab374d0e551a7b9c0349fb7cd7eb88dfebfeca7370db8e745b48fcd5cc8733cd248876a859302954d9a4ac1

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_4.exe

Filesize
251KB

MD5
afd948252f2ae0f524ddb1a4212c7f9f

SHA1
a725e53e63a3c7572fc72861c2a8068ed5610b8e

SHA256
b9c702a4cba6be55a41c240a0d7bbe101ab6ffb38111857b29f8f1d95c96d4bb

SHA512
82476c6d062d2dbd33ec35d8a54c9bcbb0b59198bf0a8d0efa2f868694979de3ecd7b3dd4898344c019926d42882a2dddc09bd945e692f4d62ee150bc97d5e5f

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_4.exe

Filesize
390KB

MD5
eb73f48eaf544bf7e035a58f95f73394

SHA1
251f0d09f14452538ecfa0924a4618c3c16887e3

SHA256
da72fa2ad767e22db3d55506846b5d4db7932cd7287391c483faa80c5e86bcce

SHA512
a190b5e95308aa2a855dbb6c93841fbfbd79bd3c04b3f3c90e94b88c35c0409de68c39f31373b7dce38998ecdc35064541efad17f63978e14022ec9efac3b4c1

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_5.exe

Filesize
417KB

MD5
44f94e75117e0612a11713fd3e76846e

SHA1
77de0abafedadf664f4dfc7894f0e3d02a85b2f7

SHA256
051c0767fc0576a9947336563144ba63402941ed4d0136db5dc0dfaa37dd7ac3

SHA512
0c699e8d3e1c965330df95a7b8f13773856d062bca1582dcd7b57c6ad22fbd757d359355fedd5ca520bbd229563ac7093a1b8a81ed6de90f70084b212475d974

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_5.exe

Filesize
76KB

MD5
d03587dca777ebff300180b81519ab6d

SHA1
c1596abfb46227b6df4147b1fd0414549a27e8b6

SHA256
1b06ddca147f49d8d1875cc8ce0c004701c347c0013083c085c0e778e8db0deb

SHA512
9a57de092c4dc7c6b8a8d7ab5fad7f1e698cdc0509bc90c653da19f889d05fe69619e9f96a23897188754410fca947894a8d4de22a9bbf222192d783c09791e4

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_5.exe

Filesize
411KB

MD5
1eb6fd732100c414210a11eecb5bcd6b

SHA1
d0729a76ec1dd0ad91702f61e91b4b17824f4fa3

SHA256
33ee45bb654884dae1ad6b6b7bf03042f37ade903d8ea0d01d14c5605cda1ef6

SHA512
fc6678e5c9b984fd7eeb8de50b1896350bdb23b50d5eddc13cebf5bfd9664645a1fcc78586fcf5dfe06a4d99f8e7269b20e0b5f3a376e5c87ed8bd18415bc4ba

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_6.exe

Filesize
1KB

MD5
c1d6c68c536e600e6c017bff2ede5018

SHA1
0f486d1dd38a964c4d16ce74a586ac86b43426ea

SHA256
5bc04e95a5fc8183cbd7c05f14a89d7c2ed1b68eb34a221399e06f7ec5090fb5

SHA512
243aea1ecd99188a4e87fa84ba556846d7fb2cee3028f6ff4d1be2aff46edbbfc9a566ceaeee764d93ddb3a8eacce85dd266c2ce8de4d14e448423af85a6556e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_7.exe

Filesize
417KB

MD5
6629c908b8150ac77e964a4b88de18ce

SHA1
535ea9967af3f2e97924f7c701f60b3d2a8a1219

SHA256
f16fde98a2a58eb7b35ac22c5190a9ba05dc00cd4362ad0a75a499cfad0507fe

SHA512
09333020ac14ce4a18682139771389b0692b94aa5bc990be5ad6c1deccb3bd5e936775d5755368527f9609a286ad39f593ace18bd97e7b1b030859a4fee9a3b4

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_7.exe

Filesize
54KB

MD5
74469fa28cf923d9e085c9b799da2636

SHA1
da63ac94980f0481c8880857577e2eb4b4a02198

SHA256
ca9b7acdcf481943b50e338891c8683ee1ebabc988aa6c3f0c17e9df6580ec9d

SHA512
4c22b69bf3b4b7f5cf8043dc532bc1b6a917a053eb2c175304f5d98e108abdfad542563a06346cdcdb216e5f26bf3b92cb772e5f8b0d8c4289210ed403cd04bf

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_7.exe

Filesize
42KB

MD5
d3d8e1d072a9939013f83718727f1e57

SHA1
396028c9cd5350cfee6fb525720783159a9fb7f2

SHA256
a9acccfc3757197375d97032d13f6b17fd3797afda78ba31fff518b23c5808fd

SHA512
06e68fe1ce749a12b9ec19afb2494ab796fad91b6e5cb3d6f631e6f6185a1226a32f3f5dfb651917489b2b520986f1f4efb21cb908a0dbb1d38dfd21e8bb5809

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_9.exe

Filesize
64KB

MD5
e7945c58a007570c97069d0e2f1dc476

SHA1
df69d9c9b3a727cc4a92683bd0f56b7d2ae5f641

SHA256
c30dc4aaba4b4c3afa34f42eb535075519673dbefe3689d3b9f0ca0f20205da0

SHA512
54e6cd48ab097daadd0b801b7d9b305f1765c14132940d24bfce4c93b7e421ad3b759fce52fcac8964f26fccc68b4a47e02600f139416d8461b83cd08d6f81ca

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_9.exe

Filesize
20KB

MD5
2521df101010754a8493656cceb2f12f

SHA1
ada4794f9e382798fdfffe76996672c10d3fe530

SHA256
13b642246e8b93847172d23d4123c933f2996dcfefd67494b14336218e6d0203

SHA512
ea37333c7b7a799110b84a2f225d6aa896d61d69c0d6f6dbe9f26a5eb09bd9d9b278c2392975385c104be24c72056cb1e40b3e5c0b1201cc8142834ac185ade8

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0B7920B6\sahiba_9.exe

Filesize
37KB

MD5
ff6587cfddd0fe419f1065e33f3da1fb

SHA1
82fc8a59b2fb318a8b1562a6a2db0dd458a96124

SHA256
57470b787257b1a885d3e05a26bc8f5c7ddca2bdb7cc72c0f6cfb0a86dac8d74

SHA512
16e42bbad74888f249d0a35fbeee77587f2969ada90127a1f0e3469778386b887d56a05dad48fabc296aa59a23c6e07ffe4ddf8e1fb68dda4cbe11fc4b0faafc

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0B7920B6\setup_install.exe

Filesize
287KB

MD5
74c46f2e07124fb1302e64c20572633f

SHA1
6eecf381d85affd94a0da24e4040087285e76ec3

SHA256
fd9c8149b552801a775629759bdfa61058471ba4ce7867986faa7c2fd191ae9d

SHA512
e0ccaf980151759d129ce2a9987eba06396316b0dba81881a1eee646bb8dc9489d0a9e3984048509dd35aeee492d57c74339449f882fd37124b1617408d7a68d

Download Submit
memory/632-283-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1068-290-0x0000000000400000-0x000000000146C000-memory.dmp

Filesize
16.4MB

Download
memory/1068-201-0x0000000001620000-0x0000000001720000-memory.dmp

Filesize
1024KB

Download
memory/1068-198-0x0000000000400000-0x000000000146C000-memory.dmp

Filesize
16.4MB

Download
memory/1068-432-0x0000000001620000-0x0000000001720000-memory.dmp

Filesize
1024KB

Download
memory/1068-196-0x0000000000240000-0x00000000002DD000-memory.dmp

Filesize
628KB

Download
memory/1112-424-0x000000001B120000-0x000000001B1A0000-memory.dmp

Filesize
512KB

Download
memory/1112-199-0x000000001B120000-0x000000001B1A0000-memory.dmp

Filesize
512KB

Download
memory/1112-154-0x0000000000E80000-0x0000000000E88000-memory.dmp

Filesize
32KB

Download
memory/1112-194-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/1112-341-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/1240-195-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/1240-184-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download
memory/1240-342-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/1240-182-0x00000000003D0000-0x00000000003F8000-memory.dmp

Filesize
160KB

Download
memory/1240-200-0x000000001AF80000-0x000000001B000000-memory.dmp

Filesize
512KB

Download
memory/1240-425-0x000000001AF80000-0x000000001B000000-memory.dmp

Filesize
512KB

Download
memory/1240-164-0x00000000003C0000-0x00000000003C6000-memory.dmp

Filesize
24KB

Download
memory/1240-455-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/1240-155-0x0000000001310000-0x0000000001346000-memory.dmp

Filesize
216KB

Download
memory/1520-156-0x00000000011D0000-0x0000000001238000-memory.dmp

Filesize
416KB

Download
memory/1628-133-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1628-197-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1628-291-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1680-75-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/1680-73-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1680-80-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/1680-79-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/1680-78-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/1680-72-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1680-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1680-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1680-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1680-63-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1680-62-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1680-61-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1680-77-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/1680-228-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1680-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1680-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1680-51-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1680-239-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1680-238-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/1680-54-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1680-236-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1680-76-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/1680-222-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1680-64-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1680-65-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1680-226-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/1756-212-0x0000000000240000-0x000000000029B000-memory.dmp

Filesize
364KB

Download
memory/1756-208-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1756-211-0x0000000000240000-0x000000000024D000-memory.dmp

Filesize
52KB

Download
memory/1756-435-0x0000000000240000-0x000000000029B000-memory.dmp

Filesize
364KB

Download
memory/1836-245-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/1936-336-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1968-43-0x0000000002B40000-0x0000000002C5E000-memory.dmp

Filesize
1.1MB

Download
memory/1968-35-0x0000000002B30000-0x0000000002C4E000-memory.dmp

Filesize
1.1MB

Download
memory/2012-338-0x00000000005E0000-0x000000000063B000-memory.dmp

Filesize
364KB

Download
memory/2012-339-0x00000000005E0000-0x000000000063B000-memory.dmp

Filesize
364KB

Download
memory/2012-480-0x00000000005E0000-0x000000000063B000-memory.dmp

Filesize
364KB

Download
memory/2012-472-0x00000000005E0000-0x000000000063B000-memory.dmp

Filesize
364KB

Download
memory/2012-471-0x00000000005E0000-0x000000000063B000-memory.dmp

Filesize
364KB

Download
memory/2012-469-0x00000000005E0000-0x000000000063B000-memory.dmp

Filesize
364KB

Download
memory/2012-470-0x00000000005E0000-0x000000000063B000-memory.dmp

Filesize
364KB

Download
memory/2012-468-0x00000000005E0000-0x000000000063B000-memory.dmp

Filesize
364KB

Download
memory/2012-459-0x00000000005E0000-0x000000000063B000-memory.dmp

Filesize
364KB

Download
memory/2012-460-0x00000000005E0000-0x000000000063B000-memory.dmp

Filesize
364KB

Download
memory/2012-248-0x00000000005E0000-0x000000000063B000-memory.dmp

Filesize
364KB

Download
memory/2012-458-0x00000000005E0000-0x000000000063B000-memory.dmp

Filesize
364KB

Download
memory/2012-303-0x00000000005E0000-0x000000000063B000-memory.dmp

Filesize
364KB

Download
memory/2012-457-0x00000000005E0000-0x000000000063B000-memory.dmp

Filesize
364KB

Download
memory/2012-312-0x00000000005E0000-0x000000000063B000-memory.dmp

Filesize
364KB

Download
memory/2012-311-0x00000000005E0000-0x000000000063B000-memory.dmp

Filesize
364KB

Download
memory/2012-456-0x00000000005E0000-0x000000000063B000-memory.dmp

Filesize
364KB

Download
memory/2012-210-0x00000000005E0000-0x000000000063B000-memory.dmp

Filesize
364KB

Download
memory/2012-304-0x00000000005E0000-0x000000000063B000-memory.dmp

Filesize
364KB

Download
memory/2012-246-0x00000000005E0000-0x000000000063B000-memory.dmp

Filesize
364KB

Download
memory/2012-436-0x00000000005E0000-0x000000000063B000-memory.dmp

Filesize
364KB

Download
memory/2012-225-0x00000000005E0000-0x000000000063B000-memory.dmp

Filesize
364KB

Download
memory/2012-337-0x00000000005E0000-0x000000000063B000-memory.dmp

Filesize
364KB

Download
memory/2012-213-0x00000000005E0000-0x000000000063B000-memory.dmp

Filesize
364KB

Download
memory/2012-434-0x00000000005E0000-0x000000000063B000-memory.dmp

Filesize
364KB

Download
memory/2012-340-0x00000000005E0000-0x000000000063B000-memory.dmp

Filesize
364KB

Download
memory/2012-214-0x00000000005E0000-0x000000000063B000-memory.dmp

Filesize
364KB

Download
memory/2012-215-0x00000000005E0000-0x000000000063B000-memory.dmp

Filesize
364KB

Download
memory/2100-209-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2184-223-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2308-224-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2356-114-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2356-247-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2496-310-0x0000000000850000-0x00000000008AB000-memory.dmp

Filesize
364KB

Download
memory/2496-309-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2540-335-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2764-250-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2764-284-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2764-273-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2764-275-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2764-262-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2764-249-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2764-260-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2764-261-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3008-308-0x0000000000300000-0x000000000035B000-memory.dmp

Filesize
364KB

Download
memory/3008-293-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download