fabookie | 64ac76b13292907c1f38ed314a15f7129e09b0acac831d62451a4feb0ae2a54c

Resubmissions

25-02-2024 06:49

240225-hlmnraeh8s 10

25-02-2024 06:48

240225-hk5g6seb99 10

25-02-2024 06:05

240225-gs7rtsdd79 10

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25-02-2024 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a311311c248170e59b39810a31a0cd1e.exe
Size

3.3MB
MD5

a311311c248170e59b39810a31a0cd1e
SHA1

2f135d322b06f124e49c951e26a2cbec9b70d771
SHA256

64ac76b13292907c1f38ed314a15f7129e09b0acac831d62451a4feb0ae2a54c
SHA512

887cdcfddb99b18f8ea6b93fd8e4f5eed5475fd09714ef741b3e70f755a780b961b299bbfd6f7a44921aaab5cfbd844ca9a712cd86f1b2aa153f239cf7ffdb9b
SSDEEP

98304:xp4vGqznLtwu7sMB0FQ8da/438P+Z2SCvLUBsKdKCiZ:xp8znxDYFdW4ZZ2jLUCKziZ

Malware Config

Extracted

Family

nullmixer

http://watira.xyz/

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

vidar

Version

39.8

Botnet

706

https://xeronxikxxx.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

AniOLD

liezaphare.xyz:80

Signatures

Detect Fabookie payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023128-78.dat	family_fabookie
behavioral2/files/0x0006000000023128-88.dat	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/4996-247-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/4996-247-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Nirsoft 8 IoCs

resource	yara_rule
behavioral2/memory/1360-124-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4692-126-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/2852-156-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4780-159-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/2396-186-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/1472-189-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/940-224-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/1356-227-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft

Vidar Stealer 4 IoCs

stealer

resource	yara_rule
behavioral2/memory/4276-164-0x0000000003100000-0x000000000319D000-memory.dmp	family_vidar
behavioral2/memory/4276-179-0x0000000000400000-0x000000000146C000-memory.dmp	family_vidar
behavioral2/memory/4276-216-0x0000000000400000-0x000000000146C000-memory.dmp	family_vidar
behavioral2/memory/4276-246-0x0000000003100000-0x000000000319D000-memory.dmp	family_vidar

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000600000002312e-34.dat	aspack_v212_v242
behavioral2/files/0x0006000000023129-42.dat	aspack_v212_v242
behavioral2/files/0x0006000000023129-44.dat	aspack_v212_v242
behavioral2/files/0x000600000002312a-43.dat	aspack_v212_v242
behavioral2/files/0x000600000002312c-51.dat	aspack_v212_v242
behavioral2/files/0x000600000002312c-48.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	a311311c248170e59b39810a31a0cd1e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	sahiba_1.exe

Executes dropped EXE 23 IoCs

pid	Process
3140	setup_install.exe
1920	sahiba_2.exe
2996	sahiba_10.exe
2440	sahiba_5.exe
3424	sahiba_8.exe
4612	sahiba_4.exe
4276	sahiba_3.exe
2948	sahiba_1.exe
5108	sahiba_9.exe
1684	sahiba_6.exe
1784	sahiba_7.exe
1048	sahiba_1.exe
1704	sahiba_8.tmp
1016	sahiba_5.tmp
1360	jfiag3g_gg.exe
4692	jfiag3g_gg.exe
2852	jfiag3g_gg.exe
4780	jfiag3g_gg.exe
2396	jfiag3g_gg.exe
1472	jfiag3g_gg.exe
940	jfiag3g_gg.exe
1356	jfiag3g_gg.exe
4996	sahiba_4.exe

Loads dropped DLL 8 IoCs

pid	Process
3140	setup_install.exe
3140	setup_install.exe
3140	setup_install.exe
3140	setup_install.exe
3140	setup_install.exe
3140	setup_install.exe
1704	sahiba_8.tmp
1016	sahiba_5.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023137-117.dat	upx
behavioral2/files/0x0007000000023137-116.dat	upx
behavioral2/memory/1360-118-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/files/0x0007000000023137-122.dat	upx
behavioral2/memory/1360-124-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4692-126-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4692-123-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/files/0x0007000000023137-154.dat	upx
behavioral2/files/0x0007000000023137-153.dat	upx
behavioral2/memory/2852-156-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/files/0x0007000000023137-158.dat	upx
behavioral2/memory/4780-159-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/files/0x0008000000023137-178.dat	upx
behavioral2/files/0x0008000000023137-182.dat	upx
behavioral2/files/0x0008000000023137-181.dat	upx
behavioral2/memory/2396-186-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/1472-189-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/940-224-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/1356-227-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
27	iplogger.org
28	iplogger.org
32	iplogger.org

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ip-api.com
14	ipinfo.io
15	ipinfo.io

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4612 set thread context of 4996	4612	sahiba_4.exe	126

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2944	3140	WerFault.exe	86
3132	4276	WerFault.exe	109

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1920	sahiba_2.exe
1920	sahiba_2.exe
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1920	sahiba_2.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2996	sahiba_10.exe
Token: SeDebugPrivilege	1684	sahiba_6.exe
Token: SeShutdownPrivilege	3428	Process not Found
Token: SeCreatePagefilePrivilege	3428	Process not Found
Token: SeDebugPrivilege	4996	sahiba_4.exe
Token: SeShutdownPrivilege	3428	Process not Found
Token: SeCreatePagefilePrivilege	3428	Process not Found
Token: SeShutdownPrivilege	3428	Process not Found
Token: SeCreatePagefilePrivilege	3428	Process not Found
Token: SeShutdownPrivilege	3428	Process not Found
Token: SeCreatePagefilePrivilege	3428	Process not Found
Token: SeShutdownPrivilege	3428	Process not Found
Token: SeCreatePagefilePrivilege	3428	Process not Found
Token: SeShutdownPrivilege	3428	Process not Found
Token: SeCreatePagefilePrivilege	3428	Process not Found
Token: SeShutdownPrivilege	3428	Process not Found
Token: SeCreatePagefilePrivilege	3428	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3428	Process not Found
3428	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4372 wrote to memory of 3140	4372	a311311c248170e59b39810a31a0cd1e.exe	86
PID 4372 wrote to memory of 3140	4372	a311311c248170e59b39810a31a0cd1e.exe	86
PID 4372 wrote to memory of 3140	4372	a311311c248170e59b39810a31a0cd1e.exe	86
PID 3140 wrote to memory of 4436	3140	setup_install.exe	89
PID 3140 wrote to memory of 4436	3140	setup_install.exe	89
PID 3140 wrote to memory of 4436	3140	setup_install.exe	89
PID 3140 wrote to memory of 3620	3140	setup_install.exe	98
PID 3140 wrote to memory of 3620	3140	setup_install.exe	98
PID 3140 wrote to memory of 3620	3140	setup_install.exe	98
PID 3140 wrote to memory of 2592	3140	setup_install.exe	97
PID 3140 wrote to memory of 2592	3140	setup_install.exe	97
PID 3140 wrote to memory of 2592	3140	setup_install.exe	97
PID 3140 wrote to memory of 220	3140	setup_install.exe	96
PID 3140 wrote to memory of 220	3140	setup_install.exe	96
PID 3140 wrote to memory of 220	3140	setup_install.exe	96
PID 3140 wrote to memory of 208	3140	setup_install.exe	95
PID 3140 wrote to memory of 208	3140	setup_install.exe	95
PID 3140 wrote to memory of 208	3140	setup_install.exe	95
PID 3140 wrote to memory of 4068	3140	setup_install.exe	94
PID 3140 wrote to memory of 4068	3140	setup_install.exe	94
PID 3140 wrote to memory of 4068	3140	setup_install.exe	94
PID 3140 wrote to memory of 3708	3140	setup_install.exe	93
PID 3140 wrote to memory of 3708	3140	setup_install.exe	93
PID 3140 wrote to memory of 3708	3140	setup_install.exe	93
PID 3140 wrote to memory of 5052	3140	setup_install.exe	92
PID 3140 wrote to memory of 5052	3140	setup_install.exe	92
PID 3140 wrote to memory of 5052	3140	setup_install.exe	92
PID 3140 wrote to memory of 1380	3140	setup_install.exe	91
PID 3140 wrote to memory of 1380	3140	setup_install.exe	91
PID 3140 wrote to memory of 1380	3140	setup_install.exe	91
PID 3140 wrote to memory of 3276	3140	setup_install.exe	90
PID 3140 wrote to memory of 3276	3140	setup_install.exe	90
PID 3140 wrote to memory of 3276	3140	setup_install.exe	90
PID 3620 wrote to memory of 1920	3620	cmd.exe	110
PID 3620 wrote to memory of 1920	3620	cmd.exe	110
PID 3620 wrote to memory of 1920	3620	cmd.exe	110
PID 3276 wrote to memory of 2996	3276	cmd.exe	99
PID 3276 wrote to memory of 2996	3276	cmd.exe	99
PID 1380 wrote to memory of 5108	1380	cmd.exe	106
PID 1380 wrote to memory of 5108	1380	cmd.exe	106
PID 1380 wrote to memory of 5108	1380	cmd.exe	106
PID 208 wrote to memory of 2440	208	cmd.exe	105
PID 208 wrote to memory of 2440	208	cmd.exe	105
PID 208 wrote to memory of 2440	208	cmd.exe	105
PID 5052 wrote to memory of 3424	5052	cmd.exe	104
PID 5052 wrote to memory of 3424	5052	cmd.exe	104
PID 5052 wrote to memory of 3424	5052	cmd.exe	104
PID 220 wrote to memory of 4612	220	cmd.exe	108
PID 220 wrote to memory of 4612	220	cmd.exe	108
PID 220 wrote to memory of 4612	220	cmd.exe	108
PID 2592 wrote to memory of 4276	2592	cmd.exe	109
PID 2592 wrote to memory of 4276	2592	cmd.exe	109
PID 2592 wrote to memory of 4276	2592	cmd.exe	109
PID 4436 wrote to memory of 2948	4436	cmd.exe	100
PID 4436 wrote to memory of 2948	4436	cmd.exe	100
PID 4436 wrote to memory of 2948	4436	cmd.exe	100
PID 4068 wrote to memory of 1684	4068	cmd.exe	101
PID 4068 wrote to memory of 1684	4068	cmd.exe	101
PID 3708 wrote to memory of 1784	3708	cmd.exe	103
PID 3708 wrote to memory of 1784	3708	cmd.exe	103
PID 3708 wrote to memory of 1784	3708	cmd.exe	103
PID 2948 wrote to memory of 1048	2948	sahiba_1.exe	111
PID 2948 wrote to memory of 1048	2948	sahiba_1.exe	111
PID 2948 wrote to memory of 1048	2948	sahiba_1.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a311311c248170e59b39810a31a0cd1e.exe
"C:\Users\Admin\AppData\Local\Temp\a311311c248170e59b39810a31a0cd1e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Users\Admin\AppData\Local\Temp\7zS41194F18\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS41194F18\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_1.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4436
  - - C:\Users\Admin\AppData\Local\Temp\7zS41194F18\sahiba_1.exe
      sahiba_1.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Users\Admin\AppData\Local\Temp\7zS41194F18\sahiba_1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS41194F18\sahiba_1.exe" -a
        5⤵
        Executes dropped EXE
        
        PID:1048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_10.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3276
  - - C:\Users\Admin\AppData\Local\Temp\7zS41194F18\sahiba_10.exe
      sahiba_10.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_9.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1380
  - - C:\Users\Admin\AppData\Local\Temp\7zS41194F18\sahiba_9.exe
      sahiba_9.exe
      4⤵
      Executes dropped EXE
      PID:5108
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        
        PID:1360
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /DeleteCookiesWildcard "*.facebook.com"
        5⤵
        Executes dropped EXE
        
        PID:4692
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        
        PID:2852
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
        5⤵
        Executes dropped EXE
        
        PID:4780
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        
        PID:2396
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
        5⤵
        Executes dropped EXE
        
        PID:1472
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        
        PID:940
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
        5⤵
        Executes dropped EXE
        
        PID:1356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_8.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5052
  - - C:\Users\Admin\AppData\Local\Temp\7zS41194F18\sahiba_8.exe
      sahiba_8.exe
      4⤵
      Executes dropped EXE
      PID:3424
    - - C:\Users\Admin\AppData\Local\Temp\is-E1NOF.tmp\sahiba_8.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-E1NOF.tmp\sahiba_8.tmp" /SL5="$401E4,238351,154624,C:\Users\Admin\AppData\Local\Temp\7zS41194F18\sahiba_8.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_7.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3708
  - - C:\Users\Admin\AppData\Local\Temp\7zS41194F18\sahiba_7.exe
      sahiba_7.exe
      4⤵
      Executes dropped EXE
      PID:1784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_6.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4068
  - - C:\Users\Admin\AppData\Local\Temp\7zS41194F18\sahiba_6.exe
      sahiba_6.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_5.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\7zS41194F18\sahiba_5.exe
      sahiba_5.exe
      4⤵
      Executes dropped EXE
      PID:2440
    - - C:\Users\Admin\AppData\Local\Temp\is-RG7RR.tmp\sahiba_5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-RG7RR.tmp\sahiba_5.tmp" /SL5="$60118,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS41194F18\sahiba_5.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_4.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Users\Admin\AppData\Local\Temp\7zS41194F18\sahiba_4.exe
      sahiba_4.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:4612
    - - C:\Users\Admin\AppData\Local\Temp\7zS41194F18\sahiba_4.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41194F18\sahiba_4.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_3.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Users\Admin\AppData\Local\Temp\7zS41194F18\sahiba_3.exe
      sahiba_3.exe
      4⤵
      Executes dropped EXE
      PID:4276
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 1660
        5⤵
        Program crash
        
        PID:3132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_2.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3620
  - - C:\Users\Admin\AppData\Local\Temp\7zS41194F18\sahiba_2.exe
      sahiba_2.exe
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:1920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 564
    3⤵
    - Program crash
    PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3140 -ip 3140
1⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4276 -ip 4276
1⤵
PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS41194F18\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41194F18\libcurl.dll

Filesize
107KB

MD5
1f07e665d0c9ee6bde384d321615f56a

SHA1
bfba1890378ab8202baae0c3300d85920d837fd2

SHA256
c396e0e8b91b8e4434f3c2c6cfeb78eaaea0cb5aa54722ad2daf43e4432d4987

SHA512
9d0ed1bde90541b92116f3ea584134e8b149c81e6b0d7f3722e15ff36c82cabaa159c9abfb433cdf6d833dc1dc22601f5eb78338bb2e82f3ba558a077a031cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41194F18\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41194F18\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41194F18\libgcc_s_dw2-1.dll

Filesize
86KB

MD5
bf40b443fbe4d7b282e5df19570a6fbc

SHA1
15f1f33dc43479e0e3fe66238a0d846a7a75f881

SHA256
8d208c54da5bf4e8c1ec5d8b4bf7330d9f165c6299ca10dd805723eb41a9bcd5

SHA512
96823f62635751b12ff4f7ad6ee42e3529f8cbb2d6ad6810733f29e96c5b47da2e82fa692a2a5ed3753776c92e1ba907ff4552c8b099098efa713721bafc6712

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41194F18\libgcc_s_dw2-1.dll

Filesize
57KB

MD5
c231bb7a829d0388cf51ca395efc57b3

SHA1
5a252a51767fec8863f1fac165a30b54264a118a

SHA256
1914735d94c2469f74b14e9f1cd007a014bd531edec967b9397df01d6ab8ad28

SHA512
83a17cfbe31cbf6a2b3504afcd75203f771f4c73d3c9ae55b40b1d6bb39aed4ec0121475dc794d4cab78de6e85fddfa307a963624d47766fc9d9503d66ce722a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41194F18\libstdc++-6.dll

Filesize
64KB

MD5
ad1c548ca77cecc49364855223401511

SHA1
523a06384633aadeae0b25ad1a44aab62342c69a

SHA256
7d9113e74a2adf1c93adbe5c7936f2426d1bdacd21d8b724e83c23f6219d0064

SHA512
f8570fb383b7e045af093163feb6682ece6ecc8b5bc4c0441c25bd9d91ee9e34b99a685464d698d9e536293ec4525a5e1e6e729380e8364a300ad0cc2e9ddc77

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41194F18\libstdc++-6.dll

Filesize
42KB

MD5
139564448d9ea1bc672a08d2dffa5787

SHA1
440e9d846e4b1d86dc52888b75c8e9d7eb57eafc

SHA256
96ba77794137b017d7b316af0ceb6fcc699d9b451bc19421bc85810a3f0a69ad

SHA512
cf06f47a14e7289605a98ef2b868c04f8c7c6036d1f9fa210da99a4ff1e7de55dd56e82a5bbd89acd6d211c41e922a7946c2e4ca5610360b4553da4a9f9b312e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41194F18\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41194F18\sahiba_1.exe

Filesize
56KB

MD5
c0d18a829910babf695b4fdaea21a047

SHA1
236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

SHA512
cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41194F18\sahiba_10.txt

Filesize
8KB

MD5
32f26aa4b7563812f3a1a68caad270b1

SHA1
91a45d1d4246a4c574e1238751ffacc68acc5fa7

SHA256
f182c0c6dc8944151e340b3cab01c6d0f97740379aff73d6657e8adec651551a

SHA512
96ac29b91dc1a350b704c0159ec5dd77813068440a67f34b3780fceca6515867afe3d16b900d64c148f7b232989e82a48e9ae8ecdb8177b004d63c02dedbc34a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41194F18\sahiba_2.exe

Filesize
33KB

MD5
903f8bf02e2d7c3084095bd07cd70d6e

SHA1
b1dd3677461477899b334045bd3830ab614fafa3

SHA256
8d6b60654872564d61ef3a60d5889807f4991030dacffa18ed5a2b37e5068e57

SHA512
9d9979c495369b2e510d4172cf6e1f15f4db856b27fcd012263ca8f8f84711df6c4e323c6f5ebf84fe75c02655f8f600e6de5acac95c3a60a3e028468439d62c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41194F18\sahiba_2.txt

Filesize
250KB

MD5
05d94f48ead769c05b5f60c9b7c24b5a

SHA1
3d1d37f68a4e12bfe61355dcf559d22c260e0c24

SHA256
2eec779599053d280e90137e6dbff50b3849af03da7d76673586f6022f572769

SHA512
8e98f3be04c6bef101f534f4e0a5cafbc1b1514c89fa9b7d41b29f30a184baf0a2db8623f8db4635d0d9cde2b5a97c0eb9d8f13b0f166abf5af6ffca06ea21c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41194F18\sahiba_3.exe

Filesize
60KB

MD5
2e2c2e751ae3ef606c35ffcaed9b4d27

SHA1
1de273dc693d00ee12960a2d8411f5606385b126

SHA256
843432473b50c259a55762769b76fd9e90a616805abd752700a3ba235ab21fb5

SHA512
de655d1183cc393b2b8f3fb46482925e715558531d1888b1069479f09aad98ba14b437418380c1006976b51059d85cff55a22e43f14cf8f460adbed363d187c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41194F18\sahiba_3.txt

Filesize
472KB

MD5
aa07f7a0a1f9d5185563c3ae3602f208

SHA1
89c123b134832e9142ef13352e4ae1fb8fe723f1

SHA256
d7933f70d959b2f0394fcd89f8524df40cba6412a1f09066a375c3e93efda0ff

SHA512
d0d980e8b89029a282308d9469ebad2622882d09beec9c1e8625a8108e8fa23314a4fd18346f31b5bfa7c14ee9e0c60532292bb6e09f3cddcfe5ed94adc58470

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41194F18\sahiba_4.exe

Filesize
61KB

MD5
5667032d617e649049ec92bf1fde7fa0

SHA1
9ab16b62b04ad4c48aedcff68e185cd084c098c5

SHA256
2e87aecb2b45731fe1232406ed238021e7a996cba76ececfc243f3cb26f44274

SHA512
7649672e23245d01396ad71d298ae6c4002ff9a3fd1124d14cabd650d71612bf5f5c0651d2954e718eb0083b45fce0a3602e8412dd1e76095d50768cae0a7b7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41194F18\sahiba_4.exe

Filesize
100KB

MD5
ecfbd24e79a179b232447a39690ea38d

SHA1
a233217cadc97454c8094ea4e4706f0a9e807462

SHA256
c5c051dc4b73fd60fb83c52c7033ca31075f23895793ef7f225b7cbfb49c9adf

SHA512
7071ba8932c87a3e04540fdfd29bf55cef3471d241fa2bfb0e5e69762a2f560c27715ce38d1e749415c439a370d02ccbe52d98656e3922f4967c576d8b286b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41194F18\sahiba_4.txt

Filesize
132KB

MD5
60822fb4c9ee71a88f2ad2308598fa6f

SHA1
978d6eb48b916cef3157d94263162e2d58d7b304

SHA256
5d73ce4747e949ea38d804a4467868c4023ee861508e89785bd6ecf0bb2b5343

SHA512
8b31866131012f1adb22a2d5baa1eb970b59f24167b49c212a9b1884fc0a484cdcfa6ce09a7a74a147464ece42c3c956f904e5357f178c8e91d76ffa0dcead39

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41194F18\sahiba_5.exe

Filesize
423KB

MD5
d2eca1a5eb1a5abdb73818f409ed8234

SHA1
d7d270737342dcacd3e61dd0ba4cbc3a5e530406

SHA256
1cdfcf92ca91b09a0893ad422fbd7ec40f1aed85bfce4aae2c6b471b13c4d378

SHA512
380612de79919e630ffb8f74b0991265ec24c11b734b61be7410628eacbe9ccd7bdd329c54f733922b07fce7c4382ae8b01b8f3814c244b8a1785dab57b11de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41194F18\sahiba_5.txt

Filesize
476KB

MD5
270a333e01f665478e336f3e175aac48

SHA1
d2bf49990129451d881f9b7224dbb679ea7b5e92

SHA256
d5ba98532390d31a1ff20f4d5fdab3410f99d346f2b8e2be4a06b35410081b98

SHA512
1a218a3f0d2c00a0206c7d86701721ce4a9a528e73703ccd3b12ce76aed442e151b555f9058f67eb20ce578ffe1912434980a4a6c6f4a72ab305c1044dbee35e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41194F18\sahiba_6.exe

Filesize
36KB

MD5
1cdccd7d2142ce0cdc4965ebad001c65

SHA1
88fbd28763b4bc2aad134eaa15f9ce63201471bf

SHA256
1a520c083c1e7a148ac2a9b235501c035a291dafc869bc457eb0c2b4f5617843

SHA512
6423721fe760111e79fba688a3d67439ce5319f8bd1bfa709ab9f9fc62fc1afdc5b74dc19e735e5cbf8d0db3924c6a5a3cf0dd537dfa99513e12cbfe753c963d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41194F18\sahiba_6.txt

Filesize
186KB

MD5
19c2278bad4ce05a5efa4b458efdfa8b

SHA1
521d668d24f05c1a393887da1348255909037ce2

SHA256
ed6f65d65ba22fbaa3e526bd28c8f847bf12c545fdd543f092d55d0741f84e85

SHA512
8d39a3ff6746259cf9418f6a546c228fc8eedfe072749963221212ff0272a7eb9e1d63763f0da08aebf0c9258c665b0724d461c49392cead248572c85c1d2982

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41194F18\sahiba_7.exe

Filesize
36KB

MD5
78cf4b8ebb2694a856ebd53d84131a3a

SHA1
04bcc9711372dc47c20da3c4f7a4afcb56d6ec0a

SHA256
19560988147f12badf33bb4eadcf3662cd8b8c8a2553e87d230faa234506e914

SHA512
145d2045cdd7571a0c4b701f4018d2ceb06c866882ab147eb321ab4f19f6f0304642913bf448344f28cf410a1e425ce203ace26fb0517cc8e9f9a3b44f54a0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41194F18\sahiba_7.txt

Filesize
422KB

MD5
70c8bee7e9a7e29ad1d0c288bfbfe622

SHA1
91cf2848cb0e85f43c871e9bcf330730f059ca18

SHA256
093906623b6a23e10752cc83ca4028d1f6784a3f5ea8803951ffe503db64c23d

SHA512
5219410573f9f2000eede0c2cd68f8f43126587c36407f35f1282480c9ef75fd40442b6a45567990823ed4bcdaf89a08ddd03b7072a90281a736d14572ba841f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41194F18\sahiba_8.exe

Filesize
361KB

MD5
843eeaa98ac516c7a2305cead2d61b99

SHA1
a43f8499775b04610bf9543bb9bd8d6af1e0f7a4

SHA256
5838c6a484bb0628174978a218c7231b43af90d5f69e5de872d8fe8b9d576ec9

SHA512
6be8a0a62fd180496d2dbf58891618cbb5b716cbfa41ba51c7797b22233a0c41416cf6830bd1cf18d4b69a1c57d47d9638864f35311e3c7093430f40b8f95a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41194F18\sahiba_8.txt

Filesize
480KB

MD5
4c8d5f7a56744bf4a99506dbb7692266

SHA1
25bd5483572e412e37e239b7447c2dd36c107813

SHA256
e61540e7e8279a43f3e61db16c500108a0cfe1736597452a00c787368e996471

SHA512
bade2453ce9809d1eba5cd785eb2a0ed6e944d10bb5c45fc2deca69a7113fdc498d58578108cf61e1fa9e6c4ed3a97b6ef25168b19a8a4baa1ad127585925564

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41194F18\sahiba_9.exe

Filesize
64KB

MD5
e7945c58a007570c97069d0e2f1dc476

SHA1
df69d9c9b3a727cc4a92683bd0f56b7d2ae5f641

SHA256
c30dc4aaba4b4c3afa34f42eb535075519673dbefe3689d3b9f0ca0f20205da0

SHA512
54e6cd48ab097daadd0b801b7d9b305f1765c14132940d24bfce4c93b7e421ad3b759fce52fcac8964f26fccc68b4a47e02600f139416d8461b83cd08d6f81ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41194F18\sahiba_9.txt

Filesize
108KB

MD5
68d8b08ff702674dc66f3d9a4fae31b7

SHA1
20c6c4991b74e18f63bae3dbc2e633690b30562f

SHA256
3183df9ac7c2e21f7392e216b4f17d6a31987a70f1fcf7a0356f540aa9f2b199

SHA512
42dd40b918ac33394e4a8903cab437e16f7e591929433105195c221f4f27114347e169219def4de5faf64301186087788f0e9af77175b9b4401538ac5634a391

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41194F18\setup_install.exe

Filesize
287KB

MD5
74c46f2e07124fb1302e64c20572633f

SHA1
6eecf381d85affd94a0da24e4040087285e76ec3

SHA256
fd9c8149b552801a775629759bdfa61058471ba4ce7867986faa7c2fd191ae9d

SHA512
e0ccaf980151759d129ce2a9987eba06396316b0dba81881a1eee646bb8dc9489d0a9e3984048509dd35aeee492d57c74339449f882fd37124b1617408d7a68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Filesize
31B

MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E1NOF.tmp\sahiba_8.tmp

Filesize
393KB

MD5
d391278fee8dc5d73aee5c15fa649398

SHA1
b45e46f5a32b8569dc707b5682b1f75fafbc4339

SHA256
e02d63a083f3a971e82de000073febe1c35d949ea082a2f6922245af10e8f625

SHA512
464f7c95ba4d0ca3f5a6a88aa851c343cd717fb622acdb0da6674b97984c22f3d626d273e869f7d6cc431923b185a1662a90d5d63146d9b42f82898b33aca36d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E1NOF.tmp\sahiba_8.tmp

Filesize
64KB

MD5
3115a5827858707937f49b61d4154018

SHA1
ce17d17e9dc34bf2f59b54d674cfacd2669ac1d5

SHA256
336c8c5dc3be04a888e0b602358cb22781de07867d649fb24f17bac387c5e86e

SHA512
7afa40f4e03c7aab6ff2992e42e642077f9fff6b4cbdd3e196ad6e90dc10819f3041b6f4f0c8311beb773e270d293758248d12952c430951ae5da02b6e9771b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EJR1B.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EJR1B.tmp\idp.dll

Filesize
88KB

MD5
73e4f72363108cda054ec04f4efa28af

SHA1
0fbae2b58c48262dc1d2e1a9129c3acf930f15b3

SHA256
69f778c3a1e0c6cb522737216fe5bc539155042accc9d56b3f0d697cbb650626

SHA512
0a1d01e2169459721311488f6a2d743bbc821ca6e3b885df1c114e5e99916579bd2b775113045df5810422f888e82cbeca51d0e7630b0238ea6a36903a9703d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RG7RR.tmp\sahiba_5.tmp

Filesize
430KB

MD5
c644a6adab92ac7aadeb5e2c95264115

SHA1
b854dd3954650f45370b039b6e16cf3713a84839

SHA256
cae50a20609b47f130650639d7623a8dcceb5570be1fbf89af1e38ac4c86836c

SHA512
bd5ae9cdb86d53fd73044d4ea57a7e335e2418eaca57f23930cef2da5bcfebc8ac718987f9e27a79e71492727e1caf43e09033e47bdf6c241fbcad64625e65f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RG7RR.tmp\sahiba_5.tmp

Filesize
56KB

MD5
c1ad98b3bcd6d6b0a6812de9b4ac9874

SHA1
17c1907a574aa4137c8b50b78e23176a86df32e1

SHA256
35d9dae41f2e593cf90ae383af8e9fca4bb97ac7ad6e29ee155ff46b1701cfe9

SHA512
b6863077bf252176d73268bd90e3f6137c185901d425b2fd3b85a43083857848b43cfd7ab2fde1ba6d02d35b9efb84904716e8fb21ee9df6cb789b6d84fd7878

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VHR5I.tmp\idp.dll

Filesize
185KB

MD5
525291c25f6be5f83fc68d61de4cab8f

SHA1
7ef19ceaabf47b7a0e8a71c15713a83c635f9254

SHA256
1b2ed639cbe8a06d00e5d9051c30afc6de5eb0189709d95f3abcb9274fb46889

SHA512
6d9a2c7d332d4313cf78ccaab93f4a40a750c43b5982b163093e6900a35503b8bf0c292745d30d67fb1ab2bcd53f5983cc6cae26b92a4c0028be5ba195bb64a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VHR5I.tmp\idp.dll

Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
40KB

MD5
46ea88f4a02d2f3f82621cea3148676e

SHA1
4a7371094df6301584b0aafaf208809022a57862

SHA256
7f5f820599cc2e2e19f369d25ef0d3cdf5a8965f2e3277d7e236a0ded5889f16

SHA512
d163a1fe13d82168f2f4738d1cd8c6ebc28e326b1e18a20b140559f6f96236fd4390e3fc01a78f41bdbcebb22789cfcddfcbc78f84ea0482cfeeb7a601406315

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
14KB

MD5
a7b3b792859204ea0c0bf1e61c4ff4b7

SHA1
1152d8a698a9fff489317d7522811eb439922da7

SHA256
510a2ad0837813edf4d134d0f007cd968e208edd8e68e019c558d2db3ab5e149

SHA512
9a0688226eb836fd7ec88cf2474ad76fc5ef08d0ea13a0aa12a17d8ab242f62792da760bcb81f26096224b1e801c81d8248699e23c01259e3a7091a586970a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
184KB

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
94KB

MD5
b6fc3ff8b35dea1e56fcc4b3327a2f48

SHA1
0bcb2de3439b99573c1acb98eba1a6de2eef87a2

SHA256
e1ed98b1fa033b21e3a6e9174b25e39d51f79aa71483208aa80f84016c8e2e93

SHA512
06a100effd4f97cf29cd38aa202d75e39bb0aefd3ac881d737ef1e2ef4a4b2f36659085a3ebfd1e2b90e5deb132089f79c8bfc2a58ddb72bacf774b5e136529b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
176KB

MD5
ea96d2db3621d70fa0f8ddd4bfb1e622

SHA1
affda48f1d46f6c9320fd9f1274a266f7dad9f78

SHA256
06421a7d13141174ac72502708b139871aad455423c1f4400f43136bd8f7608e

SHA512
3b16242bf129571f0cad005adbdcf1d6cd3a85f3272c030f5e09dee046947b621271200c7bdf59989cbdf87e3d3771e5f166cdb03e3634edc5c94cfc35b02491

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
1KB

MD5
f10da139e7b902813f03022aeac73fb4

SHA1
4d8af9b292d95f79d873a886e9fb53cc7722a531

SHA256
1e7e01c1d994788b6df468fb2b35c62ad1c6e3aec2e442a57f391aa4263e81a3

SHA512
3354f39db9dc90fcc466d6f7cdf2d1d2490b0ff2f0f607dbb4acdaa59aed943b98bc0c8f1bd8bb7d44e77cd82a668a35e82c51295068045d7d41e9f7fd4b5f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
167KB

MD5
e21142b44e282e40958c63b2cd2937ac

SHA1
c9db6b120da1834bdd3b9e762335691e47257eb1

SHA256
8c72703d662482e269c1f8b0e6eb8605bfffcf7ef2c853e55717a03df7f4fb5e

SHA512
42a593eaa1dc8e8fe464331ebfad082f0c7897ec15aae6e36df3278689c4d2d5b9bed98dd60177b82b4bc55614ffffe421535767da116ded4e45fc58a80ec6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
97KB

MD5
4b7716d95a7f7eb0cc43b603c87f73b1

SHA1
217a497aecd4db5e69605308ad5825cb622c4539

SHA256
af326e4756808af6dbed46255c789faf5174714bb0c218e727d41ab9bc95761d

SHA512
314b50b45591f9b50fc64ee8192e8eacb3d3de63bfca95ac09ddcfe3bf5dee34caa8ca98535da728c66b4547191af163d40a6393737a159d66794b94db5bc119

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
54KB

MD5
5777adfae33605789b21b0980b27d53f

SHA1
2899f5d351ab37c53b971fe66bfd789b02fa9a88

SHA256
97d738fe5d92199251ca84d625ece6f50b847798f411d38eeb8a67c188228b74

SHA512
b381acbd5c26bdae3d6d0b6f659d1b2beee87b0b7a43cb50645e37da77ad1c8da1063b9801cbe0289afda43f34f891fd3eb4b2d55487df9633d8177b1c67d3df

Download Submit
memory/940-224-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1016-129-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/1016-207-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/1356-227-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1360-124-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1360-118-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1472-189-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1684-125-0x000000001B020000-0x000000001B030000-memory.dmp

Filesize
64KB

Download
memory/1684-99-0x00000000003C0000-0x00000000003F6000-memory.dmp

Filesize
216KB

Download
memory/1684-149-0x00007FF8EAA50000-0x00007FF8EB511000-memory.dmp

Filesize
10.8MB

Download
memory/1684-104-0x00007FF8EAA50000-0x00007FF8EB511000-memory.dmp

Filesize
10.8MB

Download
memory/1684-112-0x0000000000CC0000-0x0000000000CE8000-memory.dmp

Filesize
160KB

Download
memory/1684-119-0x0000000000CE0000-0x0000000000CE6000-memory.dmp

Filesize
24KB

Download
memory/1684-101-0x0000000000CA0000-0x0000000000CA6000-memory.dmp

Filesize
24KB

Download
memory/1704-128-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1704-208-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1920-162-0x0000000001790000-0x0000000001890000-memory.dmp

Filesize
1024KB

Download
memory/1920-242-0x0000000001770000-0x0000000001779000-memory.dmp

Filesize
36KB

Download
memory/1920-239-0x0000000000400000-0x0000000001410000-memory.dmp

Filesize
16.1MB

Download
memory/1920-169-0x0000000000400000-0x0000000001410000-memory.dmp

Filesize
16.1MB

Download
memory/1920-163-0x0000000001770000-0x0000000001779000-memory.dmp

Filesize
36KB

Download
memory/2396-186-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2440-109-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2440-212-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2440-93-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2440-176-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2852-156-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2996-168-0x00000000008E0000-0x00000000008F0000-memory.dmp

Filesize
64KB

Download
memory/2996-95-0x00000000000E0000-0x00000000000E8000-memory.dmp

Filesize
32KB

Download
memory/2996-166-0x00007FF8EAA50000-0x00007FF8EB511000-memory.dmp

Filesize
10.8MB

Download
memory/2996-100-0x00007FF8EAA50000-0x00007FF8EB511000-memory.dmp

Filesize
10.8MB

Download
memory/2996-107-0x00000000008E0000-0x00000000008F0000-memory.dmp

Filesize
64KB

Download
memory/3140-56-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3140-64-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3140-61-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3140-55-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3140-205-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3140-63-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3140-53-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3140-58-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3140-161-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3140-59-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3140-60-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3140-62-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3140-38-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3140-69-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3140-211-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3140-57-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3140-210-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/3140-170-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3140-171-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3140-175-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3140-174-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/3140-66-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3140-172-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3140-54-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3140-209-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3140-52-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3140-65-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3140-47-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3140-206-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3140-68-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3140-67-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3424-102-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3424-167-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3424-213-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3424-92-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3428-238-0x0000000002EB0000-0x0000000002EC6000-memory.dmp

Filesize
88KB

Download
memory/4276-216-0x0000000000400000-0x000000000146C000-memory.dmp

Filesize
16.4MB

Download
memory/4276-246-0x0000000003100000-0x000000000319D000-memory.dmp

Filesize
628KB

Download
memory/4276-179-0x0000000000400000-0x000000000146C000-memory.dmp

Filesize
16.4MB

Download
memory/4276-164-0x0000000003100000-0x000000000319D000-memory.dmp

Filesize
628KB

Download
memory/4276-165-0x0000000001600000-0x0000000001700000-memory.dmp

Filesize
1024KB

Download
memory/4612-121-0x0000000072C00000-0x00000000733B0000-memory.dmp

Filesize
7.7MB

Download
memory/4612-217-0x00000000058F0000-0x0000000005900000-memory.dmp

Filesize
64KB

Download
memory/4612-214-0x0000000005780000-0x000000000579E000-memory.dmp

Filesize
120KB

Download
memory/4612-185-0x0000000072C00000-0x00000000733B0000-memory.dmp

Filesize
7.7MB

Download
memory/4612-244-0x0000000005EC0000-0x0000000006464000-memory.dmp

Filesize
5.6MB

Download
memory/4612-183-0x00000000057B0000-0x0000000005826000-memory.dmp

Filesize
472KB

Download
memory/4612-251-0x0000000072C00000-0x00000000733B0000-memory.dmp

Filesize
7.7MB

Download
memory/4612-127-0x0000000000E00000-0x0000000000E68000-memory.dmp

Filesize
416KB

Download
memory/4692-123-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4692-126-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4780-159-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4996-249-0x0000000072C00000-0x00000000733B0000-memory.dmp

Filesize
7.7MB

Download
memory/4996-247-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4996-252-0x0000000005800000-0x0000000005E18000-memory.dmp

Filesize
6.1MB

Download
memory/4996-253-0x0000000005240000-0x0000000005252000-memory.dmp

Filesize
72KB

Download
memory/4996-254-0x00000000052A0000-0x00000000052DC000-memory.dmp

Filesize
240KB

Download
memory/4996-255-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/4996-256-0x00000000052E0000-0x000000000532C000-memory.dmp

Filesize
304KB

Download
memory/4996-257-0x0000000005550000-0x000000000565A000-memory.dmp

Filesize
1.0MB

Download
memory/4996-261-0x0000000072C00000-0x00000000733B0000-memory.dmp

Filesize
7.7MB

Download
memory/4996-262-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download