fabookie | 9e74b137b73150bea9b3ef6b987d3af1b3c445163c8ea469e6608d3ebc6062d9

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-02-2024 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a831e658b5144fce65d5792fec93c5bb.exe
Size

3.6MB
MD5

a831e658b5144fce65d5792fec93c5bb
SHA1

65552151087cd73c37ddff91da1fba390073aafe
SHA256

9e74b137b73150bea9b3ef6b987d3af1b3c445163c8ea469e6608d3ebc6062d9
SHA512

09f706c62a04cd0b11f4bf5243331e0dc158c04e2c66b1c6bf98fb08977fb368f19efc3be370f356768ac72d20a9bde9c299ceb9b461c3c680f01bf52c306ea7
SSDEEP

98304:JtV+ZkLdDjG4yi9/8c++DukiL112YjU9gu2qZ2qg:Jb+kLdXyi9kcICYQ9gL

Malware Config

Extracted

Family

nullmixer

http://watira.xyz/

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

vidar

Version

39.9

Botnet

706

https://prophefliloc.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

AniOLD

liezaphare.xyz:80

Signatures

Detect Fabookie payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_9.txt	family_fabookie
C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_9.exe	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4804-207-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4804-207-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_8.txt	family_socelars
C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_8.exe	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Nirsoft 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4368-139-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/2124-142-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4368-140-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/2524-175-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4616-178-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/2384-204-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4504-200-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/2392-242-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3640-1221-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft

Vidar Stealer 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/2736-172-0x00000000048F0000-0x000000000498D000-memory.dmp	family_vidar
behavioral2/memory/2736-183-0x0000000000400000-0x0000000002CBF000-memory.dmp	family_vidar
behavioral2/memory/2736-230-0x0000000000400000-0x0000000002CBF000-memory.dmp	family_vidar

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS80913E77\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS80913E77\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS80913E77\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS80913E77\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS80913E77\libstdc++-6.dll	aspack_v212_v242

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a831e658b5144fce65d5792fec93c5bb.exesetup_installer.exejfiag3g_gg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	a831e658b5144fce65d5792fec93c5bb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	jfiag3g_gg.exe

Executes dropped EXE 24 IoCs

Processes:

setup_installer.exesetup_install.exejfiag3g_gg.exesahiba_9.exesahiba_5.exesahiba_7.exesahiba_2.exesahiba_6.exesahiba_3.exesahiba_4.exesahiba_8.exesahiba_10.exesahiba_5.tmpsahiba_1.exejfiag3g_gg.exejfiag3g_gg.exejfiag3g_gg.exesahiba_4.exejfiag3g_gg.exejfiag3g_gg.exesahiba_4.exejfiag3g_gg.exejfiag3g_gg.exe

pid	process
2312	setup_installer.exe
4828	setup_install.exe
2124	jfiag3g_gg.exe
2660	sahiba_9.exe
4852	sahiba_5.exe
4076	sahiba_7.exe
3780	sahiba_2.exe
2244	sahiba_6.exe
2736	sahiba_3.exe
3012	sahiba_4.exe
3132	sahiba_8.exe
2304	sahiba_10.exe
5036	sahiba_5.tmp
3932	sahiba_1.exe
4368	jfiag3g_gg.exe
2124	jfiag3g_gg.exe
2524	jfiag3g_gg.exe
4616	jfiag3g_gg.exe
4528	sahiba_4.exe
4504	jfiag3g_gg.exe
2384	jfiag3g_gg.exe
4804	sahiba_4.exe
2392	jfiag3g_gg.exe
3640	jfiag3g_gg.exe

Loads dropped DLL 7 IoCs

Processes:

setup_install.exesahiba_5.tmp

pid	process
4828	setup_install.exe
4828	setup_install.exe
4828	setup_install.exe
4828	setup_install.exe
4828	setup_install.exe
4828	setup_install.exe
5036	sahiba_5.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4368-139-0x0000000000400000-0x000000000045B000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
behavioral2/memory/2124-142-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4368-140-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2524-175-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4616-178-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2384-204-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4504-200-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3640-245-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2392-242-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3640-1221-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Drops Chrome extension 1 IoCs

Processes:

sahiba_8.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\manifest.json	sahiba_8.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

46 iplogger.org
47 iplogger.org
48 iplogger.org
61 iplogger.org
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

31 ip-api.com
24 ipinfo.io
25 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of SetThreadContext 1 IoCs

Processes:

sahiba_4.exe

description pid process target process

PID 3012 set thread context of 4804 3012 sahiba_4.exe sahiba_4.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2940 4828 WerFault.exe setup_install.exe

flow	ioc
46	iplogger.org
47	iplogger.org
48	iplogger.org
61	iplogger.org

flow	ioc
31	ip-api.com
24	ipinfo.io
25	ipinfo.io

description	pid	process	target process
PID 3012 set thread context of 4804	3012	sahiba_4.exe	sahiba_4.exe

pid	pid_target	process	target process
2940	4828	WerFault.exe	setup_install.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

sahiba_2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

xcopy.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4940 taskkill.exe

pid	process
4940	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sahiba_2.exe

pid	process
3780	sahiba_2.exe
3780	sahiba_2.exe
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

sahiba_2.exe

pid process

3780 sahiba_2.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

5004 chrome.exe
5004 chrome.exe
5004 chrome.exe
5004 chrome.exe
5004 chrome.exe

pid	process
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

sahiba_8.exesahiba_10.exesahiba_6.exetaskkill.exesahiba_4.exechrome.exe

description	pid	process
Token: SeCreateTokenPrivilege	3132	sahiba_8.exe
Token: SeAssignPrimaryTokenPrivilege	3132	sahiba_8.exe
Token: SeLockMemoryPrivilege	3132	sahiba_8.exe
Token: SeIncreaseQuotaPrivilege	3132	sahiba_8.exe
Token: SeMachineAccountPrivilege	3132	sahiba_8.exe
Token: SeTcbPrivilege	3132	sahiba_8.exe
Token: SeSecurityPrivilege	3132	sahiba_8.exe
Token: SeTakeOwnershipPrivilege	3132	sahiba_8.exe
Token: SeLoadDriverPrivilege	3132	sahiba_8.exe
Token: SeSystemProfilePrivilege	3132	sahiba_8.exe
Token: SeSystemtimePrivilege	3132	sahiba_8.exe
Token: SeProfSingleProcessPrivilege	3132	sahiba_8.exe
Token: SeIncBasePriorityPrivilege	3132	sahiba_8.exe
Token: SeCreatePagefilePrivilege	3132	sahiba_8.exe
Token: SeCreatePermanentPrivilege	3132	sahiba_8.exe
Token: SeBackupPrivilege	3132	sahiba_8.exe
Token: SeRestorePrivilege	3132	sahiba_8.exe
Token: SeShutdownPrivilege	3132	sahiba_8.exe
Token: SeDebugPrivilege	3132	sahiba_8.exe
Token: SeAuditPrivilege	3132	sahiba_8.exe
Token: SeSystemEnvironmentPrivilege	3132	sahiba_8.exe
Token: SeChangeNotifyPrivilege	3132	sahiba_8.exe
Token: SeRemoteShutdownPrivilege	3132	sahiba_8.exe
Token: SeUndockPrivilege	3132	sahiba_8.exe
Token: SeSyncAgentPrivilege	3132	sahiba_8.exe
Token: SeEnableDelegationPrivilege	3132	sahiba_8.exe
Token: SeManageVolumePrivilege	3132	sahiba_8.exe
Token: SeImpersonatePrivilege	3132	sahiba_8.exe
Token: SeCreateGlobalPrivilege	3132	sahiba_8.exe
Token: 31	3132	sahiba_8.exe
Token: 32	3132	sahiba_8.exe
Token: 33	3132	sahiba_8.exe
Token: 34	3132	sahiba_8.exe
Token: 35	3132	sahiba_8.exe
Token: SeDebugPrivilege	2304	sahiba_10.exe
Token: SeDebugPrivilege	2244	sahiba_6.exe
Token: SeDebugPrivilege	4940	taskkill.exe
Token: SeDebugPrivilege	4804	sahiba_4.exe
Token: SeShutdownPrivilege	3596
Token: SeCreatePagefilePrivilege	3596
Token: SeShutdownPrivilege	3596
Token: SeCreatePagefilePrivilege	3596
Token: SeShutdownPrivilege	3596
Token: SeCreatePagefilePrivilege	3596
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

chrome.exe

pid process

5004 chrome.exe
5004 chrome.exe

pid	process
5004	chrome.exe
5004	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a831e658b5144fce65d5792fec93c5bb.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4864 wrote to memory of 2312	4864	a831e658b5144fce65d5792fec93c5bb.exe	setup_installer.exe
PID 4864 wrote to memory of 2312	4864	a831e658b5144fce65d5792fec93c5bb.exe	setup_installer.exe
PID 4864 wrote to memory of 2312	4864	a831e658b5144fce65d5792fec93c5bb.exe	setup_installer.exe
PID 2312 wrote to memory of 4828	2312	setup_installer.exe	setup_install.exe
PID 2312 wrote to memory of 4828	2312	setup_installer.exe	setup_install.exe
PID 2312 wrote to memory of 4828	2312	setup_installer.exe	setup_install.exe
PID 4828 wrote to memory of 5028	4828	setup_install.exe	cmd.exe
PID 4828 wrote to memory of 5028	4828	setup_install.exe	cmd.exe
PID 4828 wrote to memory of 5028	4828	setup_install.exe	cmd.exe
PID 4828 wrote to memory of 4552	4828	setup_install.exe	cmd.exe
PID 4828 wrote to memory of 4552	4828	setup_install.exe	cmd.exe
PID 4828 wrote to memory of 4552	4828	setup_install.exe	cmd.exe
PID 4828 wrote to memory of 1992	4828	setup_install.exe	cmd.exe
PID 4828 wrote to memory of 1992	4828	setup_install.exe	cmd.exe
PID 4828 wrote to memory of 1992	4828	setup_install.exe	cmd.exe
PID 4828 wrote to memory of 4444	4828	setup_install.exe	cmd.exe
PID 4828 wrote to memory of 4444	4828	setup_install.exe	cmd.exe
PID 4828 wrote to memory of 4444	4828	setup_install.exe	cmd.exe
PID 4828 wrote to memory of 2868	4828	setup_install.exe	cmd.exe
PID 4828 wrote to memory of 2868	4828	setup_install.exe	cmd.exe
PID 4828 wrote to memory of 2868	4828	setup_install.exe	cmd.exe
PID 4828 wrote to memory of 3828	4828	setup_install.exe	cmd.exe
PID 4828 wrote to memory of 3828	4828	setup_install.exe	cmd.exe
PID 4828 wrote to memory of 3828	4828	setup_install.exe	cmd.exe
PID 4828 wrote to memory of 672	4828	setup_install.exe	cmd.exe
PID 4828 wrote to memory of 672	4828	setup_install.exe	cmd.exe
PID 4828 wrote to memory of 672	4828	setup_install.exe	cmd.exe
PID 4828 wrote to memory of 2980	4828	setup_install.exe	cmd.exe
PID 4828 wrote to memory of 2980	4828	setup_install.exe	cmd.exe
PID 4828 wrote to memory of 2980	4828	setup_install.exe	cmd.exe
PID 4828 wrote to memory of 2468	4828	setup_install.exe	cmd.exe
PID 4828 wrote to memory of 2468	4828	setup_install.exe	cmd.exe
PID 4828 wrote to memory of 2468	4828	setup_install.exe	cmd.exe
PID 4828 wrote to memory of 1496	4828	setup_install.exe	cmd.exe
PID 4828 wrote to memory of 1496	4828	setup_install.exe	cmd.exe
PID 4828 wrote to memory of 1496	4828	setup_install.exe	cmd.exe
PID 5028 wrote to memory of 2124	5028	cmd.exe	jfiag3g_gg.exe
PID 5028 wrote to memory of 2124	5028	cmd.exe	jfiag3g_gg.exe
PID 5028 wrote to memory of 2124	5028	cmd.exe	jfiag3g_gg.exe
PID 2468 wrote to memory of 2660	2468	cmd.exe	sahiba_9.exe
PID 2468 wrote to memory of 2660	2468	cmd.exe	sahiba_9.exe
PID 2468 wrote to memory of 2660	2468	cmd.exe	sahiba_9.exe
PID 2868 wrote to memory of 4852	2868	cmd.exe	sahiba_5.exe
PID 2868 wrote to memory of 4852	2868	cmd.exe	sahiba_5.exe
PID 2868 wrote to memory of 4852	2868	cmd.exe	sahiba_5.exe
PID 672 wrote to memory of 4076	672	cmd.exe	sahiba_7.exe
PID 672 wrote to memory of 4076	672	cmd.exe	sahiba_7.exe
PID 672 wrote to memory of 4076	672	cmd.exe	sahiba_7.exe
PID 4552 wrote to memory of 3780	4552	cmd.exe	sahiba_2.exe
PID 4552 wrote to memory of 3780	4552	cmd.exe	sahiba_2.exe
PID 4552 wrote to memory of 3780	4552	cmd.exe	sahiba_2.exe
PID 3828 wrote to memory of 2244	3828	cmd.exe	sahiba_6.exe
PID 3828 wrote to memory of 2244	3828	cmd.exe	sahiba_6.exe
PID 1992 wrote to memory of 2736	1992	cmd.exe	sahiba_3.exe
PID 1992 wrote to memory of 2736	1992	cmd.exe	sahiba_3.exe
PID 1992 wrote to memory of 2736	1992	cmd.exe	sahiba_3.exe
PID 4444 wrote to memory of 3012	4444	cmd.exe	sahiba_4.exe
PID 4444 wrote to memory of 3012	4444	cmd.exe	sahiba_4.exe
PID 4444 wrote to memory of 3012	4444	cmd.exe	sahiba_4.exe
PID 2980 wrote to memory of 3132	2980	cmd.exe	sahiba_8.exe
PID 2980 wrote to memory of 3132	2980	cmd.exe	sahiba_8.exe
PID 2980 wrote to memory of 3132	2980	cmd.exe	sahiba_8.exe
PID 1496 wrote to memory of 2304	1496	cmd.exe	sahiba_10.exe
PID 1496 wrote to memory of 2304	1496	cmd.exe	sahiba_10.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a831e658b5144fce65d5792fec93c5bb.exe
"C:\Users\Admin\AppData\Local\Temp\a831e658b5144fce65d5792fec93c5bb.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4864

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312

C:\Users\Admin\AppData\Local\Temp\7zS80913E77\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS80913E77\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_1.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:5028

C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_1.exe
sahiba_1.exe
5⤵
PID:2124

C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_1.exe
"C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_1.exe" -a
6⤵
- Executes dropped EXE
PID:3932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_2.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4552

C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_2.exe
sahiba_2.exe
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_3.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_3.exe
sahiba_3.exe
5⤵
- Executes dropped EXE
PID:2736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_4.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4444

C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_4.exe
sahiba_4.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3012

C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_4.exe
C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_4.exe
6⤵
- Executes dropped EXE
PID:4528

C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_4.exe
C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_4.exe
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_5.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2868

C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_5.exe
sahiba_5.exe
5⤵
- Executes dropped EXE
PID:4852

C:\Users\Admin\AppData\Local\Temp\is-ISR6C.tmp\sahiba_5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ISR6C.tmp\sahiba_5.tmp" /SL5="$6017A,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_5.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_6.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3828

C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_6.exe
sahiba_6.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_7.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:672

C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_7.exe
sahiba_7.exe
5⤵
- Executes dropped EXE
PID:4076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_8.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2980

C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_8.exe
sahiba_8.exe
5⤵
- Executes dropped EXE
- Drops Chrome extension
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:4544

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
6⤵
- Enumerates system info in registry
PID:4476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
6⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1900,i,9597384161892088276,5638519195890989096,131072 /prefetch:2
7⤵
PID:5300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2148 --field-trial-handle=1900,i,9597384161892088276,5638519195890989096,131072 /prefetch:8
7⤵
PID:5348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2260 --field-trial-handle=1900,i,9597384161892088276,5638519195890989096,131072 /prefetch:8
7⤵
PID:5376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1900,i,9597384161892088276,5638519195890989096,131072 /prefetch:1
7⤵
PID:5452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=1900,i,9597384161892088276,5638519195890989096,131072 /prefetch:1
7⤵
PID:5472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3632 --field-trial-handle=1900,i,9597384161892088276,5638519195890989096,131072 /prefetch:1
7⤵
PID:5520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3076 --field-trial-handle=1900,i,9597384161892088276,5638519195890989096,131072 /prefetch:1
7⤵
PID:5508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4336 --field-trial-handle=1900,i,9597384161892088276,5638519195890989096,131072 /prefetch:1
7⤵
PID:5936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1856 --field-trial-handle=1900,i,9597384161892088276,5638519195890989096,131072 /prefetch:2
7⤵
PID:5260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_9.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2468

C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_9.exe
sahiba_9.exe
5⤵
- Executes dropped EXE
PID:2660

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
- Executes dropped EXE
PID:4368

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /DeleteCookiesWildcard "*.facebook.com"
6⤵
- Checks computer location settings
- Executes dropped EXE
PID:2124

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
- Executes dropped EXE
PID:2524

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
6⤵
- Executes dropped EXE
PID:4616

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
- Executes dropped EXE
PID:4504

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
6⤵
- Executes dropped EXE
PID:2384

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
- Executes dropped EXE
PID:2392

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
6⤵
- Executes dropped EXE
PID:3640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_10.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_10.exe
sahiba_10.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 548
4⤵
- Program crash
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4828 -ip 4828
1⤵
PID:8

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fff7c819758,0x7fff7c819768,0x7fff7c819778
1⤵
PID:2108

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3848 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:8
1⤵
PID:5072

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\background.html
Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\icon.png
Filesize
6KB

MD5
c8d8c174df68910527edabe6b5278f06

SHA1
8ac53b3605fea693b59027b9b471202d150f266f

SHA256
9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5

SHA512
d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\aes.js
Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\content.js
Filesize
14KB

MD5
dd274022b4205b0da19d427b9ac176bf

SHA1
91ee7c40b55a1525438c2b1abe166d3cb862e5cb

SHA256
41e129bb90c2ac61da7dac92a908559448c6448ba698a450b6e7add9493739c6

SHA512
8ee074da689a7d90eca3c8242f7d16b0390b8c9b133d7bbdef77f8bf7f9a912e2d60b4a16f1c934f1bd38b380d6536c23b3a2f9939e31a8ef9f9c539573387b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\jquery-3.3.1.min.js
Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\mode-ecb.js
Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\pad-nopadding.js
Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\manifest.json
Filesize
1KB

MD5
f0b8f439874eade31b42dad090126c3e

SHA1
9011bca518eeeba3ef292c257ff4b65cba20f8ce

SHA256
20d39e65b119ed47afd5942d2a67e5057e34e2aef144569796a19825fea4348e

SHA512
833e3e30f091b4e50364b10fc75258e8c647ddd3f32d473d1991beda0095827d02f010bf783c22d8f8a3fa1433b6b22400ad93dc34b0eb59a78e1e18e7d9b05f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
18KB

MD5
7f0f7d7a1984a9df216404667f1c3061

SHA1
937c11e5bf6f506f3fff155d1c064ee2298bfed5

SHA256
071deffab237d4b6b67226d8b8fe92c136626f063f42cad9d19c691fb3a265c9

SHA512
a7fa3e2ed6328bff31b7bd9207eb96ed2cad3e7cd8e20532cdce3143c4108bcdf404055309ea2bc80dbee59032ce2052d9b023064fa280772255c8ac5dee6bea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sahiba_4.exe.log
Filesize
700B

MD5
e5352797047ad2c91b83e933b24fbc4f

SHA1
9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772

SHA256
b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c

SHA512
dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80913E77\libcurl.dll
Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80913E77\libcurlpp.dll
Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80913E77\libgcc_s_dw2-1.dll
Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80913E77\libstdc++-6.dll
Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80913E77\libstdc++-6.dll
Filesize
256KB

MD5
a193ffdca5964b12c791db8c3a33f5f6

SHA1
3003e03561588215f677cfe88862ae0a3c6c3300

SHA256
4d47641be71c5f4a3abc7781e9d1c591fde5f8475fc0ca0f5e1c0ceb884a097c

SHA512
d2ca365c1ea37df490a54dc4f3ce3a624f6164cfa150fc541e39f6eada13ba52de4a23a7760b7417ec8fb4afd248094157c0641e6b4226a6c86b8a4461210590

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80913E77\libwinpthread-1.dll
Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_1.txt
Filesize
56KB

MD5
c0d18a829910babf695b4fdaea21a047

SHA1
236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

SHA512
cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_10.txt
Filesize
8KB

MD5
beb4009e19724f8d9a3d7c85a8ac39fe

SHA1
9f54a525fcefd0fbeb9c1da6a29ad1b165d2b15a

SHA256
d63dc91ba0dfae41a1ede646ec00179ab4bff585d6265af09e8fbc0e5f105eff

SHA512
33152b2bc27a21366b90786c3a5166073d6fdcf24a17931a4cafd8c81902cc960441bfc677c10e1522d072f3d062eabaca2b33c4e1a2d174ecddbe4615a3a463

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_2.exe
Filesize
176KB

MD5
960db7b6449e7aa04dce472d7c34ce02

SHA1
021a149fa29492713cd27913d5f34a2808bce3fb

SHA256
de829982c02fc418e24b6cd38c67ad2bf6a5d63e8042635989be216383b36e7c

SHA512
82572531fb5795385ba77b0e1d0c6fe10be1179ba9bb3e89f74aa2b87e3150bc62d7b1c00b19814fb3308d16c53620068d0ebde80109368b2176ae008c15ffab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_2.txt
Filesize
64KB

MD5
539300c59385946bebd65d4d951bfa55

SHA1
ac1b699de6a1d9eb8bd6b9a611e4b40655a3655c

SHA256
1406f6c1c9eb6e50909b075b453991ed498211c7b3c3fdc109b153ab4de0f194

SHA512
963091f1aaecac94ca793132e9f0ad427af47454f89731a9640a82f8eabc6eb487a7c833dd0e14b789ea90382696fc73a60442880c1f24a9e6cde4577a2de706

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_3.txt
Filesize
543KB

MD5
f3fa539b0b570ff2871331656771cb06

SHA1
2d8eed595c38c9765008f02e1d5cb5e020ad8ccb

SHA256
ed3f7046fcb7404a8a6f55bee1007ca87850a670db0280c7aff243f2e9b966dc

SHA512
a1669e2a1e8d4b2bc455a9d8c869709788501f0f8155539e7a46384f6779e2ef2fd82007c5dff495959f8d18cd7386aba0199849c40bef5ab06f32b6d38cfdd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_4.exe
Filesize
397KB

MD5
029f733d742815f2b2cea439e83b30bf

SHA1
7d5362da52f59116ba4311ecd21bc3761d3cb49e

SHA256
2de39e9f3bfd136cc29081be63528f89711cf820fae735f23412fe75c679d891

SHA512
a4fbc43ca1260a42db360c8e2956ccdecc8160cf94c792f1486edc2e87e17eb6574874aaa9862332a9fa011ba23a8c96080368d33c19b5f2a9a4663bcc0cb727

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_4.exe
Filesize
192KB

MD5
de4a54fdd28986c2690649d01859f363

SHA1
35a0d690554298b33cf040890175fa3dfc68e0b7

SHA256
163e3043cf514d53dff34253e4bf14168354c20ab8e777344a13b964232ad421

SHA512
0e91d9cf9481d8a981d5c33416182b58889a8ec7ae7dac7c1dc301f76b969b892911c634329535ea99a7330dc6cdecb48009c5e24cea57e8377d3af372e7e004

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_4.txt
Filesize
128KB

MD5
c6aee72321230c64e22156b5efba0cc1

SHA1
1e18a9eda7f822c95f90e61716062e4c2a2bcf7e

SHA256
e7db25afce1886fd3c360a5d3a9078c6d1d3f88e0795a4a10f0c8ad32e79a400

SHA512
724d0fe979a7506ceee352ce12c9a1d06400e91a7ef39085b018dccf37587329027951ef674a000ab8c28a0108ef263d5d0734800188fdc09b8b4e2ee267457e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_5.txt
Filesize
749KB

MD5
1069c64eebfa52869ac2706f3fac88e3

SHA1
d11eff94fa1b68f1b8365dbc4ca107aebeee24c4

SHA256
c6b6d0aa7a9a46c81db2d12733268741ef78a667381b11eeafaa7e2a29c48c10

SHA512
9283e288394c8024c5ccef04f69a03d5bb69c48f5de04e2a9cb4536e180d51b820fc6a71c1fae62d0d246321fa24a17f5df78a842ae4781ea26f5bc18678b60c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_6.txt
Filesize
181KB

MD5
3da1b1c0d5fc9cec058e7c74013b4fcc

SHA1
95d8a325652bb336389297e26767d45e92e5f73e

SHA256
eeac0ab9230e5f2527a890141d63f32611233c1c38223c37b0a17a9be705f7ad

SHA512
64ce53bfaec1f75f267abd1c42d77f23550611886e5edad1bffa95d703a3f162bf49dfedada3c8eeea7828da0f42203a61d0824a56efced146a06467cea9681a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_7.exe
Filesize
1.2MB

MD5
aca9e3d2f97237a4c3dd38a63bf092bc

SHA1
eec122a60c2433ee912c7f15d45be983170de81a

SHA256
fb927a1a69165c7e0dcb5365830d43a8dcb2210036ee121d801d02ee6b7a5458

SHA512
9c9b2387390e57ea68e4f9981070319c94bd2808ba0450eb373ae341d42398837d23a8982811779cb9ff854c92901d10fb37158560231554c07a49e7e3646a66

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_7.txt
Filesize
108KB

MD5
a7fe0fc2736fb9bdb53c4a31dcaa1d14

SHA1
ad63cdbeb754ae5ad60a160b83f061635469400a

SHA256
3f96af082cf04703fbe11c279215b644368f2099435e09cd41e760be214e441a

SHA512
b55cabf06da5474d8f11ba2efc6178a06c692f0bf77caa557677302bf24b89946c175cafa782ec89d86aa1d15c1e730daa68a7c67ae455a1b764ed1484c14b19

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_8.exe
Filesize
1.4MB

MD5
bc3f416df3ded32d46930db95917fd52

SHA1
0fce98b62fb734fddb457197b710d6966057e68e

SHA256
713cc95814f8cb1069d70187795a0177df12bc899889cbd80b8e2d75130b9570

SHA512
fbd41b8426635b78ec0288da80a28adca1b60600d8a03ac99886455e46da44172363f036a04fdbaaa07572d6053a03d506214f7b8f71ebf6e09655813871903d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_8.txt
Filesize
64KB

MD5
dd85da526dda12cab5a06fb81d8c8446

SHA1
56b31b960bef09140f982388e9a6e04dab3b3f9b

SHA256
08f871e377ca4a440cc186ffef87ca84ee0298788d63fece5611db77e2abb95e

SHA512
d6fd7dc1d5a29c1a804f66cc3a4cb2651e64d6124d1f64f64024aa166028391a54e0de376d06f96d566a8c517553b5d3b6cb8d94bdaed58af0f927367221f91e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_9.exe
Filesize
983KB

MD5
270dd1da0ab7f38cdff6fab84562ec7a

SHA1
cf7be169ee4415085baeb4aeaa60932ac5abf4ac

SHA256
7d7d5ae0fa9286fea65a6f94240389998ff0d08340a2aedc67ef3547e84d64c6

SHA512
dc3d7d112a8e43c34261f3425ef6710d61cb92d797dd4a1e9b04e02971db42a4a2e2488bf5397c0ec9a6a1a6a718cec77c379377647402099cb7e4a5bb381286

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80913E77\sahiba_9.txt
Filesize
64KB

MD5
e7945c58a007570c97069d0e2f1dc476

SHA1
df69d9c9b3a727cc4a92683bd0f56b7d2ae5f641

SHA256
c30dc4aaba4b4c3afa34f42eb535075519673dbefe3689d3b9f0ca0f20205da0

SHA512
54e6cd48ab097daadd0b801b7d9b305f1765c14132940d24bfce4c93b7e421ad3b759fce52fcac8964f26fccc68b4a47e02600f139416d8461b83cd08d6f81ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80913E77\setup_install.exe
Filesize
287KB

MD5
6fff0370bb04c9019077b5de629a251c

SHA1
ac9da4819b84a75e5615c713492bbd27c38d4356

SHA256
02f308dffaa1e7900c7f097fb8488e31cc0c89c7cee2a708dee24355b3aa0e89

SHA512
af66cc22dc561b4677994b3e37cb7c2adf19f67ab684b427642eb68e5d11bbb220a021889547ddb6fc747a8ebdabdf442438b06246f2a45acb8061754124c373

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\CrashpadMetrics-active.pma
Filesize
448KB

MD5
c8a9e7ef03cd07e0b26a4e1fbbb1f21f

SHA1
f2cd7334fd0e86e24f1f3a5eaf091d56c76b2461

SHA256
8f4ece6a9229ac28353a6dfbf2c47f770fd8964a6912d499124af38745428ae1

SHA512
936cf56b50df392534d35c9945a1cfdb075de1a2aa2c7f1e6ff8fc020566f16d96042b42667c7938787734f0d47efef454ff77c19b594eafa0ba1ae6899afe62

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad\settings.dat
Filesize
40B

MD5
a6af806de53cade9b0e7a6f2446f1ba6

SHA1
d5078ec988045014437eef70437e1243d3c4fdac

SHA256
e1a9dc7f8e1fff71c8ebc2da931c3c254b5a62908a6d22efbe27085db8a9b36a

SHA512
2ff96045a3b5e1adbaba43ba3267c6d03f113bb545af563a3711a998dd5c4426ce4f56f6cb501d2fb670b8b8f5fa71a696797648b428c86ddda7de4c82d227f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\14f68074-5d51-42de-b58d-b12be481627b.tmp
Filesize
18KB

MD5
036fc6ec183f1e09f770a37cd0cd3fa4

SHA1
927ed11a3f9072a5333c39dd06c30cc27e87e7df

SHA256
c705e5f69aadb09d42ce91b9d6b9352ec72836cc7dc3a2ac0ee19df29ad58259

SHA512
e2364438b20d5721d9b1020febf892d060a678d9956d3c846606a3c31c2168553bf6f5604e7836ad0506da14bda07ef2a5efe760917c9e7090a81b689809b62e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\f_000004
Filesize
21KB

MD5
3669e98b2ae9734d101d572190d0c90d

SHA1
5e36898bebc6b11d8e985173fd8b401dc1820852

SHA256
7061caa61b21e5e5c1419ae0dc8299142ba89c8169a2bd968b6de34a564f888a

SHA512
0c5f0190b0df4939c2555ec7053a24f5dae388a0936140d68ed720a70542b40aaf65c882f43eb1878704bea3bd18934de4b1aac57a92f89bbb4c67a51b983ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\f_000005
Filesize
20KB

MD5
c1164ab65ff7e42adb16975e59216b06

SHA1
ac7204effb50d0b350b1e362778460515f113ecc

SHA256
d7928d8f5536d503eb37c541b5ce813941694b71b0eb550250c7e4cbcb1babbb

SHA512
1f84a9d9d51ac92e8fb66b54d103986e5c8a1ca03f52a7d8cdf21b77eb9f466568b33821530e80366ce95900b20816e14a767b73043a0019de4a2f1a4ffd1509

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\f_000006
Filesize
21KB

MD5
792e404cf7b41c44b363654a60a52c4b

SHA1
4cf5340f1ff39c648565ca43f464498cd728d2aa

SHA256
ee33195c6ea39964bbf88b9ea3fda88f2f5590191973fca11c108a1e7ec9adf3

SHA512
2a8efe7f73cdfb3e9f9a7a56986ebe754e91a3093056b1266826fd8dd43a8126775d9a6271eea63cd4b6f028a177403ef042ede22ba8cda1124c3f57dce6a7e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\f_000007
Filesize
16KB

MD5
9978db669e49523b7adb3af80d561b1b

SHA1
7eb15d01e2afd057188741fad9ea1719bccc01ea

SHA256
4e57f4cf302186300f95c74144cbca9eb756c0a8313ebf32f8aba5c279dd059c

SHA512
04b216bd907c70ee2b96e513f7de56481388b577e6ccd67145a48178a605581fab715096cfb75d1bb336e6ad0060701d2a3680e9f38fe31e1573d5965f1e380a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\f_000008
Filesize
34KB

MD5
b63bcace3731e74f6c45002db72b2683

SHA1
99898168473775a18170adad4d313082da090976

SHA256
ea3a8425dcf06dbc9c9be0ccd2eb6381507dd5ac45e2a685b3a9b1b5d289d085

SHA512
d62d4dddb7ec61ef82d84f93f6303001ba78d16fd727090c9d8326a86ab270f926b338c8164c2721569485663da88b850c3a6452ccb8b3650c6fa5ce1ce0f140

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\f_000009
Filesize
57KB

MD5
875d83b162f99f5bf1bddb0e8244283f

SHA1
602718ff0802d61c6b0aae241666913e2a44fa62

SHA256
cc3a0bb4a4e0ee5852930fdc1e058be7f9a151cc33eced19d37ed0c0b70c1a18

SHA512
c8274a77790b3bcd0e96aa57ecfb40b16d5fe4dc302bed02223970a0bd64d0da9bd798855e0ce54bc4f59a34082b0cab1c663364961c2f389902a3f3ed8c835e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\f_00000c
Filesize
46KB

MD5
621714e5257f6d356c5926b13b8c2018

SHA1
95fbe9dcf1ae01e969d3178e2efd6df377f5f455

SHA256
b6c5da3bf2ae9801a3c1c61328d54f9d3889dcea4049851b4ed4a2ff9ba16800

SHA512
b39ea7c8b6bb14a5a86d121c9afc4e2fc1b46a8f8c8a8ddacfa53996c0c94f39d436479d923bf3da45f04431d93d8b0908c50d586181326f68e7675c530218ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\f_00000d
Filesize
37KB

MD5
01ef159c14690afd71c42942a75d5b2d

SHA1
a38b58196f3e8c111065deb17420a06b8ff8e70f

SHA256
118d6f295fd05bc547835ba1c4360250e97677c0419c03928fd611f4f3e3104b

SHA512
12292194bb089f50bb73507d4324ea691cc853a6e7b8d637c231fadb4f465246b97fd3684162467989b1c3c46eabb3595adb0350c6cf41921213620d0cff455b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Code Cache\js\index-dir\the-real-index
Filesize
48B

MD5
fbae29602dc80875573857e9fc1dcc5a

SHA1
5a1e49b8efe3fb35901aa0ae04bca45cd3a65992

SHA256
c16815f87ba45a96b1d1fa8892a6f8143f7ee866f3eb7b7d4ec0ad5ad665a6d2

SHA512
866d6050d765575672ebce537b41704afb3eb85d99eaf804e88c03870f41b3356a515702fdec0431602d4532e80b0098006ed95c5979ffa2a1257cb72ecc707c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Code Cache\js\index-dir\the-real-index
Filesize
888B

MD5
38260dbacef289f7f86770c4eb570ec1

SHA1
53754585d24f2c80a0ac754965cff53610fae562

SHA256
00911376c69d4ee72dd943608ce81cfa51b18fcf74682d409f23fc3bc406320d

SHA512
45d8afd6a1495fc602bfe430b74d6b0a2ff0b70230f362e156a15936439d356c9ea85ff39b076b8890b7881e8a3887a3901b47c9abed0a84f1f48eee7f7102af

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Code Cache\wasm\index
Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Code Cache\wasm\index-dir\the-real-index
Filesize
48B

MD5
488e9b9f269a2813dd75f5bc738a61b7

SHA1
a51442d5c18fb5a0c8e16d0754608a520587e48a

SHA256
84be6d02c5a0b5520ef43a2d30962079635a412290e136a1d440a4396fb75bbf

SHA512
6ac775b58997d1fcf048bdfc4bd502652ca5f9f9a915039bb909da59f22448ed3dff2555a7c23ddbe1585e5b9bdc5c663b135467cd1071edd491611c12e78663

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\DawnCache\data_2
Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extension Scripts\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extension Scripts\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json
Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\background.js
Filesize
15KB

MD5
bd7a14ecf646c84925eab4c118e4b4ca

SHA1
4f8bee6b2c2d9fccd38e7ae28dfb5ef49e7bad10

SHA256
34e2e278b62dd64fa86e00fac85409124ec4e4a32f1a611d784d9c1e892df571

SHA512
dc5e354efbf61bec4e526ca5f76cd7958d60b1167aedcf7bb8ffd92bed9d01975b4f881c831f25ac8bdb11ffffb157855b48aba5bd4faa1d084f58354f274ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en_GB\messages.json
Filesize
593B

MD5
91f5bc87fd478a007ec68c4e8adf11ac

SHA1
d07dd49e4ef3b36dad7d038b7e999ae850c5bef6

SHA256
92f1246c21dd5fd7266ebfd65798c61e403d01a816cc3cf780db5c8aa2e3d9c9

SHA512
fdc2a29b04e67ddbbd8fb6e8d2443e46badcb2b2fb3a850bbd6198cdccc32ee0bd8a9769d929feefe84d1015145e6664ab5fea114df5a864cf963bf98a65ffd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\data_0
Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\data_3
Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Login Data For Account
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Network\Network Persistent State
Filesize
2KB

MD5
c927109a1777fe9e3336f53135802763

SHA1
5a935cadf5ea9b2aef2d32b2178360b8fb07ce83

SHA256
e13263944d81256f6b70cc046ccb78cda0fb5fcba5abf963cb1a444e8830325a

SHA512
85257b18ac373a23d6d2b7cfc9439d17f06dda3261b86372d2228ff097344174dc3c705c48c7c7efa2d1e95b140713675c7d4eede08348576fb8725c4884f6da

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Network\TransportSecurity
Filesize
870B

MD5
b9e4f97ce9af7efe4d3e2a12aa560db0

SHA1
143ad4c49e6577e02beacc1196e85e9d83294e9f

SHA256
e2096c332795cd4521322125a1a9d0e2f1d1cf095c64b452ee994505808de491

SHA512
1c26ffdb8d0d9cfa096ca45a4de0ee3721c9f2eb669b83ed5e595daf5086bbda1631dd466e76be33669e0dfcfc5f758a808e28ed3008cfcd8699279546d2af67

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Network\TransportSecurity
Filesize
870B

MD5
f9e84d7e85b59f5b5a080696cd2c3663

SHA1
813e1ee6150a0df861795418243cd1145df60d08

SHA256
d3d8d9c5773df19da29239f981ec2eeb453f6cd63470ddbb1476546b3a02e5f9

SHA512
bcc00086bb6f501cc289ba3c700e04cc763da0f7b878ae96ef28aa87308fd6f78186cd87eb7f4db6a0139a2c8a5191fde4fc6fa4ca54850614cbf7c6f6b8ea10

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Network\TransportSecurity
Filesize
870B

MD5
bc0c735ebb22beb388a18b3c89ebed21

SHA1
a235f0d4292a69fab9bdb39f73c27dc7cd98c3f1

SHA256
12d5c70a91b0008cd51b1e05c305f1e59746822996f7f690206b629c443f4573

SHA512
27c894c0791888216f1b05f8a701c9b4db32c086b60f16be28ec61908edd167747286dfe21a4b0e43d3a8579a77c7c2ae9e4a9ab1807909c1147780dc78e03d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Network\TransportSecurity
Filesize
870B

MD5
ce2bc2996ad763dcb54746e4f0380c25

SHA1
2276504806173cf39a06312b13f48eee943d4780

SHA256
95ed222822550cb0c106362c6cfe04eb5a53e34b5f60fc55b06c12740a69d0a6

SHA512
82af66544a260faba7d75f901afb8fbe8b02231f4269a8ac74ab3ff1976cb3f7e12d6a91d584bb088c9b9aef81285f4f2461ed51b519586be306101bc8828877

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Preferences
Filesize
6KB

MD5
a9ebf4cfac944a001a58f300d81de619

SHA1
b1f4db40ebd49ba5661dcd36789f7d0fab8c7063

SHA256
d7d45959ca9db89a1dc676e8f61ae1077289a5035d0d754de3031604edb37619

SHA512
df716448ad911d4ee62e28e5f1a2e999ca1ea790772359054376b02995e275fc0db4504557fe4b8136178ee587ebb9b57e3d333358e7fa668582916bde5217d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Safe Browsing Network\Safe Browsing Cookies
Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir\the-real-index
Filesize
48B

MD5
5c4abd9132d2d38f6de363217ec9eaac

SHA1
e89c36a3f2e08149790e58cd076123f171dc056e

SHA256
d193187c3793d799b94a908a27840d0b139413bba4dce42123d991ab5c039edd

SHA512
aae94b94bf64457da3d15a8f323c20dcd6a5d7642595b7e53d0749679ccb79995f8338b165dc87a9b8fbdce3f17948cded4069783beea93014ab31b8665012b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\index
Filesize
256KB

MD5
3d29ea138dcb6831a07c8ecfeededdff

SHA1
0197c067b9bf654a45b25312b65e0e26b187fbdf

SHA256
65556f87014a935a122a9f6479024be7d9d2373b52d83f70e0a1d388b82c1fd9

SHA512
6ea4ec021d14053a9f3d96c993d0d7dbe2fc529305d9e616bad08b81ce51ee212f967b6abfb5b7d707f038918a95fa4e196321509c45f90a57c84a21f2ab08d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Local State
Filesize
253KB

MD5
fc902b76689ea9958b7a22757434e9c3

SHA1
db6b1c8b0f0dddd1c738285a902c07c61fdcf43f

SHA256
c92a194f5b7d626059c3c8b03277cb3bf589b12ee3abda7266b12132292fbc02

SHA512
1f560db874b28e604f2bece70a4991d0c489e4332b366ea618d1fa2b3460a29d82fa0c78a8fd08934af116b4acf36300c5266ec0ce790bbd72b671aee7a87730

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
Filesize
31B

MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ISR6C.tmp\sahiba_5.tmp
Filesize
1.0MB

MD5
b6cee06d96499009bc0fddd23dc935aa

SHA1
ffaef1baa4456b6e10bb40c2612dba7b18743d01

SHA256
9553aee4cfe474165afa02a4f89455aaba3e27fe03bfda46ec85ec7c6f01574f

SHA512
b710767c8802981495368f0b4e0dd87a4b04833b974e6b82605c92a8303b1cf5525634b3c34a1e251193c73c59579aa15704260c3898a2d49f641770b2d95b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L4DV6.tmp\idp.dll
Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
Filesize
184KB

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
Filesize
3.5MB

MD5
84cd66bbcd8d3fb8bfb4d0b2467ffe54

SHA1
96fc45aefbc3147165c42cd620a89d595d1db681

SHA256
3e97d28315379d7c9488de8fbe86d305dfa0e119892dab194940636b92053a53

SHA512
c354bb8b9cedc29bfc8a95ea893926f5ef081ed7f0c636ac3a575bcfba9b3d56ab02252793611b37b64186846d3c1817be9281e7d03ee1d7f88c618cdf19cd76

Download Submit
memory/2124-142-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2244-166-0x00007FFF7FFF0000-0x00007FFF80AB1000-memory.dmp

Filesize
10.8MB

Download
memory/2244-126-0x000000001AE50000-0x000000001AE60000-memory.dmp

Filesize
64KB

Download
memory/2244-119-0x000000001AC90000-0x000000001AC96000-memory.dmp

Filesize
24KB

Download
memory/2244-113-0x0000000002430000-0x0000000002456000-memory.dmp

Filesize
152KB

Download
memory/2244-103-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/2244-106-0x0000000002300000-0x0000000002306000-memory.dmp

Filesize
24KB

Download
memory/2244-107-0x00007FFF7FFF0000-0x00007FFF80AB1000-memory.dmp

Filesize
10.8MB

Download
memory/2304-116-0x000000001B080000-0x000000001B090000-memory.dmp

Filesize
64KB

Download
memory/2304-120-0x00007FFF7FFF0000-0x00007FFF80AB1000-memory.dmp

Filesize
10.8MB

Download
memory/2304-112-0x0000000000480000-0x0000000000488000-memory.dmp

Filesize
32KB

Download
memory/2304-202-0x000000001B080000-0x000000001B090000-memory.dmp

Filesize
64KB

Download
memory/2304-205-0x00007FFF7FFF0000-0x00007FFF80AB1000-memory.dmp

Filesize
10.8MB

Download
memory/2384-204-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2392-242-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2524-175-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2736-172-0x00000000048F0000-0x000000000498D000-memory.dmp

Filesize
628KB

Download
memory/2736-230-0x0000000000400000-0x0000000002CBF000-memory.dmp

Filesize
40.7MB

Download
memory/2736-1427-0x0000000002D90000-0x0000000002E90000-memory.dmp

Filesize
1024KB

Download
memory/2736-183-0x0000000000400000-0x0000000002CBF000-memory.dmp

Filesize
40.7MB

Download
memory/2736-171-0x0000000002D90000-0x0000000002E90000-memory.dmp

Filesize
1024KB

Download
memory/3012-115-0x0000000073230000-0x00000000739E0000-memory.dmp

Filesize
7.7MB

Download
memory/3012-219-0x0000000073230000-0x00000000739E0000-memory.dmp

Filesize
7.7MB

Download
memory/3012-111-0x0000000000F80000-0x0000000000FEA000-memory.dmp

Filesize
424KB

Download
memory/3012-132-0x00000000057D0000-0x00000000057EE000-memory.dmp

Filesize
120KB

Download
memory/3012-135-0x0000000005FD0000-0x0000000006574000-memory.dmp

Filesize
5.6MB

Download
memory/3012-118-0x0000000005830000-0x00000000058A6000-memory.dmp

Filesize
472KB

Download
memory/3012-196-0x0000000073230000-0x00000000739E0000-memory.dmp

Filesize
7.7MB

Download
memory/3596-206-0x00000000028A0000-0x00000000028B6000-memory.dmp

Filesize
88KB

Download
memory/3640-1221-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3640-245-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3780-208-0x0000000000400000-0x0000000002C63000-memory.dmp

Filesize
40.4MB

Download
memory/3780-167-0x0000000000400000-0x0000000002C63000-memory.dmp

Filesize
40.4MB

Download
memory/3780-150-0x0000000002D90000-0x0000000002D99000-memory.dmp

Filesize
36KB

Download
memory/3780-148-0x0000000002E00000-0x0000000002F00000-memory.dmp

Filesize
1024KB

Download
memory/4368-139-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4368-140-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4504-200-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4616-178-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4804-235-0x0000000073230000-0x00000000739E0000-memory.dmp

Filesize
7.7MB

Download
memory/4804-236-0x0000000005670000-0x0000000005680000-memory.dmp

Filesize
64KB

Download
memory/4804-1436-0x0000000073230000-0x00000000739E0000-memory.dmp

Filesize
7.7MB

Download
memory/4804-1438-0x0000000005670000-0x0000000005680000-memory.dmp

Filesize
64KB

Download
memory/4804-231-0x00000000054B0000-0x00000000054FC000-memory.dmp

Filesize
304KB

Download
memory/4804-207-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4804-237-0x0000000005E90000-0x0000000005F9A000-memory.dmp

Filesize
1.0MB

Download
memory/4804-229-0x0000000005470000-0x00000000054AC000-memory.dmp

Filesize
240KB

Download
memory/4804-218-0x00000000053D0000-0x00000000053E2000-memory.dmp

Filesize
72KB

Download
memory/4804-213-0x0000000005870000-0x0000000005E88000-memory.dmp

Filesize
6.1MB

Download
memory/4828-58-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4828-74-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4828-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4828-80-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/4828-62-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4828-50-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/4828-65-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4828-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4828-151-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4828-79-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/4828-66-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4828-69-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4828-147-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/4828-68-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4828-77-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/4828-78-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/4828-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4828-144-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/4828-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4828-76-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/4828-149-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4828-145-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4828-81-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/4828-146-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4828-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4828-75-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4852-99-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4852-164-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4852-117-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5036-161-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/5036-131-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download