fabookie | 3df4f87d41a548e7cd16ee0bd11ce89e6c74681ca2d5741eed38238a91d5f415

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c68dd6becf7ff5f43ae83924cd67613c.exe
Size

3.3MB
MD5

c68dd6becf7ff5f43ae83924cd67613c
SHA1

2f95861167f6fc5dc9b9ae46460b052fa789e73f
SHA256

3df4f87d41a548e7cd16ee0bd11ce89e6c74681ca2d5741eed38238a91d5f415
SHA512

832bc830f2728dd9b6509d39c092ff123ef85e58367eba9c0c55c0ec3d0e6194ee37c090dfc6638f5fb05151447ee3fee6c38f1818baaafc3be2e856cf55e846
SSDEEP

98304:xqj4BFusRGZRQCgaTf0tRy/SdDXsZ1iCvLUBsK5n:xsVZLERFdAZ1TLUCKp

Score

10^/10

fabookie nullmixer redline sectoprat smokeloader vidar 706 aniold pub5 aspackv2 backdoor dropper infostealer rat spyware stealer trojan upx

Malware Config

Extracted

Family

nullmixer

http://watira.xyz/

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

vidar

Version

39.8

Botnet

706

https://xeronxikxxx.tumblr.com/

Attributes

profile_id
706

Extracted

Family

redline

Botnet

AniOLD

liezaphare.xyz:80

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Signatures

Detect Fabookie payload 5 IoCs

resource	yara_rule
behavioral1/files/0x0006000000014b4c-110.dat	family_fabookie
behavioral1/files/0x0006000000014b4c-117.dat	family_fabookie
behavioral1/files/0x0006000000014b4c-116.dat	family_fabookie
behavioral1/files/0x0006000000014b4c-114.dat	family_fabookie
behavioral1/files/0x0006000000014b4c-89.dat	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/3012-219-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/3012-217-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/3012-215-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/3012-211-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/3012-209-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/3012-219-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/3012-217-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/3012-215-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/3012-211-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/3012-209-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Nirsoft 9 IoCs

resource	yara_rule
behavioral1/memory/568-195-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/1308-193-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2224-330-0x00000000003A0000-0x00000000003FB000-memory.dmp	Nirsoft
behavioral1/memory/2112-329-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2780-332-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/1248-355-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/1652-357-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/604-436-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2012-435-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft

Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral1/memory/1864-173-0x0000000004C30000-0x0000000004CCD000-memory.dmp	family_vidar
behavioral1/memory/1864-175-0x0000000000400000-0x00000000032A0000-memory.dmp	family_vidar
behavioral1/memory/1864-366-0x0000000000400000-0x00000000032A0000-memory.dmp	family_vidar

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0006000000015653-31.dat	aspack_v212_v242
behavioral1/files/0x0006000000014e71-45.dat	aspack_v212_v242
behavioral1/files/0x0006000000014bbc-47.dat	aspack_v212_v242
behavioral1/files/0x000600000001535e-54.dat	aspack_v212_v242
behavioral1/files/0x000600000001535e-51.dat	aspack_v212_v242

Executes dropped EXE 22 IoCs

pid	Process
2648	setup_install.exe
2664	sahiba_1.exe
2632	sahiba_5.exe
2880	sahiba_4.exe
2908	sahiba_6.exe
1292	sahiba_1.exe
2224	sahiba_9.exe
2232	sahiba_8.exe
2356	sahiba_2.exe
1864	sahiba_3.exe
2280	sahiba_7.exe
2244	sahiba_8.tmp
2100	sahiba_5.tmp
1308	jfiag3g_gg.exe
568	jfiag3g_gg.exe
3012	sahiba_4.exe
2112	jfiag3g_gg.exe
2780	jfiag3g_gg.exe
1248	jfiag3g_gg.exe
1652	jfiag3g_gg.exe
2012	jfiag3g_gg.exe
604	jfiag3g_gg.exe

Loads dropped DLL 64 IoCs

pid	Process
1796	c68dd6becf7ff5f43ae83924cd67613c.exe
1796	c68dd6becf7ff5f43ae83924cd67613c.exe
1796	c68dd6becf7ff5f43ae83924cd67613c.exe
2648	setup_install.exe
2648	setup_install.exe
2648	setup_install.exe
2648	setup_install.exe
2648	setup_install.exe
2648	setup_install.exe
2648	setup_install.exe
2648	setup_install.exe
2120	cmd.exe
2120	cmd.exe
2664	sahiba_1.exe
2664	sahiba_1.exe
1904	cmd.exe
328	cmd.exe
2000	cmd.exe
328	cmd.exe
2632	sahiba_5.exe
2632	sahiba_5.exe
2880	sahiba_4.exe
2880	sahiba_4.exe
2664	sahiba_1.exe
2696	cmd.exe
2688	cmd.exe
2900	cmd.exe
2296	cmd.exe
2296	cmd.exe
2224	sahiba_9.exe
2224	sahiba_9.exe
2232	sahiba_8.exe
2232	sahiba_8.exe
1292	sahiba_1.exe
1292	sahiba_1.exe
2900	cmd.exe
2356	sahiba_2.exe
2356	sahiba_2.exe
1864	sahiba_3.exe
1864	sahiba_3.exe
2508	cmd.exe
2232	sahiba_8.exe
2632	sahiba_5.exe
2280	sahiba_7.exe
2280	sahiba_7.exe
2244	sahiba_8.tmp
2244	sahiba_8.tmp
2100	sahiba_5.tmp
2100	sahiba_5.tmp
2100	sahiba_5.tmp
2244	sahiba_8.tmp
2880	sahiba_4.exe
1628	WerFault.exe
1628	WerFault.exe
1628	WerFault.exe
1628	WerFault.exe
2224	sahiba_9.exe
2224	sahiba_9.exe
1308	jfiag3g_gg.exe
1308	jfiag3g_gg.exe
2224	sahiba_9.exe
2224	sahiba_9.exe
568	jfiag3g_gg.exe
568	jfiag3g_gg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/568-195-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/1308-193-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2224-191-0x00000000003A0000-0x00000000003FB000-memory.dmp	upx
behavioral1/files/0x0038000000013a84-190.dat	upx
behavioral1/memory/2112-329-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2780-332-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/1248-355-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/1652-357-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/604-436-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2012-435-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
45	iplogger.org
46	iplogger.org
58	iplogger.org

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com
7	ipinfo.io
39	api.db-ip.com
41	api.db-ip.com
4	ipinfo.io

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2880 set thread context of 3012	2880	sahiba_4.exe	52

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1628	2648	WerFault.exe	28
1520	1864	WerFault.exe	47

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	sahiba_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	sahiba_3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	sahiba_7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	sahiba_7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	sahiba_6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	sahiba_6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	sahiba_6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	sahiba_3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	sahiba_6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	sahiba_6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	sahiba_6.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2356	sahiba_2.exe
2356	sahiba_2.exe
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2356	sahiba_2.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2908	sahiba_6.exe
Token: SeDebugPrivilege	3012	sahiba_4.exe
Token: SeShutdownPrivilege	1204	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 2648	1796	c68dd6becf7ff5f43ae83924cd67613c.exe	28
PID 1796 wrote to memory of 2648	1796	c68dd6becf7ff5f43ae83924cd67613c.exe	28
PID 1796 wrote to memory of 2648	1796	c68dd6becf7ff5f43ae83924cd67613c.exe	28
PID 1796 wrote to memory of 2648	1796	c68dd6becf7ff5f43ae83924cd67613c.exe	28
PID 1796 wrote to memory of 2648	1796	c68dd6becf7ff5f43ae83924cd67613c.exe	28
PID 1796 wrote to memory of 2648	1796	c68dd6becf7ff5f43ae83924cd67613c.exe	28
PID 1796 wrote to memory of 2648	1796	c68dd6becf7ff5f43ae83924cd67613c.exe	28
PID 2648 wrote to memory of 2120	2648	setup_install.exe	30
PID 2648 wrote to memory of 2120	2648	setup_install.exe	30
PID 2648 wrote to memory of 2120	2648	setup_install.exe	30
PID 2648 wrote to memory of 2120	2648	setup_install.exe	30
PID 2648 wrote to memory of 2120	2648	setup_install.exe	30
PID 2648 wrote to memory of 2120	2648	setup_install.exe	30
PID 2648 wrote to memory of 2120	2648	setup_install.exe	30
PID 2648 wrote to memory of 2296	2648	setup_install.exe	31
PID 2648 wrote to memory of 2296	2648	setup_install.exe	31
PID 2648 wrote to memory of 2296	2648	setup_install.exe	31
PID 2648 wrote to memory of 2296	2648	setup_install.exe	31
PID 2648 wrote to memory of 2296	2648	setup_install.exe	31
PID 2648 wrote to memory of 2296	2648	setup_install.exe	31
PID 2648 wrote to memory of 2296	2648	setup_install.exe	31
PID 2648 wrote to memory of 2900	2648	setup_install.exe	32
PID 2648 wrote to memory of 2900	2648	setup_install.exe	32
PID 2648 wrote to memory of 2900	2648	setup_install.exe	32
PID 2648 wrote to memory of 2900	2648	setup_install.exe	32
PID 2648 wrote to memory of 2900	2648	setup_install.exe	32
PID 2648 wrote to memory of 2900	2648	setup_install.exe	32
PID 2648 wrote to memory of 2900	2648	setup_install.exe	32
PID 2648 wrote to memory of 328	2648	setup_install.exe	33
PID 2648 wrote to memory of 328	2648	setup_install.exe	33
PID 2648 wrote to memory of 328	2648	setup_install.exe	33
PID 2648 wrote to memory of 328	2648	setup_install.exe	33
PID 2648 wrote to memory of 328	2648	setup_install.exe	33
PID 2648 wrote to memory of 328	2648	setup_install.exe	33
PID 2648 wrote to memory of 328	2648	setup_install.exe	33
PID 2648 wrote to memory of 1904	2648	setup_install.exe	34
PID 2648 wrote to memory of 1904	2648	setup_install.exe	34
PID 2648 wrote to memory of 1904	2648	setup_install.exe	34
PID 2648 wrote to memory of 1904	2648	setup_install.exe	34
PID 2648 wrote to memory of 1904	2648	setup_install.exe	34
PID 2648 wrote to memory of 1904	2648	setup_install.exe	34
PID 2648 wrote to memory of 1904	2648	setup_install.exe	34
PID 2648 wrote to memory of 2000	2648	setup_install.exe	35
PID 2648 wrote to memory of 2000	2648	setup_install.exe	35
PID 2648 wrote to memory of 2000	2648	setup_install.exe	35
PID 2648 wrote to memory of 2000	2648	setup_install.exe	35
PID 2648 wrote to memory of 2000	2648	setup_install.exe	35
PID 2648 wrote to memory of 2000	2648	setup_install.exe	35
PID 2648 wrote to memory of 2000	2648	setup_install.exe	35
PID 2648 wrote to memory of 2508	2648	setup_install.exe	36
PID 2648 wrote to memory of 2508	2648	setup_install.exe	36
PID 2648 wrote to memory of 2508	2648	setup_install.exe	36
PID 2648 wrote to memory of 2508	2648	setup_install.exe	36
PID 2648 wrote to memory of 2508	2648	setup_install.exe	36
PID 2648 wrote to memory of 2508	2648	setup_install.exe	36
PID 2648 wrote to memory of 2508	2648	setup_install.exe	36
PID 2648 wrote to memory of 2688	2648	setup_install.exe	37
PID 2648 wrote to memory of 2688	2648	setup_install.exe	37
PID 2648 wrote to memory of 2688	2648	setup_install.exe	37
PID 2648 wrote to memory of 2688	2648	setup_install.exe	37
PID 2648 wrote to memory of 2688	2648	setup_install.exe	37
PID 2648 wrote to memory of 2688	2648	setup_install.exe	37
PID 2648 wrote to memory of 2688	2648	setup_install.exe	37
PID 2648 wrote to memory of 2696	2648	setup_install.exe	38

C:\Users\Admin\AppData\Local\Temp\c68dd6becf7ff5f43ae83924cd67613c.exe
"C:\Users\Admin\AppData\Local\Temp\c68dd6becf7ff5f43ae83924cd67613c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Users\Admin\AppData\Local\Temp\7zS40747A06\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS40747A06\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_1.exe
    3⤵
    - Loads dropped DLL
    PID:2120
  - - C:\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_1.exe
      sahiba_1.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2664
    - - C:\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_1.exe" -a
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_2.exe
    3⤵
    - Loads dropped DLL
    PID:2296
  - - C:\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_2.exe
      sahiba_2.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:2356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_3.exe
    3⤵
    - Loads dropped DLL
    PID:2900
  - - C:\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_3.exe
      sahiba_3.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      PID:1864
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 964
        5⤵
        Program crash
        
        PID:1520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_4.exe
    3⤵
    - Loads dropped DLL
    PID:328
  - - C:\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_4.exe
      sahiba_4.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      PID:2880
    - - C:\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_4.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_4.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_5.exe
    3⤵
    - Loads dropped DLL
    PID:1904
  - - C:\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_5.exe
      sahiba_5.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2632
    - - C:\Users\Admin\AppData\Local\Temp\is-5M7CB.tmp\sahiba_5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-5M7CB.tmp\sahiba_5.tmp" /SL5="$7011E,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_5.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_6.exe
    3⤵
    - Loads dropped DLL
    PID:2000
  - - C:\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_6.exe
      sahiba_6.exe
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:2908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_7.exe
    3⤵
    - Loads dropped DLL
    PID:2508
  - - C:\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_7.exe
      sahiba_7.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      PID:2280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_8.exe
    3⤵
    - Loads dropped DLL
    PID:2688
  - - C:\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_8.exe
      sahiba_8.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2232
    - - C:\Users\Admin\AppData\Local\Temp\is-1JBRB.tmp\sahiba_8.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-1JBRB.tmp\sahiba_8.tmp" /SL5="$201B4,238351,154624,C:\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_8.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sahiba_9.exe
    3⤵
    - Loads dropped DLL
    PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_9.exe
      sahiba_9.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2224
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1308
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /DeleteCookiesWildcard "*.facebook.com"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:568
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        
        PID:2112
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
        5⤵
        Executes dropped EXE
        
        PID:2780
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        
        PID:1248
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
        5⤵
        Executes dropped EXE
        
        PID:1652
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        
        PID:2012
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
        5⤵
        Executes dropped EXE
        
        PID:604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 424
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
468b2501d7b36510905fe4905fdc4908

SHA1
fbbcd956a753cb348af73ee1234f94b9621f07c7

SHA256
0a4715f7650375b765630da96ba8d47ab2ca4ac3625791c90fbfad8a74092ef0

SHA512
d7a431b09f187be1023f59237e68208440a797eef53e0016c3ac4a476f85566cc3dbb10dbe2ea61bcf485a41961e672c447115ef36c97e3e89ec76405003c8ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
29b22d035ba268bf7582b49191dbf274

SHA1
976be7bc380dca3f11a08f7cadf27892a2acd62e

SHA256
f951d6420bd4abb8de1cdd0d47ad9e91ed2b35675770daca465dce922e13199c

SHA512
ff9b2904242c34036a0b15ef4ad7eea6f43375ef96e89693734c50300bb78a53e6f048815e08a6d454b05b5fa3eda415f4db6170dc5366a3ed6877d2ab6e3d27

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS40747A06\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS40747A06\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS40747A06\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS40747A06\libstdc++-6.dll

Filesize
577KB

MD5
c3e1bcb253db73d159befe3bd76a3ac7

SHA1
115d8bb2a303b9f21944b3250026d565df2fe66b

SHA256
2e9788d41169e4a1e7bfe232a0f22e72ed27b00d6764fd0d6ee05beae95408b2

SHA512
96908a18fbb136212c861e373c8c395520691deb0c180184e5d312a8707d6deb7fc332283affaeb81daf53e72caf6b7eb9964fb7fafd8b2ad5ba310d9ae77be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS40747A06\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_1.exe

Filesize
56KB

MD5
c0d18a829910babf695b4fdaea21a047

SHA1
236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

SHA512
cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_2.exe

Filesize
324KB

MD5
50194e2f001ba50fe8b1669fcd6bd78e

SHA1
c005cd3ad04e6b027944e3dc2fe3d97ae0b8a8f0

SHA256
8f989a6fbd931c005c6f5786cda07082fed12eb194f4b62005d65834fa40bcee

SHA512
3f6f056e5a252666b99d0627d82485ce497fe7dae166af102d83f7bc53eea495d9d36da89a6293eb805792f12a9a68add08fa9cf974cd9107eb82a79942989c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_3.exe

Filesize
248KB

MD5
aefb1bbe61d58808261297208c34f2ad

SHA1
0b9454d2426ca2e9891651afc4845de7b6ec3d0e

SHA256
23073507b1558fa515bc7935e856230eae205d2fe0204373f6037ce2a2170b25

SHA512
dc157c71f0d8e687c715772942fa14f86e29af7bce47c0b0b2bde07cda8b8872fbd9aeef97b92948c0944ae92c63bd282e3814e53d68127500fdedb509e7de17

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_3.txt

Filesize
660KB

MD5
4ab91cb416cbfa0261285d1d28cb8119

SHA1
a8b0698e4b59dba68ee64693fc3d3298b8bf15ed

SHA256
7d20b3a8943388a471f9324fb20a3900bf29af10ac20ef840ca1a030e53c0cd3

SHA512
b9366de6f14a8fb5d4c3b6f33a63a1dce0f8c7d5c2c31a878c43d387b54c7ee3dff870aa682eabde459048458020c30cf704bb0e8fe403dbf62e87bbaa67b4ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_5.exe

Filesize
130KB

MD5
9f017bb8ca75cfe97ead2eb4373082f9

SHA1
f4dbe7b2903899b6d56d22aeab3620b70095f217

SHA256
6b4f35ff9d178dc828f238d57bd8e068749226834d385fe4a303810281bc9b24

SHA512
7c304b0aa14e30c4444b445555a8cce3f1b19944421b74af724d2ca3b18e3194ada30794f3e48d4c4688e13694863c4f03fa909e1cc23cc9985b281dd9ce8288

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_5.txt

Filesize
724KB

MD5
ef344d4887e054f373f98f78ba6836c1

SHA1
c1301676d59d96f7d2e44671b6b0be17519dff66

SHA256
e171fe2b84efe65ff9b648911d7fe99f50ab979327bb6202a4379bfe25086b94

SHA512
7d444888011154d35e840de1ba246c3126975c04d754a361ff0ae274e201229d99195f6026323a94b9a108c79db7b8dafffd57f7767bfe383749b5249228f6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_6.exe

Filesize
169KB

MD5
b2cf0d7be6216f27e6179585dd022c49

SHA1
32de43c0ffc6ec384af80a0ac379f2669d8ca9fd

SHA256
27538888f9c80245fbe429172beeb936cc36aa2ed025bac9812f3f3800511c48

SHA512
c06816e727c07025dac5c3922c1af1ac3b9e8957b2802a1c8a81dd234da37149047a509fd45411d5e26781001d8203eaaa47838021b6f24694512425c67c1d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_7.txt

Filesize
999KB

MD5
40b8e4cc87e65081ee114be703bd977d

SHA1
3c17ad4da709b2ed9eae0a5c611fb48e1f7799f0

SHA256
39f69008eb19c4823ea49e3cb5ce41ef55eb111ed5270a819d40206cafc5b938

SHA512
3657aa0099f624a96e357c659e53e22e53bd77eb1cb81eb5ca13b326353d87c8908d2899a34ea7e27824b51ba5a6926108cedcef4548af66ce32e33db87ce157

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_8.exe

Filesize
271KB

MD5
c14e4ba05230fb0f8982694cb4cf72b3

SHA1
2a707f623483867decf04c0a184df68b900bc4d2

SHA256
0861ac0627ffd36b4c0fb999892175b3b9128e7487e6e7cb8769ff1e9a7cedc0

SHA512
4285e49dcebce2e2afda6d8bc75f07e38fb1ef3b08778c1d9322f03aae23e424c2a1794e7f7c660a8f4d52b8addb1085b870204c19975807058b68e1187d011a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_8.txt

Filesize
480KB

MD5
c06e890154e59a75f67e2d37295c2bc9

SHA1
e6deea575d36331a0c2f8d42586442c43f5d58b8

SHA256
76d4acbc47089e7b075834a63bd148062da9d01b2d9bfada50dbe2bfc500cd97

SHA512
3d64c2a95e738b50e1ae8a048fac79d974118e86fbdb6fde537a891bfa9a7dbbaeeaf068d3f7432567d1bf2f93b96182a61f49a71f718847f99ee1de3649ad5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_9.exe

Filesize
362KB

MD5
6f6b120f844c529c70bde738d50d5551

SHA1
53da532c279f5a516d31c4105599f89a7f26136a

SHA256
5f8acf9701be2379372362c4fa576f46952f900d1607dd3f305edaf0a89609de

SHA512
7957f669f450550cd2aeda611b2002f809b4f78c8dd611f3c8f89e230ee1750a4077ae84af04424b7d0cd810cc93cef1063cea692d8c19b745765a5249f0c2b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_9.txt

Filesize
849KB

MD5
aa002e1054be7ae5c019952311fb4427

SHA1
73b98f36a64944673d3ec560d2bf2691e6d0e93a

SHA256
c22965c749b52bf06f8b3c465d352b17a0a97ba83a3a81fcbb1cebc8b6ae0597

SHA512
ecf357a62b0b15ff4282b39b328e5a187a50b83088e3fd7601094884897effd473598a1ee6a1bb76652066632db7be31b771443ba139ae742f5967b01848e0e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab25B9.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar26B6.tmp

Filesize
35KB

MD5
ea2e2a73c777bdcf9df2c7e4b28c42d4

SHA1
890a64e886f8a00f943a8970ac04a68140c9de38

SHA256
f3159be1b7c845ee8757dad12edb56067f1af1f39070323185583336f7ec904c

SHA512
3145295985bb891109595fd8a0cd62e78ddcb7c377622a6b402ee8740ffa903d6048ceb8b5702f44e4e208ef6fb2c899e756eab3192570337e8ea5760b950315

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ROO9U.tmp\idp.dll

Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ROO9V.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
184KB

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
\Users\Admin\AppData\Local\Temp\7zS40747A06\libstdc++-6.dll

Filesize
590KB

MD5
ac6f001771076a07819787de77f4bd0c

SHA1
acfd4ff7fbf2a5e76ba408b9bcfd1c9a26371f7b

SHA256
0dae6d1a9c32706c170b1b7c4f6eed9028977c8afdd6b7cd77816c38c7d1ac45

SHA512
c04f961a9ee834a29e7d9bf6e2be48e3eec5996b7ed45c50e3e1d8d1597c7181ff27c79c8d7fa80de9b05cfcf44eb563f56a04b185fd93e26bae906008a0df73

Download Submit
\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_2.exe

Filesize
272KB

MD5
cbde36f226b946a3c33d7d4ae9932fd7

SHA1
761042139e71d47d4a29ef52cc2046168a4b42ef

SHA256
4348096bc10dbe010ceccfaf52e6e89322251b367ffbe03439500eb46b378255

SHA512
3107083b57de03ac4e5700c1d5078a9971ed6879ce98e5d7d57f3ee7fff2ddaeaaac2233c20779f104d26c238f58e0f574355d7f222af4b84e665e3d391daca7

Download Submit
\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_2.exe

Filesize
318KB

MD5
06ece2aef81e93759db55b2b6940f7ed

SHA1
6544fd6c42fdba8eeafa9089d2cea622b6b41370

SHA256
1033797c27655da489c6538813797b1d858f3fda1dcbc28e28f44d324a5e860f

SHA512
fae502ef4820ab231eb4117d53ce26de16a7b7fcbb0ff1b41c1307b246007cb1161ee748a6f9ba3e5df586638efa9cde33a524dd3d37bef3d2b02a6738daa746

Download Submit
\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_2.exe

Filesize
160KB

MD5
8aa8a5d5636d72dcde716468095c30b7

SHA1
02f68e94ecbbe64a83ab57c95423eb11c3caefb0

SHA256
0c1c25f042670ceeb2324bbbd4a090afaf40a3794e4ee33ffb156dac37961733

SHA512
3aa23e004efbffc4761655a664a7ed6065ab021c49a187a949b5bc6511e5a0c9f7fa0adb351b8a4572fae87ffec5abd95e8ce8ee088500f6a57cf8c07367cc80

Download Submit
\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_2.exe

Filesize
242KB

MD5
05240305be87234c3d8f306d6f1096da

SHA1
cf41f0b8d7e99d2daa86d3008ae251f8249c7624

SHA256
61c05c94dbd571d10763740cb6a93befff68e731a044d888b351ad883813bff8

SHA512
2fc6f4d161902b846cf6a42969f578a3ec7cd20291ba8bbed5787a7b19d422fe7ea1880626b36c846ef3dbe245af31c4706d9b2111b0421cb3683fc443341ed8

Download Submit
\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_3.exe

Filesize
461KB

MD5
8e3bb57c5c7469c5f3865612ef1a5617

SHA1
c6195621fd1895520e3600a383b12acaadba1ed7

SHA256
a5248fc1981833a05dd93366c2cadd86f1051d144a68432a806a0db8a0f11866

SHA512
1250eb51387ad1496895c5488c7d4b321cc5f0321c506c3b4c720d979fb6afaa13dc0723f8fb5f2db6864fd9e19b2afe54f3ec9963ee51541aa78e85826d7902

Download Submit
\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_3.exe

Filesize
253KB

MD5
c6e7a4057775e014ea9c07be013eb932

SHA1
1945a74ee47295583c3a304ac0d467b6c754f3ea

SHA256
4236353be22771a623cebf4ded1a2bc1bad773152b2257fe674b0de24f110505

SHA512
52b909a3a36badc19d6ec91b05343d02b61429c829e8cec10310396aebb8cf6e1136027b584a3ba084d186096c3860f36326462917f87608d51ad599d1c6a0ac

Download Submit
\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_3.exe

Filesize
68KB

MD5
b6661d1ea242229d428aeb5b3ddab240

SHA1
1ea226f7d8f2f76263cd172683ee92772e41328b

SHA256
f647135e58b43284ace0b5ec7bed4002e8c57f482ce5df194787c65184413d47

SHA512
d659abc18530d71d555a4dda9dc65917744cafb6daa48f7efe0ce915f63a7b6b5e1c21db29a8b3781ab93b53e26811ab894e67027660314347a12c7339a7dc2e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_4.exe

Filesize
390KB

MD5
eb73f48eaf544bf7e035a58f95f73394

SHA1
251f0d09f14452538ecfa0924a4618c3c16887e3

SHA256
da72fa2ad767e22db3d55506846b5d4db7932cd7287391c483faa80c5e86bcce

SHA512
a190b5e95308aa2a855dbb6c93841fbfbd79bd3c04b3f3c90e94b88c35c0409de68c39f31373b7dce38998ecdc35064541efad17f63978e14022ec9efac3b4c1

Download Submit
\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_4.exe

Filesize
144KB

MD5
355bbb201f9b540c49755ba9b90570eb

SHA1
47006904110aa1003c4878ec64542085d62443a3

SHA256
c7f7290433f0e2312b87c5836f3e0c16b831edf0a22f8fde6cf4d3eb594fa677

SHA512
b0680de8372eadb7edb5887fa0a75c9f9518c3f62b2e33767fea3fc94ca67abcc8b906d64e9922ff493e3fd7d7c8d3119ad1817ba430319542eacb447db46e2f

Download Submit
\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_4.exe

Filesize
96KB

MD5
1a2ec2bbc3313531e9ea2cd68f222d31

SHA1
659de2d9ec094ad75317fa356fedcd4a011e2d44

SHA256
2828ab7ec95d64ac350cb766930add47c88097e54454f3a1025878aab5404ec4

SHA512
1203eb7146f17b842d7d33585941dd68baee1ee80d80aaa6e0a4269c96eac8b908d862256a4a8568525e0c0658d113ded9cb884e83a6097727e48b3f1136b254

Download Submit
\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_5.exe

Filesize
485KB

MD5
c6c979014d18913cb59b7ebdf8f20339

SHA1
6255d97c3d46f5096f6fbcb72967ff56299607c1

SHA256
8b30af2a0608f4a915a6d9b0462749008971ddc5f47d9666a88a83a9ed1e92f8

SHA512
f4f708bab42ec4a23d4b7a6fc362e859540beccbe015eed6ad6e7389c3f26b8a5fc468b5dd20f55908a3fb55e570e32285d5597e89f4a16c746073690769b2f9

Download Submit
\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_5.exe

Filesize
463KB

MD5
532861b687f8b20956e2b5b5cfff2524

SHA1
34be10c679ae8776418b61674895a499413bc0e4

SHA256
ed61aaf3beea3c78b20aa92eb0ea2609d3fc6c93a6e483bb2d2319ec2d0fd199

SHA512
894988dd8c6994ae920c18fc606375415298d614947d8ee2f49d58d3ecb39a496dadd94ea6910130c8f4ace3ac5df1645eb1c7142fa43b9569b9699ffef75d20

Download Submit
\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_5.exe

Filesize
528KB

MD5
60bc4a4ff16d1eed2e6be1a8ffe74a28

SHA1
7cf2f1b61018edfe1dcf5f5c55a6285d7f5606ec

SHA256
1018ead84fcf211be94c185dbc27808e70242630a987260f16c6ac0430584e58

SHA512
0f21de517097162685aff72f2e3befaf3c910f23362821f78629032b05215f6194609bf4b00b2dd80cc40cb1e01dec54fa531fa3d9259912f0f11f136bd0627d

Download Submit
\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_8.exe

Filesize
402KB

MD5
07e0d948698b58a44bef9272d111a8b6

SHA1
d2003891091e272033edb140d7d9d2a369ca3e31

SHA256
5b132c5ed13c05d8c3998e87a1a379ee2e0832fb6b537d5ff500ae613a949cf9

SHA512
325968128b2c6ca853df07d9267b56ba44dcce222f5bcdf7ecaae4962e58a59db3601afcc78eaac3c235f91b9f0af234959b4c62a552846350083cfa72a2ed0b

Download Submit
\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_8.exe

Filesize
336KB

MD5
7da9e4c31f8334e6794aa61e000ad8a4

SHA1
c2b8f180a249d554411e2b2caa759e7114e26e4f

SHA256
f89c95033fd9dcf4741813354d8bbb6f7818d4d4e6d8342d2e8b387681765268

SHA512
4f3c5143d62d7a4876d5ffb0459f533943ada1c381732af9a18ee49305a66a7b49631a262b10f726233622cefe0f9ae7e75dfc7d6e4a826754fd97aabd78eb67

Download Submit
\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_8.exe

Filesize
297KB

MD5
9303046911aa16e38d389854e3577a48

SHA1
dc3951395065a8aff0f945b34514fe43712f3164

SHA256
04534387a7ca85950f77bb624ecd9ab69d1c93fa76d4776fd2124351b74f0187

SHA512
306b74a3492038c27215180e2d176e015136c59e8c813ad229356873fdd8d068a2c894dfcb974fdf86b4b0af4356159e099bbe140962cfcf24e8215e2ae69e1c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_9.exe

Filesize
45KB

MD5
d5ea1cd7431054450927f47175a55cd9

SHA1
3f2580271e67b747c17366c1daafa33787d4eaa5

SHA256
9c12580ab93cc2fbe6cab3dfebe02a6962b41798c9b9616dbb1fbff9c9555582

SHA512
8405a29c77993e01df4c3d893aa92c148c6f713c8017d51fbbab54fd8524c1ef223504ee33fe3bf5cd913fa36326138da427930436f5b33182fb330bf687e350

Download Submit
\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_9.exe

Filesize
372KB

MD5
c0332826347dea5cd74d31ca9069a607

SHA1
1b14211d5386c8e91d7d3072ac40ec57b7ad6fb3

SHA256
8c42a1d0f1eec39b98270c4db327fa3dcdf81cbc77ad9d5ae335d879b1a58090

SHA512
47995c43d8c931601082e6959313e9fc33990d7fabbe852f9191d23ffd468b6dc24816f3212d603846b6b655fcced8bd00ea02b717c8bcd5149526cfef7220a8

Download Submit
\Users\Admin\AppData\Local\Temp\7zS40747A06\sahiba_9.exe

Filesize
255KB

MD5
775a933711e897a6e65d0b0bb47f15cf

SHA1
3f1a08c2d66e118313c3c09f0075329301b2ab20

SHA256
bef093f172746f565dd7cc3b9c88185ddd0168456c7ccf0e9cdae82779d06788

SHA512
1513018d7defcef7caa81d1e85218eddb578a2f09e4c9a7ce3f4b5dffdce3ce47e8d9d9fbe65ef6254cacdb3487658bf2c9e994247bee0e631d5384ffe7b7df4

Download Submit
\Users\Admin\AppData\Local\Temp\7zS40747A06\setup_install.exe

Filesize
287KB

MD5
14a9c430788de0c57878e0e6b9e5d468

SHA1
05805a5786bcecc1caf20f9162502c73a56f49d8

SHA256
d26e644ec95ee6e186d95096c5c89557f95b7ccb96b8e204b8a1708350ee2a14

SHA512
09b4097d00c573430c1d05b78e06ed88d81ccc3ec7ad674fa8234fc9885efe5fcbf960faa9ce286345b632e022e169599f4a3ddba5436d13d6980cf86c8b68a3

Download Submit
memory/568-195-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/604-436-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1204-316-0x0000000002E40000-0x0000000002E56000-memory.dmp

Filesize
88KB

Download
memory/1248-355-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1308-193-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1308-194-0x0000000000240000-0x000000000029B000-memory.dmp

Filesize
364KB

Download
memory/1652-357-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1796-33-0x0000000003320000-0x000000000343E000-memory.dmp

Filesize
1.1MB

Download
memory/1796-41-0x0000000003320000-0x000000000343E000-memory.dmp

Filesize
1.1MB

Download
memory/1864-175-0x0000000000400000-0x00000000032A0000-memory.dmp

Filesize
46.6MB

Download
memory/1864-446-0x0000000003410000-0x0000000003510000-memory.dmp

Filesize
1024KB

Download
memory/1864-173-0x0000000004C30000-0x0000000004CCD000-memory.dmp

Filesize
628KB

Download
memory/1864-172-0x0000000003410000-0x0000000003510000-memory.dmp

Filesize
1024KB

Download
memory/1864-366-0x0000000000400000-0x00000000032A0000-memory.dmp

Filesize
46.6MB

Download
memory/2012-435-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2100-184-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2112-329-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2224-464-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download
memory/2224-443-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download
memory/2224-494-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download
memory/2224-463-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download
memory/2224-479-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download
memory/2224-330-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download
memory/2224-336-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download
memory/2224-191-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download
memory/2224-481-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download
memory/2224-495-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download
memory/2224-442-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download
memory/2224-197-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download
memory/2224-480-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download
memory/2224-483-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download
memory/2224-482-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download
memory/2224-484-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download
memory/2224-486-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download
memory/2224-358-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download
memory/2224-359-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download
memory/2224-360-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download
memory/2224-356-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download
memory/2224-485-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download
memory/2224-331-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download
memory/2224-196-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download
memory/2232-158-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2232-124-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2232-171-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2244-169-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2356-159-0x00000000001E0000-0x00000000001E9000-memory.dmp

Filesize
36KB

Download
memory/2356-176-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/2356-170-0x0000000000400000-0x000000000324C000-memory.dmp

Filesize
46.3MB

Download
memory/2356-317-0x0000000000400000-0x000000000324C000-memory.dmp

Filesize
46.3MB

Download
memory/2632-185-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2632-108-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2648-53-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2648-73-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2648-59-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2648-60-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2648-52-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2648-61-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2648-63-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2648-64-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2648-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2648-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2648-67-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2648-62-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2648-69-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2648-68-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2648-71-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2648-70-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2648-76-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2648-78-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2648-364-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2648-363-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2648-365-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2648-362-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2648-361-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2648-75-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2648-79-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2648-80-0x0000000000750000-0x000000000086E000-memory.dmp

Filesize
1.1MB

Download
memory/2648-74-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2648-440-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2648-72-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2780-332-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2880-134-0x0000000000DE0000-0x0000000000E48000-memory.dmp

Filesize
416KB

Download
memory/2908-177-0x000000001AF60000-0x000000001AFE0000-memory.dmp

Filesize
512KB

Download
memory/2908-155-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2908-135-0x0000000000F20000-0x0000000000F54000-memory.dmp

Filesize
208KB

Download
memory/2908-447-0x000000001AF60000-0x000000001AFE0000-memory.dmp

Filesize
512KB

Download
memory/2908-444-0x000007FEF5A30000-0x000007FEF641C000-memory.dmp

Filesize
9.9MB

Download
memory/2908-157-0x000007FEF5A30000-0x000007FEF641C000-memory.dmp

Filesize
9.9MB

Download
memory/2908-474-0x000007FEF5A30000-0x000007FEF641C000-memory.dmp

Filesize
9.9MB

Download
memory/2908-156-0x0000000000250000-0x0000000000276000-memory.dmp

Filesize
152KB

Download
memory/2908-160-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download
memory/3012-219-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3012-213-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3012-211-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3012-205-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3012-215-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3012-207-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3012-209-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3012-217-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download