Malware Analysis Report

2024-11-13 19:30

Sample ID 241106-lz4qzaxley
Target c3704d9a70d0ad5a30590190e69f4748de1e232042bfbd6d43a3ea6f573dc18c
SHA256 c3704d9a70d0ad5a30590190e69f4748de1e232042bfbd6d43a3ea6f573dc18c
Tags fabookie nullmixer privateloader redline sectoprat vidar aniold aspackv2 discovery dropper infostealer loader rat spyware stealer trojan upx
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral4
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 c3704d9a70d0ad5a30590190e69f4748de1e232042bfbd6d43a3ea6f573dc18c

Threat Level: Known bad

The file c3704d9a70d0ad5a30590190e69f4748de1e232042bfbd6d43a3ea6f573dc18c was found to be: Known bad.

Malicious Activity Summary

fabookie nullmixer privateloader redline sectoprat vidar aniold aspackv2 discovery dropper infostealer loader rat spyware stealer trojan upx

Privateloader family

Nullmixer family

NullMixer

RedLine

Detect Fabookie payload

SectopRAT payload

Redline family

RedLine payload

PrivateLoader

SectopRAT

Vidar family

Vidar

Sectoprat family

Fabookie family

Fabookie

Vidar Stealer

Detected Nirsoft tools

ASPack v2.12-2.42

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

UPX packed file

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-06 09:59

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted 2024-11-06 09:59

Reported 2024-11-06 10:01

Platform win7-20240903-en

Max time kernel 95s

Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a.exe"

Signatures

Detect Fabookie payload


Fabookie

spyware stealer fabookie

Fabookie family

fabookie

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload


Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload


Sectoprat family

sectoprat

Vidar

stealer vidar

Vidar family

vidar

Detected Nirsoft tools


Vidar Stealer

stealer

ASPack v2.12-2.42

aspackv2

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9R3L0.tmp\sahiba_8.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-RGNHD.tmp\sahiba_5.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_3.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_1.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_4.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9R3L0.tmp\sahiba_8.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9R3L0.tmp\sahiba_8.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-RGNHD.tmp\sahiba_5.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-RGNHD.tmp\sahiba_5.tmp N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-RGNHD.tmp\sahiba_5.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9R3L0.tmp\sahiba_8.tmp N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_4.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.db-ip.com N/A N/A
N/A api.db-ip.com N/A N/A
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2536 set thread context of 2492 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_4.exe C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_4.exe

UPX packed file

upx

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-9R3L0.tmp\sahiba_8.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-RGNHD.tmp\sahiba_5.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_4.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2016 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2016 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2016 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2016 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2016 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2016 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2016 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2696 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe
PID 2696 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe
PID 2696 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe
PID 2696 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe
PID 2696 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe
PID 2696 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe
PID 2696 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe
PID 2564 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a.exe

"C:\Users\Admin\AppData\Local\Temp\dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_9.exe

C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_9.exe

sahiba_9.exe

C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_3.exe

sahiba_3.exe

C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_1.exe

sahiba_1.exe

C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_6.exe

sahiba_6.exe

C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_5.exe

sahiba_5.exe

C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_7.exe

sahiba_7.exe

C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_1.exe

"C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_1.exe" -a

C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_4.exe

sahiba_4.exe

C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_2.exe

sahiba_2.exe

C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_8.exe

sahiba_8.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 272

C:\Users\Admin\AppData\Local\Temp\is-9R3L0.tmp\sahiba_8.tmp

"C:\Users\Admin\AppData\Local\Temp\is-9R3L0.tmp\sahiba_8.tmp" /SL5="$901A0,238351,154624,C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_8.exe"

C:\Users\Admin\AppData\Local\Temp\is-RGNHD.tmp\sahiba_5.tmp

"C:\Users\Admin\AppData\Local\Temp\is-RGNHD.tmp\sahiba_5.tmp" /SL5="$8019E,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_5.exe"

C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_4.exe

C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_4.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 968

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /DeleteCookiesWildcard "*.facebook.com"

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"

Network

Country Destination Domain Proto
US 8.8.8.8:53 watira.xyz udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 live.goatgame.live udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 104.26.5.15:443 db-ip.com tcp
US 8.8.8.8:53 requested404.com udp
US 8.8.8.8:53 superstationcity.com udp
US 8.8.8.8:53 api.db-ip.com udp
US 104.26.4.15:443 api.db-ip.com tcp
US 8.8.8.8:53 xeronxikxxx.tumblr.com udp
US 8.8.8.8:53 www.maxmind.com udp
US 104.17.27.25:80 www.maxmind.com tcp
US 74.114.154.18:443 xeronxikxxx.tumblr.com tcp
GB 37.0.8.235:80 tcp
N/A 127.0.0.1:49269 tcp
N/A 127.0.0.1:49272 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 music-sec.xyz udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 f.youtuuee.com udp
US 104.26.2.46:443 iplogger.org tcp
SG 37.0.11.8:80 tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.18:80 crl.microsoft.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
SG 37.0.11.9:80 tcp
SG 37.0.11.9:80 tcp
SG 37.0.11.9:80 tcp
SG 37.0.11.9:80 tcp
SG 37.0.11.9:80 tcp

Files

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 937768008be3b71478be77f512943a75
SHA1 be2c1470c46eb18c49500dd5bb07a7cabe588398
SHA256 dc812fa1ae68dfa017cfde268e2ae523019308b102bce0acb1656c08b34dc818
SHA512 0cba8d244ea822578021fdac8a215bf5ed2e6c3ff2d712bb01b4e80b004b8df326ac568ab682bb3d59a15cab6ff80b137b9fa9a66fe5b05438b8b6141d4ea469

\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe

MD5 3e6e91a0a2292b94b83916d430ad0db5
SHA1 ccbde14c585446acbfc7b981fdae3ec4f473b3b9
SHA256 4ff18dc2fe0d3a6522a7bccb363eefce100f52d9da3566a3f4954ae0cae9f2fb
SHA512 74757b04a31fc52f76b8bb079323616f3f5086405a61069d4b483d046c924f379b51fdb5f3686c4beaac5665c7b7bef4efc058ef5bc8cba30fde95a77ca9b11a

memory/2696-52-0x00000000033E0000-0x00000000034FE000-memory.dmp

memory/2696-46-0x00000000033E0000-0x00000000034FE000-memory.dmp

memory/2564-54-0x0000000000400000-0x000000000051E000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS88A30AD6\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/2564-60-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

\Users\Admin\AppData\Local\Temp\7zS88A30AD6\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/2564-63-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2564-82-0x0000000000400000-0x000000000051E000-memory.dmp

memory/2564-84-0x0000000000400000-0x000000000051E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_1.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_6.exe

MD5 255aac71617edb0cc31709ef30fbee0a
SHA1 98ef84fd1e1cc4ff60a52bab85d00db7093a8f01
SHA256 d0812c78e146d7774b25061dbdabae004fefc503ea363b441fa691add1eef26b
SHA512 2d2ae0e917453a52ab374ae4f0b12a4ec3e16ecf3c6aff2352a3daa187f189c000adc241ea48077fb7c1fbfc36cfa6702969a70a25502cc7db5ec9ef554121bc

\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_2.exe

MD5 bb7409da9c80af6ca5ef4fdb40b08ed7
SHA1 f415c4ab1ad47e2f14f5be85386d0f3537bebf78
SHA256 6c64ee41cc2643df2f95efde9a4ab31c71bef2af1371c71931fd216e93209c2e
SHA512 9b3fad8a7ead617be9b76a9b6bd6b3bb12f99362446609e5591e2609f4b13cb26271c4fce194627031be2633f274c2b95fd0fdb591ae798be4a413d7df3a7611

C:\Users\Admin\AppData\Local\Temp\is-28O35.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\is-28O36.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/2536-152-0x0000000000F70000-0x0000000000FD8000-memory.dmp

memory/1896-151-0x00000000012A0000-0x00000000012D4000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_5.exe

MD5 4b300abf0da6582cde1e9ec29c214abf
SHA1 73ff7d346dd476d34236cbeb67268dcf0af570ac
SHA256 783242dd1841ef1e7b62d7004291bfe3cd20816109dcd6932ec797aa5e6f09ff
SHA512 d9c3a11830da2e39cd9b6b0e476f5a6bca7fe94d0a6300e838118bed998bde79c30f25ed758fba459d81ae06a87d9fc708eae318126c47529b23b4d17fba4587

memory/1748-133-0x0000000000400000-0x000000000042C000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_8.exe

MD5 c06e890154e59a75f67e2d37295c2bc9
SHA1 e6deea575d36331a0c2f8d42586442c43f5d58b8
SHA256 76d4acbc47089e7b075834a63bd148062da9d01b2d9bfada50dbe2bfc500cd97
SHA512 3d64c2a95e738b50e1ae8a048fac79d974118e86fbdb6fde537a891bfa9a7dbbaeeaf068d3f7432567d1bf2f93b96182a61f49a71f718847f99ee1de3649ad5c

memory/2208-160-0x0000000000400000-0x0000000000516000-memory.dmp

memory/2164-164-0x0000000000400000-0x00000000004D5000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_4.exe

MD5 eb73f48eaf544bf7e035a58f95f73394
SHA1 251f0d09f14452538ecfa0924a4618c3c16887e3
SHA256 da72fa2ad767e22db3d55506846b5d4db7932cd7287391c483faa80c5e86bcce
SHA512 a190b5e95308aa2a855dbb6c93841fbfbd79bd3c04b3f3c90e94b88c35c0409de68c39f31373b7dce38998ecdc35064541efad17f63978e14022ec9efac3b4c1

memory/1896-165-0x00000000002C0000-0x00000000002C6000-memory.dmp

memory/2856-121-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2856-167-0x0000000000400000-0x000000000046D000-memory.dmp

memory/1748-166-0x0000000000400000-0x000000000042C000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_9.exe

MD5 270dd1da0ab7f38cdff6fab84562ec7a
SHA1 cf7be169ee4415085baeb4aeaa60932ac5abf4ac
SHA256 7d7d5ae0fa9286fea65a6f94240389998ff0d08340a2aedc67ef3547e84d64c6
SHA512 dc3d7d112a8e43c34261f3425ef6710d61cb92d797dd4a1e9b04e02971db42a4a2e2488bf5397c0ec9a6a1a6a718cec77c379377647402099cb7e4a5bb381286

C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_7.exe

MD5 3011f2257b899aa8196e02447383a46b
SHA1 cb90ff25622aa5e5e20e257f6c6cb3ce58bd6940
SHA256 4df50c6d6d188c3413bdba53851cbeea7b281b92b0d5341c021a65912395fa5b
SHA512 db29dcb83a786af54720ad0a6db69949f3479c95cc940e005b803000e28d00a5dbe3d68b075215c8c4c4f804986e9c3839a3de3a93751725326e1b62ef420323

memory/2564-96-0x0000000000520000-0x000000000063E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_3.txt

MD5 4fa4a626bfe65bbb3ba048e66170556a
SHA1 05e0beeedc4a183056292c36cc87a9822f3a19af
SHA256 7e1282097df8513b7a380803f31386373c178bb97102862d6a08816c0a8902f4
SHA512 3236f3a9baf67ec60e1fef21c7c053df5f33d70b8fad9146ad45f2d9f55c9db95e468d5edabb6658a43bb11776a813f0a5448b560b7939f35a38490c2345e7cd

memory/2564-86-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2564-85-0x0000000000400000-0x000000000051E000-memory.dmp

memory/2564-83-0x0000000000400000-0x000000000051E000-memory.dmp

memory/2564-81-0x0000000000400000-0x000000000051E000-memory.dmp

memory/2564-80-0x0000000000400000-0x000000000051E000-memory.dmp

memory/2564-79-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2564-78-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2564-77-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2564-76-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2564-74-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2564-73-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2564-72-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2564-71-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2564-75-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2564-97-0x0000000000520000-0x000000000063E000-memory.dmp

memory/1896-168-0x0000000000500000-0x0000000000526000-memory.dmp

memory/1896-169-0x00000000004E0000-0x00000000004E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab80.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarB1.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/1404-228-0x0000000000470000-0x00000000004CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5 7fee8223d6e4f82d6cd115a28f0b6d58
SHA1 1b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256 a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA512 3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

memory/2780-231-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2972-236-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1404-234-0x0000000000470000-0x00000000004CB000-memory.dmp

memory/1404-233-0x0000000000470000-0x00000000004CB000-memory.dmp

memory/1404-232-0x0000000000470000-0x00000000004CB000-memory.dmp

memory/2492-249-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2492-247-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2492-246-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2492-245-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2492-243-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2492-242-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2492-239-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2492-237-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1404-263-0x0000000000470000-0x00000000004CB000-memory.dmp

memory/2092-258-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1404-257-0x0000000000470000-0x00000000004CB000-memory.dmp

memory/1404-256-0x0000000000470000-0x00000000004CB000-memory.dmp

memory/1404-262-0x0000000000470000-0x00000000004CB000-memory.dmp

memory/2092-261-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2904-265-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1904-251-0x0000000000400000-0x00000000032A0000-memory.dmp

memory/1404-266-0x0000000000470000-0x00000000004CB000-memory.dmp

memory/1404-267-0x0000000000470000-0x00000000004CB000-memory.dmp

memory/1404-273-0x0000000000470000-0x00000000004CB000-memory.dmp

memory/1404-274-0x0000000000470000-0x00000000004CB000-memory.dmp

memory/320-276-0x0000000000880000-0x00000000008DB000-memory.dmp

memory/2228-288-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1404-286-0x0000000000470000-0x00000000004CB000-memory.dmp

memory/2228-285-0x0000000000240000-0x000000000029B000-memory.dmp

memory/2228-284-0x0000000000240000-0x000000000029B000-memory.dmp

memory/2228-283-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1404-282-0x0000000000470000-0x00000000004CB000-memory.dmp

memory/1404-281-0x0000000000470000-0x00000000004CB000-memory.dmp

memory/320-280-0x0000000000400000-0x000000000045B000-memory.dmp

memory/320-279-0x0000000000880000-0x00000000008DB000-memory.dmp

memory/320-275-0x0000000000880000-0x00000000008DB000-memory.dmp

memory/2908-308-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1404-300-0x0000000000470000-0x00000000004CB000-memory.dmp

memory/1404-311-0x0000000000470000-0x00000000004CB000-memory.dmp

memory/2908-306-0x0000000000240000-0x000000000029B000-memory.dmp

memory/2908-304-0x0000000000240000-0x000000000029B000-memory.dmp

memory/2908-303-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1404-302-0x0000000000470000-0x00000000004CB000-memory.dmp

memory/1404-301-0x0000000000470000-0x00000000004CB000-memory.dmp

memory/2564-299-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2564-298-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2564-297-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2564-296-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2564-294-0x0000000000400000-0x000000000051E000-memory.dmp

memory/1892-310-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2564-295-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1404-313-0x0000000000470000-0x00000000004CB000-memory.dmp

memory/2312-312-0x0000000000400000-0x000000000324C000-memory.dmp

memory/2564-319-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2564-318-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2564-317-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2564-316-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2564-315-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1404-321-0x0000000000470000-0x00000000004CB000-memory.dmp

memory/1404-322-0x0000000000470000-0x00000000004CB000-memory.dmp

memory/1404-323-0x0000000000470000-0x00000000004CB000-memory.dmp

memory/1404-325-0x0000000000470000-0x00000000004CB000-memory.dmp

memory/1404-324-0x0000000000470000-0x00000000004CB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-06 09:59

Reported

2024-11-06 10:01

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Sectoprat family

sectoprat

Vidar

stealer vidar

Vidar family

vidar

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_1.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SQT9S.tmp\sahiba_5.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-C6ULR.tmp\sahiba_8.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A
N/A api.db-ip.com N/A N/A
N/A api.db-ip.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4520 set thread context of 316 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_4.exe C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_4.exe
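
The row above shows sahiba_4.exe (PID 4520) setting the thread context of a second sahiba_4.exe (PID 316), the shape of a process hollowing itself into a suspended copy, and the Suspicious use of WriteProcessMemory rows further down give the spawn chain (sample -> setup_installer.exe -> setup_install.exe -> cmd.exe -> sahiba_N.exe). The Python below is an added example and not part of the report: it parses those rows, collapses the per-call repeats the sandbox emits, rebuilds the process tree, skips the cmd.exe shims so each payload is attributed to setup_install.exe, and flags same-image SetThreadContext as a hollowing candidate. SAMPLE_ROWS is a subset copied from this report; the hollowing heuristic and the cmd.exe skip rule are this example's assumptions.

```python
"""Rebuild the spawn/injection chain from the sandbox's WriteProcessMemory and
SetThreadContext signature rows and flag same-image SetThreadContext.

Added example, not part of the report. SAMPLE_ROWS is a subset of this
report's rows, repeats included because the sandbox emits one row per call;
the hollowing heuristic and the cmd.exe skip rule are assumptions.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = rf"{T}\dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a.exe"
INST = rf"{T}\setup_installer.exe"
DROP = T + "\\7zS09E5F597\\"          # 7-Zip SFX extraction directory from this run
SETUP = DROP + "setup_install.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SAMPLE_ROWS = [
    f"PID 4048 wrote to memory of 3728 N/A {SAMPLE} {INST}",
    f"PID 4048 wrote to memory of 3728 N/A {SAMPLE} {INST}",
    f"PID 4048 wrote to memory of 3728 N/A {SAMPLE} {INST}",
    f"PID 3728 wrote to memory of 2416 N/A {INST} {SETUP}",
    f"PID 2416 wrote to memory of 4588 N/A {SETUP} {CMD}",
    f"PID 2416 wrote to memory of 4764 N/A {SETUP} {CMD}",
    f"PID 2416 wrote to memory of 2812 N/A {SETUP} {CMD}",
    f"PID 4588 wrote to memory of 2436 N/A {CMD} {DROP}sahiba_1.exe",
    f"PID 4764 wrote to memory of 4520 N/A {CMD} {DROP}sahiba_4.exe",
    f"PID 2812 wrote to memory of 1740 N/A {CMD} {DROP}sahiba_5.exe",
    rf"PID 1740 wrote to memory of 5008 N/A {DROP}sahiba_5.exe {T}\is-SQT9S.tmp\sahiba_5.tmp",
    f"PID 4520 set thread context of 316 N/A {DROP}sahiba_4.exe {DROP}sahiba_4.exe",
]

ROW_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (\S+) (\S+)$")


def parse_rows(rows) -> list:
    """De-duplicated (kind, src_pid, dst_pid, src_image, dst_image) tuples;
    kind is "write" for WriteProcessMemory and "ctx" for SetThreadContext."""
    seen, events = set(), []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        src, verb, dst, src_img, dst_img = m.groups()
        key = ("write" if verb.startswith("wrote") else "ctx", int(src), int(dst), src_img, dst_img)
        if key not in seen:
            seen.add(key)
            events.append(key)
    return events


def build_tree(events):
    """pid -> image, pid -> ordered child pids, and the root pids (never a target)."""
    image, children = {}, defaultdict(list)
    for _, src, dst, src_img, dst_img in events:
        image.setdefault(src, src_img)
        image.setdefault(dst, dst_img)
        if dst not in children[src]:
            children[src].append(dst)
    targets = {c for cs in children.values() for c in cs}
    return image, children, [p for p in image if p not in targets]


def render(image, children, roots) -> str:
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{PureWindowsPath(image[pid]).name} ({pid})")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


def effective_parent(pid, image, children):
    """Walk up past cmd.exe launchers so a payload is attributed to the
    installer that really started it; None for the root."""
    parent = {c: p for p, cs in children.items() for c in cs}
    cur = parent.get(pid)
    while cur is not None and PureWindowsPath(image[cur]).name.lower() == "cmd.exe":
        cur = parent.get(cur)
    return cur


def hollowing_suspects(events) -> list:
    """SetThreadContext into a process whose image name equals the caller's own
    (assumed hollowing shape); notes whether memory was also written to it."""
    writes = {(s, d) for k, s, d, *_ in events if k == "write"}
    out = []
    for kind, src, dst, src_img, dst_img in events:
        if kind == "ctx" and PureWindowsPath(src_img).name.lower() == PureWindowsPath(dst_img).name.lower():
            out.append({"parent": src, "child": dst, "image": PureWindowsPath(src_img).name,
                        "also_wrote_memory": (src, dst) in writes})
    return out


if __name__ == "__main__":
    evs = parse_rows(SAMPLE_ROWS)
    img, kids, roots = build_tree(evs)
    print(render(img, kids, roots))
    print(hollowing_suspects(evs))
```

With these rows the tree has a single root (the submitted sample, PID 4048) and the three sahiba payloads all resolve to setup_install.exe (PID 2416) once cmd.exe is skipped; the only hollowing candidate is 4520 -> 316. The WriteProcessMemory table for that pair is not in this subset, so also_wrote_memory is False here; on the full report it is the second thing to check before calling it hollowing.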

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-C6ULR.tmp\sahiba_8.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-SQT9S.tmp\sahiba_5.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4048 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 4048 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 4048 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 3728 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe
PID 3728 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe
PID 3728 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe
PID 2416 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4588 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_1.exe
PID 4588 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_1.exe
PID 4588 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_1.exe
PID 4764 wrote to memory of 4520 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_4.exe
PID 4764 wrote to memory of 4520 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_4.exe
PID 4764 wrote to memory of 4520 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_4.exe
PID 2844 wrote to memory of 3784 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_2.exe
PID 2844 wrote to memory of 3784 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_2.exe
PID 2844 wrote to memory of 3784 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_2.exe
PID 5068 wrote to memory of 4072 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_3.exe
PID 5068 wrote to memory of 4072 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_3.exe
PID 5068 wrote to memory of 4072 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_3.exe
PID 2812 wrote to memory of 1740 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_5.exe
PID 2812 wrote to memory of 1740 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_5.exe
PID 2812 wrote to memory of 1740 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_5.exe
PID 3020 wrote to memory of 3968 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_6.exe
PID 3020 wrote to memory of 3968 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_6.exe
PID 2512 wrote to memory of 512 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe
PID 2512 wrote to memory of 512 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe
PID 2512 wrote to memory of 512 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe
PID 2292 wrote to memory of 4572 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_8.exe
PID 2292 wrote to memory of 4572 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_8.exe
PID 2292 wrote to memory of 4572 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_8.exe
PID 1548 wrote to memory of 3080 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_9.exe
PID 1548 wrote to memory of 3080 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_9.exe
PID 1548 wrote to memory of 3080 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_9.exe
PID 1740 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_5.exe C:\Users\Admin\AppData\Local\Temp\is-SQT9S.tmp\sahiba_5.tmp
PID 1740 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_5.exe C:\Users\Admin\AppData\Local\Temp\is-SQT9S.tmp\sahiba_5.tmp
PID 1740 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_5.exe C:\Users\Admin\AppData\Local\Temp\is-SQT9S.tmp\sahiba_5.tmp
PID 4572 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_8.exe C:\Users\Admin\AppData\Local\Temp\is-C6ULR.tmp\sahiba_8.tmp
PID 4572 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_8.exe C:\Users\Admin\AppData\Local\Temp\is-C6ULR.tmp\sahiba_8.tmp
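Added example, not part of the sandbox output: each WriteProcessMemory row above names a writer PID, a target PID and both images, which is enough to rebuild the process tree and to spot the one shape that matters most in this report, a child written to by a parent running the same image (how process hollowing looks in this log; the report's SetThreadContext signature on sahiba_4.exe is the companion indicator). The script parses rows in the sandbox's own format, collapses repeated writes into one edge with a count, prints the tree and flags self-image writes. The sample rows are copied from the table; the final sahiba_4.exe row is constructed to show that case and its PIDs are assumed, not taken from the report.

```python
import re
from collections import defaultdict

# Constructed sample in the sandbox's own record format. The first lines are
# copied from the WriteProcessMemory table; the last line is an illustrative
# self-relaunch (parent and child share an image), which is how a hollowing
# injection appears in this log. Its PIDs are assumed.
SAMPLE = r"""
PID 2416 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1548 wrote to memory of 3080 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_9.exe
PID 2812 wrote to memory of 1740 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_5.exe
PID 1740 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_5.exe C:\Users\Admin\AppData\Local\Temp\is-SQT9S.tmp\sahiba_5.tmp
PID 4520 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_4.exe C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_4.exe
"""

RECORD = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+)$")
# Process and target are two Windows paths separated by one space. Splitting
# just before the second drive letter keeps paths that contain spaces intact.
PATH_SPLIT = re.compile(r" (?=[A-Za-z]:\\)")


def parse_records(text):
    """Collapse repeated writes into edges: {(src_pid, dst_pid): info}."""
    edges = {}
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        parts = PATH_SPLIT.split(m.group(3))
        if len(parts) != 2:
            raise ValueError(f"cannot split process/target paths: {m.group(3)!r}")
        edge = edges.setdefault((src, dst), {"src": parts[0], "dst": parts[1], "writes": 0})
        edge["writes"] += 1
    return edges


def roots(edges):
    """PIDs that write to others but are never written to."""
    return sorted({s for s, _ in edges} - {d for _, d in edges})


def self_writes(edges):
    """Children written to by a parent running the same image."""
    return sorted(d for (s, d), e in edges.items() if e["src"].lower() == e["dst"].lower())


def render(edges):
    """Indented tree, one line per PID, with self-image writes flagged."""
    kids = defaultdict(list)
    image = {}
    for (s, d), e in edges.items():
        kids[s].append(d)
        image[s], image[d] = e["src"], e["dst"]
    flagged = set(self_writes(edges))
    lines, seen = [], set()

    def walk(pid, depth):
        if pid in seen:          # guard against malformed or cyclic records
            return
        seen.add(pid)
        name = image[pid].rsplit("\\", 1)[-1]
        note = "  [same image as parent: possible hollowing]" if pid in flagged else ""
        lines.append(f"{'  ' * depth}{pid} {name}{note}")
        for child in sorted(kids[pid]):
            walk(child, depth + 1)

    for root in roots(edges):
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(parse_records(SAMPLE)))
```

Run against the full table, a root other than the submitted sample is a sign that rows are missing from the capture rather than of a second infection chain; the cmd.exe roots in the sample above are exactly that, since their parent rows sit earlier in the report.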

Processes

Image / Command line

C:\Users\Admin\AppData\Local\Temp\dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a.exe
"C:\Users\Admin\AppData\Local\Temp\dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_1.exe

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_2.exe

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_3.exe

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_4.exe

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_5.exe

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_6.exe

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_7.exe

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_8.exe

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_9.exe

C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_1.exe
sahiba_1.exe

C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_4.exe
sahiba_4.exe

C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_2.exe
sahiba_2.exe

C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_3.exe
sahiba_3.exe

C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_5.exe
sahiba_5.exe

C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_6.exe
sahiba_6.exe

C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe
sahiba_7.exe

C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_8.exe
sahiba_8.exe

C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_9.exe
sahiba_9.exe

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3784 -ip 3784

C:\Users\Admin\AppData\Local\Temp\is-SQT9S.tmp\sahiba_5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SQT9S.tmp\sahiba_5.tmp" /SL5="$70090,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_5.exe"

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2416 -ip 2416

C:\Users\Admin\AppData\Local\Temp\is-C6ULR.tmp\sahiba_8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-C6ULR.tmp\sahiba_8.tmp" /SL5="$F0068,238351,154624,C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_8.exe"

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 360

C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_1.exe
"C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_1.exe" -a

C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_4.exe
C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_4.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /DeleteCookiesWildcard "*.facebook.com"

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4072 -ip 4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 1028

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
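Added example, not part of the sandbox output: the command lines above carry more than the signatures spell out. The `/scookiestxt`, `/CookiesFile` and `/DeleteCookiesWildcard` switches on jfiag3g_gg.exe are the command-line options of NirSoft's ChromeCookiesView (which is what the "Detected Nirsoft tools" tag is picking up): each run dumps one browser profile's cookie database to fj4ghga23_fsa.txt and a paired run then deletes the `*.facebook.com` cookies from that store. The `/SL5="$...` argument marks the Inno Setup second stage that installers unpack into an `is-XXXXX.tmp` directory, `cmd.exe /c sahiba_N.exe` launches each payload by a bare relative name from the 7-Zip SFX extraction directory, and the WerFault.exe lines give the PIDs that crashed. The script below classifies a raw process listing on those patterns; the sample is a subset of the listing above copied in the raw form the sandbox emits (image path, then command line), and the tag names are this example's own.

```python
import re

# Constructed sample: a subset of the process listing above, in the raw form the
# sandbox emits (image path line, blank line, command line, blank line).
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_1.exe

C:\Users\Admin\AppData\Local\Temp\is-SQT9S.tmp\sahiba_5.tmp

"C:\Users\Admin\AppData\Local\Temp\is-SQT9S.tmp\sahiba_5.tmp" /SL5="$70090,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_5.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2416 -ip 2416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 1028

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /DeleteCookiesWildcard "*.facebook.com"

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
"""

# ChromeCookiesView switches seen in the report (compared case-insensitively).
COOKIE_SWITCHES = ("/scookiestxt", "/cookiesfile", "/deletecookieswildcard")

# (tag, predicate over (image, cmdline)); tag names are this example's own.
RULES = [
    ("temp-7zsfx", lambda img, cmd: re.search(r"\\Temp\\7zS[0-9A-F]+\\", img, re.I)),
    ("inno-setup-stage2", lambda img, cmd: re.search(r"\\is-[A-Z0-9]+\.tmp\\", img, re.I)
                                            and re.search(r'/SL5="\$', cmd)),
    ("cmd-relative-launch", lambda img, cmd: re.search(r"cmd\.exe\s+/c\s+[^\\\s]+\.exe\s*$", cmd, re.I)),
    ("werfault", lambda img, cmd: img.lower().endswith("\\werfault.exe")),
    ("cookie-tool", lambda img, cmd: any(s in cmd.lower() for s in COOKIE_SWITCHES)),
    ("cookie-delete", lambda img, cmd: "/deletecookieswildcard" in cmd.lower()),
]


def parse_process_listing(text):
    """Pair each image path with the command line that follows it."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if len(lines) % 2:
        raise ValueError("listing should alternate image path / command line")
    return list(zip(lines[0::2], lines[1::2]))


def classify(image, cmdline):
    return [tag for tag, check in RULES if check(image, cmdline)]


def triage(procs):
    return [(img.rsplit("\\", 1)[-1], classify(img, cmd)) for img, cmd in procs]


def werfault_pids(procs):
    """Crashed PIDs, from the -p <pid> argument of each WerFault invocation."""
    pids = set()
    for img, cmd in procs:
        if "werfault" in classify(img, cmd):
            m = re.search(r"-p (\d+)", cmd)
            if m:
                pids.add(int(m.group(1)))
    return pids


def cookie_stores(procs):
    """Cookie databases the tool was pointed at; "default" when no /CookiesFile
    was given and the tool fell back to its own default profile."""
    stores = []
    for img, cmd in procs:
        if "cookie-tool" not in classify(img, cmd):
            continue
        m = re.search(r'/CookiesFile "([^"]+)"', cmd, re.I)
        stores.append(m.group(1) if m else "default")
    return stores


if __name__ == "__main__":
    procs = parse_process_listing(SAMPLE)
    for name, tags in triage(procs):
        print(f"{name:20} {', '.join(tags) or '-'}")
    print("crashed PIDs:", sorted(werfault_pids(procs)))
    print("cookie stores:", cookie_stores(procs))
```

Crossing `werfault_pids` with the process list maps the crashes to setup_install.exe (2416), sahiba_2.exe (3784) and sahiba_3.exe (4072); that is the substance behind the report's "Program crash" signature and tells you which dropped payloads never ran to completion in this detonation.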

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 watira.xyz udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 requested404.com udp
US 104.26.4.15:443 db-ip.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 superstationcity.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 api.db-ip.com udp
US 8.8.8.8:53 music-sec.xyz udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 15.4.26.104.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 172.67.75.166:443 api.db-ip.com tcp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 www.maxmind.com udp
US 104.17.28.25:80 www.maxmind.com tcp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 xeronxikxxx.tumblr.com udp
US 74.114.154.18:443 xeronxikxxx.tumblr.com tcp
GB 37.0.8.235:80 - tcp
US 8.8.8.8:53 166.75.67.172.in-addr.arpa udp
US 8.8.8.8:53 161.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 25.28.17.104.in-addr.arpa udp
US 8.8.8.8:53 18.154.114.74.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 liezaphare.xyz udp
N/A 127.0.0.1:52455 - tcp
N/A 127.0.0.1:52457 - tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.11.8:80 - tcp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
SG 37.0.11.9:80 - tcp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 208.5.21.104.in-addr.arpa udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.11.9:80 - tcp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 f.youtuuee.com udp
SG 37.0.11.9:80 - tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 f.youtuuee.com udp
SG 37.0.11.9:80 - tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 f.youtuuee.com udp
SG 37.0.11.9:80 - tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 f.youtuuee.com udp
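Added example, not part of the sandbox output: read as a whole, the Network table separates into a few classes that a flat list hides. Names such as liezaphare.xyz, f.youtuuee.com and live.goatgame.live are queried dozens of times but never appear as a TCP destination, which is what a loader retrying a name that did not resolve or did not answer looks like (the capture alone cannot say which). The connections with no name at all (37.0.8.235:80, 37.0.11.8:80, 37.0.11.9:80) are hard-coded addresses over plain HTTP. The ipinfo.io, ip-api.com, db-ip.com and maxmind.com traffic is the external-IP lookup the report flags, and the reverse (in-addr.arpa) lookups would inflate per-name counts if not split out. The script below parses rows in the table's own layout (a missing Domain column may appear as three fields or as "-"), produces those classes and derives a block list that leaves the shared IP-lookup services out. The sample rows are a subset copied from the table; `IP_LOOKUP_SERVICES` is this example's own list.

```python
from collections import Counter

# Constructed sample: rows copied from the Network table above, in its own
# "Country Destination Domain Proto" layout. Rows with no Domain column appear
# either as three fields or with "-" as a placeholder; both forms are handled.
SAMPLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 watira.xyz udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
GB 37.0.8.235:80 tcp
N/A 127.0.0.1:52455 tcp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.11.9:80 - tcp
US 8.8.8.8:53 liezaphare.xyz udp
SG 37.0.11.9:80 tcp
"""

# External-IP / geolocation services named in the report's "Looks up external
# IP address via web service" signature (this example's own list; extend it).
IP_LOOKUP_SERVICES = {"ipinfo.io", "ip-api.com", "db-ip.com", "api.db-ip.com", "www.maxmind.com"}


def parse_rows(text):
    """Yield (country, destination, domain_or_None, proto) per data row."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] == "Country":
            continue
        if len(f) == 4:
            cc, dest, domain, proto = f
        elif len(f) == 3:
            cc, dest, proto = f
            domain = None
        else:
            raise ValueError(f"unexpected row: {line!r}")
        rows.append((cc, dest, None if domain == "-" else domain, proto))
    return rows


def summarize(text):
    dns = Counter()          # forward lookups per name
    ptr = 0                  # reverse (in-addr.arpa) lookups, kept separate
    tcp_domains = Counter()  # TCP connections to a resolved name
    direct_ip = Counter()    # TCP to an address with no name in the capture
    loopback = 0
    for cc, dest, domain, proto in parse_rows(text):
        if proto == "udp" and dest.endswith(":53") and domain:
            if domain.endswith(".in-addr.arpa"):
                ptr += 1
            else:
                dns[domain] += 1
        elif proto == "tcp":
            if domain:
                tcp_domains[domain] += 1
            elif dest.startswith("127."):
                loopback += 1
            else:
                direct_ip[dest] += 1
    resolved_only = sorted(d for d in dns if d not in tcp_domains)
    return {
        "dns": dns,
        "ptr_lookups": ptr,
        "tcp_domains": tcp_domains,
        "direct_ip": direct_ip,
        "loopback": loopback,
        "resolved_only": resolved_only,
        # queried repeatedly, never connected: a retry loop against a dead name
        "retry_candidates": [d for d in resolved_only if dns[d] >= 2],
        "ip_lookup_services": {d for d in list(dns) + list(tcp_domains) if d in IP_LOOKUP_SERVICES},
    }


def iocs(summary):
    """Block-list candidates: direct-IP destinations, contacted names and the
    names the sample kept trying, minus shared IP-lookup services. Shared
    hosting such as iplogger.org still lands here; review before blocking."""
    out = set(summary["direct_ip"]) | set(summary["tcp_domains"]) | set(summary["resolved_only"])
    return sorted(out - summary["ip_lookup_services"])


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print("retrying dead names:", s["retry_candidates"])
    print("direct-to-IP:", dict(s["direct_ip"]))
    print("block list:", iocs(s))
```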

Files

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 937768008be3b71478be77f512943a75
SHA1 be2c1470c46eb18c49500dd5bb07a7cabe588398
SHA256 dc812fa1ae68dfa017cfde268e2ae523019308b102bce0acb1656c08b34dc818
SHA512 0cba8d244ea822578021fdac8a215bf5ed2e6c3ff2d712bb01b4e80b004b8df326ac568ab682bb3d59a15cab6ff80b137b9fa9a66fe5b05438b8b6141d4ea469

C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe

MD5 3e6e91a0a2292b94b83916d430ad0db5
SHA1 ccbde14c585446acbfc7b981fdae3ec4f473b3b9
SHA256 4ff18dc2fe0d3a6522a7bccb363eefce100f52d9da3566a3f4954ae0cae9f2fb
SHA512 74757b04a31fc52f76b8bb079323616f3f5086405a61069d4b483d046c924f379b51fdb5f3686c4beaac5665c7b7bef4efc058ef5bc8cba30fde95a77ca9b11a

memory/2416-48-0x0000000000400000-0x000000000051E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/2416-61-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2416-65-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2416-64-0x0000000064941000-0x000000006494F000-memory.dmp

memory/2416-63-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2416-57-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/2416-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2416-74-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2416-80-0x0000000000400000-0x000000000051E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_2.exe

MD5 bb7409da9c80af6ca5ef4fdb40b08ed7
SHA1 f415c4ab1ad47e2f14f5be85386d0f3537bebf78
SHA256 6c64ee41cc2643df2f95efde9a4ab31c71bef2af1371c71931fd216e93209c2e
SHA512 9b3fad8a7ead617be9b76a9b6bd6b3bb12f99362446609e5591e2609f4b13cb26271c4fce194627031be2633f274c2b95fd0fdb591ae798be4a413d7df3a7611

C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_3.exe

MD5 4fa4a626bfe65bbb3ba048e66170556a
SHA1 05e0beeedc4a183056292c36cc87a9822f3a19af
SHA256 7e1282097df8513b7a380803f31386373c178bb97102862d6a08816c0a8902f4
SHA512 3236f3a9baf67ec60e1fef21c7c053df5f33d70b8fad9146ad45f2d9f55c9db95e468d5edabb6658a43bb11776a813f0a5448b560b7939f35a38490c2345e7cd

C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe

MD5 3011f2257b899aa8196e02447383a46b
SHA1 cb90ff25622aa5e5e20e257f6c6cb3ce58bd6940
SHA256 4df50c6d6d188c3413bdba53851cbeea7b281b92b0d5341c021a65912395fa5b
SHA512 db29dcb83a786af54720ad0a6db69949f3479c95cc940e005b803000e28d00a5dbe3d68b075215c8c4c4f804986e9c3839a3de3a93751725326e1b62ef420323

C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_6.exe

MD5 255aac71617edb0cc31709ef30fbee0a
SHA1 98ef84fd1e1cc4ff60a52bab85d00db7093a8f01
SHA256 d0812c78e146d7774b25061dbdabae004fefc503ea363b441fa691add1eef26b
SHA512 2d2ae0e917453a52ab374ae4f0b12a4ec3e16ecf3c6aff2352a3daa187f189c000adc241ea48077fb7c1fbfc36cfa6702969a70a25502cc7db5ec9ef554121bc

memory/4520-98-0x0000000000900000-0x0000000000968000-memory.dmp

memory/1740-96-0x0000000000400000-0x000000000046D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_5.exe

MD5 4b300abf0da6582cde1e9ec29c214abf
SHA1 73ff7d346dd476d34236cbeb67268dcf0af570ac
SHA256 783242dd1841ef1e7b62d7004291bfe3cd20816109dcd6932ec797aa5e6f09ff
SHA512 d9c3a11830da2e39cd9b6b0e476f5a6bca7fe94d0a6300e838118bed998bde79c30f25ed758fba459d81ae06a87d9fc708eae318126c47529b23b4d17fba4587

C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_4.exe

MD5 eb73f48eaf544bf7e035a58f95f73394
SHA1 251f0d09f14452538ecfa0924a4618c3c16887e3
SHA256 da72fa2ad767e22db3d55506846b5d4db7932cd7287391c483faa80c5e86bcce
SHA512 a190b5e95308aa2a855dbb6c93841fbfbd79bd3c04b3f3c90e94b88c35c0409de68c39f31373b7dce38998ecdc35064541efad17f63978e14022ec9efac3b4c1

C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_1.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_9.txt

MD5 270dd1da0ab7f38cdff6fab84562ec7a
SHA1 cf7be169ee4415085baeb4aeaa60932ac5abf4ac
SHA256 7d7d5ae0fa9286fea65a6f94240389998ff0d08340a2aedc67ef3547e84d64c6
SHA512 dc3d7d112a8e43c34261f3425ef6710d61cb92d797dd4a1e9b04e02971db42a4a2e2488bf5397c0ec9a6a1a6a718cec77c379377647402099cb7e4a5bb381286

C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_8.txt

MD5 c06e890154e59a75f67e2d37295c2bc9
SHA1 e6deea575d36331a0c2f8d42586442c43f5d58b8
SHA256 76d4acbc47089e7b075834a63bd148062da9d01b2d9bfada50dbe2bfc500cd97
SHA512 3d64c2a95e738b50e1ae8a048fac79d974118e86fbdb6fde537a891bfa9a7dbbaeeaf068d3f7432567d1bf2f93b96182a61f49a71f718847f99ee1de3649ad5c

memory/2416-79-0x0000000000400000-0x000000000051E000-memory.dmp

memory/2416-78-0x0000000000400000-0x000000000051E000-memory.dmp

memory/2416-76-0x0000000000400000-0x000000000051E000-memory.dmp

memory/2416-75-0x0000000000400000-0x000000000051E000-memory.dmp

memory/2416-73-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2416-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2416-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2416-77-0x0000000000400000-0x000000000051E000-memory.dmp

memory/2416-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2416-68-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2416-67-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2416-66-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

memory/4520-103-0x00000000051A0000-0x0000000005216000-memory.dmp

memory/4572-105-0x0000000000400000-0x000000000042C000-memory.dmp

memory/3968-108-0x0000000000AF0000-0x0000000000B24000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-SQT9S.tmp\sahiba_5.tmp

MD5 b6cee06d96499009bc0fddd23dc935aa
SHA1 ffaef1baa4456b6e10bb40c2612dba7b18743d01
SHA256 9553aee4cfe474165afa02a4f89455aaba3e27fe03bfda46ec85ec7c6f01574f
SHA512 b710767c8802981495368f0b4e0dd87a4b04833b974e6b82605c92a8303b1cf5525634b3c34a1e251193c73c59579aa15704260c3898a2d49f641770b2d95b4f

memory/4520-114-0x0000000005140000-0x000000000515E000-memory.dmp

memory/3968-115-0x0000000002A80000-0x0000000002A86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-C6ULR.tmp\sahiba_8.tmp

MD5 1623272fc3047895b1db3c60b2dd7bc5
SHA1 772e1f9d062d8b98d241ae54414c814b8a6610bb
SHA256 89b72c11ec6a19aeb26bc5305912b5b734e732211fe12160d3a07507a0fd99c1
SHA512 135c85f2f2eba58f6f64a218f5a4e76a57d97906d50fa9877fa5b9292bc34a341dda0b72470736019e1031403be32f7505cf3f797502292fe97c29adbc8daa73

C:\Users\Admin\AppData\Local\Temp\is-LMRG9.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\is-LMRG9.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/3968-120-0x0000000002A90000-0x0000000002AB6000-memory.dmp

memory/3968-133-0x0000000002AB0000-0x0000000002AB6000-memory.dmp

memory/4520-135-0x00000000059B0000-0x0000000005F54000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5 7fee8223d6e4f82d6cd115a28f0b6d58
SHA1 1b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256 a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA512 3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

memory/2356-149-0x0000000000400000-0x00000000004D5000-memory.dmp

memory/2140-147-0x0000000000400000-0x000000000045B000-memory.dmp

memory/216-157-0x0000000000400000-0x000000000045B000-memory.dmp

memory/4572-156-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2140-153-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1740-152-0x0000000000400000-0x000000000046D000-memory.dmp

memory/5008-145-0x0000000000400000-0x0000000000516000-memory.dmp

memory/2416-166-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2416-169-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2416-167-0x0000000000400000-0x000000000051E000-memory.dmp

memory/2416-168-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2416-165-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2416-163-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/3784-170-0x0000000000400000-0x000000000324C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5 b7161c0845a64ff6d7345b67ff97f3b0
SHA1 d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256 fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA512 98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

memory/3412-186-0x0000000000400000-0x000000000045B000-memory.dmp

memory/604-190-0x0000000000400000-0x000000000045B000-memory.dmp

memory/604-192-0x0000000000400000-0x000000000045B000-memory.dmp

memory/4072-193-0x0000000000400000-0x00000000032A0000-memory.dmp

memory/316-194-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sahiba_4.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

memory/316-198-0x0000000005A40000-0x0000000006058000-memory.dmp

memory/316-199-0x00000000054D0000-0x00000000054E2000-memory.dmp

memory/316-200-0x0000000005570000-0x00000000055AC000-memory.dmp

memory/316-201-0x00000000055B0000-0x00000000055FC000-memory.dmp

memory/316-202-0x0000000005820000-0x000000000592A000-memory.dmp

memory/3100-211-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2412-213-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2984-221-0x0000000000400000-0x000000000045B000-memory.dmp

memory/3024-223-0x0000000000400000-0x000000000045B000-memory.dmp
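Added example, not part of the sandbox output: the Files list mixes dropped files (with hashes) and memory-dump names, and the paths themselves carry staging information: a `Temp\7zS<hex>\` directory is where a 7-Zip SFX extracts, `is-XXXXX.tmp\` is an Inno Setup temp directory, and `Microsoft\CLR_v4.0_32\UsageLogs\<exe>.log` is written by the .NET runtime when a managed process of that name runs, which marks sahiba_4.exe as a .NET binary (consistent with the RedLine and SectopRAT tags, both .NET families, and with the self-injection seen in the Processes list). The memory-dump names encode PID, sequence number and address range, so the same region dumped repeatedly (2416's 0x400000-0x51E000 image range) can be collapsed. The script parses the section in its own layout; the sample is a subset of the entries above with only the MD5 and SHA256 lines kept, and the stage labels are this example's own.

```python
import re

# Constructed sample: a subset of the Files section above (MD5 and SHA256 lines
# only, to stay short), with memory-dump names interleaved as the report shows.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 937768008be3b71478be77f512943a75
SHA256 dc812fa1ae68dfa017cfde268e2ae523019308b102bce0acb1656c08b34dc818

memory/2416-48-0x0000000000400000-0x000000000051E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_4.exe

MD5 eb73f48eaf544bf7e035a58f95f73394
SHA256 da72fa2ad767e22db3d55506846b5d4db7932cd7287391c483faa80c5e86bcce

memory/2416-80-0x0000000000400000-0x000000000051E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-SQT9S.tmp\sahiba_5.tmp

MD5 b6cee06d96499009bc0fddd23dc935aa
SHA256 9553aee4cfe474165afa02a4f89455aaba3e27fe03bfda46ec85ec7c6f01574f

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sahiba_4.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c

memory/316-198-0x0000000005A40000-0x0000000006058000-memory.dmp
"""

HASH = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
DUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Path patterns that identify the unpacking stage a file belongs to.
STAGE_RULES = [
    (re.compile(r"\\Temp\\7zS[0-9A-F]+\\", re.I), "7-Zip SFX extraction dir"),
    (re.compile(r"\\is-[A-Z0-9]+\.tmp\\", re.I), "Inno Setup temp dir"),
    (re.compile(r"\\CLR_v4\.0(_32)?\\UsageLogs\\", re.I), ".NET CLR usage log"),
]


def parse_files(text):
    """Return ({path: {hashname: hexdigest}}, {pid: {(start, end): dump_count}})."""
    files, regions, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP.match(line)
        if m:
            pid = int(m.group(1))
            key = (int(m.group(3), 16), int(m.group(4), 16))
            per_pid = regions.setdefault(pid, {})
            per_pid[key] = per_pid.get(key, 0) + 1
            continue
        m = HASH.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash line before any path: {line!r}")
            files[current][m.group(1).lower()] = m.group(2).lower()
            continue
        current = line
        files.setdefault(current, {})
    return files, regions


def stage_of(path):
    return [label for rx, label in STAGE_RULES if rx.search(path)] or ["other"]


def dotnet_processes(files):
    """Managed binaries, read off the CLR usage-log names (<exe>.log)."""
    return sorted(p.rsplit("\\", 1)[-1][:-len(".log")]
                  for p in files if ".NET CLR usage log" in stage_of(p))


def ioc_sha256(files):
    """SHA256 of dropped files that are plausibly executables (logs and text skipped)."""
    return sorted(h["sha256"] for p, h in files.items()
                  if "sha256" in h and not p.lower().endswith((".log", ".txt")))


def region_sizes(regions):
    """Distinct dumped ranges per PID with their size in bytes."""
    return {pid: {(s, e): e - s for (s, e) in r} for pid, r in regions.items()}


if __name__ == "__main__":
    files, regions = parse_files(SAMPLE)
    for path in files:
        print(f"{stage_of(path)[0]:26} {path}")
    print(".NET processes:", dotnet_processes(files))
    print("regions:", region_sizes(regions))
```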

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-06 09:59

Reported

2024-11-06 10:01

Platform

win7-20241023-en

Max time kernel

41s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

Detect Fabookie payload

Matches 1 (indicator, process and target not recorded)

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Matches 5 (indicator, process and target not recorded)

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Matches 5 (indicator, process and target not recorded)

Sectoprat family

sectoprat

Vidar

stealer vidar

Vidar family

vidar

Detected Nirsoft tools

Matches 11 (indicator, process and target not recorded)

Vidar Stealer

stealer

Matches 1 (indicator, process and target not recorded)

ASPack v2.12-2.42

aspackv2

Matches 4 (indicator, process and target not recorded)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-02MAF.tmp\sahiba_8.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VB2I9.tmp\sahiba_5.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_4.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_8.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_1.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_5.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_8.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-02MAF.tmp\sahiba_8.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-02MAF.tmp\sahiba_8.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-02MAF.tmp\sahiba_8.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VB2I9.tmp\sahiba_5.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VB2I9.tmp\sahiba_5.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VB2I9.tmp\sahiba_5.tmp N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_4.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_9.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.db-ip.com N/A N/A
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.db-ip.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2220 set thread context of 1556 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_4.exe C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_4.exe

UPX packed file

upx

Matches 13 (indicator, process and target not recorded)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-VB2I9.tmp\sahiba_5.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-02MAF.tmp\sahiba_8.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_1.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob omitted) C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob omitted) C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2064 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe
PID 2064 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe
PID 2064 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe
PID 2064 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe
PID 2064 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe
PID 2064 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe
PID 2064 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe
PID 800 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 480 N/A C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_9.exe

C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_4.exe

sahiba_4.exe

C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_6.exe

sahiba_6.exe

C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_8.exe

sahiba_8.exe

C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_1.exe

sahiba_1.exe

C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_5.exe

sahiba_5.exe

C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_3.exe

sahiba_3.exe

C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_9.exe

sahiba_9.exe

C:\Users\Admin\AppData\Local\Temp\is-VB2I9.tmp\sahiba_5.tmp

"C:\Users\Admin\AppData\Local\Temp\is-VB2I9.tmp\sahiba_5.tmp" /SL5="$7018E,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_5.exe"

C:\Users\Admin\AppData\Local\Temp\is-02MAF.tmp\sahiba_8.tmp

"C:\Users\Admin\AppData\Local\Temp\is-02MAF.tmp\sahiba_8.tmp" /SL5="$70198,238351,154624,C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_8.exe"

C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_7.exe

sahiba_7.exe

C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_2.exe

sahiba_2.exe

C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_1.exe

"C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_1.exe" -a

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 272

C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_4.exe

C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_4.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 424

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /DeleteCookiesWildcard "*.facebook.com"

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 984

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"

Network

Country Destination Domain Proto
US 8.8.8.8:53 watira.xyz udp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 live.goatgame.live udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 172.67.75.166:443 db-ip.com tcp
US 8.8.8.8:53 api.db-ip.com udp
US 104.26.4.15:443 api.db-ip.com tcp
US 8.8.8.8:53 www.maxmind.com udp
US 104.17.28.25:80 www.maxmind.com tcp
GB 37.0.8.235:80 tcp
N/A 127.0.0.1:49276 tcp
N/A 127.0.0.1:49278 tcp
US 8.8.8.8:53 superstationcity.com udp
US 8.8.8.8:53 requested404.com udp
US 8.8.8.8:53 superstationcity.com udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 music-sec.xyz udp
US 8.8.8.8:53 xeronxikxxx.tumblr.com udp
US 74.114.154.18:443 xeronxikxxx.tumblr.com tcp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 f.youtuuee.com udp
US 172.67.74.161:443 iplogger.org tcp
SG 37.0.11.8:80 tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
SG 37.0.11.9:80 tcp
SG 37.0.11.9:80 tcp
SG 37.0.11.9:80 tcp
SG 37.0.11.9:80 tcp
SG 37.0.11.9:80 tcp

Files

\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe

MD5 3e6e91a0a2292b94b83916d430ad0db5
SHA1 ccbde14c585446acbfc7b981fdae3ec4f473b3b9
SHA256 4ff18dc2fe0d3a6522a7bccb363eefce100f52d9da3566a3f4954ae0cae9f2fb
SHA512 74757b04a31fc52f76b8bb079323616f3f5086405a61069d4b483d046c924f379b51fdb5f3686c4beaac5665c7b7bef4efc058ef5bc8cba30fde95a77ca9b11a

C:\Users\Admin\AppData\Local\Temp\7zS01814C96\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS01814C96\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

\Users\Admin\AppData\Local\Temp\7zS01814C96\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zS01814C96\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

\Users\Admin\AppData\Local\Temp\7zS01814C96\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_9.txt

MD5 270dd1da0ab7f38cdff6fab84562ec7a
SHA1 cf7be169ee4415085baeb4aeaa60932ac5abf4ac
SHA256 7d7d5ae0fa9286fea65a6f94240389998ff0d08340a2aedc67ef3547e84d64c6
SHA512 dc3d7d112a8e43c34261f3425ef6710d61cb92d797dd4a1e9b04e02971db42a4a2e2488bf5397c0ec9a6a1a6a718cec77c379377647402099cb7e4a5bb381286

\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_8.exe

MD5 c06e890154e59a75f67e2d37295c2bc9
SHA1 e6deea575d36331a0c2f8d42586442c43f5d58b8
SHA256 76d4acbc47089e7b075834a63bd148062da9d01b2d9bfada50dbe2bfc500cd97
SHA512 3d64c2a95e738b50e1ae8a048fac79d974118e86fbdb6fde537a891bfa9a7dbbaeeaf068d3f7432567d1bf2f93b96182a61f49a71f718847f99ee1de3649ad5c

C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_1.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_3.exe

MD5 4fa4a626bfe65bbb3ba048e66170556a
SHA1 05e0beeedc4a183056292c36cc87a9822f3a19af
SHA256 7e1282097df8513b7a380803f31386373c178bb97102862d6a08816c0a8902f4
SHA512 3236f3a9baf67ec60e1fef21c7c053df5f33d70b8fad9146ad45f2d9f55c9db95e468d5edabb6658a43bb11776a813f0a5448b560b7939f35a38490c2345e7cd

C:\Users\Admin\AppData\Local\Temp\is-IPVF9.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\is-IPVF9.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_2.exe

MD5 bb7409da9c80af6ca5ef4fdb40b08ed7
SHA1 f415c4ab1ad47e2f14f5be85386d0f3537bebf78
SHA256 6c64ee41cc2643df2f95efde9a4ab31c71bef2af1371c71931fd216e93209c2e
SHA512 9b3fad8a7ead617be9b76a9b6bd6b3bb12f99362446609e5591e2609f4b13cb26271c4fce194627031be2633f274c2b95fd0fdb591ae798be4a413d7df3a7611

C:\Users\Admin\AppData\Local\Temp\is-02MAF.tmp\sahiba_8.tmp

MD5 1623272fc3047895b1db3c60b2dd7bc5
SHA1 772e1f9d062d8b98d241ae54414c814b8a6610bb
SHA256 89b72c11ec6a19aeb26bc5305912b5b734e732211fe12160d3a07507a0fd99c1
SHA512 135c85f2f2eba58f6f64a218f5a4e76a57d97906d50fa9877fa5b9292bc34a341dda0b72470736019e1031403be32f7505cf3f797502292fe97c29adbc8daa73

\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_7.exe

MD5 3011f2257b899aa8196e02447383a46b
SHA1 cb90ff25622aa5e5e20e257f6c6cb3ce58bd6940
SHA256 4df50c6d6d188c3413bdba53851cbeea7b281b92b0d5341c021a65912395fa5b
SHA512 db29dcb83a786af54720ad0a6db69949f3479c95cc940e005b803000e28d00a5dbe3d68b075215c8c4c4f804986e9c3839a3de3a93751725326e1b62ef420323

\Users\Admin\AppData\Local\Temp\is-VB2I9.tmp\sahiba_5.tmp

MD5 b6cee06d96499009bc0fddd23dc935aa
SHA1 ffaef1baa4456b6e10bb40c2612dba7b18743d01
SHA256 9553aee4cfe474165afa02a4f89455aaba3e27fe03bfda46ec85ec7c6f01574f
SHA512 b710767c8802981495368f0b4e0dd87a4b04833b974e6b82605c92a8303b1cf5525634b3c34a1e251193c73c59579aa15704260c3898a2d49f641770b2d95b4f

\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_5.exe

MD5 4b300abf0da6582cde1e9ec29c214abf
SHA1 73ff7d346dd476d34236cbeb67268dcf0af570ac
SHA256 783242dd1841ef1e7b62d7004291bfe3cd20816109dcd6932ec797aa5e6f09ff
SHA512 d9c3a11830da2e39cd9b6b0e476f5a6bca7fe94d0a6300e838118bed998bde79c30f25ed758fba459d81ae06a87d9fc708eae318126c47529b23b4d17fba4587

C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_6.exe

MD5 255aac71617edb0cc31709ef30fbee0a
SHA1 98ef84fd1e1cc4ff60a52bab85d00db7093a8f01
SHA256 d0812c78e146d7774b25061dbdabae004fefc503ea363b441fa691add1eef26b
SHA512 2d2ae0e917453a52ab374ae4f0b12a4ec3e16ecf3c6aff2352a3daa187f189c000adc241ea48077fb7c1fbfc36cfa6702969a70a25502cc7db5ec9ef554121bc

\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_4.exe

MD5 eb73f48eaf544bf7e035a58f95f73394
SHA1 251f0d09f14452538ecfa0924a4618c3c16887e3
SHA256 da72fa2ad767e22db3d55506846b5d4db7932cd7287391c483faa80c5e86bcce
SHA512 a190b5e95308aa2a855dbb6c93841fbfbd79bd3c04b3f3c90e94b88c35c0409de68c39f31373b7dce38998ecdc35064541efad17f63978e14022ec9efac3b4c1

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5 7fee8223d6e4f82d6cd115a28f0b6d58
SHA1 1b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256 a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA512 3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

C:\Users\Admin\AppData\Local\Temp\CabD54B.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarD619.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-06 09:59

Reported

2024-11-06 10:01

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Sectoprat family

sectoprat

Vidar

stealer vidar

Vidar family

vidar

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Vidar Stealer

stealer

Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_1.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GM86I.tmp\sahiba_5.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-FQC6B.tmp\sahiba_8.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A api.db-ip.com N/A N/A
N/A api.db-ip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2356 set thread context of 2476 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_4.exe C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_4.exe

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-GM86I.tmp\sahiba_5.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-FQC6B.tmp\sahiba_8.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2936 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe
PID 2936 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe
PID 2936 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe
PID 1416 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 3548 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_1.exe
PID 2852 wrote to memory of 3548 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_1.exe
PID 2852 wrote to memory of 3548 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_1.exe
PID 5020 wrote to memory of 388 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_2.exe
PID 5020 wrote to memory of 388 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_2.exe
PID 5020 wrote to memory of 388 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_2.exe
PID 4204 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_4.exe
PID 4204 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_4.exe
PID 4204 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_4.exe
PID 116 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_3.exe
PID 116 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_3.exe
PID 116 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_3.exe
PID 3004 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_6.exe
PID 3004 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_6.exe
PID 2420 wrote to memory of 1412 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_5.exe
PID 2420 wrote to memory of 1412 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_5.exe
PID 2420 wrote to memory of 1412 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_5.exe
PID 2440 wrote to memory of 2064 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_9.exe
PID 2440 wrote to memory of 2064 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_9.exe
PID 2440 wrote to memory of 2064 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_9.exe
PID 3992 wrote to memory of 1396 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_8.exe
PID 3992 wrote to memory of 1396 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_8.exe
PID 3992 wrote to memory of 1396 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_8.exe
PID 2256 wrote to memory of 3192 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_7.exe
PID 2256 wrote to memory of 3192 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_7.exe
PID 2256 wrote to memory of 3192 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_7.exe
PID 1412 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_5.exe C:\Users\Admin\AppData\Local\Temp\is-GM86I.tmp\sahiba_5.tmp
PID 1412 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_5.exe C:\Users\Admin\AppData\Local\Temp\is-GM86I.tmp\sahiba_5.tmp
PID 1412 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_5.exe C:\Users\Admin\AppData\Local\Temp\is-GM86I.tmp\sahiba_5.tmp
PID 1396 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_8.exe C:\Users\Admin\AppData\Local\Temp\is-FQC6B.tmp\sahiba_8.tmp
PID 1396 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_8.exe C:\Users\Admin\AppData\Local\Temp\is-FQC6B.tmp\sahiba_8.tmp
PID 1396 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_8.exe C:\Users\Admin\AppData\Local\Temp\is-FQC6B.tmp\sahiba_8.tmp
PID 2356 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_4.exe C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_4.exe
PID 2356 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_4.exe C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_4.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_9.exe

C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_1.exe

sahiba_1.exe

C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_2.exe

sahiba_2.exe

C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_4.exe

sahiba_4.exe

C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_3.exe

sahiba_3.exe

C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_6.exe

sahiba_6.exe

C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_5.exe

sahiba_5.exe

C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_9.exe

sahiba_9.exe

C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_8.exe

sahiba_8.exe

C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_7.exe

sahiba_7.exe

C:\Users\Admin\AppData\Local\Temp\is-GM86I.tmp\sahiba_5.tmp

"C:\Users\Admin\AppData\Local\Temp\is-GM86I.tmp\sahiba_5.tmp" /SL5="$7003C,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_5.exe"

C:\Users\Admin\AppData\Local\Temp\is-FQC6B.tmp\sahiba_8.tmp

"C:\Users\Admin\AppData\Local\Temp\is-FQC6B.tmp\sahiba_8.tmp" /SL5="$6021C,238351,154624,C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_8.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1416 -ip 1416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 388 -ip 388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 556

C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_4.exe

C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_4.exe

C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_1.exe

"C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_1.exe" -a

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /DeleteCookiesWildcard "*.facebook.com"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2832 -ip 2832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 1028

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 watira.xyz udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 superstationcity.com udp
US 8.8.8.8:53 requested404.com udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 music-sec.xyz udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 db-ip.com udp
US 172.67.75.166:443 db-ip.com tcp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 api.db-ip.com udp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.75.166:443 api.db-ip.com tcp
US 8.8.8.8:53 www.maxmind.com udp
US 104.17.28.25:80 www.maxmind.com tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 166.75.67.172.in-addr.arpa udp
US 8.8.8.8:53 161.74.67.172.in-addr.arpa udp
GB 37.0.8.235:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 xeronxikxxx.tumblr.com udp
US 74.114.154.22:443 xeronxikxxx.tumblr.com tcp
US 8.8.8.8:53 25.28.17.104.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 22.154.114.74.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 liezaphare.xyz udp
N/A 127.0.0.1:65143 tcp
N/A 127.0.0.1:65145 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.11.8:80 tcp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
SG 37.0.11.9:80 tcp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 208.5.21.104.in-addr.arpa udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 liezaphare.xyz udp
SG 37.0.11.9:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.11.9:80 tcp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.11.9:80 tcp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.11.9:80 tcp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 liezaphare.xyz udp
US 8.8.8.8:53 live.goatgame.live udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe

MD5 3e6e91a0a2292b94b83916d430ad0db5
SHA1 ccbde14c585446acbfc7b981fdae3ec4f473b3b9
SHA256 4ff18dc2fe0d3a6522a7bccb363eefce100f52d9da3566a3f4954ae0cae9f2fb
SHA512 74757b04a31fc52f76b8bb079323616f3f5086405a61069d4b483d046c924f379b51fdb5f3686c4beaac5665c7b7bef4efc058ef5bc8cba30fde95a77ca9b11a

memory/1416-36-0x0000000000400000-0x000000000051E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/1416-48-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1416-54-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1416-53-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1416-52-0x0000000064941000-0x000000006494F000-memory.dmp

memory/1416-51-0x00000000007F0000-0x000000000087F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/1416-61-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1416-69-0x0000000000400000-0x000000000051E000-memory.dmp

memory/1416-68-0x0000000000400000-0x000000000051E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_2.exe

MD5 bb7409da9c80af6ca5ef4fdb40b08ed7
SHA1 f415c4ab1ad47e2f14f5be85386d0f3537bebf78
SHA256 6c64ee41cc2643df2f95efde9a4ab31c71bef2af1371c71931fd216e93209c2e
SHA512 9b3fad8a7ead617be9b76a9b6bd6b3bb12f99362446609e5591e2609f4b13cb26271c4fce194627031be2633f274c2b95fd0fdb591ae798be4a413d7df3a7611

memory/1396-90-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_1.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_7.exe

MD5 3011f2257b899aa8196e02447383a46b
SHA1 cb90ff25622aa5e5e20e257f6c6cb3ce58bd6940
SHA256 4df50c6d6d188c3413bdba53851cbeea7b281b92b0d5341c021a65912395fa5b
SHA512 db29dcb83a786af54720ad0a6db69949f3479c95cc940e005b803000e28d00a5dbe3d68b075215c8c4c4f804986e9c3839a3de3a93751725326e1b62ef420323

C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_8.exe

MD5 c06e890154e59a75f67e2d37295c2bc9
SHA1 e6deea575d36331a0c2f8d42586442c43f5d58b8
SHA256 76d4acbc47089e7b075834a63bd148062da9d01b2d9bfada50dbe2bfc500cd97
SHA512 3d64c2a95e738b50e1ae8a048fac79d974118e86fbdb6fde537a891bfa9a7dbbaeeaf068d3f7432567d1bf2f93b96182a61f49a71f718847f99ee1de3649ad5c

C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_9.exe

MD5 270dd1da0ab7f38cdff6fab84562ec7a
SHA1 cf7be169ee4415085baeb4aeaa60932ac5abf4ac
SHA256 7d7d5ae0fa9286fea65a6f94240389998ff0d08340a2aedc67ef3547e84d64c6
SHA512 dc3d7d112a8e43c34261f3425ef6710d61cb92d797dd4a1e9b04e02971db42a4a2e2488bf5397c0ec9a6a1a6a718cec77c379377647402099cb7e4a5bb381286

memory/1412-88-0x0000000000400000-0x000000000046D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_5.exe

MD5 4b300abf0da6582cde1e9ec29c214abf
SHA1 73ff7d346dd476d34236cbeb67268dcf0af570ac
SHA256 783242dd1841ef1e7b62d7004291bfe3cd20816109dcd6932ec797aa5e6f09ff
SHA512 d9c3a11830da2e39cd9b6b0e476f5a6bca7fe94d0a6300e838118bed998bde79c30f25ed758fba459d81ae06a87d9fc708eae318126c47529b23b4d17fba4587

C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_6.exe

MD5 255aac71617edb0cc31709ef30fbee0a
SHA1 98ef84fd1e1cc4ff60a52bab85d00db7093a8f01
SHA256 d0812c78e146d7774b25061dbdabae004fefc503ea363b441fa691add1eef26b
SHA512 2d2ae0e917453a52ab374ae4f0b12a4ec3e16ecf3c6aff2352a3daa187f189c000adc241ea48077fb7c1fbfc36cfa6702969a70a25502cc7db5ec9ef554121bc

C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_3.exe

MD5 4fa4a626bfe65bbb3ba048e66170556a
SHA1 05e0beeedc4a183056292c36cc87a9822f3a19af
SHA256 7e1282097df8513b7a380803f31386373c178bb97102862d6a08816c0a8902f4
SHA512 3236f3a9baf67ec60e1fef21c7c053df5f33d70b8fad9146ad45f2d9f55c9db95e468d5edabb6658a43bb11776a813f0a5448b560b7939f35a38490c2345e7cd

C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_4.exe

MD5 eb73f48eaf544bf7e035a58f95f73394
SHA1 251f0d09f14452538ecfa0924a4618c3c16887e3
SHA256 da72fa2ad767e22db3d55506846b5d4db7932cd7287391c483faa80c5e86bcce
SHA512 a190b5e95308aa2a855dbb6c93841fbfbd79bd3c04b3f3c90e94b88c35c0409de68c39f31373b7dce38998ecdc35064541efad17f63978e14022ec9efac3b4c1

memory/1416-67-0x0000000000400000-0x000000000051E000-memory.dmp

memory/1416-66-0x0000000000400000-0x000000000051E000-memory.dmp

memory/1416-65-0x0000000000400000-0x000000000051E000-memory.dmp

memory/1416-64-0x0000000000400000-0x000000000051E000-memory.dmp

memory/1416-63-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1416-62-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1416-60-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1416-59-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1416-58-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1416-57-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1416-56-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1416-55-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1416-49-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\is-GM86I.tmp\sahiba_5.tmp

MD5 b6cee06d96499009bc0fddd23dc935aa
SHA1 ffaef1baa4456b6e10bb40c2612dba7b18743d01
SHA256 9553aee4cfe474165afa02a4f89455aaba3e27fe03bfda46ec85ec7c6f01574f
SHA512 b710767c8802981495368f0b4e0dd87a4b04833b974e6b82605c92a8303b1cf5525634b3c34a1e251193c73c59579aa15704260c3898a2d49f641770b2d95b4f

memory/2356-100-0x0000000004E90000-0x0000000004F06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-FQC6B.tmp\sahiba_8.tmp

MD5 1623272fc3047895b1db3c60b2dd7bc5
SHA1 772e1f9d062d8b98d241ae54414c814b8a6610bb
SHA256 89b72c11ec6a19aeb26bc5305912b5b734e732211fe12160d3a07507a0fd99c1
SHA512 135c85f2f2eba58f6f64a218f5a4e76a57d97906d50fa9877fa5b9292bc34a341dda0b72470736019e1031403be32f7505cf3f797502292fe97c29adbc8daa73

memory/2356-104-0x0000000004E30000-0x0000000004E4E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-S3M9J.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/2444-122-0x00000000011C0000-0x00000000011C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-S3M9J.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2444-113-0x00000000011A0000-0x00000000011C6000-memory.dmp

memory/2444-101-0x0000000001190000-0x0000000001196000-memory.dmp

memory/2444-97-0x00000000009B0000-0x00000000009E4000-memory.dmp

memory/2356-96-0x00000000005E0000-0x0000000000648000-memory.dmp

memory/2356-123-0x0000000005560000-0x0000000005B04000-memory.dmp

memory/4236-135-0x0000000000400000-0x00000000004D5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5 7fee8223d6e4f82d6cd115a28f0b6d58
SHA1 1b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256 a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA512 3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

memory/2724-139-0x0000000000400000-0x0000000000516000-memory.dmp

memory/1412-144-0x0000000000400000-0x000000000046D000-memory.dmp

memory/4364-146-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2768-143-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1396-140-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2768-134-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1416-154-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/1416-160-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1416-159-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1416-158-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1416-157-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1416-156-0x0000000000400000-0x000000000051E000-memory.dmp

memory/388-149-0x0000000000400000-0x000000000324C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5 b7161c0845a64ff6d7345b67ff97f3b0
SHA1 d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256 fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA512 98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

memory/1920-177-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1544-180-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2832-181-0x0000000000400000-0x00000000032A0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sahiba_4.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

memory/2476-182-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2476-186-0x0000000005590000-0x0000000005BA8000-memory.dmp

memory/2476-188-0x0000000005070000-0x00000000050AC000-memory.dmp

memory/2476-187-0x0000000004FD0000-0x0000000004FE2000-memory.dmp

memory/2476-189-0x00000000050B0000-0x00000000050FC000-memory.dmp

memory/2476-190-0x0000000005370000-0x000000000547A000-memory.dmp

memory/5104-199-0x0000000000400000-0x000000000045B000-memory.dmp

memory/4368-202-0x0000000000400000-0x000000000045B000-memory.dmp

memory/408-211-0x0000000000400000-0x000000000045B000-memory.dmp

memory/4488-213-0x0000000000400000-0x000000000045B000-memory.dmp
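The dropped-file and memory-dump entries above are raw sandbox output. As an added example (not code from this report or from the sandbox vendor), the Python below parses that path / MD5 / SHA1 / SHA256 / SHA512 / `memory/<pid>-<n>-<start>-<end>-memory.dmp` layout into structured records, rejects digests whose length or alphabet does not match the named algorithm, and groups the memory dumps by PID so region sizes can be read off directly. The sample input is a few lines copied from this section plus one constructed malformed block (marked as such) that exercises the validation path; the function and class names are the example's own.

```python
"""Parse a sandbox 'Files' listing (paths with hashes, interleaved with
memory-dump names) into structured IOC records.

Added example: not the report's or the sandbox vendor's code. It assumes only
the line shapes visible in the listing itself.
"""
import json
import re
from dataclasses import asdict, dataclass, field

# Expected hex length of each digest the listing uses.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEM_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")  # Windows drive-letter path


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)  # algo -> lowercase hex digest


@dataclass
class MemoryRegion:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text):
    """Return (files, regions, errors). Hash lines attach to the most recent
    path; a memory-dump line closes the open path so stray digests are flagged."""
    files, regions, errors = [], [], []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            regions.append(MemoryRegion(int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.groups()
            if current is None:
                errors.append(f"line {lineno}: {algo} digest without a preceding path")
            elif len(digest) != HASH_LEN[algo]:
                errors.append(f"line {lineno}: {algo} has {len(digest)} hex chars, "
                              f"expected {HASH_LEN[algo]}")
            else:
                current.hashes[algo] = digest.lower()
            continue
        if PATH_RE.match(line):
            current = DroppedFile(line)
            files.append(current)
            continue
        errors.append(f"line {lineno}: unrecognised line {line!r}")
    return files, regions, errors


def regions_by_pid(regions):
    """Group memory regions by PID, each list ordered by dump sequence number."""
    out = {}
    for r in regions:
        out.setdefault(r.pid, []).append(r)
    for lst in out.values():
        lst.sort(key=lambda r: r.seq)
    return out


def sha256_iocs(files):
    """Deduplicated SHA256 values, ready for a blocklist or a threat-intel lookup."""
    return sorted({f.hashes["SHA256"] for f in files if "SHA256" in f.hashes})


# Lines copied from the report section above.
SAMPLE = r"""
memory/1412-88-0x0000000000400000-0x000000000046D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_5.exe

MD5 4b300abf0da6582cde1e9ec29c214abf
SHA1 73ff7d346dd476d34236cbeb67268dcf0af570ac
SHA256 783242dd1841ef1e7b62d7004291bfe3cd20816109dcd6932ec797aa5e6f09ff
SHA512 d9c3a11830da2e39cd9b6b0e476f5a6bca7fe94d0a6300e838118bed998bde79c30f25ed758fba459d81ae06a87d9fc708eae318126c47529b23b4d17fba4587

memory/1416-67-0x0000000000400000-0x000000000051E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/1416-154-0x000000006EB40000-0x000000006EB63000-memory.dmp
"""

# Constructed (not from the report) to show the three validation failures.
BAD_SAMPLE = r"""
MD5 4b300abf0da6582cde1e9ec29c214abf
C:\Users\Admin\AppData\Local\Temp\example.exe
MD5 deadbeef
SHA256 not-a-hash
"""

if __name__ == "__main__":
    files, regions, errors = parse_listing(SAMPLE)
    summary = {
        "files": [asdict(f) for f in files],
        "regions": {pid: [dict(asdict(r), size=r.size) for r in rs]
                    for pid, rs in regions_by_pid(regions).items()},
        "sha256": sha256_iocs(files),
        "errors": errors,
    }
    print(json.dumps(summary, indent=2))
    print(parse_listing(BAD_SAMPLE)[2])
```

Grouping by PID is what makes the dump names useful: several entries for PID 1416 share the range 0x400000-0x51E000, the default image base of a 32-bit PE, so those are repeated snapshots of the same main module, while the 0x6xxxxxxx ranges are separate loaded modules. Picking the latest sequence number at the image base is usually the right dump to hand to a static tool after an unpacker such as ASPack or UPX has run.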