Analysis Overview
SHA256
c3704d9a70d0ad5a30590190e69f4748de1e232042bfbd6d43a3ea6f573dc18c
Threat Level: Known bad
The file c3704d9a70d0ad5a30590190e69f4748de1e232042bfbd6d43a3ea6f573dc18c was found to be: Known bad.
Malicious Activity Summary
Privateloader family
Nullmixer family
NullMixer
RedLine
Detect Fabookie payload
SectopRAT payload
Redline family
RedLine payload
PrivateLoader
SectopRAT
Vidar family
Vidar
Sectoprat family
Fabookie family
Fabookie
Vidar Stealer
Detected Nirsoft tools
ASPack v2.12-2.42
Executes dropped EXE
Checks computer location settings
Reads user/profile data of web browsers
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
UPX packed file
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-06 09:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-06 09:59
Reported
2024-11-06 10:01
Platform
win7-20240903-en
Max time kernel
95s
Max time network
150s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Vidar
Vidar family
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2536 set thread context of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_4.exe | C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_4.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_3.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-9R3L0.tmp\sahiba_8.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-RGNHD.tmp\sahiba_5.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_4.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary blob value omitted] | C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary blob value omitted] | C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_7.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_6.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_4.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a.exe
"C:\Users\Admin\AppData\Local\Temp\dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_2.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_8.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_9.exe
C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_9.exe
sahiba_9.exe
C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_3.exe
sahiba_3.exe
C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_1.exe
sahiba_1.exe
C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_6.exe
sahiba_6.exe
C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_5.exe
sahiba_5.exe
C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_7.exe
sahiba_7.exe
C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_1.exe
"C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_1.exe" -a
C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_4.exe
sahiba_4.exe
C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_2.exe
sahiba_2.exe
C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_8.exe
sahiba_8.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 272
C:\Users\Admin\AppData\Local\Temp\is-9R3L0.tmp\sahiba_8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9R3L0.tmp\sahiba_8.tmp" /SL5="$901A0,238351,154624,C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_8.exe"
C:\Users\Admin\AppData\Local\Temp\is-RGNHD.tmp\sahiba_5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RGNHD.tmp\sahiba_5.tmp" /SL5="$8019E,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_5.exe"
C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_4.exe
C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_4.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 424
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 968
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /DeleteCookiesWildcard "*.facebook.com"
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | watira.xyz | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 104.26.5.15:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | requested404.com | udp |
| US | 8.8.8.8:53 | superstationcity.com | udp |
| US | 8.8.8.8:53 | api.db-ip.com | udp |
| US | 104.26.4.15:443 | api.db-ip.com | tcp |
| US | 8.8.8.8:53 | xeronxikxxx.tumblr.com | udp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 104.17.27.25:80 | www.maxmind.com | tcp |
| US | 74.114.154.18:443 | xeronxikxxx.tumblr.com | tcp |
| GB | 37.0.8.235:80 | N/A | tcp |
| N/A | 127.0.0.1:49269 | N/A | tcp |
| N/A | 127.0.0.1:49272 | N/A | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | music-sec.xyz | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| SG | 37.0.11.8:80 | N/A | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.18:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| SG | 37.0.11.9:80 | N/A | tcp |
| SG | 37.0.11.9:80 | N/A | tcp |
| SG | 37.0.11.9:80 | N/A | tcp |
| SG | 37.0.11.9:80 | N/A | tcp |
| SG | 37.0.11.9:80 | N/A | tcp |
Files
\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | 937768008be3b71478be77f512943a75 |
| SHA1 | be2c1470c46eb18c49500dd5bb07a7cabe588398 |
| SHA256 | dc812fa1ae68dfa017cfde268e2ae523019308b102bce0acb1656c08b34dc818 |
| SHA512 | 0cba8d244ea822578021fdac8a215bf5ed2e6c3ff2d712bb01b4e80b004b8df326ac568ab682bb3d59a15cab6ff80b137b9fa9a66fe5b05438b8b6141d4ea469 |
\Users\Admin\AppData\Local\Temp\7zS88A30AD6\setup_install.exe
| MD5 | 3e6e91a0a2292b94b83916d430ad0db5 |
| SHA1 | ccbde14c585446acbfc7b981fdae3ec4f473b3b9 |
| SHA256 | 4ff18dc2fe0d3a6522a7bccb363eefce100f52d9da3566a3f4954ae0cae9f2fb |
| SHA512 | 74757b04a31fc52f76b8bb079323616f3f5086405a61069d4b483d046c924f379b51fdb5f3686c4beaac5665c7b7bef4efc058ef5bc8cba30fde95a77ca9b11a |
memory/2696-52-0x00000000033E0000-0x00000000034FE000-memory.dmp
memory/2696-46-0x00000000033E0000-0x00000000034FE000-memory.dmp
memory/2564-54-0x0000000000400000-0x000000000051E000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS88A30AD6\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
memory/2564-60-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
\Users\Admin\AppData\Local\Temp\7zS88A30AD6\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/2564-63-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2564-82-0x0000000000400000-0x000000000051E000-memory.dmp
memory/2564-84-0x0000000000400000-0x000000000051E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_1.exe
| MD5 | c0d18a829910babf695b4fdaea21a047 |
| SHA1 | 236a19746fe1a1063ebe077c8a0553566f92ef0f |
| SHA256 | 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98 |
| SHA512 | cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823 |
C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_6.exe
| MD5 | 255aac71617edb0cc31709ef30fbee0a |
| SHA1 | 98ef84fd1e1cc4ff60a52bab85d00db7093a8f01 |
| SHA256 | d0812c78e146d7774b25061dbdabae004fefc503ea363b441fa691add1eef26b |
| SHA512 | 2d2ae0e917453a52ab374ae4f0b12a4ec3e16ecf3c6aff2352a3daa187f189c000adc241ea48077fb7c1fbfc36cfa6702969a70a25502cc7db5ec9ef554121bc |
\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_2.exe
| MD5 | bb7409da9c80af6ca5ef4fdb40b08ed7 |
| SHA1 | f415c4ab1ad47e2f14f5be85386d0f3537bebf78 |
| SHA256 | 6c64ee41cc2643df2f95efde9a4ab31c71bef2af1371c71931fd216e93209c2e |
| SHA512 | 9b3fad8a7ead617be9b76a9b6bd6b3bb12f99362446609e5591e2609f4b13cb26271c4fce194627031be2633f274c2b95fd0fdb591ae798be4a413d7df3a7611 |
C:\Users\Admin\AppData\Local\Temp\is-28O35.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
C:\Users\Admin\AppData\Local\Temp\is-28O36.tmp\idp.dll
| MD5 | 8f995688085bced38ba7795f60a5e1d3 |
| SHA1 | 5b1ad67a149c05c50d6e388527af5c8a0af4343a |
| SHA256 | 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006 |
| SHA512 | 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35 |
memory/2536-152-0x0000000000F70000-0x0000000000FD8000-memory.dmp
memory/1896-151-0x00000000012A0000-0x00000000012D4000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_5.exe
| MD5 | 4b300abf0da6582cde1e9ec29c214abf |
| SHA1 | 73ff7d346dd476d34236cbeb67268dcf0af570ac |
| SHA256 | 783242dd1841ef1e7b62d7004291bfe3cd20816109dcd6932ec797aa5e6f09ff |
| SHA512 | d9c3a11830da2e39cd9b6b0e476f5a6bca7fe94d0a6300e838118bed998bde79c30f25ed758fba459d81ae06a87d9fc708eae318126c47529b23b4d17fba4587 |
memory/1748-133-0x0000000000400000-0x000000000042C000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_8.exe
| MD5 | c06e890154e59a75f67e2d37295c2bc9 |
| SHA1 | e6deea575d36331a0c2f8d42586442c43f5d58b8 |
| SHA256 | 76d4acbc47089e7b075834a63bd148062da9d01b2d9bfada50dbe2bfc500cd97 |
| SHA512 | 3d64c2a95e738b50e1ae8a048fac79d974118e86fbdb6fde537a891bfa9a7dbbaeeaf068d3f7432567d1bf2f93b96182a61f49a71f718847f99ee1de3649ad5c |
memory/2208-160-0x0000000000400000-0x0000000000516000-memory.dmp
memory/2164-164-0x0000000000400000-0x00000000004D5000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_4.exe
| MD5 | eb73f48eaf544bf7e035a58f95f73394 |
| SHA1 | 251f0d09f14452538ecfa0924a4618c3c16887e3 |
| SHA256 | da72fa2ad767e22db3d55506846b5d4db7932cd7287391c483faa80c5e86bcce |
| SHA512 | a190b5e95308aa2a855dbb6c93841fbfbd79bd3c04b3f3c90e94b88c35c0409de68c39f31373b7dce38998ecdc35064541efad17f63978e14022ec9efac3b4c1 |
memory/1896-165-0x00000000002C0000-0x00000000002C6000-memory.dmp
memory/2856-121-0x0000000000400000-0x000000000046D000-memory.dmp
memory/2856-167-0x0000000000400000-0x000000000046D000-memory.dmp
memory/1748-166-0x0000000000400000-0x000000000042C000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_9.exe
| MD5 | 270dd1da0ab7f38cdff6fab84562ec7a |
| SHA1 | cf7be169ee4415085baeb4aeaa60932ac5abf4ac |
| SHA256 | 7d7d5ae0fa9286fea65a6f94240389998ff0d08340a2aedc67ef3547e84d64c6 |
| SHA512 | dc3d7d112a8e43c34261f3425ef6710d61cb92d797dd4a1e9b04e02971db42a4a2e2488bf5397c0ec9a6a1a6a718cec77c379377647402099cb7e4a5bb381286 |
C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_7.exe
| MD5 | 3011f2257b899aa8196e02447383a46b |
| SHA1 | cb90ff25622aa5e5e20e257f6c6cb3ce58bd6940 |
| SHA256 | 4df50c6d6d188c3413bdba53851cbeea7b281b92b0d5341c021a65912395fa5b |
| SHA512 | db29dcb83a786af54720ad0a6db69949f3479c95cc940e005b803000e28d00a5dbe3d68b075215c8c4c4f804986e9c3839a3de3a93751725326e1b62ef420323 |
memory/2564-96-0x0000000000520000-0x000000000063E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS88A30AD6\sahiba_3.txt
| MD5 | 4fa4a626bfe65bbb3ba048e66170556a |
| SHA1 | 05e0beeedc4a183056292c36cc87a9822f3a19af |
| SHA256 | 7e1282097df8513b7a380803f31386373c178bb97102862d6a08816c0a8902f4 |
| SHA512 | 3236f3a9baf67ec60e1fef21c7c053df5f33d70b8fad9146ad45f2d9f55c9db95e468d5edabb6658a43bb11776a813f0a5448b560b7939f35a38490c2345e7cd |
C:\Users\Admin\AppData\Local\Temp\Cab80.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarB1.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
memory/1404-228-0x0000000000470000-0x00000000004CB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
| MD5 | 7fee8223d6e4f82d6cd115a28f0b6d58 |
| SHA1 | 1b89c25f25253df23426bd9ff6c9208f1202f58b |
| SHA256 | a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59 |
| SHA512 | 3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-06 09:59
Reported
2024-11-06 10:01
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
Vidar
Vidar family
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_1.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-SQT9S.tmp\sahiba_5.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-C6ULR.tmp\sahiba_8.tmp | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4520 set thread context of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_4.exe | C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_4.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-C6ULR.tmp\sahiba_8.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-SQT9S.tmp\sahiba_5.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_6.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_4.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a.exe
"C:\Users\Admin\AppData\Local\Temp\dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_2.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_8.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_9.exe
C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_1.exe
sahiba_1.exe
C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_4.exe
sahiba_4.exe
C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_2.exe
sahiba_2.exe
C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_3.exe
sahiba_3.exe
C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_5.exe
sahiba_5.exe
C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_6.exe
sahiba_6.exe
C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe
sahiba_7.exe
C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_8.exe
sahiba_8.exe
C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_9.exe
sahiba_9.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3784 -ip 3784
C:\Users\Admin\AppData\Local\Temp\is-SQT9S.tmp\sahiba_5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SQT9S.tmp\sahiba_5.tmp" /SL5="$70090,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_5.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2416 -ip 2416
C:\Users\Admin\AppData\Local\Temp\is-C6ULR.tmp\sahiba_8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-C6ULR.tmp\sahiba_8.tmp" /SL5="$F0068,238351,154624,C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_8.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 360
C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_1.exe
"C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_1.exe" -a
C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_4.exe
C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_4.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /DeleteCookiesWildcard "*.facebook.com"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4072 -ip 4072
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 1028
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | watira.xyz | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | requested404.com | udp |
| US | 104.26.4.15:443 | db-ip.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | superstationcity.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | api.db-ip.com | udp |
| US | 8.8.8.8:53 | music-sec.xyz | udp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.4.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 172.67.75.166:443 | api.db-ip.com | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 104.17.28.25:80 | www.maxmind.com | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | xeronxikxxx.tumblr.com | udp |
| US | 74.114.154.18:443 | xeronxikxxx.tumblr.com | tcp |
| GB | 37.0.8.235:80 | | tcp |
| US | 8.8.8.8:53 | 166.75.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.28.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.154.114.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| N/A | 127.0.0.1:52455 | | tcp |
| N/A | 127.0.0.1:52457 | | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| SG | 37.0.11.8:80 | | tcp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| SG | 37.0.11.9:80 | | tcp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 208.5.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| SG | 37.0.11.9:80 | | tcp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| SG | 37.0.11.9:80 | | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| SG | 37.0.11.9:80 | | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| SG | 37.0.11.9:80 | | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | 937768008be3b71478be77f512943a75 |
| SHA1 | be2c1470c46eb18c49500dd5bb07a7cabe588398 |
| SHA256 | dc812fa1ae68dfa017cfde268e2ae523019308b102bce0acb1656c08b34dc818 |
| SHA512 | 0cba8d244ea822578021fdac8a215bf5ed2e6c3ff2d712bb01b4e80b004b8df326ac568ab682bb3d59a15cab6ff80b137b9fa9a66fe5b05438b8b6141d4ea469 |
C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\setup_install.exe
| MD5 | 3e6e91a0a2292b94b83916d430ad0db5 |
| SHA1 | ccbde14c585446acbfc7b981fdae3ec4f473b3b9 |
| SHA256 | 4ff18dc2fe0d3a6522a7bccb363eefce100f52d9da3566a3f4954ae0cae9f2fb |
| SHA512 | 74757b04a31fc52f76b8bb079323616f3f5086405a61069d4b483d046c924f379b51fdb5f3686c4beaac5665c7b7bef4efc058ef5bc8cba30fde95a77ca9b11a |
memory/2416-48-0x0000000000400000-0x000000000051E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/2416-61-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2416-65-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2416-64-0x0000000064941000-0x000000006494F000-memory.dmp
memory/2416-63-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2416-57-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
memory/2416-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2416-74-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2416-80-0x0000000000400000-0x000000000051E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_2.exe
| MD5 | bb7409da9c80af6ca5ef4fdb40b08ed7 |
| SHA1 | f415c4ab1ad47e2f14f5be85386d0f3537bebf78 |
| SHA256 | 6c64ee41cc2643df2f95efde9a4ab31c71bef2af1371c71931fd216e93209c2e |
| SHA512 | 9b3fad8a7ead617be9b76a9b6bd6b3bb12f99362446609e5591e2609f4b13cb26271c4fce194627031be2633f274c2b95fd0fdb591ae798be4a413d7df3a7611 |
C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_3.exe
| MD5 | 4fa4a626bfe65bbb3ba048e66170556a |
| SHA1 | 05e0beeedc4a183056292c36cc87a9822f3a19af |
| SHA256 | 7e1282097df8513b7a380803f31386373c178bb97102862d6a08816c0a8902f4 |
| SHA512 | 3236f3a9baf67ec60e1fef21c7c053df5f33d70b8fad9146ad45f2d9f55c9db95e468d5edabb6658a43bb11776a813f0a5448b560b7939f35a38490c2345e7cd |
C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_7.exe
| MD5 | 3011f2257b899aa8196e02447383a46b |
| SHA1 | cb90ff25622aa5e5e20e257f6c6cb3ce58bd6940 |
| SHA256 | 4df50c6d6d188c3413bdba53851cbeea7b281b92b0d5341c021a65912395fa5b |
| SHA512 | db29dcb83a786af54720ad0a6db69949f3479c95cc940e005b803000e28d00a5dbe3d68b075215c8c4c4f804986e9c3839a3de3a93751725326e1b62ef420323 |
C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_6.exe
| MD5 | 255aac71617edb0cc31709ef30fbee0a |
| SHA1 | 98ef84fd1e1cc4ff60a52bab85d00db7093a8f01 |
| SHA256 | d0812c78e146d7774b25061dbdabae004fefc503ea363b441fa691add1eef26b |
| SHA512 | 2d2ae0e917453a52ab374ae4f0b12a4ec3e16ecf3c6aff2352a3daa187f189c000adc241ea48077fb7c1fbfc36cfa6702969a70a25502cc7db5ec9ef554121bc |
memory/4520-98-0x0000000000900000-0x0000000000968000-memory.dmp
memory/1740-96-0x0000000000400000-0x000000000046D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_5.exe
| MD5 | 4b300abf0da6582cde1e9ec29c214abf |
| SHA1 | 73ff7d346dd476d34236cbeb67268dcf0af570ac |
| SHA256 | 783242dd1841ef1e7b62d7004291bfe3cd20816109dcd6932ec797aa5e6f09ff |
| SHA512 | d9c3a11830da2e39cd9b6b0e476f5a6bca7fe94d0a6300e838118bed998bde79c30f25ed758fba459d81ae06a87d9fc708eae318126c47529b23b4d17fba4587 |
C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_4.exe
| MD5 | eb73f48eaf544bf7e035a58f95f73394 |
| SHA1 | 251f0d09f14452538ecfa0924a4618c3c16887e3 |
| SHA256 | da72fa2ad767e22db3d55506846b5d4db7932cd7287391c483faa80c5e86bcce |
| SHA512 | a190b5e95308aa2a855dbb6c93841fbfbd79bd3c04b3f3c90e94b88c35c0409de68c39f31373b7dce38998ecdc35064541efad17f63978e14022ec9efac3b4c1 |
C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_1.exe
| MD5 | c0d18a829910babf695b4fdaea21a047 |
| SHA1 | 236a19746fe1a1063ebe077c8a0553566f92ef0f |
| SHA256 | 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98 |
| SHA512 | cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823 |
C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_9.txt
| MD5 | 270dd1da0ab7f38cdff6fab84562ec7a |
| SHA1 | cf7be169ee4415085baeb4aeaa60932ac5abf4ac |
| SHA256 | 7d7d5ae0fa9286fea65a6f94240389998ff0d08340a2aedc67ef3547e84d64c6 |
| SHA512 | dc3d7d112a8e43c34261f3425ef6710d61cb92d797dd4a1e9b04e02971db42a4a2e2488bf5397c0ec9a6a1a6a718cec77c379377647402099cb7e4a5bb381286 |
C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\sahiba_8.txt
| MD5 | c06e890154e59a75f67e2d37295c2bc9 |
| SHA1 | e6deea575d36331a0c2f8d42586442c43f5d58b8 |
| SHA256 | 76d4acbc47089e7b075834a63bd148062da9d01b2d9bfada50dbe2bfc500cd97 |
| SHA512 | 3d64c2a95e738b50e1ae8a048fac79d974118e86fbdb6fde537a891bfa9a7dbbaeeaf068d3f7432567d1bf2f93b96182a61f49a71f718847f99ee1de3649ad5c |
memory/2416-79-0x0000000000400000-0x000000000051E000-memory.dmp
memory/2416-78-0x0000000000400000-0x000000000051E000-memory.dmp
memory/2416-76-0x0000000000400000-0x000000000051E000-memory.dmp
memory/2416-75-0x0000000000400000-0x000000000051E000-memory.dmp
memory/2416-73-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2416-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2416-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2416-77-0x0000000000400000-0x000000000051E000-memory.dmp
memory/2416-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2416-68-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2416-67-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2416-66-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
C:\Users\Admin\AppData\Local\Temp\7zS09E5F597\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
memory/4520-103-0x00000000051A0000-0x0000000005216000-memory.dmp
memory/4572-105-0x0000000000400000-0x000000000042C000-memory.dmp
memory/3968-108-0x0000000000AF0000-0x0000000000B24000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-SQT9S.tmp\sahiba_5.tmp
| MD5 | b6cee06d96499009bc0fddd23dc935aa |
| SHA1 | ffaef1baa4456b6e10bb40c2612dba7b18743d01 |
| SHA256 | 9553aee4cfe474165afa02a4f89455aaba3e27fe03bfda46ec85ec7c6f01574f |
| SHA512 | b710767c8802981495368f0b4e0dd87a4b04833b974e6b82605c92a8303b1cf5525634b3c34a1e251193c73c59579aa15704260c3898a2d49f641770b2d95b4f |
memory/4520-114-0x0000000005140000-0x000000000515E000-memory.dmp
memory/3968-115-0x0000000002A80000-0x0000000002A86000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-C6ULR.tmp\sahiba_8.tmp
| MD5 | 1623272fc3047895b1db3c60b2dd7bc5 |
| SHA1 | 772e1f9d062d8b98d241ae54414c814b8a6610bb |
| SHA256 | 89b72c11ec6a19aeb26bc5305912b5b734e732211fe12160d3a07507a0fd99c1 |
| SHA512 | 135c85f2f2eba58f6f64a218f5a4e76a57d97906d50fa9877fa5b9292bc34a341dda0b72470736019e1031403be32f7505cf3f797502292fe97c29adbc8daa73 |
C:\Users\Admin\AppData\Local\Temp\is-LMRG9.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
C:\Users\Admin\AppData\Local\Temp\is-LMRG9.tmp\idp.dll
| MD5 | 8f995688085bced38ba7795f60a5e1d3 |
| SHA1 | 5b1ad67a149c05c50d6e388527af5c8a0af4343a |
| SHA256 | 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006 |
| SHA512 | 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35 |
memory/3968-120-0x0000000002A90000-0x0000000002AB6000-memory.dmp
memory/3968-133-0x0000000002AB0000-0x0000000002AB6000-memory.dmp
memory/4520-135-0x00000000059B0000-0x0000000005F54000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
| MD5 | 7fee8223d6e4f82d6cd115a28f0b6d58 |
| SHA1 | 1b89c25f25253df23426bd9ff6c9208f1202f58b |
| SHA256 | a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59 |
| SHA512 | 3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4 |
memory/2356-149-0x0000000000400000-0x00000000004D5000-memory.dmp
memory/2140-147-0x0000000000400000-0x000000000045B000-memory.dmp
memory/216-157-0x0000000000400000-0x000000000045B000-memory.dmp
memory/4572-156-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2140-153-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1740-152-0x0000000000400000-0x000000000046D000-memory.dmp
memory/5008-145-0x0000000000400000-0x0000000000516000-memory.dmp
memory/2416-166-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2416-169-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2416-167-0x0000000000400000-0x000000000051E000-memory.dmp
memory/2416-168-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2416-165-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2416-163-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/3784-170-0x0000000000400000-0x000000000324C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
| MD5 | b7161c0845a64ff6d7345b67ff97f3b0 |
| SHA1 | d223f855da541fe8e4c1d5c50cb26da0a1deb5fc |
| SHA256 | fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66 |
| SHA512 | 98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680 |
memory/3412-186-0x0000000000400000-0x000000000045B000-memory.dmp
memory/604-190-0x0000000000400000-0x000000000045B000-memory.dmp
memory/604-192-0x0000000000400000-0x000000000045B000-memory.dmp
memory/4072-193-0x0000000000400000-0x00000000032A0000-memory.dmp
memory/316-194-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sahiba_4.exe.log
| MD5 | e5352797047ad2c91b83e933b24fbc4f |
| SHA1 | 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772 |
| SHA256 | b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c |
| SHA512 | dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827 |
memory/316-198-0x0000000005A40000-0x0000000006058000-memory.dmp
memory/316-199-0x00000000054D0000-0x00000000054E2000-memory.dmp
memory/316-200-0x0000000005570000-0x00000000055AC000-memory.dmp
memory/316-201-0x00000000055B0000-0x00000000055FC000-memory.dmp
memory/316-202-0x0000000005820000-0x000000000592A000-memory.dmp
memory/3100-211-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2412-213-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2984-221-0x0000000000400000-0x000000000045B000-memory.dmp
memory/3024-223-0x0000000000400000-0x000000000045B000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-06 09:59
Reported
2024-11-06 10:01
Platform
win7-20241023-en
Max time kernel
41s
Max time network
150s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Vidar
Vidar family
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2220 set thread context of 1556 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_4.exe | C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_4.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_3.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-VB2I9.tmp\sahiba_5.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-02MAF.tmp\sahiba_8.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_1.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_6.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_4.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_2.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_8.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_9.exe
C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_4.exe
sahiba_4.exe
C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_6.exe
sahiba_6.exe
C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_8.exe
sahiba_8.exe
C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_1.exe
sahiba_1.exe
C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_5.exe
sahiba_5.exe
C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_3.exe
sahiba_3.exe
C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_9.exe
sahiba_9.exe
C:\Users\Admin\AppData\Local\Temp\is-VB2I9.tmp\sahiba_5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VB2I9.tmp\sahiba_5.tmp" /SL5="$7018E,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_5.exe"
C:\Users\Admin\AppData\Local\Temp\is-02MAF.tmp\sahiba_8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-02MAF.tmp\sahiba_8.tmp" /SL5="$70198,238351,154624,C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_8.exe"
C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_7.exe
sahiba_7.exe
C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_2.exe
sahiba_2.exe
C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_1.exe
"C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_1.exe" -a
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 272
C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_4.exe
C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_4.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 424
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /DeleteCookiesWildcard "*.facebook.com"
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 984
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | watira.xyz | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 172.67.75.166:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | api.db-ip.com | udp |
| US | 104.26.4.15:443 | api.db-ip.com | tcp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 104.17.28.25:80 | www.maxmind.com | tcp |
| GB | 37.0.8.235:80 | N/A | tcp |
| N/A | 127.0.0.1:49276 | N/A | tcp |
| N/A | 127.0.0.1:49278 | N/A | tcp |
| US | 8.8.8.8:53 | superstationcity.com | udp |
| US | 8.8.8.8:53 | requested404.com | udp |
| US | 8.8.8.8:53 | superstationcity.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | music-sec.xyz | udp |
| US | 8.8.8.8:53 | xeronxikxxx.tumblr.com | udp |
| US | 74.114.154.18:443 | xeronxikxxx.tumblr.com | tcp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| SG | 37.0.11.8:80 | N/A | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| SG | 37.0.11.9:80 | N/A | tcp |
| SG | 37.0.11.9:80 | N/A | tcp |
| SG | 37.0.11.9:80 | N/A | tcp |
| SG | 37.0.11.9:80 | N/A | tcp |
| SG | 37.0.11.9:80 | N/A | tcp |
Files
\Users\Admin\AppData\Local\Temp\7zS01814C96\setup_install.exe
| MD5 | 3e6e91a0a2292b94b83916d430ad0db5 |
| SHA1 | ccbde14c585446acbfc7b981fdae3ec4f473b3b9 |
| SHA256 | 4ff18dc2fe0d3a6522a7bccb363eefce100f52d9da3566a3f4954ae0cae9f2fb |
| SHA512 | 74757b04a31fc52f76b8bb079323616f3f5086405a61069d4b483d046c924f379b51fdb5f3686c4beaac5665c7b7bef4efc058ef5bc8cba30fde95a77ca9b11a |
memory/2064-34-0x00000000033B0000-0x00000000034CE000-memory.dmp
memory/2064-41-0x00000000033B0000-0x00000000034CE000-memory.dmp
memory/800-43-0x0000000000400000-0x000000000051E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS01814C96\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zS01814C96\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
memory/800-49-0x000000006B280000-0x000000006B2A6000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS01814C96\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
C:\Users\Admin\AppData\Local\Temp\7zS01814C96\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/800-52-0x000000006B440000-0x000000006B4CF000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS01814C96\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
memory/800-75-0x0000000000400000-0x000000000051E000-memory.dmp
memory/800-76-0x0000000000400000-0x000000000051E000-memory.dmp
memory/800-74-0x0000000000400000-0x000000000051E000-memory.dmp
memory/800-73-0x0000000000400000-0x000000000051E000-memory.dmp
memory/800-72-0x0000000000400000-0x000000000051E000-memory.dmp
memory/800-71-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/800-70-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/800-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/800-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/800-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/800-67-0x0000000064940000-0x0000000064959000-memory.dmp
memory/800-66-0x000000006494A000-0x000000006494F000-memory.dmp
memory/800-64-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/800-63-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/800-62-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/800-61-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/800-60-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/800-77-0x0000000000400000-0x000000000051E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_9.txt
| MD5 | 270dd1da0ab7f38cdff6fab84562ec7a |
| SHA1 | cf7be169ee4415085baeb4aeaa60932ac5abf4ac |
| SHA256 | 7d7d5ae0fa9286fea65a6f94240389998ff0d08340a2aedc67ef3547e84d64c6 |
| SHA512 | dc3d7d112a8e43c34261f3425ef6710d61cb92d797dd4a1e9b04e02971db42a4a2e2488bf5397c0ec9a6a1a6a718cec77c379377647402099cb7e4a5bb381286 |
\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_8.exe
| MD5 | c06e890154e59a75f67e2d37295c2bc9 |
| SHA1 | e6deea575d36331a0c2f8d42586442c43f5d58b8 |
| SHA256 | 76d4acbc47089e7b075834a63bd148062da9d01b2d9bfada50dbe2bfc500cd97 |
| SHA512 | 3d64c2a95e738b50e1ae8a048fac79d974118e86fbdb6fde537a891bfa9a7dbbaeeaf068d3f7432567d1bf2f93b96182a61f49a71f718847f99ee1de3649ad5c |
C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_1.exe
| MD5 | c0d18a829910babf695b4fdaea21a047 |
| SHA1 | 236a19746fe1a1063ebe077c8a0553566f92ef0f |
| SHA256 | 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98 |
| SHA512 | cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823 |
\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_3.exe
| MD5 | 4fa4a626bfe65bbb3ba048e66170556a |
| SHA1 | 05e0beeedc4a183056292c36cc87a9822f3a19af |
| SHA256 | 7e1282097df8513b7a380803f31386373c178bb97102862d6a08816c0a8902f4 |
| SHA512 | 3236f3a9baf67ec60e1fef21c7c053df5f33d70b8fad9146ad45f2d9f55c9db95e468d5edabb6658a43bb11776a813f0a5448b560b7939f35a38490c2345e7cd |
C:\Users\Admin\AppData\Local\Temp\is-IPVF9.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
C:\Users\Admin\AppData\Local\Temp\is-IPVF9.tmp\idp.dll
| MD5 | 8f995688085bced38ba7795f60a5e1d3 |
| SHA1 | 5b1ad67a149c05c50d6e388527af5c8a0af4343a |
| SHA256 | 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006 |
| SHA512 | 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35 |
C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_2.exe
| MD5 | bb7409da9c80af6ca5ef4fdb40b08ed7 |
| SHA1 | f415c4ab1ad47e2f14f5be85386d0f3537bebf78 |
| SHA256 | 6c64ee41cc2643df2f95efde9a4ab31c71bef2af1371c71931fd216e93209c2e |
| SHA512 | 9b3fad8a7ead617be9b76a9b6bd6b3bb12f99362446609e5591e2609f4b13cb26271c4fce194627031be2633f274c2b95fd0fdb591ae798be4a413d7df3a7611 |
C:\Users\Admin\AppData\Local\Temp\is-02MAF.tmp\sahiba_8.tmp
| MD5 | 1623272fc3047895b1db3c60b2dd7bc5 |
| SHA1 | 772e1f9d062d8b98d241ae54414c814b8a6610bb |
| SHA256 | 89b72c11ec6a19aeb26bc5305912b5b734e732211fe12160d3a07507a0fd99c1 |
| SHA512 | 135c85f2f2eba58f6f64a218f5a4e76a57d97906d50fa9877fa5b9292bc34a341dda0b72470736019e1031403be32f7505cf3f797502292fe97c29adbc8daa73 |
\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_7.exe
| MD5 | 3011f2257b899aa8196e02447383a46b |
| SHA1 | cb90ff25622aa5e5e20e257f6c6cb3ce58bd6940 |
| SHA256 | 4df50c6d6d188c3413bdba53851cbeea7b281b92b0d5341c021a65912395fa5b |
| SHA512 | db29dcb83a786af54720ad0a6db69949f3479c95cc940e005b803000e28d00a5dbe3d68b075215c8c4c4f804986e9c3839a3de3a93751725326e1b62ef420323 |
\Users\Admin\AppData\Local\Temp\is-VB2I9.tmp\sahiba_5.tmp
| MD5 | b6cee06d96499009bc0fddd23dc935aa |
| SHA1 | ffaef1baa4456b6e10bb40c2612dba7b18743d01 |
| SHA256 | 9553aee4cfe474165afa02a4f89455aaba3e27fe03bfda46ec85ec7c6f01574f |
| SHA512 | b710767c8802981495368f0b4e0dd87a4b04833b974e6b82605c92a8303b1cf5525634b3c34a1e251193c73c59579aa15704260c3898a2d49f641770b2d95b4f |
memory/2220-150-0x00000000012A0000-0x0000000001308000-memory.dmp
memory/1232-101-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1672-110-0x0000000000400000-0x000000000046D000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_5.exe
| MD5 | 4b300abf0da6582cde1e9ec29c214abf |
| SHA1 | 73ff7d346dd476d34236cbeb67268dcf0af570ac |
| SHA256 | 783242dd1841ef1e7b62d7004291bfe3cd20816109dcd6932ec797aa5e6f09ff |
| SHA512 | d9c3a11830da2e39cd9b6b0e476f5a6bca7fe94d0a6300e838118bed998bde79c30f25ed758fba459d81ae06a87d9fc708eae318126c47529b23b4d17fba4587 |
C:\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_6.exe
| MD5 | 255aac71617edb0cc31709ef30fbee0a |
| SHA1 | 98ef84fd1e1cc4ff60a52bab85d00db7093a8f01 |
| SHA256 | d0812c78e146d7774b25061dbdabae004fefc503ea363b441fa691add1eef26b |
| SHA512 | 2d2ae0e917453a52ab374ae4f0b12a4ec3e16ecf3c6aff2352a3daa187f189c000adc241ea48077fb7c1fbfc36cfa6702969a70a25502cc7db5ec9ef554121bc |
\Users\Admin\AppData\Local\Temp\7zS01814C96\sahiba_4.exe
| MD5 | eb73f48eaf544bf7e035a58f95f73394 |
| SHA1 | 251f0d09f14452538ecfa0924a4618c3c16887e3 |
| SHA256 | da72fa2ad767e22db3d55506846b5d4db7932cd7287391c483faa80c5e86bcce |
| SHA512 | a190b5e95308aa2a855dbb6c93841fbfbd79bd3c04b3f3c90e94b88c35c0409de68c39f31373b7dce38998ecdc35064541efad17f63978e14022ec9efac3b4c1 |
memory/2016-151-0x0000000000B00000-0x0000000000B34000-memory.dmp
memory/2016-152-0x0000000000240000-0x0000000000246000-memory.dmp
memory/2016-153-0x0000000000250000-0x0000000000276000-memory.dmp
memory/2016-154-0x0000000000270000-0x0000000000276000-memory.dmp
memory/2872-158-0x0000000000400000-0x00000000004D5000-memory.dmp
memory/1232-159-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2928-163-0x0000000000400000-0x0000000000516000-memory.dmp
memory/1672-164-0x0000000000400000-0x000000000046D000-memory.dmp
memory/2204-177-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2204-176-0x0000000000240000-0x000000000029B000-memory.dmp
memory/2324-179-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2324-182-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2324-180-0x0000000000240000-0x000000000029B000-memory.dmp
memory/2324-178-0x0000000000240000-0x000000000029B000-memory.dmp
memory/2204-173-0x0000000000240000-0x000000000029B000-memory.dmp
memory/800-172-0x0000000064940000-0x0000000064959000-memory.dmp
memory/1984-171-0x00000000002B0000-0x000000000030B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
| MD5 | 7fee8223d6e4f82d6cd115a28f0b6d58 |
| SHA1 | 1b89c25f25253df23426bd9ff6c9208f1202f58b |
| SHA256 | a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59 |
| SHA512 | 3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4 |
memory/1984-169-0x00000000002B0000-0x000000000030B000-memory.dmp
memory/1556-185-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1556-194-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1556-193-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1556-192-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1556-191-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1556-189-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1556-187-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1556-183-0x0000000000400000-0x000000000041E000-memory.dmp
memory/800-215-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/800-217-0x0000000000400000-0x000000000051E000-memory.dmp
memory/800-220-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/800-219-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/800-218-0x0000000064940000-0x0000000064959000-memory.dmp
memory/800-214-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabD54B.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarD619.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
memory/2952-250-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1984-251-0x00000000002B0000-0x000000000030B000-memory.dmp
memory/1984-247-0x00000000002B0000-0x000000000030B000-memory.dmp
memory/2888-253-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1984-252-0x00000000002B0000-0x000000000030B000-memory.dmp
memory/2888-258-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1968-279-0x0000000000400000-0x000000000045B000-memory.dmp
memory/492-284-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1984-283-0x00000000002B0000-0x000000000030B000-memory.dmp
memory/492-282-0x00000000008C0000-0x000000000091B000-memory.dmp
memory/492-280-0x00000000008C0000-0x000000000091B000-memory.dmp
memory/1984-286-0x00000000002B0000-0x000000000030B000-memory.dmp
memory/1984-285-0x00000000002B0000-0x000000000030B000-memory.dmp
memory/2692-296-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2604-294-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1984-300-0x00000000002B0000-0x000000000030B000-memory.dmp
memory/2908-297-0x0000000000400000-0x00000000032A0000-memory.dmp
memory/1204-298-0x0000000000400000-0x000000000324C000-memory.dmp
memory/1984-299-0x00000000002B0000-0x000000000030B000-memory.dmp
memory/1984-302-0x00000000002B0000-0x000000000030B000-memory.dmp
memory/1984-304-0x00000000002B0000-0x000000000030B000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-06 09:59
Reported
2024-11-06 10:01
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
Vidar
Vidar family
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_1.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-GM86I.tmp\sahiba_5.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-FQC6B.tmp\sahiba_8.tmp | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2356 set thread context of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_4.exe | C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_4.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-GM86I.tmp\sahiba_5.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-FQC6B.tmp\sahiba_8.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_6.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_4.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_2.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_8.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_9.exe
C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_1.exe
sahiba_1.exe
C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_2.exe
sahiba_2.exe
C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_4.exe
sahiba_4.exe
C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_3.exe
sahiba_3.exe
C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_6.exe
sahiba_6.exe
C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_5.exe
sahiba_5.exe
C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_9.exe
sahiba_9.exe
C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_8.exe
sahiba_8.exe
C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_7.exe
sahiba_7.exe
C:\Users\Admin\AppData\Local\Temp\is-GM86I.tmp\sahiba_5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GM86I.tmp\sahiba_5.tmp" /SL5="$7003C,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_5.exe"
C:\Users\Admin\AppData\Local\Temp\is-FQC6B.tmp\sahiba_8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FQC6B.tmp\sahiba_8.tmp" /SL5="$6021C,238351,154624,C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_8.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1416 -ip 1416
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 388 -ip 388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 360
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 556
C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_4.exe
C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_4.exe
C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_1.exe
"C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_1.exe" -a
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /DeleteCookiesWildcard "*.facebook.com"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2832 -ip 2832
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 1028
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | watira.xyz | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | superstationcity.com | udp |
| US | 8.8.8.8:53 | requested404.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | music-sec.xyz | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 172.67.75.166:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | api.db-ip.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.75.166:443 | api.db-ip.com | tcp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 104.17.28.25:80 | www.maxmind.com | tcp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.75.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.74.67.172.in-addr.arpa | udp |
| GB | 37.0.8.235:80 | | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | xeronxikxxx.tumblr.com | udp |
| US | 74.114.154.22:443 | xeronxikxxx.tumblr.com | tcp |
| US | 8.8.8.8:53 | 25.28.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.154.114.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| N/A | 127.0.0.1:65143 | | tcp |
| N/A | 127.0.0.1:65145 | | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| SG | 37.0.11.8:80 | | tcp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| SG | 37.0.11.9:80 | | tcp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | 208.5.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| SG | 37.0.11.9:80 | | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| SG | 37.0.11.9:80 | | tcp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| SG | 37.0.11.9:80 | | tcp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| SG | 37.0.11.9:80 | | tcp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | f.youtuuee.com | udp |
| US | 8.8.8.8:53 | liezaphare.xyz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\setup_install.exe
| MD5 | 3e6e91a0a2292b94b83916d430ad0db5 |
| SHA1 | ccbde14c585446acbfc7b981fdae3ec4f473b3b9 |
| SHA256 | 4ff18dc2fe0d3a6522a7bccb363eefce100f52d9da3566a3f4954ae0cae9f2fb |
| SHA512 | 74757b04a31fc52f76b8bb079323616f3f5086405a61069d4b483d046c924f379b51fdb5f3686c4beaac5665c7b7bef4efc058ef5bc8cba30fde95a77ca9b11a |
memory/1416-36-0x0000000000400000-0x000000000051E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
memory/1416-48-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/1416-54-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1416-53-0x0000000064940000-0x0000000064959000-memory.dmp
memory/1416-52-0x0000000064941000-0x000000006494F000-memory.dmp
memory/1416-51-0x00000000007F0000-0x000000000087F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/1416-61-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1416-69-0x0000000000400000-0x000000000051E000-memory.dmp
memory/1416-68-0x0000000000400000-0x000000000051E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_2.exe
| MD5 | bb7409da9c80af6ca5ef4fdb40b08ed7 |
| SHA1 | f415c4ab1ad47e2f14f5be85386d0f3537bebf78 |
| SHA256 | 6c64ee41cc2643df2f95efde9a4ab31c71bef2af1371c71931fd216e93209c2e |
| SHA512 | 9b3fad8a7ead617be9b76a9b6bd6b3bb12f99362446609e5591e2609f4b13cb26271c4fce194627031be2633f274c2b95fd0fdb591ae798be4a413d7df3a7611 |
memory/1396-90-0x0000000000400000-0x000000000042C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_1.exe
| MD5 | c0d18a829910babf695b4fdaea21a047 |
| SHA1 | 236a19746fe1a1063ebe077c8a0553566f92ef0f |
| SHA256 | 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98 |
| SHA512 | cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823 |
C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_7.exe
| MD5 | 3011f2257b899aa8196e02447383a46b |
| SHA1 | cb90ff25622aa5e5e20e257f6c6cb3ce58bd6940 |
| SHA256 | 4df50c6d6d188c3413bdba53851cbeea7b281b92b0d5341c021a65912395fa5b |
| SHA512 | db29dcb83a786af54720ad0a6db69949f3479c95cc940e005b803000e28d00a5dbe3d68b075215c8c4c4f804986e9c3839a3de3a93751725326e1b62ef420323 |
C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_8.exe
| MD5 | c06e890154e59a75f67e2d37295c2bc9 |
| SHA1 | e6deea575d36331a0c2f8d42586442c43f5d58b8 |
| SHA256 | 76d4acbc47089e7b075834a63bd148062da9d01b2d9bfada50dbe2bfc500cd97 |
| SHA512 | 3d64c2a95e738b50e1ae8a048fac79d974118e86fbdb6fde537a891bfa9a7dbbaeeaf068d3f7432567d1bf2f93b96182a61f49a71f718847f99ee1de3649ad5c |
C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_9.exe
| MD5 | 270dd1da0ab7f38cdff6fab84562ec7a |
| SHA1 | cf7be169ee4415085baeb4aeaa60932ac5abf4ac |
| SHA256 | 7d7d5ae0fa9286fea65a6f94240389998ff0d08340a2aedc67ef3547e84d64c6 |
| SHA512 | dc3d7d112a8e43c34261f3425ef6710d61cb92d797dd4a1e9b04e02971db42a4a2e2488bf5397c0ec9a6a1a6a718cec77c379377647402099cb7e4a5bb381286 |
memory/1412-88-0x0000000000400000-0x000000000046D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_5.exe
| MD5 | 4b300abf0da6582cde1e9ec29c214abf |
| SHA1 | 73ff7d346dd476d34236cbeb67268dcf0af570ac |
| SHA256 | 783242dd1841ef1e7b62d7004291bfe3cd20816109dcd6932ec797aa5e6f09ff |
| SHA512 | d9c3a11830da2e39cd9b6b0e476f5a6bca7fe94d0a6300e838118bed998bde79c30f25ed758fba459d81ae06a87d9fc708eae318126c47529b23b4d17fba4587 |
C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_6.exe
| MD5 | 255aac71617edb0cc31709ef30fbee0a |
| SHA1 | 98ef84fd1e1cc4ff60a52bab85d00db7093a8f01 |
| SHA256 | d0812c78e146d7774b25061dbdabae004fefc503ea363b441fa691add1eef26b |
| SHA512 | 2d2ae0e917453a52ab374ae4f0b12a4ec3e16ecf3c6aff2352a3daa187f189c000adc241ea48077fb7c1fbfc36cfa6702969a70a25502cc7db5ec9ef554121bc |
C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_3.exe
| MD5 | 4fa4a626bfe65bbb3ba048e66170556a |
| SHA1 | 05e0beeedc4a183056292c36cc87a9822f3a19af |
| SHA256 | 7e1282097df8513b7a380803f31386373c178bb97102862d6a08816c0a8902f4 |
| SHA512 | 3236f3a9baf67ec60e1fef21c7c053df5f33d70b8fad9146ad45f2d9f55c9db95e468d5edabb6658a43bb11776a813f0a5448b560b7939f35a38490c2345e7cd |
C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\sahiba_4.exe
| MD5 | eb73f48eaf544bf7e035a58f95f73394 |
| SHA1 | 251f0d09f14452538ecfa0924a4618c3c16887e3 |
| SHA256 | da72fa2ad767e22db3d55506846b5d4db7932cd7287391c483faa80c5e86bcce |
| SHA512 | a190b5e95308aa2a855dbb6c93841fbfbd79bd3c04b3f3c90e94b88c35c0409de68c39f31373b7dce38998ecdc35064541efad17f63978e14022ec9efac3b4c1 |
memory/1416-67-0x0000000000400000-0x000000000051E000-memory.dmp
memory/1416-66-0x0000000000400000-0x000000000051E000-memory.dmp
memory/1416-65-0x0000000000400000-0x000000000051E000-memory.dmp
memory/1416-64-0x0000000000400000-0x000000000051E000-memory.dmp
memory/1416-63-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/1416-62-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/1416-60-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1416-59-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1416-58-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1416-57-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1416-56-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1416-55-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1416-49-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
C:\Users\Admin\AppData\Local\Temp\7zS87B593B7\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\is-GM86I.tmp\sahiba_5.tmp
| MD5 | b6cee06d96499009bc0fddd23dc935aa |
| SHA1 | ffaef1baa4456b6e10bb40c2612dba7b18743d01 |
| SHA256 | 9553aee4cfe474165afa02a4f89455aaba3e27fe03bfda46ec85ec7c6f01574f |
| SHA512 | b710767c8802981495368f0b4e0dd87a4b04833b974e6b82605c92a8303b1cf5525634b3c34a1e251193c73c59579aa15704260c3898a2d49f641770b2d95b4f |
memory/2356-100-0x0000000004E90000-0x0000000004F06000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-FQC6B.tmp\sahiba_8.tmp
| MD5 | 1623272fc3047895b1db3c60b2dd7bc5 |
| SHA1 | 772e1f9d062d8b98d241ae54414c814b8a6610bb |
| SHA256 | 89b72c11ec6a19aeb26bc5305912b5b734e732211fe12160d3a07507a0fd99c1 |
| SHA512 | 135c85f2f2eba58f6f64a218f5a4e76a57d97906d50fa9877fa5b9292bc34a341dda0b72470736019e1031403be32f7505cf3f797502292fe97c29adbc8daa73 |
memory/2356-104-0x0000000004E30000-0x0000000004E4E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-S3M9J.tmp\idp.dll
| MD5 | 8f995688085bced38ba7795f60a5e1d3 |
| SHA1 | 5b1ad67a149c05c50d6e388527af5c8a0af4343a |
| SHA256 | 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006 |
| SHA512 | 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35 |
memory/2444-122-0x00000000011C0000-0x00000000011C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-S3M9J.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/2444-113-0x00000000011A0000-0x00000000011C6000-memory.dmp
memory/2444-101-0x0000000001190000-0x0000000001196000-memory.dmp
memory/2444-97-0x00000000009B0000-0x00000000009E4000-memory.dmp
memory/2356-96-0x00000000005E0000-0x0000000000648000-memory.dmp
memory/2356-123-0x0000000005560000-0x0000000005B04000-memory.dmp
memory/4236-135-0x0000000000400000-0x00000000004D5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
| MD5 | 7fee8223d6e4f82d6cd115a28f0b6d58 |
| SHA1 | 1b89c25f25253df23426bd9ff6c9208f1202f58b |
| SHA256 | a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59 |
| SHA512 | 3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4 |
memory/2724-139-0x0000000000400000-0x0000000000516000-memory.dmp
memory/1412-144-0x0000000000400000-0x000000000046D000-memory.dmp
memory/4364-146-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2768-143-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1396-140-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2768-134-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1416-154-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/1416-160-0x0000000064940000-0x0000000064959000-memory.dmp
memory/1416-159-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1416-158-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1416-157-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/1416-156-0x0000000000400000-0x000000000051E000-memory.dmp
memory/388-149-0x0000000000400000-0x000000000324C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
| MD5 | b7161c0845a64ff6d7345b67ff97f3b0 |
| SHA1 | d223f855da541fe8e4c1d5c50cb26da0a1deb5fc |
| SHA256 | fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66 |
| SHA512 | 98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680 |
memory/1920-177-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1544-180-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2832-181-0x0000000000400000-0x00000000032A0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sahiba_4.exe.log
| MD5 | e5352797047ad2c91b83e933b24fbc4f |
| SHA1 | 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772 |
| SHA256 | b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c |
| SHA512 | dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827 |
memory/2476-182-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2476-186-0x0000000005590000-0x0000000005BA8000-memory.dmp
memory/2476-188-0x0000000005070000-0x00000000050AC000-memory.dmp
memory/2476-187-0x0000000004FD0000-0x0000000004FE2000-memory.dmp
memory/2476-189-0x00000000050B0000-0x00000000050FC000-memory.dmp
memory/2476-190-0x0000000005370000-0x000000000547A000-memory.dmp
memory/5104-199-0x0000000000400000-0x000000000045B000-memory.dmp
memory/4368-202-0x0000000000400000-0x000000000045B000-memory.dmp
memory/408-211-0x0000000000400000-0x000000000045B000-memory.dmp
memory/4488-213-0x0000000000400000-0x000000000045B000-memory.dmp