Analysis Overview
SHA256
7ca942cc19eb3d9f6bd2e5947eb77af104948ccea1f4b96c87270e91065650c7
Threat Level: Known bad
The file a447d89f3c72c8f5c81e9cac1b3eeb53_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Xmrig family
PrivateLoader
Nullmixer family
xmrig
Vidar
NullMixer
Vidar family
Privateloader family
Vidar Stealer
XMRig Miner payload
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Executes dropped EXE
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Program crash
Browser Information Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Uses Task Scheduler COM API
Scheduled Task/Job: Scheduled Task
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-26 21:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-26 21:48
Reported
2024-11-26 21:50
Platform
win7-20241010-en
Max time kernel
78s
Max time network
153s
Command Line
Signatures
NullMixer
Nullmixer family
Vidar
Vidar family
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File opened for modification | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\setup_install.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a447d89f3c72c8f5c81e9cac1b3eeb53_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\winnetdriv.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_3.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Roaming\services64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Roaming\services64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_3.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_8.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_6.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\chrome2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\services64.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a447d89f3c72c8f5c81e9cac1b3eeb53_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a447d89f3c72c8f5c81e9cac1b3eeb53_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_2.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_8.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_9.exe
C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_8.exe
sahiba_8.exe
C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_2.exe
sahiba_2.exe
C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_4.exe
sahiba_4.exe
C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_6.exe
sahiba_6.exe
C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_1.exe
sahiba_1.exe
C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_5.exe
sahiba_5.exe
C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_3.exe
sahiba_3.exe
C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_9.exe
sahiba_9.exe
C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_7.exe
sahiba_7.exe
C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_1.exe
"C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_1.exe" -a
C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_9.exe
"C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_9.exe"
C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_5.exe
"C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_5.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 428
C:\Users\Admin\AppData\Local\Temp\chrome2.exe
"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Windows\winnetdriv.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1732657704 0
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | watira.xyz | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | prophefliloc.tumblr.com | udp |
| US | 74.114.154.18:443 | prophefliloc.tumblr.com | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | music-sec.xyz | udp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 104.26.4.15:443 | db-ip.com | tcp |
| MD | 176.123.2.239:80 | 176.123.2.239 | tcp |
| US | 8.8.8.8:53 | api.db-ip.com | udp |
| US | 104.26.4.15:443 | api.db-ip.com | tcp |
| N/A | 127.0.0.1:49290 | tcp | |
| N/A | 127.0.0.1:49292 | tcp | |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 104.17.27.25:80 | www.maxmind.com | tcp |
| GB | 37.0.8.235:80 | tcp | |
| US | 8.8.8.8:53 | www.wpdsfds23x.com | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| SG | 37.0.11.8:80 | tcp | |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 184.25.193.234:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| SG | 37.0.11.9:80 | tcp | |
| US | 8.8.8.8:53 | sanctam.net | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| SG | 37.0.11.9:80 | tcp | |
| SG | 37.0.11.9:80 | tcp | |
| SG | 37.0.11.9:80 | tcp | |
| SG | 37.0.11.9:80 | tcp |
Files
\Users\Admin\AppData\Local\Temp\7zS82980BC7\setup_install.exe
| MD5 | ed3cf04a534ea39e173c7925f50204dc |
| SHA1 | 23251d98a9e3e9cd9d884d1c80e34880bd7a1200 |
| SHA256 | d231ebe7bd40f8b150822913bcd85139e0e4f015d4822eab61f45410ba6b977e |
| SHA512 | e3085ad1567f8bc3f484303278b56896b999b2fdcf1b8346d73820d6b53223a63c649096e12d761b6a4bb36f4e581eb517b346fcc670393f4a6eba1809d5fd9a |
memory/2344-33-0x0000000002870000-0x000000000298E000-memory.dmp
memory/2344-41-0x0000000002880000-0x000000000299E000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS82980BC7\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
\Users\Admin\AppData\Local\Temp\7zS82980BC7\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
memory/3052-48-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/3052-53-0x000000006B440000-0x000000006B4CF000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS82980BC7\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
\Users\Admin\AppData\Local\Temp\7zS82980BC7\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/3052-64-0x0000000064940000-0x0000000064959000-memory.dmp
memory/3052-63-0x000000006494A000-0x000000006494F000-memory.dmp
memory/3052-62-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/3052-61-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/3052-60-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/3052-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3052-76-0x0000000000400000-0x000000000051E000-memory.dmp
memory/3052-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3052-75-0x0000000000400000-0x000000000051E000-memory.dmp
memory/3052-74-0x0000000000400000-0x000000000051E000-memory.dmp
memory/3052-73-0x0000000000400000-0x000000000051E000-memory.dmp
memory/3052-72-0x0000000000400000-0x000000000051E000-memory.dmp
memory/3052-71-0x0000000000400000-0x000000000051E000-memory.dmp
memory/3052-70-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/3052-69-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/3052-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3052-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3052-59-0x000000006FE40000-0x000000006FFC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_9.txt
| MD5 | 5c2e28dedae0e088fc1f9b50d7d28c12 |
| SHA1 | f521d9d8ae7381e3953ae5cf33b4b1b37f67a193 |
| SHA256 | 2261a3d740572f9d0ee42faad5b0d405df16506e104bd912e7c7b24d7fddcc5f |
| SHA512 | f6f100508acb77af5b3442673c9d01a6a16cc39521b618eebccd482bf9f50b3991109f82b97e48e8c3cc0221f0be9e164867ba79ac2f2bc4e25cbdb5f7daa15f |
C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_8.txt
| MD5 | c85639691074f9d98ec530901c153d2b |
| SHA1 | cac948e5b1f9d7417e7c5ead543fda1108f0e9ed |
| SHA256 | 55701c6e51fb6a9820d8f9d2ae9db412b60f51c80d288e8baf0ea50e2d03cce4 |
| SHA512 | 4911ce27e56bac29b247840e6c9de78e875210fd0588d11d9e3a3eae39764bfdd14b56de5de4cf535674a2ba0810c9d823f42b339f650dedb7af42f8b3fd4c6d |
C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_7.txt
| MD5 | 62ca6931bc7a374f80ff8541138baa9e |
| SHA1 | d36e63034bddf32d3c79106a75cfa679cfdd336a |
| SHA256 | 5dbe764c587a5a27b0daaa1b3a56a2ac4047cc78c2b878ae49589c2ec55c350a |
| SHA512 | 5e7e4edefa978e7e355ee9692ff925241c7d1e4f1aff0f3e4068685b6a3eb00638a2706cda0a0581e240dc31e18b96c41fbc7f9e42f30673a29b7c995ddd8952 |
C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_6.txt
| MD5 | c2fc45bff7f1962f4bf80d0400075760 |
| SHA1 | 493ea1e415f8a733a1f78c5a72c9a2f28fd228c4 |
| SHA256 | bfaa3e81e84266f3c696578b4aedc023d98d2c1f0840e693cdf581f7a10c503d |
| SHA512 | 143db60d1676d90ecbfe2541d84ae77fed39b5a3f4ea8e9c64d1d3e25c0b9d5abd513dec6f2357a27a922016412572343675109a95f766ed640cc89ba8598def |
C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_5.txt
| MD5 | 8cad9c4c58553ec0ca5fd50aec791b8a |
| SHA1 | a2a4385cb2df58455764eb879b5d6aaf5e3585ac |
| SHA256 | f092024f873461b61234b97fcb07c8589dcc9a801cf8a0a6e302dbd746bab294 |
| SHA512 | 1eeac808dd992a7b99448d8a1c5470a2964b14705b4e987d9cb2e227a8142122faa17bf8a9acba6db4e80a42b50b58536e748a3231736b9b705d630f941159a3 |
C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_4.txt
| MD5 | 13a289feeb15827860a55bbc5e5d498f |
| SHA1 | e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad |
| SHA256 | c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775 |
| SHA512 | 00c225fb1d88920c5df7bb853d32213a91254fb8c57169c58c8b0ffab4501486e24d87e3d8f5665b16e366362cb81deec535d833ed42434fdc31f0400ee7ffa7 |
C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_3.txt
| MD5 | fc1bf039d6e2275262ee314cb5dcdcb9 |
| SHA1 | 596c821bf1be4690daec15c62cf6457b0b5de722 |
| SHA256 | 12f2a4af5a7e54ff55a57549d351315ad3e1dac80aef43200f1abdd20b1a3f00 |
| SHA512 | 4a0a8715913f6502eaa43767ee9a821457814329a16023192287a31bf2e5ff68a021dbcb858900160dcac03b901a4166fbf858d8f6f44af95f22f8627457a374 |
C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_2.txt
| MD5 | 13d4228eebba30a121c8544a5493b16a |
| SHA1 | 7dff5b6638e6e840e1b4ecaa83406f3173bbb0fd |
| SHA256 | 3ed9c981d1b1c61fc0de3e7973af1a6f9cad82f4509a01f51efb0ca29cd0e5ca |
| SHA512 | b118e4305f72f2811f79dbda7b08c35b20b2ac44c4db34002c7735b1e9eb4f404fcdb6d785345c30f52ce05955b34d25cdfc192f2f56e1f3470e222ffbb1a996 |
C:\Users\Admin\AppData\Local\Temp\7zS82980BC7\sahiba_1.txt
| MD5 | c0d18a829910babf695b4fdaea21a047 |
| SHA1 | 236a19746fe1a1063ebe077c8a0553566f92ef0f |
| SHA256 | 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98 |
| SHA512 | cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823 |
memory/1276-175-0x0000000001230000-0x0000000001268000-memory.dmp
memory/588-172-0x0000000001200000-0x0000000001208000-memory.dmp
memory/796-185-0x0000000000400000-0x0000000002C56000-memory.dmp
memory/1032-188-0x00000000000F0000-0x00000000001DE000-memory.dmp
memory/1276-197-0x0000000000250000-0x0000000000256000-memory.dmp
memory/1276-201-0x0000000000260000-0x0000000000288000-memory.dmp
memory/1832-205-0x000000013F6B0000-0x000000013F6C0000-memory.dmp
memory/1276-208-0x0000000000480000-0x0000000000486000-memory.dmp
memory/2404-210-0x0000000001F20000-0x0000000002004000-memory.dmp
C:\Windows\winnetdriv.exe
| MD5 | 01ad10e59fa396af2d5443c5a14c1b21 |
| SHA1 | f209a4f0bb2a96e3ee6a55689e7f00e79c04f722 |
| SHA256 | bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137 |
| SHA512 | 1e067ade999ff933a644fde66c6ab9abb8a960ce1c8064368adcde4c09d924bd22d1b43c68b7c968e982fc75937969a2876e9e2a024f72e693f9ba397d449e02 |
memory/1924-222-0x0000000000360000-0x0000000000444000-memory.dmp
memory/3052-236-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3052-235-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/3052-234-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/3052-233-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/3052-232-0x0000000064940000-0x0000000064959000-memory.dmp
memory/3052-231-0x0000000000400000-0x000000000051E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab7D0.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar86F.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\ProgramData\softokn3.dll
| MD5 | a378c450e6ad9f1e0356ed46da190990 |
| SHA1 | d457a2c162391d2ea30ec2dc62c8fb3b973f6a66 |
| SHA256 | b745b0c0db87a89de5e542e9ae0a06f585793ac3f4240bff3524e7dbdba79978 |
| SHA512 | e6cdc8f570af97e48b1d8968730db0afc46f9dd6ad7366a936a5518801debb61c86cc61526e5e26e7ad3b3daeb76a19b32d7c0da33140597f6d19163683c12b5 |
memory/1380-299-0x00000000000D0000-0x00000000001D0000-memory.dmp
memory/1880-313-0x0000000000400000-0x0000000002CB2000-memory.dmp
memory/1832-317-0x0000000000760000-0x000000000076E000-memory.dmp
C:\Users\Admin\AppData\Roaming\services64.exe
| MD5 | ad0aca1934f02768fd5fedaf4d9762a3 |
| SHA1 | 0e5b8372015d81200c4eff22823e854d0030f305 |
| SHA256 | dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388 |
| SHA512 | 2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7 |
memory/2208-321-0x000000013F4A0000-0x000000013F4B0000-memory.dmp
memory/620-326-0x000000013FCB0000-0x000000013FCB6000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 3dd04c64d429a7abe7597c74520fc334 |
| SHA1 | 83472650a1f15b46e5aff124b414dc962dd6a8fa |
| SHA256 | bed7403ab5841851c0f0606035b4cd77a7030e0c7307bf19dbdc51e1b78f0e5a |
| SHA512 | 230039226e92f6a424fc0de36d98c28dce0e61d79374018d18be2068ef2880f7530e0ad9bab16e83ec4ce39dfd1500d3ef635361ccb47592ec50d9c1337bd380 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-26 21:48
Reported
2024-11-26 21:50
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
Vidar
Vidar family
Xmrig family
xmrig
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a447d89f3c72c8f5c81e9cac1b3eeb53_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\sahiba_4.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\sahiba_1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\chrome2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\services64.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\setup_install.exe | N/A |
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2948 set thread context of 1404 | N/A | C:\Users\Admin\AppData\Roaming\services64.exe | C:\Windows\explorer.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File created | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\sahiba_2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\sahiba_7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\sahiba_1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\sahiba_3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\sahiba_4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\sahiba_1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\winnetdriv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a447d89f3c72c8f5c81e9cac1b3eeb53_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\sahiba_2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\sahiba_2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\sahiba_2.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\sahiba_3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\sahiba_3.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\sahiba_6.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\sahiba_8.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\chrome2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\services64.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a447d89f3c72c8f5c81e9cac1b3eeb53_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a447d89f3c72c8f5c81e9cac1b3eeb53_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_2.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_8.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_9.exe
C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\sahiba_1.exe
sahiba_1.exe
C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\sahiba_3.exe
sahiba_3.exe
C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\sahiba_6.exe
sahiba_6.exe
C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\sahiba_4.exe
sahiba_4.exe
C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\sahiba_5.exe
sahiba_5.exe
C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\sahiba_9.exe
sahiba_9.exe
C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\sahiba_2.exe
sahiba_2.exe
C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\sahiba_7.exe
sahiba_7.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4508 -ip 4508
C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\sahiba_8.exe
sahiba_8.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 568
C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\sahiba_1.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\sahiba_1.exe" -a
C:\Users\Admin\AppData\Local\Temp\chrome2.exe
"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Windows\winnetdriv.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1732657701 0
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4960 -ip 4960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 356
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1964 -ip 1964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 2000
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1964 -ip 1964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 1980
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.main/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BJ+edII5Fll530cZ/+msGEWovb73nU3RrOnuNmRoFcg" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | watira.xyz | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | music-sec.xyz | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.4.15:443 | db-ip.com | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.130.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.2.26.104.in-addr.arpa | udp |
| N/A | 127.0.0.1:54600 | tcp | |
| N/A | 127.0.0.1:54602 | tcp | |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | api.db-ip.com | udp |
| US | 104.26.4.15:443 | api.db-ip.com | tcp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 104.17.28.25:80 | www.maxmind.com | tcp |
| GB | 37.0.8.235:80 | tcp | |
| US | 8.8.8.8:53 | 15.4.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.28.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | prophefliloc.tumblr.com | udp |
| US | 74.114.154.18:443 | prophefliloc.tumblr.com | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | 18.154.114.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| MD | 176.123.2.239:80 | 176.123.2.239 | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 239.2.123.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.wpdsfds23x.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| SG | 37.0.11.8:80 | tcp | |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| SG | 37.0.11.9:80 | tcp | |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 215.133.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 69.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sanctam.net | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| SG | 37.0.11.9:80 | tcp | |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| NL | 51.15.89.13:14433 | xmr-eu2.nanopool.org | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | 100.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.89.15.51.in-addr.arpa | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| PL | 54.37.137.114:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.137.37.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| SG | 37.0.11.9:80 | tcp | |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| SG | 37.0.11.9:80 | tcp | |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| SG | 37.0.11.9:80 | tcp | |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 24.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\setup_install.exe
| MD5 | ed3cf04a534ea39e173c7925f50204dc |
| SHA1 | 23251d98a9e3e9cd9d884d1c80e34880bd7a1200 |
| SHA256 | d231ebe7bd40f8b150822913bcd85139e0e4f015d4822eab61f45410ba6b977e |
| SHA512 | e3085ad1567f8bc3f484303278b56896b999b2fdcf1b8346d73820d6b53223a63c649096e12d761b6a4bb36f4e581eb517b346fcc670393f4a6eba1809d5fd9a |
memory/4508-36-0x0000000000400000-0x000000000051E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/4508-56-0x0000000064940000-0x0000000064959000-memory.dmp
memory/4508-55-0x0000000064941000-0x000000006494F000-memory.dmp
memory/4508-54-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/4508-53-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/4508-52-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/4508-51-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/4508-49-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/4508-45-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
memory/4508-57-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/4508-62-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/4508-64-0x0000000000400000-0x000000000051E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\sahiba_1.txt
| MD5 | c0d18a829910babf695b4fdaea21a047 |
| SHA1 | 236a19746fe1a1063ebe077c8a0553566f92ef0f |
| SHA256 | 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98 |
| SHA512 | cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823 |
C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\sahiba_9.txt
| MD5 | 5c2e28dedae0e088fc1f9b50d7d28c12 |
| SHA1 | f521d9d8ae7381e3953ae5cf33b4b1b37f67a193 |
| SHA256 | 2261a3d740572f9d0ee42faad5b0d405df16506e104bd912e7c7b24d7fddcc5f |
| SHA512 | f6f100508acb77af5b3442673c9d01a6a16cc39521b618eebccd482bf9f50b3991109f82b97e48e8c3cc0221f0be9e164867ba79ac2f2bc4e25cbdb5f7daa15f |
C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\sahiba_8.txt
| MD5 | c85639691074f9d98ec530901c153d2b |
| SHA1 | cac948e5b1f9d7417e7c5ead543fda1108f0e9ed |
| SHA256 | 55701c6e51fb6a9820d8f9d2ae9db412b60f51c80d288e8baf0ea50e2d03cce4 |
| SHA512 | 4911ce27e56bac29b247840e6c9de78e875210fd0588d11d9e3a3eae39764bfdd14b56de5de4cf535674a2ba0810c9d823f42b339f650dedb7af42f8b3fd4c6d |
C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\sahiba_7.exe
| MD5 | 62ca6931bc7a374f80ff8541138baa9e |
| SHA1 | d36e63034bddf32d3c79106a75cfa679cfdd336a |
| SHA256 | 5dbe764c587a5a27b0daaa1b3a56a2ac4047cc78c2b878ae49589c2ec55c350a |
| SHA512 | 5e7e4edefa978e7e355ee9692ff925241c7d1e4f1aff0f3e4068685b6a3eb00638a2706cda0a0581e240dc31e18b96c41fbc7f9e42f30673a29b7c995ddd8952 |
C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\sahiba_5.exe
| MD5 | 8cad9c4c58553ec0ca5fd50aec791b8a |
| SHA1 | a2a4385cb2df58455764eb879b5d6aaf5e3585ac |
| SHA256 | f092024f873461b61234b97fcb07c8589dcc9a801cf8a0a6e302dbd746bab294 |
| SHA512 | 1eeac808dd992a7b99448d8a1c5470a2964b14705b4e987d9cb2e227a8142122faa17bf8a9acba6db4e80a42b50b58536e748a3231736b9b705d630f941159a3 |
memory/4956-88-0x0000000000100000-0x00000000001EE000-memory.dmp
memory/4788-89-0x0000000000D10000-0x0000000000D48000-memory.dmp
memory/4788-91-0x0000000002CB0000-0x0000000002CB6000-memory.dmp
memory/4788-92-0x000000001B6B0000-0x000000001B6D8000-memory.dmp
memory/4788-93-0x0000000002CC0000-0x0000000002CC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\sahiba_4.exe
| MD5 | 13a289feeb15827860a55bbc5e5d498f |
| SHA1 | e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad |
| SHA256 | c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775 |
| SHA512 | 00c225fb1d88920c5df7bb853d32213a91254fb8c57169c58c8b0ffab4501486e24d87e3d8f5665b16e366362cb81deec535d833ed42434fdc31f0400ee7ffa7 |
C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\sahiba_3.exe
| MD5 | fc1bf039d6e2275262ee314cb5dcdcb9 |
| SHA1 | 596c821bf1be4690daec15c62cf6457b0b5de722 |
| SHA256 | 12f2a4af5a7e54ff55a57549d351315ad3e1dac80aef43200f1abdd20b1a3f00 |
| SHA512 | 4a0a8715913f6502eaa43767ee9a821457814329a16023192287a31bf2e5ff68a021dbcb858900160dcac03b901a4166fbf858d8f6f44af95f22f8627457a374 |
C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\sahiba_2.exe
| MD5 | 13d4228eebba30a121c8544a5493b16a |
| SHA1 | 7dff5b6638e6e840e1b4ecaa83406f3173bbb0fd |
| SHA256 | 3ed9c981d1b1c61fc0de3e7973af1a6f9cad82f4509a01f51efb0ca29cd0e5ca |
| SHA512 | b118e4305f72f2811f79dbda7b08c35b20b2ac44c4db34002c7735b1e9eb4f404fcdb6d785345c30f52ce05955b34d25cdfc192f2f56e1f3470e222ffbb1a996 |
C:\Users\Admin\AppData\Local\Temp\7zS4A0231F7\sahiba_6.exe
| MD5 | c2fc45bff7f1962f4bf80d0400075760 |
| SHA1 | 493ea1e415f8a733a1f78c5a72c9a2f28fd228c4 |
| SHA256 | bfaa3e81e84266f3c696578b4aedc023d98d2c1f0840e693cdf581f7a10c503d |
| SHA512 | 143db60d1676d90ecbfe2541d84ae77fed39b5a3f4ea8e9c64d1d3e25c0b9d5abd513dec6f2357a27a922016412572343675109a95f766ed640cc89ba8598def |
memory/4508-68-0x0000000000400000-0x000000000051E000-memory.dmp
memory/4508-67-0x0000000000400000-0x000000000051E000-memory.dmp
memory/4508-66-0x0000000000400000-0x000000000051E000-memory.dmp
memory/4508-65-0x0000000000400000-0x000000000051E000-memory.dmp
memory/4508-63-0x0000000000400000-0x000000000051E000-memory.dmp
memory/4508-61-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/4508-59-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/4508-60-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/4508-58-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2852-95-0x0000000000BB0000-0x0000000000BB8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\chrome2.exe
| MD5 | ad0aca1934f02768fd5fedaf4d9762a3 |
| SHA1 | 0e5b8372015d81200c4eff22823e854d0030f305 |
| SHA256 | dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388 |
| SHA512 | 2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7 |
memory/1272-108-0x0000000000100000-0x0000000000110000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | 01ad10e59fa396af2d5443c5a14c1b21 |
| SHA1 | f209a4f0bb2a96e3ee6a55689e7f00e79c04f722 |
| SHA256 | bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137 |
| SHA512 | 1e067ade999ff933a644fde66c6ab9abb8a960ce1c8064368adcde4c09d924bd22d1b43c68b7c968e982fc75937969a2876e9e2a024f72e693f9ba397d449e02 |
memory/3792-117-0x0000000000400000-0x00000000004E4000-memory.dmp
memory/4508-141-0x0000000000400000-0x000000000051E000-memory.dmp
memory/4508-145-0x0000000064940000-0x0000000064959000-memory.dmp
memory/4508-144-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/4508-143-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/4508-142-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/4508-139-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/4960-147-0x0000000000400000-0x0000000002C56000-memory.dmp
C:\ProgramData\softokn3.dll
| MD5 | a378c450e6ad9f1e0356ed46da190990 |
| SHA1 | d457a2c162391d2ea30ec2dc62c8fb3b973f6a66 |
| SHA256 | b745b0c0db87a89de5e542e9ae0a06f585793ac3f4240bff3524e7dbdba79978 |
| SHA512 | e6cdc8f570af97e48b1d8968730db0afc46f9dd6ad7366a936a5518801debb61c86cc61526e5e26e7ad3b3daeb76a19b32d7c0da33140597f6d19163683c12b5 |
memory/1964-202-0x0000000000400000-0x0000000002CB2000-memory.dmp
memory/1964-212-0x0000000000400000-0x0000000002CB2000-memory.dmp
memory/1272-214-0x00000000026F0000-0x00000000026FE000-memory.dmp
memory/1272-215-0x0000000002720000-0x0000000002732000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
| MD5 | be0b4b1c809dc419f44b990378cbae31 |
| SHA1 | 5c40c342e0375d8ca7e4cc4e1b81b7ef20a22806 |
| SHA256 | 530bd3b9ec17f111b0658fddeb4585cd6bf6edb1561bdebd1622527c36a63f53 |
| SHA512 | 5ce316cfe5e25b0a54ceb157dee8f85e2c7825d91a0cd5fae0500b68b85dd265903582728d4259428d2e44b561423dac1499edcf0606ac0f78e8485ce3c0af24 |
memory/1596-242-0x0000000000AC0000-0x0000000000AC6000-memory.dmp
memory/1404-247-0x0000000002580000-0x00000000025A0000-memory.dmp
memory/1404-246-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1404-244-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1404-250-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1404-251-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1404-249-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1404-248-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1404-252-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1404-253-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1404-254-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1404-255-0x0000000140000000-0x0000000140786000-memory.dmp