Malware Analysis Report

2024-09-22 16:41

Sample ID 231031-rxt2msca95
Target 15353549c41681af3e4fdfe145d487807b55f73469989b4c3bd429b699355b64_skip
SHA256 15353549c41681af3e4fdfe145d487807b55f73469989b4c3bd429b699355b64
Tags
babadeda crypter discovery loader
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

15353549c41681af3e4fdfe145d487807b55f73469989b4c3bd429b699355b64

Threat Level: Known bad

The file 15353549c41681af3e4fdfe145d487807b55f73469989b4c3bd429b699355b64_skip was found to be: Known bad.

Malicious Activity Summary

babadeda crypter discovery loader

Babadeda family

Babadeda Crypter

Babadeda

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Program crash

Unsigned PE

Enumerates physical storage devices

Detects BABADEDA Crypter

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2023-10-31 14:34

Signatures

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Babadeda family

babadeda

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Detects BABADEDA Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-31 14:34

Reported

2023-10-31 14:37

Platform

win7-20231025-en

Max time kernel

121s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\15353549c41681af3e4fdfe145d487807b55f73469989b4c3bd429b699355b64_skip.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\System.Data.SQLite\gitlibcontrol.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Detects BABADEDA Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\System.Data.SQLite\gitlibcontrol.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\15353549c41681af3e4fdfe145d487807b55f73469989b4c3bd429b699355b64_skip.exe

"C:\Users\Admin\AppData\Local\Temp\15353549c41681af3e4fdfe145d487807b55f73469989b4c3bd429b699355b64_skip.exe"

C:\Users\Admin\AppData\Roaming\System.Data.SQLite\gitlibcontrol.exe

"C:\Users\Admin\AppData\Roaming\System.Data.SQLite\gitlibcontrol.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 1112

Network

Country Destination Domain Proto
US 8.8.8.8:53 iplogger.org udp
DE 148.251.234.83:80 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp

Files

C:\Users\Admin\AppData\Roaming\System.Data.SQLite\res\public\en\html\startpage_banner.html

MD5 5d1f7da1c3d95020a0708118145364d0
SHA1 02f630e7ac8b8d400af219bd8811aa3a22f7186e
SHA256 d2d828c2c459b72ee378db6c5ac295315b8a783b7049032f92ed4fcb2a89684a
SHA512 6bbdaaef1478ffd9e9d3a95d300f35b9ac6f3ce6564e80734445a827ad8761233db36c679fac117f363bae27918983520f0e2f408205d3549b001fc4ae4c920c

C:\Users\Admin\AppData\Roaming\System.Data.SQLite\res\public\en\html\startpage_connect_to_data_no_mru.html

MD5 20bbd307866f19a5af3ae9ebd5104018
SHA1 8e03c9b18b9d27e9292ee154b773553493df1157
SHA256 e4fe51c170e02a01f30a4db8b458fb9b8dee13a7740f17765ba4873fac62c5f7
SHA512 420a132ad4ba3a67f5b66a3e463c4fa495b7941d58d6d669a8c984380607a03f0afa1c92bcf1f8d1fc5d93838ea611f7f9cf439bb3ada0142431b119ddfad40d

C:\Users\Admin\AppData\Roaming\System.Data.SQLite\res\public\en\html\startpage_connect_to_data_with_mru.html

MD5 e6bc0d078616dd5d5f72d46ab2216e89
SHA1 f70534bb999bcb8f1db0cf25a7279757e794499f
SHA256 e8f50f17c994f394239350951a40c3454e9b52b0ca95cf342f2577828f390a54
SHA512 6ccd6e19ec63f20c86a28ccaffa609a2d0de7991a8eb2d6ea016bcc5d0e9f2fc28c33a15c4af891f28a9e1e4131f38f84f8e1a8859e020d6f267977075f7c66a

C:\Users\Admin\AppData\Roaming\System.Data.SQLite\res\public\en\html\startpage_landing.html

MD5 0a5b47256c14570b80ef77ecfd2129b7
SHA1 69210a7429c991909c70b6b6b75fe4bc606048ae
SHA256 1934657d800997dedba9f4753150f7d8f96dd5903a9c47ed6885aabf563bf73d
SHA512 5ca22260d26ec5bb1d65c4af3e2f05356d7b144836790ac656bf8c1687dd5c7d67a8a46c7bde374ec9e59a1bedc0298a4609f229d997409a0cc5453ef102ecb2

C:\Users\Admin\AppData\Roaming\System.Data.SQLite\res\public\en\html\startpage_topstrip_no_mru.html

MD5 eced86c9d5b8952ac5fb817c3ce2b8ba
SHA1 3ca24e69df7a4b81f799527a97282799fcd3f1e2
SHA256 3988afa43d3c716ecbe4e261ff13c32fe67baaaf1718eac790040cff2aa4e44d
SHA512 a21e88968c30f14363a73dfd7801cea34255acb968160fad59d813bb64352583c8c4f6cd9d45811676ca5ca90a4250601a53e80b6f41d6727465f3a57e7423a1

C:\Users\Admin\AppData\Roaming\System.Data.SQLite\res\public\en\html\startpage_topstrip_with_mru.html

MD5 cc4d8a787ab1950c4e3aac5751c9fcde
SHA1 d026a156723a52c34927b5a951a2bb7d23aa2c45
SHA256 13683e06e737e83ca94505b1cd1cd70f4f8b2cc5e7560f121a6e02ed1a06e7ee
SHA512 e0b01f5ee4da60e35a4eb94490bed815aea00382f3b9822b7c29294cf86a2fe480dba704f086a38f9d7aaf39e8160f49cf806b6b6c44651de56e290249dd9ebe

C:\Users\Admin\AppData\Roaming\System.Data.SQLite\res\public\en\stylesheets\start_page.css

MD5 f2ab3e5fb61293ae8656413dbb6e5dc3
SHA1 53b3c3c4b57c3d5e2d9a36272b27786cd60f0eb5
SHA256 06db4d53adf4a1ecbc03ed9962af7f46fd3a54668d45907dc1737125e38ec192
SHA512 2c31cad868e1e5149a4308a149104ac3d88907894699fb0413860c8f578de32f6814b08d518de7a7fe3782f0cea173cb1766da7c25f2bcdddaffae7bc0da927c

C:\Users\Admin\AppData\Roaming\System.Data.SQLite\res\public\en\stylesheets\start_page_landing.css

MD5 49617add7303a8fbd24e1ad16ba715d8
SHA1 31772218ccf51fe5955625346c12e00c0f2e539a
SHA256 b3a99eea19c469dab3b727d1324ed87d10999133d3268ed0fadd5a5c8d182907
SHA512 9d1198ca13a0c1f745b01aabc23b60b8e0df4f12d7fdf17e87e750f021fc3800ea808af6c875848b3850061070dfd54c2e34d92cea4e8a2bf4736fbcfd129d1e

C:\Users\Admin\AppData\Roaming\System.Data.SQLite\gitlibcontrol.exe

MD5 1b63eb3f79b113c3ae50c3e490c4d549
SHA1 25d5360b311c71c11d73f44cb7d9305cb620d5af
SHA256 21c153355ae9c52c2f2df42ff1b8db13e99b7c8a56a13d9e71d5f59191747aba
SHA512 0412e38faf46e666210344045d79babd808562a5f8dbc99ad617ad4bb7b87ac64b3f7ffe490e1bb9dc2ee804c3fa752da88bf02f2ac661a6d3c0487245cc04cb

\Users\Admin\AppData\Roaming\System.Data.SQLite\gitlibcontrol.exe

MD5 1b63eb3f79b113c3ae50c3e490c4d549
SHA1 25d5360b311c71c11d73f44cb7d9305cb620d5af
SHA256 21c153355ae9c52c2f2df42ff1b8db13e99b7c8a56a13d9e71d5f59191747aba
SHA512 0412e38faf46e666210344045d79babd808562a5f8dbc99ad617ad4bb7b87ac64b3f7ffe490e1bb9dc2ee804c3fa752da88bf02f2ac661a6d3c0487245cc04cb

memory/2608-447-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2608-449-0x00000000032C0000-0x0000000003BD1000-memory.dmp

memory/2944-450-0x0000000001360000-0x0000000001C71000-memory.dmp

C:\Users\Admin\AppData\Roaming\System.Data.SQLite\ue32ctmn20.dll

MD5 0b1f0dfd122b188ab703aca852efa0b6
SHA1 7ebb2903a2358f0c8847120ee054fb7bd00c785f
SHA256 1fb9ca1edaf051ee4dfab86ed64e5e0c301970b19a05fd7d37c185becaef0836
SHA512 2617c1220e849f20dcb0985688e66cf9da0dbece50af0f0559353eb6c6eb2c475b0c75c525cfad82ee963e17f3e9e5208f9c42c97491ec10b20b85f8e44cb95e

\Users\Admin\AppData\Roaming\System.Data.SQLite\ue32ctmn20.dll

MD5 0b1f0dfd122b188ab703aca852efa0b6
SHA1 7ebb2903a2358f0c8847120ee054fb7bd00c785f
SHA256 1fb9ca1edaf051ee4dfab86ed64e5e0c301970b19a05fd7d37c185becaef0836
SHA512 2617c1220e849f20dcb0985688e66cf9da0dbece50af0f0559353eb6c6eb2c475b0c75c525cfad82ee963e17f3e9e5208f9c42c97491ec10b20b85f8e44cb95e

C:\Users\Admin\AppData\Roaming\System.Data.SQLite\base.xml

MD5 950be22c751d458a2e081045c0b47e10
SHA1 090c2f362d8d4fb43d5c5817b388946b49772834
SHA256 68e3a6c88bee53a4abd1b4ee126899e89351a3bd1afd02268ba89238b8cb189d
SHA512 9bbef5b61f04b06f9a6d478662c8875a4cd0067a4de245188c92054ff5ddfb9702e762052ca51a5d51db65b0b3e14a86ba431e5cb97490034f395ca4d57f1724

memory/2608-462-0x00000000032C0000-0x0000000003BD1000-memory.dmp

memory/2944-463-0x0000000001360000-0x0000000001C71000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-31 14:34

Reported

2023-10-31 14:37

Platform

win10v2004-20231023-en

Max time kernel

153s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\15353549c41681af3e4fdfe145d487807b55f73469989b4c3bd429b699355b64_skip.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\15353549c41681af3e4fdfe145d487807b55f73469989b4c3bd429b699355b64_skip.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\System.Data.SQLite\gitlibcontrol.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\System.Data.SQLite\gitlibcontrol.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Detects BABADEDA Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\System.Data.SQLite\gitlibcontrol.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\System.Data.SQLite\gitlibcontrol.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\15353549c41681af3e4fdfe145d487807b55f73469989b4c3bd429b699355b64_skip.exe

"C:\Users\Admin\AppData\Local\Temp\15353549c41681af3e4fdfe145d487807b55f73469989b4c3bd429b699355b64_skip.exe"

C:\Users\Admin\AppData\Roaming\System.Data.SQLite\gitlibcontrol.exe

"C:\Users\Admin\AppData\Roaming\System.Data.SQLite\gitlibcontrol.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 iplogger.org udp
DE 148.251.234.83:80 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
US 8.8.8.8:53 83.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
US 8.8.8.8:53 bitbucket.org udp
US 104.192.141.1:443 bitbucket.org tcp
US 104.192.141.1:443 bitbucket.org tcp
US 8.8.8.8:53 1.141.192.104.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\System.Data.SQLite\res\public\en\html\startpage_connect_to_data_no_mru.html

MD5 20bbd307866f19a5af3ae9ebd5104018
SHA1 8e03c9b18b9d27e9292ee154b773553493df1157
SHA256 e4fe51c170e02a01f30a4db8b458fb9b8dee13a7740f17765ba4873fac62c5f7
SHA512 420a132ad4ba3a67f5b66a3e463c4fa495b7941d58d6d669a8c984380607a03f0afa1c92bcf1f8d1fc5d93838ea611f7f9cf439bb3ada0142431b119ddfad40d

C:\Users\Admin\AppData\Roaming\System.Data.SQLite\res\public\en\stylesheets\start_page_landing.css

MD5 49617add7303a8fbd24e1ad16ba715d8
SHA1 31772218ccf51fe5955625346c12e00c0f2e539a
SHA256 b3a99eea19c469dab3b727d1324ed87d10999133d3268ed0fadd5a5c8d182907
SHA512 9d1198ca13a0c1f745b01aabc23b60b8e0df4f12d7fdf17e87e750f021fc3800ea808af6c875848b3850061070dfd54c2e34d92cea4e8a2bf4736fbcfd129d1e

C:\Users\Admin\AppData\Roaming\System.Data.SQLite\res\public\en\stylesheets\start_page.css

MD5 f2ab3e5fb61293ae8656413dbb6e5dc3
SHA1 53b3c3c4b57c3d5e2d9a36272b27786cd60f0eb5
SHA256 06db4d53adf4a1ecbc03ed9962af7f46fd3a54668d45907dc1737125e38ec192
SHA512 2c31cad868e1e5149a4308a149104ac3d88907894699fb0413860c8f578de32f6814b08d518de7a7fe3782f0cea173cb1766da7c25f2bcdddaffae7bc0da927c

C:\Users\Admin\AppData\Roaming\System.Data.SQLite\res\public\en\html\startpage_topstrip_with_mru.html

MD5 cc4d8a787ab1950c4e3aac5751c9fcde
SHA1 d026a156723a52c34927b5a951a2bb7d23aa2c45
SHA256 13683e06e737e83ca94505b1cd1cd70f4f8b2cc5e7560f121a6e02ed1a06e7ee
SHA512 e0b01f5ee4da60e35a4eb94490bed815aea00382f3b9822b7c29294cf86a2fe480dba704f086a38f9d7aaf39e8160f49cf806b6b6c44651de56e290249dd9ebe

C:\Users\Admin\AppData\Roaming\System.Data.SQLite\res\public\en\html\startpage_topstrip_no_mru.html

MD5 eced86c9d5b8952ac5fb817c3ce2b8ba
SHA1 3ca24e69df7a4b81f799527a97282799fcd3f1e2
SHA256 3988afa43d3c716ecbe4e261ff13c32fe67baaaf1718eac790040cff2aa4e44d
SHA512 a21e88968c30f14363a73dfd7801cea34255acb968160fad59d813bb64352583c8c4f6cd9d45811676ca5ca90a4250601a53e80b6f41d6727465f3a57e7423a1

C:\Users\Admin\AppData\Roaming\System.Data.SQLite\res\public\en\html\startpage_landing.html

MD5 0a5b47256c14570b80ef77ecfd2129b7
SHA1 69210a7429c991909c70b6b6b75fe4bc606048ae
SHA256 1934657d800997dedba9f4753150f7d8f96dd5903a9c47ed6885aabf563bf73d
SHA512 5ca22260d26ec5bb1d65c4af3e2f05356d7b144836790ac656bf8c1687dd5c7d67a8a46c7bde374ec9e59a1bedc0298a4609f229d997409a0cc5453ef102ecb2

C:\Users\Admin\AppData\Roaming\System.Data.SQLite\res\public\en\html\startpage_banner.html

MD5 5d1f7da1c3d95020a0708118145364d0
SHA1 02f630e7ac8b8d400af219bd8811aa3a22f7186e
SHA256 d2d828c2c459b72ee378db6c5ac295315b8a783b7049032f92ed4fcb2a89684a
SHA512 6bbdaaef1478ffd9e9d3a95d300f35b9ac6f3ce6564e80734445a827ad8761233db36c679fac117f363bae27918983520f0e2f408205d3549b001fc4ae4c920c

C:\Users\Admin\AppData\Roaming\System.Data.SQLite\res\public\en\html\startpage_connect_to_data_with_mru.html

MD5 e6bc0d078616dd5d5f72d46ab2216e89
SHA1 f70534bb999bcb8f1db0cf25a7279757e794499f
SHA256 e8f50f17c994f394239350951a40c3454e9b52b0ca95cf342f2577828f390a54
SHA512 6ccd6e19ec63f20c86a28ccaffa609a2d0de7991a8eb2d6ea016bcc5d0e9f2fc28c33a15c4af891f28a9e1e4131f38f84f8e1a8859e020d6f267977075f7c66a

C:\Users\Admin\AppData\Roaming\System.Data.SQLite\gitlibcontrol.exe

MD5 1b63eb3f79b113c3ae50c3e490c4d549
SHA1 25d5360b311c71c11d73f44cb7d9305cb620d5af
SHA256 21c153355ae9c52c2f2df42ff1b8db13e99b7c8a56a13d9e71d5f59191747aba
SHA512 0412e38faf46e666210344045d79babd808562a5f8dbc99ad617ad4bb7b87ac64b3f7ffe490e1bb9dc2ee804c3fa752da88bf02f2ac661a6d3c0487245cc04cb

memory/3252-453-0x0000000000400000-0x0000000000438000-memory.dmp

memory/5020-454-0x0000000000170000-0x0000000000A81000-memory.dmp

C:\Users\Admin\AppData\Roaming\System.Data.SQLite\ue32ctmn20.dll

MD5 0b1f0dfd122b188ab703aca852efa0b6
SHA1 7ebb2903a2358f0c8847120ee054fb7bd00c785f
SHA256 1fb9ca1edaf051ee4dfab86ed64e5e0c301970b19a05fd7d37c185becaef0836
SHA512 2617c1220e849f20dcb0985688e66cf9da0dbece50af0f0559353eb6c6eb2c475b0c75c525cfad82ee963e17f3e9e5208f9c42c97491ec10b20b85f8e44cb95e

C:\Users\Admin\AppData\Roaming\System.Data.SQLite\base.xml

MD5 950be22c751d458a2e081045c0b47e10
SHA1 090c2f362d8d4fb43d5c5817b388946b49772834
SHA256 68e3a6c88bee53a4abd1b4ee126899e89351a3bd1afd02268ba89238b8cb189d
SHA512 9bbef5b61f04b06f9a6d478662c8875a4cd0067a4de245188c92054ff5ddfb9702e762052ca51a5d51db65b0b3e14a86ba431e5cb97490034f395ca4d57f1724

memory/5020-465-0x0000000000170000-0x0000000000A81000-memory.dmp