Malware Analysis Report

2024-09-22 16:43

Sample ID 231230-rsvsdahahk
Target 1b6a482264775b5ab5b792c89f4cb272
SHA256 19415b0f141eba1d036f14bc99b970db90e5f29b2656f69a56980b19214994b2
Tags
babadeda vidar 953 crypter discovery loader stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

19415b0f141eba1d036f14bc99b970db90e5f29b2656f69a56980b19214994b2

Threat Level: Known bad

The file 1b6a482264775b5ab5b792c89f4cb272 was found to be: Known bad.

Malicious Activity Summary

babadeda vidar 953 crypter discovery loader stealer upx

Vidar

Babadeda Crypter

Babadeda

Vidar Stealer

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

UPX packed file

Checks installed software on the system

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies system certificate store

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2023-12-30 14:27

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 14:27

Reported

2024-01-01 02:23

Platform

win7-20231215-en

Max time kernel

118s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b6a482264775b5ab5b792c89f4cb272.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Vidar

stealer vidar

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Roaming\Sentry Framework\smartmap.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Roaming\Sentry Framework\smartmap.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Roaming\Sentry Framework\smartmap.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3036 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\1b6a482264775b5ab5b792c89f4cb272.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 3036 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\1b6a482264775b5ab5b792c89f4cb272.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 3036 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\1b6a482264775b5ab5b792c89f4cb272.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 3036 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\1b6a482264775b5ab5b792c89f4cb272.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 3036 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\1b6a482264775b5ab5b792c89f4cb272.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 3036 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\1b6a482264775b5ab5b792c89f4cb272.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 3036 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\1b6a482264775b5ab5b792c89f4cb272.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2504 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Roaming\Sentry Framework\smartmap.exe
PID 2504 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Roaming\Sentry Framework\smartmap.exe
PID 2504 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Roaming\Sentry Framework\smartmap.exe
PID 2504 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Roaming\Sentry Framework\smartmap.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1b6a482264775b5ab5b792c89f4cb272.exe

"C:\Users\Admin\AppData\Local\Temp\1b6a482264775b5ab5b792c89f4cb272.exe"

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1798690 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\1b6a482264775b5ab5b792c89f4cb272.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-3427588347-1492276948-3422228430-1000"

C:\Users\Admin\AppData\Roaming\Sentry Framework\smartmap.exe

"C:\Users\Admin\AppData\Roaming\Sentry Framework\smartmap.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 xeronxikxxx.tumblr.com udp
US 74.114.154.18:443 xeronxikxxx.tumblr.com tcp

Files

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 ac23d03c4b8d531016a3c1ebfa2bc91c
SHA1 11383627d5515ed2257f594db7fbce3a4b9106f8
SHA256 0ddd10f3c8a3268237117f08a94c52ead801a76286bb76d0f521b56689801d06
SHA512 bb649ab787a05dba410ce43a592b7f122c71f1fdc69bbb8789c57a3e64018189eebb9b46669a2d6a1b156818bb59beed130aeae6e1928108dee16168445659c1

memory/3036-6-0x0000000002F10000-0x00000000032F8000-memory.dmp

memory/3036-15-0x0000000002F10000-0x00000000032F8000-memory.dmp

memory/2504-17-0x0000000001240000-0x0000000001628000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

MD5 e7a789232ef503dcb4929791673009a3
SHA1 8bc28bce4c9d8b4a6e360100441ba54a878de4c1
SHA256 89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1
SHA512 6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

C:\Users\Admin\AppData\Roaming\Sentry Framework\Lang\en\Phototheca EULA.rtf

MD5 9325aee138a4d9a15d651920fb403ffc
SHA1 19eb57cd989571fa8cd426cbd680430c0e006408
SHA256 9c8346c7f288e63933ebda42cbb874f76067c48198b01adfb63bccfa11970c35
SHA512 d3c0ccf217346e44436ac4f9db3e71b6d2eb152930005f019db5b58dcce923d94007e77fa5b938e182073c2e55163e886853b00e3fc22f135d70854120a218a8

C:\Users\Admin\AppData\Roaming\Sentry Framework\Lang\fr\searchhelp.rtf

MD5 520077fd6d03c64c735258d4d87921d8
SHA1 1b8d82d7da2d85527ce91e72f179fb8a418d47de
SHA256 6faf5a4f8a729dbdc4082a7f33ffde3e72ef34acbf0875932b3e4427bfd9b598
SHA512 8ccd614aaf7cee74a0ed8b34267db004f240ed51d41dd80caeef12fe29a785d4e109b2526acf4c04ff30edc025c1e4afd7e9e11b32ca08ecc3ced7435514d4de

C:\Users\Admin\AppData\Roaming\Sentry Framework\COPYING.txt

MD5 cedef94f5701b0f14e5d358caf023480
SHA1 fc717140a9dd390068bad40a70f55e502f7c66e8
SHA256 54327b2950ffac8999f869515d44b8c6fbbe6a3764c7573518f920b8988cbf9a
SHA512 bd22f9e0f008468232529c2da1639efaddca041e61e511ea0bad2a2b7ae43c43513ea7caf5371f7f0cc88bce43ed2f8ff44f053db381545398f9e03660c453f5

C:\Users\Admin\AppData\Roaming\Sentry Framework\RELEASE_NOTES.html

MD5 77db64e395175649374d32e386fd1033
SHA1 1e26bbd5055d3717e7f57219f2b7c1a305f84678
SHA256 7d841eedf45ff8a6e61e9e3bd8e03414fff2dd650eef9b8d5b9102949e2fa163
SHA512 238ef2258060e4ff43184dfc42d523dfed7301f5f3bef4a217827059da70ec59ec173d1550b633156824c010970f95574dd62f91e72c139bd40c083527b124a0

C:\Users\Admin\AppData\Roaming\Sentry Framework\Uninstall\uninstall.xml

MD5 fc1038543e8e17a57d1780c715cbd32b
SHA1 474f18e8d95d0b774248c8af312dc648daea1a3a
SHA256 e8d6412d8b4e8b2b84f8e72799a2ddfa18358967edf38458b216e8c6b56a6005
SHA512 dd1421cc6e6308ffee0de19dcb8d76405d9b4fbde9fe487d884e012aab275627b57fec87f579ec60552c445536e6c633a56f788ab1d99ba34e6eac4e7738a746

C:\Users\Admin\AppData\Roaming\Sentry Framework\Uninstall\uninstall.xml

MD5 b35a38d9f72cc3950e780d9553e43500
SHA1 b168fb0f7f83fce470e0689f7f4ebe9c27b32cc6
SHA256 670cb3aea6e0a7e7a01311fed78461b115540c6856761cf2672eacc1f32a9674
SHA512 bd4bce7a08306aa5d1b32d33d5c421dc51db98175c1922fde82030a730f68ff75e79993d066d29ace63badd6428c46f82539ad0accd374f7f8988baa532848a3

memory/2504-531-0x0000000000C30000-0x0000000000C40000-memory.dmp

C:\Users\Admin\AppData\Roaming\Sentry Framework\smartmap.exe

MD5 283611ce7db656828b2aa850d80e4d52
SHA1 c536707ed3fbac4a0b8b95608fd119ca945024a7
SHA256 d63b56356c6b5bd71b479bdf020a23c9f2c9853de96296eade1768fcac02b278
SHA512 c7eaff35ee6b931d7a480de149fb5a6bf5f4f2c1d7988a60ba1e955a9fecca35a1406eaf95ef7d346adb333165293e0a43b2b815ee27ad981e2361da8bb82392

C:\Users\Admin\AppData\Roaming\Sentry Framework\librsvg-2-1.dll

MD5 52e8bac9e1504c55e01e8aa8c2104413
SHA1 fb52993c48d90e92322c3065af529125a5b4d790
SHA256 1b6af23ad3b5c0961790a569a70531b8cfda7e7994f63303182c1e530fa10397
SHA512 43d21d41ed27cceda0741b7f9ada0f202f85441c9d1a6d544f23e296c7c462e8edad57ad74b6349eee31a51f9db543d0fea4605e0483e7fec3ab5cabdb05ded4

C:\Users\Admin\AppData\Roaming\Sentry Framework\ui.xml

MD5 1685e7d5daf2431688974106d7ec55c8
SHA1 5958995da6f985493558a15c916d72b1ea2184d4
SHA256 7154d9211f795054f7a60f072d7d22c4cff87e49d8b724a1897952f39d728f19
SHA512 2ee37c33fc2975e21ab27e84f041582663dc131de0fbaf3fc6387c97f34e81d1e3fc7152bbd0e11269e74a135f45a32b265fbf6fda198654d409e0c864cc24d1

memory/2504-548-0x0000000001240000-0x0000000001628000-memory.dmp

memory/1224-552-0x0000000000400000-0x0000000000B07000-memory.dmp

memory/1224-554-0x00000000027B0000-0x00000000057B0000-memory.dmp

memory/1224-555-0x0000000000400000-0x0000000000B07000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabB35A.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarB3BA.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

memory/1224-598-0x00000000027B0000-0x00000000057B0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 14:27

Reported

2024-01-01 02:23

Platform

win10v2004-20231215-en

Max time kernel

51s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b6a482264775b5ab5b792c89f4cb272.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Vidar

stealer vidar

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1b6a482264775b5ab5b792c89f4cb272.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1b6a482264775b5ab5b792c89f4cb272.exe

"C:\Users\Admin\AppData\Local\Temp\1b6a482264775b5ab5b792c89f4cb272.exe"

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1798690 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\1b6a482264775b5ab5b792c89f4cb272.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-1497073144-2389943819-3385106915-1000"

C:\Users\Admin\AppData\Roaming\Sentry Framework\smartmap.exe

"C:\Users\Admin\AppData\Roaming\Sentry Framework\smartmap.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2028 -ip 2028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2028 -ip 2028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 1588

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 19.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 xeronxikxxx.tumblr.com udp
US 74.114.154.18:443 xeronxikxxx.tumblr.com tcp
US 8.8.8.8:53 18.154.114.74.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
FR 20.199.58.43:443 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
FR 20.199.58.43:443 tcp
FR 20.199.58.43:443 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 ac23d03c4b8d531016a3c1ebfa2bc91c
SHA1 11383627d5515ed2257f594db7fbce3a4b9106f8
SHA256 0ddd10f3c8a3268237117f08a94c52ead801a76286bb76d0f521b56689801d06
SHA512 bb649ab787a05dba410ce43a592b7f122c71f1fdc69bbb8789c57a3e64018189eebb9b46669a2d6a1b156818bb59beed130aeae6e1928108dee16168445659c1

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 629837597bfa4fcb7a124907c1e404d8
SHA1 426777b49fa754dc17522f645f05351b2fb09d58
SHA256 dedf77699b799afb2eb9c30f33a7a026cad3459c294af54008f38269c6e874e3
SHA512 3b8ea64df085e222eb758e76de45f4863c78edcdb5440ce28792e7f021f12f14d1636178431e14d54e9e33b7af5fa1f7e132b01b268f83f35c6f5265407dbfa0

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

MD5 e7a789232ef503dcb4929791673009a3
SHA1 8bc28bce4c9d8b4a6e360100441ba54a878de4c1
SHA256 89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1
SHA512 6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

memory/4688-13-0x00000000005D0000-0x00000000009B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 d2f4bc357b954f71c563f6073387bbe1
SHA1 1fc41b50de9baa6d8ecb05636a21fbb2fcd3abf0
SHA256 898a40625625818e0c7134a5c2d20213681038c336e45b1454bb7b0920d1496b
SHA512 e62abeb786aec2facb5a1adf0a25b48a670469f71184a8fdb5b7fd1cb7d04df9cec15287992f29c71198f78000fa1d863de3aea7bc821750bd826fc32974b46c

C:\Users\Admin\AppData\Roaming\Sentry Framework\Lang\it\Phototheca EULA.rtf

MD5 9325aee138a4d9a15d651920fb403ffc
SHA1 19eb57cd989571fa8cd426cbd680430c0e006408
SHA256 9c8346c7f288e63933ebda42cbb874f76067c48198b01adfb63bccfa11970c35
SHA512 d3c0ccf217346e44436ac4f9db3e71b6d2eb152930005f019db5b58dcce923d94007e77fa5b938e182073c2e55163e886853b00e3fc22f135d70854120a218a8

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4688-382-0x00000000005D0000-0x00000000009B8000-memory.dmp

memory/2028-384-0x0000000000400000-0x0000000000B07000-memory.dmp

memory/2028-386-0x0000000002DD0000-0x0000000005DD0000-memory.dmp

memory/2028-396-0x0000000000400000-0x0000000000B07000-memory.dmp

memory/2028-398-0x0000000002DD0000-0x0000000005DD0000-memory.dmp