Analysis Overview
SHA256
19415b0f141eba1d036f14bc99b970db90e5f29b2656f69a56980b19214994b2
Threat Level: Known bad
The file 1b6a482264775b5ab5b792c89f4cb272 was found to be: Known bad.
Malicious Activity Summary
Vidar
Babadeda Crypter
Babadeda
Vidar Stealer
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
UPX packed file
Checks installed software on the system
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Modifies system certificate store
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2023-12-30 14:27
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 14:27
Reported
2024-01-01 02:23
Platform
win7-20231215-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
Babadeda
Babadeda Crypter
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Vidar
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Sentry Framework\smartmap.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b6a482264775b5ab5b792c89f4cb272.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b6a482264775b5ab5b792c89f4cb272.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b6a482264775b5ab5b792c89f4cb272.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b6a482264775b5ab5b792c89f4cb272.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Sentry Framework\smartmap.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Roaming\Sentry Framework\smartmap.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary certificate blob, not reproduced) | C:\Users\Admin\AppData\Roaming\Sentry Framework\smartmap.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary certificate blob, not reproduced) | C:\Users\Admin\AppData\Roaming\Sentry Framework\smartmap.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1b6a482264775b5ab5b792c89f4cb272.exe
"C:\Users\Admin\AppData\Local\Temp\1b6a482264775b5ab5b792c89f4cb272.exe"
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1798690 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\1b6a482264775b5ab5b792c89f4cb272.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-3427588347-1492276948-3422228430-1000"
C:\Users\Admin\AppData\Roaming\Sentry Framework\smartmap.exe
"C:\Users\Admin\AppData\Roaming\Sentry Framework\smartmap.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xeronxikxxx.tumblr.com | udp |
| US | 74.114.154.18:443 | xeronxikxxx.tumblr.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
| MD5 | ac23d03c4b8d531016a3c1ebfa2bc91c |
| SHA1 | 11383627d5515ed2257f594db7fbce3a4b9106f8 |
| SHA256 | 0ddd10f3c8a3268237117f08a94c52ead801a76286bb76d0f521b56689801d06 |
| SHA512 | bb649ab787a05dba410ce43a592b7f122c71f1fdc69bbb8789c57a3e64018189eebb9b46669a2d6a1b156818bb59beed130aeae6e1928108dee16168445659c1 |
memory/3036-6-0x0000000002F10000-0x00000000032F8000-memory.dmp
memory/3036-15-0x0000000002F10000-0x00000000032F8000-memory.dmp
memory/2504-17-0x0000000001240000-0x0000000001628000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
| MD5 | e7a789232ef503dcb4929791673009a3 |
| SHA1 | 8bc28bce4c9d8b4a6e360100441ba54a878de4c1 |
| SHA256 | 89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1 |
| SHA512 | 6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87 |
C:\Users\Admin\AppData\Roaming\Sentry Framework\Lang\en\Phototheca EULA.rtf
| MD5 | 9325aee138a4d9a15d651920fb403ffc |
| SHA1 | 19eb57cd989571fa8cd426cbd680430c0e006408 |
| SHA256 | 9c8346c7f288e63933ebda42cbb874f76067c48198b01adfb63bccfa11970c35 |
| SHA512 | d3c0ccf217346e44436ac4f9db3e71b6d2eb152930005f019db5b58dcce923d94007e77fa5b938e182073c2e55163e886853b00e3fc22f135d70854120a218a8 |
C:\Users\Admin\AppData\Roaming\Sentry Framework\Lang\fr\searchhelp.rtf
| MD5 | 520077fd6d03c64c735258d4d87921d8 |
| SHA1 | 1b8d82d7da2d85527ce91e72f179fb8a418d47de |
| SHA256 | 6faf5a4f8a729dbdc4082a7f33ffde3e72ef34acbf0875932b3e4427bfd9b598 |
| SHA512 | 8ccd614aaf7cee74a0ed8b34267db004f240ed51d41dd80caeef12fe29a785d4e109b2526acf4c04ff30edc025c1e4afd7e9e11b32ca08ecc3ced7435514d4de |
C:\Users\Admin\AppData\Roaming\Sentry Framework\COPYING.txt
| MD5 | cedef94f5701b0f14e5d358caf023480 |
| SHA1 | fc717140a9dd390068bad40a70f55e502f7c66e8 |
| SHA256 | 54327b2950ffac8999f869515d44b8c6fbbe6a3764c7573518f920b8988cbf9a |
| SHA512 | bd22f9e0f008468232529c2da1639efaddca041e61e511ea0bad2a2b7ae43c43513ea7caf5371f7f0cc88bce43ed2f8ff44f053db381545398f9e03660c453f5 |
C:\Users\Admin\AppData\Roaming\Sentry Framework\RELEASE_NOTES.html
| MD5 | 77db64e395175649374d32e386fd1033 |
| SHA1 | 1e26bbd5055d3717e7f57219f2b7c1a305f84678 |
| SHA256 | 7d841eedf45ff8a6e61e9e3bd8e03414fff2dd650eef9b8d5b9102949e2fa163 |
| SHA512 | 238ef2258060e4ff43184dfc42d523dfed7301f5f3bef4a217827059da70ec59ec173d1550b633156824c010970f95574dd62f91e72c139bd40c083527b124a0 |
C:\Users\Admin\AppData\Roaming\Sentry Framework\Uninstall\uninstall.xml
| MD5 | fc1038543e8e17a57d1780c715cbd32b |
| SHA1 | 474f18e8d95d0b774248c8af312dc648daea1a3a |
| SHA256 | e8d6412d8b4e8b2b84f8e72799a2ddfa18358967edf38458b216e8c6b56a6005 |
| SHA512 | dd1421cc6e6308ffee0de19dcb8d76405d9b4fbde9fe487d884e012aab275627b57fec87f579ec60552c445536e6c633a56f788ab1d99ba34e6eac4e7738a746 |
C:\Users\Admin\AppData\Roaming\Sentry Framework\Uninstall\uninstall.xml
| MD5 | b35a38d9f72cc3950e780d9553e43500 |
| SHA1 | b168fb0f7f83fce470e0689f7f4ebe9c27b32cc6 |
| SHA256 | 670cb3aea6e0a7e7a01311fed78461b115540c6856761cf2672eacc1f32a9674 |
| SHA512 | bd4bce7a08306aa5d1b32d33d5c421dc51db98175c1922fde82030a730f68ff75e79993d066d29ace63badd6428c46f82539ad0accd374f7f8988baa532848a3 |
memory/2504-531-0x0000000000C30000-0x0000000000C40000-memory.dmp
C:\Users\Admin\AppData\Roaming\Sentry Framework\smartmap.exe
| MD5 | 283611ce7db656828b2aa850d80e4d52 |
| SHA1 | c536707ed3fbac4a0b8b95608fd119ca945024a7 |
| SHA256 | d63b56356c6b5bd71b479bdf020a23c9f2c9853de96296eade1768fcac02b278 |
| SHA512 | c7eaff35ee6b931d7a480de149fb5a6bf5f4f2c1d7988a60ba1e955a9fecca35a1406eaf95ef7d346adb333165293e0a43b2b815ee27ad981e2361da8bb82392 |
C:\Users\Admin\AppData\Roaming\Sentry Framework\librsvg-2-1.dll
| MD5 | 52e8bac9e1504c55e01e8aa8c2104413 |
| SHA1 | fb52993c48d90e92322c3065af529125a5b4d790 |
| SHA256 | 1b6af23ad3b5c0961790a569a70531b8cfda7e7994f63303182c1e530fa10397 |
| SHA512 | 43d21d41ed27cceda0741b7f9ada0f202f85441c9d1a6d544f23e296c7c462e8edad57ad74b6349eee31a51f9db543d0fea4605e0483e7fec3ab5cabdb05ded4 |
C:\Users\Admin\AppData\Roaming\Sentry Framework\ui.xml
| MD5 | 1685e7d5daf2431688974106d7ec55c8 |
| SHA1 | 5958995da6f985493558a15c916d72b1ea2184d4 |
| SHA256 | 7154d9211f795054f7a60f072d7d22c4cff87e49d8b724a1897952f39d728f19 |
| SHA512 | 2ee37c33fc2975e21ab27e84f041582663dc131de0fbaf3fc6387c97f34e81d1e3fc7152bbd0e11269e74a135f45a32b265fbf6fda198654d409e0c864cc24d1 |
memory/2504-548-0x0000000001240000-0x0000000001628000-memory.dmp
memory/1224-552-0x0000000000400000-0x0000000000B07000-memory.dmp
memory/1224-554-0x00000000027B0000-0x00000000057B0000-memory.dmp
memory/1224-555-0x0000000000400000-0x0000000000B07000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabB35A.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\TarB3BA.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
memory/1224-598-0x00000000027B0000-0x00000000057B0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 14:27
Reported
2024-01-01 02:23
Platform
win10v2004-20231215-en
Max time kernel
51s
Max time network
141s
Command Line
Signatures
Babadeda
Babadeda Crypter
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Vidar
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1b6a482264775b5ab5b792c89f4cb272.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Sentry Framework\smartmap.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Sentry Framework\smartmap.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\Sentry Framework\smartmap.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\Sentry Framework\smartmap.exe |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1b6a482264775b5ab5b792c89f4cb272.exe
"C:\Users\Admin\AppData\Local\Temp\1b6a482264775b5ab5b792c89f4cb272.exe"
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1798690 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\1b6a482264775b5ab5b792c89f4cb272.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-1497073144-2389943819-3385106915-1000"
C:\Users\Admin\AppData\Roaming\Sentry Framework\smartmap.exe
"C:\Users\Admin\AppData\Roaming\Sentry Framework\smartmap.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2028 -ip 2028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2028 -ip 2028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 1588
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 146.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xeronxikxxx.tumblr.com | udp |
| US | 74.114.154.18:443 | xeronxikxxx.tumblr.com | tcp |
| US | 8.8.8.8:53 | 18.154.114.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| IE | 52.111.236.23:443 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| FR | 20.199.58.43:443 | | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| FR | 20.199.58.43:443 | | tcp |
| FR | 20.199.58.43:443 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
| MD5 | ac23d03c4b8d531016a3c1ebfa2bc91c |
| SHA1 | 11383627d5515ed2257f594db7fbce3a4b9106f8 |
| SHA256 | 0ddd10f3c8a3268237117f08a94c52ead801a76286bb76d0f521b56689801d06 |
| SHA512 | bb649ab787a05dba410ce43a592b7f122c71f1fdc69bbb8789c57a3e64018189eebb9b46669a2d6a1b156818bb59beed130aeae6e1928108dee16168445659c1 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
| MD5 | 629837597bfa4fcb7a124907c1e404d8 |
| SHA1 | 426777b49fa754dc17522f645f05351b2fb09d58 |
| SHA256 | dedf77699b799afb2eb9c30f33a7a026cad3459c294af54008f38269c6e874e3 |
| SHA512 | 3b8ea64df085e222eb758e76de45f4863c78edcdb5440ce28792e7f021f12f14d1636178431e14d54e9e33b7af5fa1f7e132b01b268f83f35c6f5265407dbfa0 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
| MD5 | e7a789232ef503dcb4929791673009a3 |
| SHA1 | 8bc28bce4c9d8b4a6e360100441ba54a878de4c1 |
| SHA256 | 89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1 |
| SHA512 | 6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87 |
memory/4688-13-0x00000000005D0000-0x00000000009B8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
| MD5 | d2f4bc357b954f71c563f6073387bbe1 |
| SHA1 | 1fc41b50de9baa6d8ecb05636a21fbb2fcd3abf0 |
| SHA256 | 898a40625625818e0c7134a5c2d20213681038c336e45b1454bb7b0920d1496b |
| SHA512 | e62abeb786aec2facb5a1adf0a25b48a670469f71184a8fdb5b7fd1cb7d04df9cec15287992f29c71198f78000fa1d863de3aea7bc821750bd826fc32974b46c |
C:\Users\Admin\AppData\Roaming\Sentry Framework\Lang\it\Phototheca EULA.rtf
| MD5 | 9325aee138a4d9a15d651920fb403ffc |
| SHA1 | 19eb57cd989571fa8cd426cbd680430c0e006408 |
| SHA256 | 9c8346c7f288e63933ebda42cbb874f76067c48198b01adfb63bccfa11970c35 |
| SHA512 | d3c0ccf217346e44436ac4f9db3e71b6d2eb152930005f019db5b58dcce923d94007e77fa5b938e182073c2e55163e886853b00e3fc22f135d70854120a218a8 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/4688-382-0x00000000005D0000-0x00000000009B8000-memory.dmp
memory/2028-384-0x0000000000400000-0x0000000000B07000-memory.dmp
memory/2028-386-0x0000000002DD0000-0x0000000005DD0000-memory.dmp
memory/2028-396-0x0000000000400000-0x0000000000B07000-memory.dmp
memory/2028-398-0x0000000002DD0000-0x0000000005DD0000-memory.dmp