Malware Analysis Report

2024-09-22 16:36

Sample ID 240119-a63lpscdf4
Target 6678549db6974d6962363d8b82ee7be2
SHA256 ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc
Tags
babadeda crypter loader
score
10/10

Analysis Overview

score
10/10

SHA256

ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc

Threat Level: Known bad

The file 6678549db6974d6962363d8b82ee7be2 was found to be: Known bad.

Malicious Activity Summary

babadeda crypter loader

Babadeda

Babadeda Crypter

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Looks up external IP address via web service

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-01-19 00:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-19 00:50

Reported

2024-01-19 02:47

Platform

win7-20231215-en

Max time kernel

141s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-D5MU8.tmp\6678549db6974d6962363d8b82ee7be2.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2388 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe C:\Users\Admin\AppData\Local\Temp\is-VHFJB.tmp\6678549db6974d6962363d8b82ee7be2.tmp
PID 2388 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe C:\Users\Admin\AppData\Local\Temp\is-VHFJB.tmp\6678549db6974d6962363d8b82ee7be2.tmp
PID 2388 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe C:\Users\Admin\AppData\Local\Temp\is-VHFJB.tmp\6678549db6974d6962363d8b82ee7be2.tmp
PID 2388 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe C:\Users\Admin\AppData\Local\Temp\is-VHFJB.tmp\6678549db6974d6962363d8b82ee7be2.tmp
PID 2388 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe C:\Users\Admin\AppData\Local\Temp\is-VHFJB.tmp\6678549db6974d6962363d8b82ee7be2.tmp
PID 2388 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe C:\Users\Admin\AppData\Local\Temp\is-VHFJB.tmp\6678549db6974d6962363d8b82ee7be2.tmp
PID 2388 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe C:\Users\Admin\AppData\Local\Temp\is-VHFJB.tmp\6678549db6974d6962363d8b82ee7be2.tmp
PID 2336 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\is-VHFJB.tmp\6678549db6974d6962363d8b82ee7be2.tmp C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe
PID 2336 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\is-VHFJB.tmp\6678549db6974d6962363d8b82ee7be2.tmp C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe
PID 2336 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\is-VHFJB.tmp\6678549db6974d6962363d8b82ee7be2.tmp C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe
PID 2336 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\is-VHFJB.tmp\6678549db6974d6962363d8b82ee7be2.tmp C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe
PID 2336 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\is-VHFJB.tmp\6678549db6974d6962363d8b82ee7be2.tmp C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe
PID 2336 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\is-VHFJB.tmp\6678549db6974d6962363d8b82ee7be2.tmp C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe
PID 2336 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\is-VHFJB.tmp\6678549db6974d6962363d8b82ee7be2.tmp C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe
PID 2676 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe C:\Users\Admin\AppData\Local\Temp\is-D5MU8.tmp\6678549db6974d6962363d8b82ee7be2.tmp
PID 2676 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe C:\Users\Admin\AppData\Local\Temp\is-D5MU8.tmp\6678549db6974d6962363d8b82ee7be2.tmp
PID 2676 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe C:\Users\Admin\AppData\Local\Temp\is-D5MU8.tmp\6678549db6974d6962363d8b82ee7be2.tmp
PID 2676 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe C:\Users\Admin\AppData\Local\Temp\is-D5MU8.tmp\6678549db6974d6962363d8b82ee7be2.tmp
PID 2676 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe C:\Users\Admin\AppData\Local\Temp\is-D5MU8.tmp\6678549db6974d6962363d8b82ee7be2.tmp
PID 2676 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe C:\Users\Admin\AppData\Local\Temp\is-D5MU8.tmp\6678549db6974d6962363d8b82ee7be2.tmp
PID 2676 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe C:\Users\Admin\AppData\Local\Temp\is-D5MU8.tmp\6678549db6974d6962363d8b82ee7be2.tmp
PID 2956 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\is-D5MU8.tmp\6678549db6974d6962363d8b82ee7be2.tmp C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe
PID 2956 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\is-D5MU8.tmp\6678549db6974d6962363d8b82ee7be2.tmp C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe
PID 2956 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\is-D5MU8.tmp\6678549db6974d6962363d8b82ee7be2.tmp C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe
PID 2956 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\is-D5MU8.tmp\6678549db6974d6962363d8b82ee7be2.tmp C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe

"C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe"

C:\Users\Admin\AppData\Local\Temp\is-VHFJB.tmp\6678549db6974d6962363d8b82ee7be2.tmp

"C:\Users\Admin\AppData\Local\Temp\is-VHFJB.tmp\6678549db6974d6962363d8b82ee7be2.tmp" /SL5="$400F4,4197708,831488,C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe"

C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe

"C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\is-D5MU8.tmp\6678549db6974d6962363d8b82ee7be2.tmp

"C:\Users\Admin\AppData\Local\Temp\is-D5MU8.tmp\6678549db6974d6962363d8b82ee7be2.tmp" /SL5="$70120,4197708,831488,C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe" /VERYSILENT

C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe

"C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 64.185.227.156:80 api.ipify.org tcp
MD 45.142.212.149:80 tcp
MD 45.142.212.149:80 tcp
MD 45.142.212.149:80 tcp
MD 45.142.212.149:80 tcp
MD 45.142.212.149:80 tcp

Files

memory/2388-0-0x0000000000400000-0x00000000004D8000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-VHFJB.tmp\6678549db6974d6962363d8b82ee7be2.tmp

MD5 c072361ac82755ffda80f067bb88ce3d
SHA1 6d7612ea450d83ec19b1fbee417ba988398fa379
SHA256 5c463d6e08109507f2bdf3738e6187061e3375a5d6b25cca367abc1b35f1e551
SHA512 e0860a24b74e77f7139415ce2a3ffeffb184176a596bfd3b6a33207a2eaeed5c243800cb02945674e7b12d63f530cc2c15ea8c1e29ed61b79bbe95a4d69a0fa7

C:\Users\Admin\AppData\Local\Temp\is-VHFJB.tmp\6678549db6974d6962363d8b82ee7be2.tmp

MD5 688580aee28364e47054759d00d5deb3
SHA1 d04e840dc6fbfd17ebde15b4f99555ea70e58dac
SHA256 fc287c98cfdcb42402750f949be8b0d391241925cc4debd3bd2ac37567c5b6c9
SHA512 56c26d4924d46966a6783a4b69e9f7ebb211a8309f846d9649c397f6c80556f8fdd43a551cd7879043b0ba59c15972f881dd0bd17d6930f129da63e90a15c8ff

memory/2336-7-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2336-11-0x0000000000400000-0x000000000071A000-memory.dmp

memory/2676-10-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-D5MU8.tmp\6678549db6974d6962363d8b82ee7be2.tmp

MD5 e1f761cde120ab5fb715eaa71bfdf516
SHA1 b56561aa0cbcd55eafeec32d6e88a9b3c503dfc2
SHA256 98a177df49a0e70e73202e033ed2e2a4e7e4d55f3a0824eff90b057ba34c3c90
SHA512 4bd1c4fdcc83c34ab89b7c68c926019c291d85e99fb16031ccf582215bb305635fff29a74c7b3306dcf8d13aa14901ed7a7ace59b55ec8d1b9e0e553ae94b591

memory/2388-17-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/2956-21-0x0000000000240000-0x0000000000241000-memory.dmp

\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe

MD5 7a02ce6b522ba864109b8b45725be181
SHA1 8de711069679063678d23b053615a4174f83f278
SHA256 afd8679dacd4859db26d3557fe1fac43350eea39e0001865158e1a1cea02a9f1
SHA512 ca5694b0a9ab1591081e577feb9601108d5593a668667bdb5fb0e6398c528afb5d921f1c12ff4a92fcf2dabbe561fe4ce7ebad588de2d296a55fad699469c565

memory/2956-460-0x0000000003F00000-0x0000000003F10000-memory.dmp

C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe

MD5 20d63e4d1d3d46658ad8190d12ce226f
SHA1 fa85ac197fa74a86e7148fbbd970409dcfabc91f
SHA256 4e9b60406f83f95c951bc5e8ebec7f2a11fa7a8d60324ae991f87829252abc96
SHA512 857b877af96b9659b7e94ec4583c1d0fd285979f26d54d5cd0abab4ff48ae7426de5c5faadc2c846134331c108b221f7c649b949e80ea56af639cf4edce9841c

\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe

MD5 5e2280b28757d342699e94953ecc6477
SHA1 8250222a4e90607205c7c96f4018a078db7836bc
SHA256 9dff030919c8f7c5cc221aab5c05307bfaf35a266a7ae58f9cdc11cf5a55ad5c
SHA512 27f72a7a147f613b6fee562960a3b096cd6817861a47d02056728a7d6cca449fcce61e18ab66f0434bfc890214f0ed52d80093d3f1a133648fd5705cc48619eb

C:\Users\Admin\AppData\Roaming\SharpShell Configurator\qclp.dll

MD5 9f87dd2c42e20f2ddda8945e37797cdf
SHA1 065b4f901eb52404fd1c87f2ec80d8cc1d55b30e
SHA256 301ca38c72885d3dfa043d7f2ce8bb0b06b6519dd691992fcc3841d0cc7a88c1
SHA512 ad6098b4cfb49c1aadaf6b1496a7430ec5cafd0e9e0886af1bbe9468eba27172d7b8f7eb62edf3025f319a18b82e2f8141b35a3b2e70dda23a837a6ba6d48479

memory/2956-466-0x00000000044F0000-0x00000000049C2000-memory.dmp

\Users\Admin\AppData\Roaming\SharpShell Configurator\qclp.dll

MD5 35a2e37dcaf6c1afbe1060840bdd11df
SHA1 ce5436b9cde7734a0b7026fde6c04acb0a062869
SHA256 15c35537fdb4359a27f8ed4d6fcc464288601730b40d40ca5591bc301c3a39b7
SHA512 12a0fe0410f06ec7ad86eae6cf7fe710bfafcbd17c7827c6e6a5b7cff653f7161aba814af4b30f525c83d40ff633f90bf72bdc887ae2fbb0a8a3d7892bbf4765

C:\Users\Admin\AppData\Roaming\SharpShell Configurator\menu.xml

MD5 cb2d543f6b9936599848824ddb769661
SHA1 707c7bf30bc47aab26780c70accaaa6824395aa1
SHA256 b3f91f360c775655a7c22acb7f81905c9f2b1217c456f0542418e2460c998191
SHA512 61e621aa47bacca92aafa8765c494871d3409b807427479fe6ab5cbc87f37310621710b7cd180ba894b7eee643ce9467fcdc625ecfa5c837480b4de845d23346

C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe

MD5 b27961b9dbd41f562f0243aa5ad527e1
SHA1 e154419c584057be1024892c918406b5ed128f79
SHA256 f72cfdc607db3acbfe90bca1ea74856419f41f8e3634e4ad2c62f421f771cb1a
SHA512 df80b8c4a033ca6a5754fe271b324faee6646676a3855e8dc179986a14d1a1a99672f6a4deee0c38ae71d45e01816b5de1d921ac415bf71b9bc44a006104d01b

memory/1092-470-0x0000000000400000-0x00000000008D2000-memory.dmp

memory/2956-472-0x0000000000400000-0x000000000071A000-memory.dmp

memory/2676-474-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\ProgramData\kaosdma.txt

MD5 8cf4dec152a9d79a3d62202b886eda9b
SHA1 0c1b3d3d02c0b655aa3526a58486b84872f18cc2
SHA256 c30e56c9c8fe30ffa4a4ff712cf2fa1808ee82ca258cd4c8ebefcc82250b6c01
SHA512 a5a65f0604f8553d0be07bd5214db52d3f167e7511d29cb64e3fa9d8c510cc79976ff2a5acb9b8c09b666f306ac8e4ad389f9a2de3ca46d57b1e91060a4c50fd

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-19 00:50

Reported

2024-01-19 02:46

Platform

win10v2004-20231222-en

Max time kernel

139s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-KB11R.tmp\6678549db6974d6962363d8b82ee7be2.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-59RLI.tmp\6678549db6974d6962363d8b82ee7be2.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-59RLI.tmp\6678549db6974d6962363d8b82ee7be2.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 400 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe C:\Users\Admin\AppData\Local\Temp\is-KB11R.tmp\6678549db6974d6962363d8b82ee7be2.tmp
PID 400 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe C:\Users\Admin\AppData\Local\Temp\is-KB11R.tmp\6678549db6974d6962363d8b82ee7be2.tmp
PID 400 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe C:\Users\Admin\AppData\Local\Temp\is-KB11R.tmp\6678549db6974d6962363d8b82ee7be2.tmp
PID 4524 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\is-KB11R.tmp\6678549db6974d6962363d8b82ee7be2.tmp C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe
PID 4524 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\is-KB11R.tmp\6678549db6974d6962363d8b82ee7be2.tmp C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe
PID 4524 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\is-KB11R.tmp\6678549db6974d6962363d8b82ee7be2.tmp C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe
PID 2620 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe C:\Users\Admin\AppData\Local\Temp\is-59RLI.tmp\6678549db6974d6962363d8b82ee7be2.tmp
PID 2620 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe C:\Users\Admin\AppData\Local\Temp\is-59RLI.tmp\6678549db6974d6962363d8b82ee7be2.tmp
PID 2620 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe C:\Users\Admin\AppData\Local\Temp\is-59RLI.tmp\6678549db6974d6962363d8b82ee7be2.tmp
PID 3848 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\is-59RLI.tmp\6678549db6974d6962363d8b82ee7be2.tmp C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe
PID 3848 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\is-59RLI.tmp\6678549db6974d6962363d8b82ee7be2.tmp C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe
PID 3848 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\is-59RLI.tmp\6678549db6974d6962363d8b82ee7be2.tmp C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe

"C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe"

C:\Users\Admin\AppData\Local\Temp\is-KB11R.tmp\6678549db6974d6962363d8b82ee7be2.tmp

"C:\Users\Admin\AppData\Local\Temp\is-KB11R.tmp\6678549db6974d6962363d8b82ee7be2.tmp" /SL5="$70056,4197708,831488,C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe"

C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe

"C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\is-59RLI.tmp\6678549db6974d6962363d8b82ee7be2.tmp

"C:\Users\Admin\AppData\Local\Temp\is-59RLI.tmp\6678549db6974d6962363d8b82ee7be2.tmp" /SL5="$60184,4197708,831488,C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe" /VERYSILENT

C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe

"C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 64.185.227.156:80 api.ipify.org tcp
MD 45.142.212.149:80 tcp
US 8.8.8.8:53 156.227.185.64.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
MD 45.142.212.149:80 tcp
MD 45.142.212.149:80 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
MD 45.142.212.149:80 tcp
MD 45.142.212.149:80 tcp

Files

memory/400-0-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/400-2-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-KB11R.tmp\6678549db6974d6962363d8b82ee7be2.tmp

MD5 57a06e07060d585c38dcc166d641e5c1
SHA1 c354fd98258370e716e3471b07b845629cce9619
SHA256 15121d314f6e6867076ac102ca2484f79a82accd3d10b2474a5249a56a02bb6c
SHA512 2ffe8735b69c2a05d52402db56366f11330a1a70820d4ed16a206aba4a896bd8858bbc2936ea0b0d6f42d80c0a537fe77b7c97d75fb8ba93e0962aaa7fbf83b2

memory/4524-6-0x0000000002820000-0x0000000002821000-memory.dmp

memory/2620-9-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/400-13-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/3848-17-0x00000000025E0000-0x00000000025E1000-memory.dmp

memory/4524-11-0x0000000000400000-0x000000000071A000-memory.dmp

C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe

MD5 9ed28c93a57204a74f55211b8900a1b1
SHA1 0241e2c2c074dc4097d9441646a66b18938d4324
SHA256 b32b321ddf33641ae04f85edd3d3501bd07d6a094e63db668b70d8b4f011a7d9
SHA512 c0d8b7bac1618cc21ae826c6eceb3c8223f76c16783e209ea8a3957787372b8ce258c2df68878c8398b3d070cac095baa0db35b07290feb1026a79cd09830d05

C:\Users\Admin\AppData\Roaming\SharpShell Configurator\menu.xml

MD5 f7d3204f988639ac885aaf487784eed2
SHA1 be29d74eb70d1ffc9331575c546ae8e822fff709
SHA256 811c4039afefcf4b9437c90da42667c2465bfdd2e6754361267aa43e88827fc9
SHA512 44fbca7efb1e3b6c2b49ca7221d86ce23d308f2e232166fd6f85692dbdd931b67ecae9b40f80b36f18aa38544ecfb13a3183063bcc1fcbac205c79e841ba0182

C:\Users\Admin\AppData\Roaming\SharpShell Configurator\qclp.dll

MD5 2d64bc914fcf5ed3e8e266eedb66b244
SHA1 a6bc1dc43e3fa094c01b36a5b5e43068d54e99d5
SHA256 11f8d59022e89e27a38367b0665528e01b4d193c6efb02c9941ad66230437ea2
SHA512 801a1f8225b757cfa64a1be363b6e86a78d2e65ab4aadfb30fc59c0610ca81949c462e4604c78fd05454603da675efd86c6750e195fe6ab848780a0a50337e5a

memory/3252-467-0x0000000000400000-0x00000000008D2000-memory.dmp

C:\Users\Admin\AppData\Roaming\SharpShell Configurator\qclp.dll

MD5 801591ff035ff7d05785157fbf977c31
SHA1 0f0e2538e622c9ca6f7ad133a4dea929765b01f1
SHA256 41871ccefc813203a0661763ab340dcabf449e0d76ff58d46c05f747e96ff4d3
SHA512 f6c7bdcf45a07f531ff9841198cee1cf5587acd5bd6223ab62429c755cb1baa217c691f5dd1715435ba4c36b81ab8941a883025e6ac5cc5070679abf208909fd

C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe

MD5 7b2ed4e658885205038a38a55da93dea
SHA1 efe839d6b4e95ecd7eb210ccc94e7d4b492788ac
SHA256 28e1ae3685afe6a0d0421e1704023cc717ec2bb86b59be9c39ec218698ac4973
SHA512 8fac1d598496e907359e773a44567dc96c8d0cbe55cfe4d9e74329e9ecd4427fe71d32c1f7f648310267138cb40887b91269f0965d7ffe959c511a2218636e8e

C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe

MD5 82b3c20f785bc7c3db291a734c2991ea
SHA1 85b969bebb947c8b8bf86e4315cf93cff288f0c3
SHA256 7115e8197092b5b5dae12ef8d12e1d16b58df3d5915fae0040dcf8a9528e88b9
SHA512 bd810f9382b98f81a5e92fbacffa26ee46c7316d52899f4306c4ac79788801cf98cb143152ddfff846f249db7d768c54dd63666d063ad2dfdbad3c3c07bdd2bb

memory/2620-473-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/3848-471-0x0000000000400000-0x000000000071A000-memory.dmp

C:\ProgramData\kaosdma.txt

MD5 8cf4dec152a9d79a3d62202b886eda9b
SHA1 0c1b3d3d02c0b655aa3526a58486b84872f18cc2
SHA256 c30e56c9c8fe30ffa4a4ff712cf2fa1808ee82ca258cd4c8ebefcc82250b6c01
SHA512 a5a65f0604f8553d0be07bd5214db52d3f167e7511d29cb64e3fa9d8c510cc79976ff2a5acb9b8c09b666f306ac8e4ad389f9a2de3ca46d57b1e91060a4c50fd