Malware Analysis Report

2024-09-22 16:28

Sample ID 240215-ajyz1adb64
Target 9c75e5c9f56150d3648691950f544f6b
SHA256 85ac0e8244160430f8ca3d4fb031180ccf656a2d524a8fc2c828379c1c7b9e5f
Tags
amadey babadeda crypter discovery loader trojan upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

85ac0e8244160430f8ca3d4fb031180ccf656a2d524a8fc2c828379c1c7b9e5f

Threat Level: Known bad

The file 9c75e5c9f56150d3648691950f544f6b was found to be: Known bad.

Malicious Activity Summary

amadey babadeda crypter discovery loader trojan upx

Amadey

Babadeda Crypter

Babadeda

UPX packed file

Modifies file permissions

Blocklisted process makes network request

Enumerates connected drives

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Checks installed software on the system

Enumerates physical storage devices

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-02-15 00:15

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-15 00:15

Reported

2024-02-15 00:17

Platform

win10v2004-20231215-en

Max time kernel

141s

Max time network

142s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\9c75e5c9f56150d3648691950f544f6b.msi

Signatures

Amadey

trojan amadey

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ICACLS.EXE N/A
N/A N/A C:\Windows\SysWOW64\ICACLS.EXE N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MW-6a766876-787c-4b71-9457-048bd20178a2\files\1setup.exe N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\e577474.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{84C5FFCF-54F6-4D06-B8A8-024A3C41F96B} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI757E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\LOGS\DPX\setuperr.log C:\Windows\SysWOW64\EXPAND.EXE N/A
File opened for modification C:\Windows\Installer\MSI883C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI883D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e577474.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\LOGS\DPX\setupact.log C:\Windows\SysWOW64\EXPAND.EXE N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2424 wrote to memory of 644 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 2424 wrote to memory of 644 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 2424 wrote to memory of 2544 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2424 wrote to memory of 2544 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2424 wrote to memory of 2544 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2544 wrote to memory of 2976 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 2544 wrote to memory of 2976 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 2544 wrote to memory of 2976 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 2544 wrote to memory of 1336 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 2544 wrote to memory of 1336 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 2544 wrote to memory of 1336 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 2544 wrote to memory of 2628 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-6a766876-787c-4b71-9457-048bd20178a2\files\1setup.exe
PID 2544 wrote to memory of 2628 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-6a766876-787c-4b71-9457-048bd20178a2\files\1setup.exe
PID 2544 wrote to memory of 2628 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-6a766876-787c-4b71-9457-048bd20178a2\files\1setup.exe
PID 2628 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\MW-6a766876-787c-4b71-9457-048bd20178a2\files\1setup.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2628 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\MW-6a766876-787c-4b71-9457-048bd20178a2\files\1setup.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2628 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\MW-6a766876-787c-4b71-9457-048bd20178a2\files\1setup.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 1808 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Roaming\BlueIris\cmsengine.exe
PID 1808 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Roaming\BlueIris\cmsengine.exe
PID 1808 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Roaming\BlueIris\cmsengine.exe
PID 2544 wrote to memory of 3304 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 2544 wrote to memory of 3304 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 2544 wrote to memory of 3304 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\9c75e5c9f56150d3648691950f544f6b.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding B0EF84752C886E6DF4BA1C385E7F19D9

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-6a766876-787c-4b71-9457-048bd20178a2\." /SETINTEGRITYLEVEL (CI)(OI)HIGH

C:\Windows\SysWOW64\EXPAND.EXE

"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files

C:\Users\Admin\AppData\Local\Temp\MW-6a766876-787c-4b71-9457-048bd20178a2\files\1setup.exe

"C:\Users\Admin\AppData\Local\Temp\MW-6a766876-787c-4b71-9457-048bd20178a2\files\1setup.exe"

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1798690 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\MW-6a766876-787c-4b71-9457-048bd20178a2\files\1setup.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-3791175113-1062217823-1177695025-1000"

C:\Users\Admin\AppData\Roaming\BlueIris\cmsengine.exe

"C:\Users\Admin\AppData\Roaming\BlueIris\cmsengine.exe"

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-6a766876-787c-4b71-9457-048bd20178a2\." /SETINTEGRITYLEVEL (CI)(OI)LOW

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 114.134.221.88.in-addr.arpa udp
RU 185.215.113.55:80 185.215.113.55 tcp
RU 185.215.113.55:80 185.215.113.55 tcp
US 8.8.8.8:53 55.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

MD5 bd51b098612667bf7910bd70d646b012
SHA1 eee4197b9b6875e2e4426b932a8a4ad43a8f0ab4
SHA256 d03ebd65d396a89957cd3d95bff12f4bb055358e4d98ed14bdb0a763d2304fb7
SHA512 57f4835e2d2935c22af97586e78d83810d8bbfc4b3860db85beaaa686fd63eccf22f9bae0ed6ab844e914ad6bdf4ee604d4bf21749b381cac6ed4924aaed707c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

MD5 18841d0ad1ea3a9f3d3cd42de1440724
SHA1 756c1ee7c7a07b35195e66bfdba20177bf5b450c
SHA256 d0caade85217db4017609785cb583a868d78c7da3f30a7d0b3de5af955476418
SHA512 6ab1966772f848f3610e480d067dfaf663e969b0f5df0152177385e86ca16fe9370f2d0c037dca3dcbeea5ad4f5266727aefc990d6f5e3249e532261c1446800

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_8EC50B7D4DA1A3FDB786C82CBBFC5A66

MD5 f2180738b9e80d152d92724ee2d2e14c
SHA1 ae4fa5f3a9f4bff0765b648267507a7ca802dcc6
SHA256 82bdcb79ed35ca77d70ec19c6519b88bacbc237b0c0c25b84ea301f01dfb9a77
SHA512 866c3717702fe43e916985f59711fe69f6cc4dadbcb903e0b6d2dd64ad11e17d81023a260ba895781b01374b3d2ee7307143c1e19d15b0436e8959e9a9ae6fec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_8EC50B7D4DA1A3FDB786C82CBBFC5A66

MD5 d9106362287b7f1a324db8e6fe7ebff7
SHA1 60d90d74610c4952024ff249dbcdd9dde540d0d9
SHA256 ff3e45923c87d5a9e3299fbfff29cd72b315309f878a4513f389140471e87eff
SHA512 b263cdd9f4bd193e9fa70dda3b938bea28489445196e77b4711f29f732481b21ca80483b0f7c64252a19a96b6ea302abfb5b90090055209a3acb2d6549b6972b

C:\Windows\Installer\MSI757E.tmp

MD5 4caaa03e0b59ca60a3d34674b732b702
SHA1 ee80c8f4684055ac8960b9720fb108be07e1d10c
SHA256 d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d
SHA512 25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

C:\Users\Admin\AppData\Local\Temp\MW-6a766876-787c-4b71-9457-048bd20178a2\msiwrapper.ini

MD5 6dacc66a028ef34dd61f2f9a7642b7c2
SHA1 bad408bf28ea3f7518ce19cc307809fe243a3e95
SHA256 db153a4111de46cb867e16ea27bdf9a4ebe0266b544667f2dc81e848c58eb3da
SHA512 16891325207b2b2e53d746d1f8e955e5a1a51688e39630de687f33ca74d07fa28a4a7ddbe14c12b15b2d5eb46f239829245c2de0da0b20df75116d3cd1c85a46

C:\Users\Admin\AppData\Local\Temp\MW-6a766876-787c-4b71-9457-048bd20178a2\msiwrapper.ini

MD5 98f88a37470d5c6c183f51b0fc1c2641
SHA1 dac7a9604b9b6e0722cebbe9a0c362171338ef20
SHA256 476004835e6d5f02f4655b0a6ca9b8dcc40d6626fec74e5e0652dc38f66518d9
SHA512 093da2afa0c81b47856b35925192ee10b55ec592967b3744933f14988cf47a29ca2fe1c7b2b2a88465bb0e22396245f64ba024c7b29181e60af7873eb58aac7b

C:\Users\Admin\AppData\Local\Temp\MW-6a766876-787c-4b71-9457-048bd20178a2\files.cab

MD5 7c75eaeabeebc1b3e17a957df0a5ef4a
SHA1 7dcefa6a552b87e05b96a562511d9c103de8ab40
SHA256 5c3a384065bda8b29c805352570c1a75d4e841544093b8ec5cffa96dda61019b
SHA512 a79224ab26ca6a704af37e0588c23c39f24fa9c919aff3ff20eb77683205d4c9842a44b97ac3b9d0faa661c64d46bd94c57d10d18150c18f74f5d2dde094959b

C:\Users\Admin\AppData\Local\Temp\MW-6a766876-787c-4b71-9457-048bd20178a2\files\1setup.exe

MD5 18d15fbb6b9c6178c170106d18ef0e0b
SHA1 177cf1a1a5d3ac67ed8114a104fd6306f61bf2ad
SHA256 300dacb4b2d8e80b33e03bfa5b15a1d6527b58de0c5719f5054b198041a7884b
SHA512 eec1ea5897b1917de1e6c1d4ff3bdc3dbf5022d98e679741157b3edfbcc854771759933a96e2954f3c0623f4e4daa2cc42f1043c1c0f2d8dd250a0aa01a3960e

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 ac23d03c4b8d531016a3c1ebfa2bc91c
SHA1 11383627d5515ed2257f594db7fbce3a4b9106f8
SHA256 0ddd10f3c8a3268237117f08a94c52ead801a76286bb76d0f521b56689801d06
SHA512 bb649ab787a05dba410ce43a592b7f122c71f1fdc69bbb8789c57a3e64018189eebb9b46669a2d6a1b156818bb59beed130aeae6e1928108dee16168445659c1

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

MD5 e7a789232ef503dcb4929791673009a3
SHA1 8bc28bce4c9d8b4a6e360100441ba54a878de4c1
SHA256 89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1
SHA512 6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

memory/1808-95-0x00000000004D0000-0x00000000008B8000-memory.dmp

C:\Users\Admin\AppData\Roaming\BlueIris\res\public\en_GB\html\startpage_banner.html

MD5 5d1f7da1c3d95020a0708118145364d0
SHA1 02f630e7ac8b8d400af219bd8811aa3a22f7186e
SHA256 d2d828c2c459b72ee378db6c5ac295315b8a783b7049032f92ed4fcb2a89684a
SHA512 6bbdaaef1478ffd9e9d3a95d300f35b9ac6f3ce6564e80734445a827ad8761233db36c679fac117f363bae27918983520f0e2f408205d3549b001fc4ae4c920c

C:\Users\Admin\AppData\Roaming\BlueIris\res\public\en_GB\html\startpage_connect_to_data_no_mru.html

MD5 20bbd307866f19a5af3ae9ebd5104018
SHA1 8e03c9b18b9d27e9292ee154b773553493df1157
SHA256 e4fe51c170e02a01f30a4db8b458fb9b8dee13a7740f17765ba4873fac62c5f7
SHA512 420a132ad4ba3a67f5b66a3e463c4fa495b7941d58d6d669a8c984380607a03f0afa1c92bcf1f8d1fc5d93838ea611f7f9cf439bb3ada0142431b119ddfad40d

C:\Users\Admin\AppData\Roaming\BlueIris\res\public\en_GB\html\startpage_connect_to_data_with_mru.html

MD5 e6bc0d078616dd5d5f72d46ab2216e89
SHA1 f70534bb999bcb8f1db0cf25a7279757e794499f
SHA256 e8f50f17c994f394239350951a40c3454e9b52b0ca95cf342f2577828f390a54
SHA512 6ccd6e19ec63f20c86a28ccaffa609a2d0de7991a8eb2d6ea016bcc5d0e9f2fc28c33a15c4af891f28a9e1e4131f38f84f8e1a8859e020d6f267977075f7c66a

C:\Users\Admin\AppData\Roaming\BlueIris\res\public\en_GB\html\startpage_landing.html

MD5 0a5b47256c14570b80ef77ecfd2129b7
SHA1 69210a7429c991909c70b6b6b75fe4bc606048ae
SHA256 1934657d800997dedba9f4753150f7d8f96dd5903a9c47ed6885aabf563bf73d
SHA512 5ca22260d26ec5bb1d65c4af3e2f05356d7b144836790ac656bf8c1687dd5c7d67a8a46c7bde374ec9e59a1bedc0298a4609f229d997409a0cc5453ef102ecb2

C:\Users\Admin\AppData\Roaming\BlueIris\res\public\en_GB\html\startpage_topstrip_no_mru.html

MD5 eced86c9d5b8952ac5fb817c3ce2b8ba
SHA1 3ca24e69df7a4b81f799527a97282799fcd3f1e2
SHA256 3988afa43d3c716ecbe4e261ff13c32fe67baaaf1718eac790040cff2aa4e44d
SHA512 a21e88968c30f14363a73dfd7801cea34255acb968160fad59d813bb64352583c8c4f6cd9d45811676ca5ca90a4250601a53e80b6f41d6727465f3a57e7423a1

C:\Users\Admin\AppData\Roaming\BlueIris\res\public\en_GB\html\startpage_topstrip_with_mru.html

MD5 cc4d8a787ab1950c4e3aac5751c9fcde
SHA1 d026a156723a52c34927b5a951a2bb7d23aa2c45
SHA256 13683e06e737e83ca94505b1cd1cd70f4f8b2cc5e7560f121a6e02ed1a06e7ee
SHA512 e0b01f5ee4da60e35a4eb94490bed815aea00382f3b9822b7c29294cf86a2fe480dba704f086a38f9d7aaf39e8160f49cf806b6b6c44651de56e290249dd9ebe

C:\Users\Admin\AppData\Roaming\BlueIris\res\public\en_GB\stylesheets\start_page.css

MD5 f2ab3e5fb61293ae8656413dbb6e5dc3
SHA1 53b3c3c4b57c3d5e2d9a36272b27786cd60f0eb5
SHA256 06db4d53adf4a1ecbc03ed9962af7f46fd3a54668d45907dc1737125e38ec192
SHA512 2c31cad868e1e5149a4308a149104ac3d88907894699fb0413860c8f578de32f6814b08d518de7a7fe3782f0cea173cb1766da7c25f2bcdddaffae7bc0da927c

C:\Users\Admin\AppData\Roaming\BlueIris\res\public\en_GB\stylesheets\start_page_landing.css

MD5 49617add7303a8fbd24e1ad16ba715d8
SHA1 31772218ccf51fe5955625346c12e00c0f2e539a
SHA256 b3a99eea19c469dab3b727d1324ed87d10999133d3268ed0fadd5a5c8d182907
SHA512 9d1198ca13a0c1f745b01aabc23b60b8e0df4f12d7fdf17e87e750f021fc3800ea808af6c875848b3850061070dfd54c2e34d92cea4e8a2bf4736fbcfd129d1e

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG

MD5 3220a6aefb4fc719cc8849f060859169
SHA1 85f624debcefd45fdfdf559ac2510a7d1501b412
SHA256 988cf422cbf400d41c48fbe491b425a827a1b70691f483679c1df02fb9352765
SHA512 5c45ea8f64b3cdfb262c642bd36b08c822427150d28977af33c9021a6316b6efed83f3172c16343fd703d351af3966b06926e5b33630d51b723709712689881d

C:\Users\Admin\AppData\Roaming\BlueIris\Uninstall\uninstall.xml

MD5 019735e72d79b80578c326d2d63d1b3c
SHA1 0f34dd070a35563277662388bdc13176741b439b
SHA256 857b1f64844a123d3c2e95ced7bf4bb361f59134d2e79c062890df61da415a56
SHA512 adc68f17b37ddb3b887e0a42c2b968d68ac42011d4864399b72372eaaef845d66c0672ea025a169fd175ad9d10e1580d637960becd02fbf317286947fbac64bd

C:\Users\Admin\AppData\Roaming\BlueIris\Uninstall\uninstall.xml

MD5 86644073e8a0750499f518382efd1122
SHA1 469f026742c5fee59bc718fc1c79c824f14978e7
SHA256 1e7062d917805f079b1c445002dc2a1f673a485767cda8c7d87cf21851b25c75
SHA512 4fc190da93a047edee1df37748e351b23e56f6f4acd253d23e9fcd8f845c5156716583ec0aef8b29bdc678ec20ea6b8f669af0ef676bfc29a94ec532ff79336e

C:\Users\Admin\AppData\Roaming\BlueIris\cmsengine.exe

MD5 cc16634f7bb53413cb4dde0a6fa90da0
SHA1 504d254425757ee92950f2ca9d1da5a32171377b
SHA256 161640bd9baa26a92996eb110e988e18a92afc321a200c4a7bdb69ac22fa7589
SHA512 d4dd6442d81ed8666f4b6cfa9aa4315da1cf97e75dfe07e6270fe1a1e2d29a1699e3396b96a11286ac509680d90e2a16a4a5c8b357144cf1d2e7b99c899c3f87

C:\Users\Admin\AppData\Roaming\BlueIris\cmsengine.exe

MD5 148107dedcb50e49cd6857c6df3fd4bd
SHA1 33549ae282f9387230e0fbbda87f99a32d8617c9
SHA256 9ebf6565a3ae4013a1e2a603d36781ed4416009581b8d57cc49b1158e1cfee99
SHA512 25bdad6def4fb2df6baed57d083fd69f3b4f01057908827aaf014cb7447430ce3a4049453a33cc87899214d53f149d585c58c6faf6ce78e0eff7875bbd36a220

C:\Users\Admin\AppData\Roaming\BlueIris\libintl-8.dll

MD5 00855b551eac9fbd25c7528879cf884e
SHA1 a2fe7785153bfdb3cc10e44f9c760929bfdd3616
SHA256 9e851f57154e11418095b821e08e1bab4a7f6116c4329da24e07bff40c77f887
SHA512 a5775d3b1e7cb0a1dc25e9e5ff133462ef89d82cef4695c414e69c6bbbdb9dee6410a1b3b72cf143e5a4f131cf726caaefd31eb46b7d19294ef34b92f8d14984

C:\Users\Admin\AppData\Roaming\BlueIris\ui.xml

MD5 2e79233b3ad881df35237c30ee2eeda9
SHA1 72d2d617bfb5322915fae6ada090a85d037e5ad2
SHA256 d8530c0e05387ae70687ef470616a72240c4b38bfd5cc459b2601c3eca68c864
SHA512 d8126c0882ecd7553301788b8ee7cdf6d91a7f38a322dea43de4aac5ceed57ade0937469858c19dfb36f1340efbe3101ba83bc2352fa05de41d91a2fe152eb02

C:\Users\Admin\AppData\Roaming\BlueIris\libintl-8.dll

MD5 ac518a90c9d63af358b5b3c47d1d09b0
SHA1 92a2f0840aea159e05553186cafe1ba56834bc5a
SHA256 bd48b561699d9034c7977ec73615191503b46ad799c8125d5bfe94e27044a4ea
SHA512 ef023905496aa6e047eaa2b538f33a9bd258bfd99fcef94f11ebb48b8b366132cdf54c78db57186ec70e2ff116945cb4c47deef648fffd33137a6e6839e6addf

memory/460-695-0x0000000000530000-0x0000000000D60000-memory.dmp

memory/1808-696-0x00000000004D0000-0x00000000008B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MW-6a766876-787c-4b71-9457-048bd20178a2\msiwrapper.ini

MD5 cc31bf5b158b079679e4f429a9612b26
SHA1 2b4468f44a10b55eee123be7aa60a7dde2bcf635
SHA256 d8600a1446c59909412c9ce55d76747bb140e26c39bb95550c29d2b5325769b9
SHA512 f35d901e5c7da5a86fb1b8a7a6053292e1b36ec9a38eddb22e0015f2ee7085fc33b27eb677e2fb21809d3a6e0b6d8aafed1b424066dcf5706dce78b74fd46cd7

\??\Volume{119bf5f3-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e54c240d-e5b5-452e-b556-0f90ce2a566d}_OnDiskSnapshotProp

MD5 6baf8843e61b680d4a6400c459f0bbbb
SHA1 ba3eccef4bd2c225ab6ef3e020426f38ee31a73d
SHA256 02a076e42519836be6f7fb31019bea50c3e71e5d762f743f997e8471cefddb92
SHA512 eda318e79299f1da425bfa32885f78d5408c1ffce87a8dac4478ac15c0f4bb04d44668f81e1d8dee29a3c8b7245ba336361ab4c184741b3ba90652fd5fbbb368

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 1806bfcb6baf8498160c369b68aba55b
SHA1 fab30aedb58bf5be7929bfabf94fc575e5babc47
SHA256 4b7483cc9196989739a2da35a613f61aac6348f394c8edd7dd2eeefadb620379
SHA512 e91f373ea0bc4160a2d894e14201ef6c62de8b3b5d1419a0d451c6a97ded30bbdb511d6906760a85b52bf0dec0a08fdf4f3db7061d0f36c2d1fe90d81e7e992a

C:\Users\Admin\AppData\Local\Temp\152137911751

MD5 bce8ecac8445f103a3aa7f1e844414f5
SHA1 f2a1e078281fdaad95037ab00d9dde00a1106711
SHA256 e34d180a13c28e9b56abdef8e4b621c3603de9f95c4bda9db49c92e1c77fca23
SHA512 be03ab18c2145e2d04c6a5f1db7502404cd787f17ceae43a6ae6aeb27957a5a60dd1e2553ebe5cd7c5be802e7fc7e7cb6c2481ae24d9489d695af12cb886c767

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-15 00:15

Reported

2024-02-15 00:17

Platform

win7-20231215-en

Max time kernel

123s

Max time network

140s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\9c75e5c9f56150d3648691950f544f6b.msi

Signatures

Amadey

trojan amadey

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ICACLS.EXE N/A
N/A N/A C:\Windows\SysWOW64\ICACLS.EXE N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\f76cab0.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI389C.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76caaf.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76cab0.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID44C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI389B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Logs\DPX\setuperr.log C:\Windows\SysWOW64\EXPAND.EXE N/A
File opened for modification C:\Windows\Installer\f76caaf.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Logs\DPX\setupact.log C:\Windows\SysWOW64\EXPAND.EXE N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2036 wrote to memory of 368 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2036 wrote to memory of 368 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2036 wrote to memory of 368 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2036 wrote to memory of 368 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2036 wrote to memory of 368 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2036 wrote to memory of 368 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2036 wrote to memory of 368 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 368 wrote to memory of 776 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 368 wrote to memory of 776 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 368 wrote to memory of 776 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 368 wrote to memory of 776 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 368 wrote to memory of 2232 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 368 wrote to memory of 2232 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 368 wrote to memory of 2232 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 368 wrote to memory of 2232 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 368 wrote to memory of 1608 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-e723d293-6492-467e-b475-155f1dcd074b\files\1setup.exe
PID 368 wrote to memory of 1608 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-e723d293-6492-467e-b475-155f1dcd074b\files\1setup.exe
PID 368 wrote to memory of 1608 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-e723d293-6492-467e-b475-155f1dcd074b\files\1setup.exe
PID 368 wrote to memory of 1608 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-e723d293-6492-467e-b475-155f1dcd074b\files\1setup.exe
PID 368 wrote to memory of 1608 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-e723d293-6492-467e-b475-155f1dcd074b\files\1setup.exe
PID 368 wrote to memory of 1608 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-e723d293-6492-467e-b475-155f1dcd074b\files\1setup.exe
PID 368 wrote to memory of 1608 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-e723d293-6492-467e-b475-155f1dcd074b\files\1setup.exe
PID 1608 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\MW-e723d293-6492-467e-b475-155f1dcd074b\files\1setup.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 1608 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\MW-e723d293-6492-467e-b475-155f1dcd074b\files\1setup.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 1608 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\MW-e723d293-6492-467e-b475-155f1dcd074b\files\1setup.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 1608 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\MW-e723d293-6492-467e-b475-155f1dcd074b\files\1setup.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 1608 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\MW-e723d293-6492-467e-b475-155f1dcd074b\files\1setup.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 1608 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\MW-e723d293-6492-467e-b475-155f1dcd074b\files\1setup.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 1608 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\MW-e723d293-6492-467e-b475-155f1dcd074b\files\1setup.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2304 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Roaming\BlueIris\cmsengine.exe
PID 2304 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Roaming\BlueIris\cmsengine.exe
PID 2304 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Roaming\BlueIris\cmsengine.exe
PID 2304 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Roaming\BlueIris\cmsengine.exe
PID 368 wrote to memory of 1308 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 368 wrote to memory of 1308 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 368 wrote to memory of 1308 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 368 wrote to memory of 1308 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\9c75e5c9f56150d3648691950f544f6b.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000560" "00000000000002F8"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 5CD7A4D09F0ECF99A4D017DFC5A5DF24

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-e723d293-6492-467e-b475-155f1dcd074b\." /SETINTEGRITYLEVEL (CI)(OI)HIGH

C:\Windows\SysWOW64\EXPAND.EXE

"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files

C:\Users\Admin\AppData\Local\Temp\MW-e723d293-6492-467e-b475-155f1dcd074b\files\1setup.exe

"C:\Users\Admin\AppData\Local\Temp\MW-e723d293-6492-467e-b475-155f1dcd074b\files\1setup.exe"

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1798690 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\MW-e723d293-6492-467e-b475-155f1dcd074b\files\1setup.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-452311807-3713411997-1028535425-1000"

C:\Users\Admin\AppData\Roaming\BlueIris\cmsengine.exe

"C:\Users\Admin\AppData\Roaming\BlueIris\cmsengine.exe"

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-e723d293-6492-467e-b475-155f1dcd074b\." /SETINTEGRITYLEVEL (CI)(OI)LOW

Network

Country Destination Domain Proto
RU 185.215.113.55:80 185.215.113.55 tcp
RU 185.215.113.55:80 185.215.113.55 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab5015.tmp


C:\Users\Admin\AppData\Local\Temp\Tar5057.tmp


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015


C:\Windows\Installer\MSID44C.tmp


C:\Users\Admin\AppData\Local\Temp\MW-e723d293-6492-467e-b475-155f1dcd074b\msiwrapper.ini


C:\Users\Admin\AppData\Local\Temp\MW-e723d293-6492-467e-b475-155f1dcd074b\files.cab


C:\Users\Admin\AppData\Local\Temp\MW-e723d293-6492-467e-b475-155f1dcd074b\files\1setup.exe


\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe


memory/1608-211-0x0000000002B50000-0x0000000002F38000-memory.dmp


memory/1608-212-0x0000000002B50000-0x0000000002F38000-memory.dmp

memory/1608-216-0x0000000002B50000-0x0000000002F38000-memory.dmp

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll


memory/2304-217-0x00000000000A0000-0x0000000000488000-memory.dmp

memory/2304-935-0x00000000000A0000-0x0000000000488000-memory.dmp

C:\Users\Admin\AppData\Roaming\BlueIris\res\public\en\html\startpage_connect_to_data_with_mru.html


C:\Users\Admin\AppData\Roaming\BlueIris\res\public\en\html\startpage_connect_to_data_no_mru.html


C:\Users\Admin\AppData\Roaming\BlueIris\res\public\en\html\startpage_banner.html


C:\Users\Admin\AppData\Roaming\BlueIris\res\public\en\html\startpage_landing.html


C:\Users\Admin\AppData\Roaming\BlueIris\res\public\en\html\startpage_topstrip_no_mru.html


C:\Users\Admin\AppData\Roaming\BlueIris\res\public\en\html\startpage_topstrip_with_mru.html


C:\Users\Admin\AppData\Roaming\BlueIris\res\public\en\stylesheets\start_page.css


C:\Users\Admin\AppData\Roaming\BlueIris\res\public\en\stylesheets\start_page_landing.css


C:\Users\Admin\AppData\Roaming\BlueIris\Uninstall\uninstall.xml


memory/2304-1077-0x0000000000A40000-0x0000000000A50000-memory.dmp

\Users\Admin\AppData\Roaming\BlueIris\cmsengine.exe


C:\Users\Admin\AppData\Roaming\BlueIris\libintl-8.dll


memory/2304-1095-0x0000000004960000-0x0000000005190000-memory.dmp

C:\Users\Admin\AppData\Roaming\BlueIris\ui.xml



memory/2304-1099-0x0000000004960000-0x0000000005190000-memory.dmp

memory/2304-1098-0x00000000000A0000-0x0000000000488000-memory.dmp

memory/2764-1100-0x00000000012B0000-0x0000000001AE0000-memory.dmp


C:\Users\Admin\AppData\Local\Temp\152145231180
