Malware Analysis Report

2024-09-22 16:46

Sample ID 240227-wvvydagc3t
Target a9d35b3546a908c804d177020daefcb0
SHA256 45193fa14de60908b958e3f268ef46457acbbe4d7b63784a8dc177a510528827
Tags
amadey babadeda crypter discovery loader trojan upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

45193fa14de60908b958e3f268ef46457acbbe4d7b63784a8dc177a510528827

Threat Level: Known bad

The file a9d35b3546a908c804d177020daefcb0 was found to be: Known bad.

Malicious Activity Summary

amadey babadeda crypter discovery loader trojan upx

Amadey

Babadeda Crypter

Babadeda

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

UPX packed file

Checks installed software on the system

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-02-27 18:15

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-27 18:15

Reported

2024-02-27 18:17

Platform

win10v2004-20240226-en

Max time kernel

116s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a9d35b3546a908c804d177020daefcb0.exe"

Signatures

Amadey

trojan amadey

Babadeda

loader crypter babadeda

Babadeda Crypter

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a9d35b3546a908c804d177020daefcb0.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB | C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\DbVisualizer.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB\Blob = [blob data not included in this report] | C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\DbVisualizer.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a9d35b3546a908c804d177020daefcb0.exe

"C:\Users\Admin\AppData\Local\Temp\a9d35b3546a908c804d177020daefcb0.exe"

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1798690 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\a9d35b3546a908c804d177020daefcb0.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-1904519900-954640453-4250331663-1000"

C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\DbVisualizer.exe

"C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\DbVisualizer.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3548 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.181.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
RU | 185.215.113.20:80 | 185.215.113.20 | tcp
RU | 185.215.113.20:80 | 185.215.113.20 | tcp
RU | 185.215.113.5:443 | 185.215.113.5 | tcp
RU | 185.215.113.5:443 | 185.215.113.5 | tcp
US | 8.8.8.8:53 | 20.113.215.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 5.113.215.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 135.223.24.100.in-addr.arpa | udp
US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp
US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp
IE | 209.85.202.95:443 | chromewebstore.googleapis.com | tcp
US | 8.8.8.8:53 | 186.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.202.85.209.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.178.17.96.in-addr.arpa | udp
RU | 185.215.113.20:80 | 185.215.113.20 | tcp
RU | 185.215.113.20:80 | 185.215.113.20 | tcp
RU | 185.215.113.5:443 | 185.215.113.5 | tcp
RU | 185.215.113.5:443 | 185.215.113.5 | tcp

Files

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 ac23d03c4b8d531016a3c1ebfa2bc91c
SHA1 11383627d5515ed2257f594db7fbce3a4b9106f8
SHA256 0ddd10f3c8a3268237117f08a94c52ead801a76286bb76d0f521b56689801d06
SHA512 bb649ab787a05dba410ce43a592b7f122c71f1fdc69bbb8789c57a3e64018189eebb9b46669a2d6a1b156818bb59beed130aeae6e1928108dee16168445659c1

memory/4752-11-0x0000000000F50000-0x0000000001338000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

MD5 e7a789232ef503dcb4929791673009a3
SHA1 8bc28bce4c9d8b4a6e360100441ba54a878de4c1
SHA256 89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1
SHA512 6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\res\public\en_GB\html\startpage_connect_to_data_no_mru.html

MD5 20bbd307866f19a5af3ae9ebd5104018
SHA1 8e03c9b18b9d27e9292ee154b773553493df1157
SHA256 e4fe51c170e02a01f30a4db8b458fb9b8dee13a7740f17765ba4873fac62c5f7
SHA512 420a132ad4ba3a67f5b66a3e463c4fa495b7941d58d6d669a8c984380607a03f0afa1c92bcf1f8d1fc5d93838ea611f7f9cf439bb3ada0142431b119ddfad40d

C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\res\public\en_GB\html\startpage_banner.html

MD5 5d1f7da1c3d95020a0708118145364d0
SHA1 02f630e7ac8b8d400af219bd8811aa3a22f7186e
SHA256 d2d828c2c459b72ee378db6c5ac295315b8a783b7049032f92ed4fcb2a89684a
SHA512 6bbdaaef1478ffd9e9d3a95d300f35b9ac6f3ce6564e80734445a827ad8761233db36c679fac117f363bae27918983520f0e2f408205d3549b001fc4ae4c920c

C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\res\public\en_GB\html\startpage_topstrip_with_mru.html

MD5 cc4d8a787ab1950c4e3aac5751c9fcde
SHA1 d026a156723a52c34927b5a951a2bb7d23aa2c45
SHA256 13683e06e737e83ca94505b1cd1cd70f4f8b2cc5e7560f121a6e02ed1a06e7ee
SHA512 e0b01f5ee4da60e35a4eb94490bed815aea00382f3b9822b7c29294cf86a2fe480dba704f086a38f9d7aaf39e8160f49cf806b6b6c44651de56e290249dd9ebe

C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\res\public\en_GB\html\startpage_topstrip_no_mru.html

MD5 eced86c9d5b8952ac5fb817c3ce2b8ba
SHA1 3ca24e69df7a4b81f799527a97282799fcd3f1e2
SHA256 3988afa43d3c716ecbe4e261ff13c32fe67baaaf1718eac790040cff2aa4e44d
SHA512 a21e88968c30f14363a73dfd7801cea34255acb968160fad59d813bb64352583c8c4f6cd9d45811676ca5ca90a4250601a53e80b6f41d6727465f3a57e7423a1

C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\res\public\en_GB\html\startpage_landing.html

MD5 0a5b47256c14570b80ef77ecfd2129b7
SHA1 69210a7429c991909c70b6b6b75fe4bc606048ae
SHA256 1934657d800997dedba9f4753150f7d8f96dd5903a9c47ed6885aabf563bf73d
SHA512 5ca22260d26ec5bb1d65c4af3e2f05356d7b144836790ac656bf8c1687dd5c7d67a8a46c7bde374ec9e59a1bedc0298a4609f229d997409a0cc5453ef102ecb2

C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\res\public\en_GB\html\startpage_connect_to_data_with_mru.html

MD5 e6bc0d078616dd5d5f72d46ab2216e89
SHA1 f70534bb999bcb8f1db0cf25a7279757e794499f
SHA256 e8f50f17c994f394239350951a40c3454e9b52b0ca95cf342f2577828f390a54
SHA512 6ccd6e19ec63f20c86a28ccaffa609a2d0de7991a8eb2d6ea016bcc5d0e9f2fc28c33a15c4af891f28a9e1e4131f38f84f8e1a8859e020d6f267977075f7c66a

C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\res\public\en_GB\stylesheets\start_page.css

MD5 f2ab3e5fb61293ae8656413dbb6e5dc3
SHA1 53b3c3c4b57c3d5e2d9a36272b27786cd60f0eb5
SHA256 06db4d53adf4a1ecbc03ed9962af7f46fd3a54668d45907dc1737125e38ec192
SHA512 2c31cad868e1e5149a4308a149104ac3d88907894699fb0413860c8f578de32f6814b08d518de7a7fe3782f0cea173cb1766da7c25f2bcdddaffae7bc0da927c

C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\res\public\en_GB\stylesheets\start_page_landing.css

MD5 49617add7303a8fbd24e1ad16ba715d8
SHA1 31772218ccf51fe5955625346c12e00c0f2e539a
SHA256 b3a99eea19c469dab3b727d1324ed87d10999133d3268ed0fadd5a5c8d182907
SHA512 9d1198ca13a0c1f745b01aabc23b60b8e0df4f12d7fdf17e87e750f021fc3800ea808af6c875848b3850061070dfd54c2e34d92cea4e8a2bf4736fbcfd129d1e

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG

MD5 3220a6aefb4fc719cc8849f060859169
SHA1 85f624debcefd45fdfdf559ac2510a7d1501b412
SHA256 988cf422cbf400d41c48fbe491b425a827a1b70691f483679c1df02fb9352765
SHA512 5c45ea8f64b3cdfb262c642bd36b08c822427150d28977af33c9021a6316b6efed83f3172c16343fd703d351af3966b06926e5b33630d51b723709712689881d

C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\Uninstall\uninstall.xml

MD5 2127159799a0fb58dbb1ce53b78dd007
SHA1 d96ec16e5d118f4615390d54325f57a4521e63dc
SHA256 6b7406526a4f8791008452a6157b6407019a99482df7dd3a32a82b8cbda991d8
SHA512 f2a7f3af3b0fe1b2ed81280e31e88e482ac2406d7fb4765a636a9c74d9f280084fd3442fe6d9966ee8bcbd52f643a88c4bbfd9336c9705eeea83b263070acf7a

C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\Uninstall\uninstall.xml

MD5 280f56dc217fa53785ff90ff19352aa2
SHA1 da60dc21f284c2966c6182dd0d46829c5a6d672d
SHA256 862f1f02f434c1cc78a8676a42bd9e28b78b3ade34d6df254480ea46686d8bf9
SHA512 6b82f678ff4bd9d454379d421ed2ca4e583c8ad250488061573248ecb9f2370adc5897e0c111b934c4597eb859b78821532a8579f1ce68086aa3248357b50737

C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\DbVisualizer.exe

MD5 7ecebf023300b9b55d8c45a4c418e777
SHA1 f82a08f188eeab23adb988cfdecd9bfb7d5d3f58
SHA256 5de35a3de224a39ae9e5f68f55711e75a13869e05c11cf02cf026996ab10b53c
SHA512 55bf4127741901c3636a82e8f638e6489a0f4facfe02fe062fe32c5748a4374e0d453966389761f5cb9becd74fd664f7cf189071851dc947f035121b75a62005

memory/4420-570-0x0000000000F60000-0x0000000001443000-memory.dmp

C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\libintl-8.dll

MD5 4a9b0f444ac743624a8a975d121c7111
SHA1 99c8d48075e63e7b5aa80d39bc6e375c5e6d080b
SHA256 6486eb74a008109826731bf73e4cfed5acd4feb2b8c8c2825bb2ecdb9da982a5
SHA512 a32595907bd5e03fc473d1628ff5db076cd4b62eed1de43b55a774c0e3508096218c16e7afd12e2ca9e9fc8203aadfe1d38140a0c917784d722f19668dc6d9a4

C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\manual.pdf

MD5 b78eb6c1f6364dea245a592bf1cb6a13
SHA1 b509bc936a3882db2c911d6bde86da05e5bf829d
SHA256 db1efa5c12505764838c95c1f377d3584dde6ff5c7470a4d0c7bb61254065608
SHA512 834a06116f2e9e62c60a6024dcbb5f18f938820bb04bfb221fbdcd49b3f0fb61a471edf3056fb1256357beeaf36e8b4d0a5331c2bcfc4f1d2fd5e7f3a277269c

memory/4752-572-0x0000000000F50000-0x0000000001338000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\152119045199

MD5 e51b16cc10974bea3b3d20f3f0416f83
SHA1 e0306d8ec1424c99c4b998038b3dac4592cdd094
SHA256 4e7d3c0c0fb406c0c2c557b31f95771aceaad3386786be1cd04a3d8c85e216a8
SHA512 7031be454c14ef606b230cb96673b07a5bb37ce868abf940765c313a6e25d1a7ce28bdffd5059d9748be094327cc60910fc81cb8eae511a258712c3aa47a454d

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-27 18:15

Reported

2024-02-27 18:17

Platform

win7-20240220-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a9d35b3546a908c804d177020daefcb0.exe"

Signatures

Amadey

trojan amadey

Babadeda

loader crypter babadeda

Babadeda Crypter

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2072 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\a9d35b3546a908c804d177020daefcb0.exe | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2072 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\a9d35b3546a908c804d177020daefcb0.exe | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2072 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\a9d35b3546a908c804d177020daefcb0.exe | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2072 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\a9d35b3546a908c804d177020daefcb0.exe | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2072 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\a9d35b3546a908c804d177020daefcb0.exe | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2072 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\a9d35b3546a908c804d177020daefcb0.exe | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2072 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\a9d35b3546a908c804d177020daefcb0.exe | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2788 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\DbVisualizer.exe
PID 2788 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\DbVisualizer.exe
PID 2788 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\DbVisualizer.exe
PID 2788 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\DbVisualizer.exe
PID 2788 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\DbVisualizer.exe
PID 2788 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\DbVisualizer.exe
PID 2788 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\DbVisualizer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a9d35b3546a908c804d177020daefcb0.exe

"C:\Users\Admin\AppData\Local\Temp\a9d35b3546a908c804d177020daefcb0.exe"

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1798690 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\a9d35b3546a908c804d177020daefcb0.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2721934792-624042501-2768869379-1000"

C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\DbVisualizer.exe

"C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\DbVisualizer.exe"

Network

Country | Destination | Domain | Proto
RU | 185.215.113.20:80 | 185.215.113.20 | tcp
RU | 185.215.113.20:80 | 185.215.113.20 | tcp
RU | 185.215.113.5:443 | | tcp
RU | 185.215.113.5:443 | | tcp
RU | 185.215.113.5:443 | | tcp
RU | 185.215.113.5:443 | | tcp

Files

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 ac23d03c4b8d531016a3c1ebfa2bc91c
SHA1 11383627d5515ed2257f594db7fbce3a4b9106f8
SHA256 0ddd10f3c8a3268237117f08a94c52ead801a76286bb76d0f521b56689801d06
SHA512 bb649ab787a05dba410ce43a592b7f122c71f1fdc69bbb8789c57a3e64018189eebb9b46669a2d6a1b156818bb59beed130aeae6e1928108dee16168445659c1

memory/2072-15-0x0000000003380000-0x0000000003768000-memory.dmp

memory/2072-6-0x0000000003380000-0x0000000003768000-memory.dmp

memory/2788-17-0x0000000000F40000-0x0000000001328000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

MD5 e7a789232ef503dcb4929791673009a3
SHA1 8bc28bce4c9d8b4a6e360100441ba54a878de4c1
SHA256 89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1
SHA512 6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\Images\[email protected]

MD5 44018e1779270b083ad90da3dffe9b15
SHA1 e09c06b564abe26bcf91ecb7632d761c3234b30d
SHA256 71bacaee2c9e1fbe6a7184aaf9d3f8e24d6390ca62298c5da425bf060cd2bc4c
SHA512 ece1fde07753a160735d2c09272410a473c7cbf18972005baa36480d363e87a47f02b7b83efb893b88e334e7f49d645d85f802246e7508623d20c04adb6cbb7b

C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\Images\[email protected]

MD5 b3c74bb5250effad46ce11a96c9468c2
SHA1 3a339e244a29fe41d13fa4cc951a7e0a2862e299
SHA256 5a9479caa4024731d61172652a67021f4973a03548516d36a4865ec161a57825
SHA512 a5f8499a39972341740f46f96f90feb6cab15610fd9e7d25eeae139236fe115874806a6554c8fe180dee097088f8d4802a20b0ebc7de0c04486c7dbce36116c3

C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\Images\[email protected]

MD5 3272be2da53b6d5271111431f7d90d28
SHA1 7ec382eee6282454d5b0b03751f3d14c568bbfa5
SHA256 4e2a12a194e0db12de874ad8c9a5288b5a56285b426883bd0e3cef1866569982
SHA512 45dbfa8dd5aa0bd1e2dd042a716f00bad44142b98bcffedb7c30403b6132b50e72db64909d3873ca3a154d4a2e90433093c4f040454bca005b8274130c827b26

C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\Images\[email protected]

MD5 228d4bd899577ed16ad3ac74b592a0e6
SHA1 baf99e34e126d6c41b7aa39caabc2376358bab70
SHA256 fe87e02e797a143042bd7f10fa57c6e2a53028b5d5ab4c3da2a1e4affd1c86d5
SHA512 285b2057d2bce4086859d76ad7c57f029946106e5bf31525a92450714b790bc77fb982e6e1edfedfbb4335a791911e057caf01ea801868ae196a8775a78adebc

C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\Images\[email protected]

MD5 2719683b8dba819f2e6bd9e9b7307f1c
SHA1 6cbac17ebf8b56489ad8b8c458dd618b2788512a
SHA256 316b67841dba6c73097d0d50d1b454fd80b6aac86fa0fe15f9b514d65a5bb66a
SHA512 96ffe07ea87dae0bcf92a2d06dbfc8604526e77afd8f1bae1bc3ef17261463a214a54d91e7f672a5b8455ed4c7bba8fbe19e12255c6d5b2bbd26dda5c8b6ccee

C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\res\public\en\html\startpage_banner.html

MD5 5d1f7da1c3d95020a0708118145364d0
SHA1 02f630e7ac8b8d400af219bd8811aa3a22f7186e
SHA256 d2d828c2c459b72ee378db6c5ac295315b8a783b7049032f92ed4fcb2a89684a
SHA512 6bbdaaef1478ffd9e9d3a95d300f35b9ac6f3ce6564e80734445a827ad8761233db36c679fac117f363bae27918983520f0e2f408205d3549b001fc4ae4c920c

C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\res\public\en\html\startpage_connect_to_data_no_mru.html

MD5 20bbd307866f19a5af3ae9ebd5104018
SHA1 8e03c9b18b9d27e9292ee154b773553493df1157
SHA256 e4fe51c170e02a01f30a4db8b458fb9b8dee13a7740f17765ba4873fac62c5f7
SHA512 420a132ad4ba3a67f5b66a3e463c4fa495b7941d58d6d669a8c984380607a03f0afa1c92bcf1f8d1fc5d93838ea611f7f9cf439bb3ada0142431b119ddfad40d

C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\res\public\en\html\startpage_connect_to_data_with_mru.html

MD5 e6bc0d078616dd5d5f72d46ab2216e89
SHA1 f70534bb999bcb8f1db0cf25a7279757e794499f
SHA256 e8f50f17c994f394239350951a40c3454e9b52b0ca95cf342f2577828f390a54
SHA512 6ccd6e19ec63f20c86a28ccaffa609a2d0de7991a8eb2d6ea016bcc5d0e9f2fc28c33a15c4af891f28a9e1e4131f38f84f8e1a8859e020d6f267977075f7c66a

C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\res\public\en\html\startpage_landing.html

MD5 0a5b47256c14570b80ef77ecfd2129b7
SHA1 69210a7429c991909c70b6b6b75fe4bc606048ae
SHA256 1934657d800997dedba9f4753150f7d8f96dd5903a9c47ed6885aabf563bf73d
SHA512 5ca22260d26ec5bb1d65c4af3e2f05356d7b144836790ac656bf8c1687dd5c7d67a8a46c7bde374ec9e59a1bedc0298a4609f229d997409a0cc5453ef102ecb2

C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\res\public\en\html\startpage_topstrip_no_mru.html

MD5 eced86c9d5b8952ac5fb817c3ce2b8ba
SHA1 3ca24e69df7a4b81f799527a97282799fcd3f1e2
SHA256 3988afa43d3c716ecbe4e261ff13c32fe67baaaf1718eac790040cff2aa4e44d
SHA512 a21e88968c30f14363a73dfd7801cea34255acb968160fad59d813bb64352583c8c4f6cd9d45811676ca5ca90a4250601a53e80b6f41d6727465f3a57e7423a1

C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\res\public\en\html\startpage_topstrip_with_mru.html

MD5 cc4d8a787ab1950c4e3aac5751c9fcde
SHA1 d026a156723a52c34927b5a951a2bb7d23aa2c45
SHA256 13683e06e737e83ca94505b1cd1cd70f4f8b2cc5e7560f121a6e02ed1a06e7ee
SHA512 e0b01f5ee4da60e35a4eb94490bed815aea00382f3b9822b7c29294cf86a2fe480dba704f086a38f9d7aaf39e8160f49cf806b6b6c44651de56e290249dd9ebe

C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\res\public\en\stylesheets\start_page.css

MD5 f2ab3e5fb61293ae8656413dbb6e5dc3
SHA1 53b3c3c4b57c3d5e2d9a36272b27786cd60f0eb5
SHA256 06db4d53adf4a1ecbc03ed9962af7f46fd3a54668d45907dc1737125e38ec192
SHA512 2c31cad868e1e5149a4308a149104ac3d88907894699fb0413860c8f578de32f6814b08d518de7a7fe3782f0cea173cb1766da7c25f2bcdddaffae7bc0da927c

C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\res\public\en\stylesheets\start_page_landing.css

MD5 49617add7303a8fbd24e1ad16ba715d8
SHA1 31772218ccf51fe5955625346c12e00c0f2e539a
SHA256 b3a99eea19c469dab3b727d1324ed87d10999133d3268ed0fadd5a5c8d182907
SHA512 9d1198ca13a0c1f745b01aabc23b60b8e0df4f12d7fdf17e87e750f021fc3800ea808af6c875848b3850061070dfd54c2e34d92cea4e8a2bf4736fbcfd129d1e

C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\Uninstall\uninstall.xml

MD5 2127159799a0fb58dbb1ce53b78dd007
SHA1 d96ec16e5d118f4615390d54325f57a4521e63dc
SHA256 6b7406526a4f8791008452a6157b6407019a99482df7dd3a32a82b8cbda991d8
SHA512 f2a7f3af3b0fe1b2ed81280e31e88e482ac2406d7fb4765a636a9c74d9f280084fd3442fe6d9966ee8bcbd52f643a88c4bbfd9336c9705eeea83b263070acf7a

C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\Uninstall\uninstall.xml

MD5 3cb080be4c851aafcc4783ea77ba1786
SHA1 aa3f0227d60e3608b5cb1295b18159dadee22003
SHA256 8c40283125120bb7f9e391b215144928978d90cbcaddbff9df7612abec9b53ef
SHA512 e954ece61e7204135ad643039ded7e02db93a8eda78892b662a35f965be3f780b34713a16ffcde132ee265f63a9f9dc3e93536e219f6daa57d5badab692ac9bf

memory/2788-817-0x0000000000C90000-0x0000000000CA0000-memory.dmp

\Users\Admin\AppData\Roaming\DbVisualizer Manager\DbVisualizer.exe

MD5 8bdcdb3e83a1c1be455261ecc962e4de
SHA1 19d75b448099147c7778d740042ee1b6882f5421
SHA256 2d15996edb4020417ce3784284e2ebcdb3ba7b1918d9a05664741cbd69c0eff6
SHA512 4ee7bfe95ce89557bff39332ff448a594bf84c7e0b50ea765e86e3e9fbfc7812adacd06fc131f4166739f2948051d6310385ebbfbf13bab870b3fba5fac82417

\Users\Admin\AppData\Roaming\DbVisualizer Manager\DbVisualizer.exe

MD5 33caf22b37079592db9a9f82fe16fa9a
SHA1 0c1f806ef014d84654c17237031471317b4743e4
SHA256 99eada288948f399a05ef1a515c6edb75a7d3421a70de5de3f7313d371193c20
SHA512 f7244f7ef126d1ed5458acb41574b482f0af92bb8ccc5db09ad67371cce9032de3888bd8227d7d10e6f549807397c97a1b4726cc55c2845a016dd2eb940e43ea

\Users\Admin\AppData\Roaming\DbVisualizer Manager\DbVisualizer.exe

MD5 14208d0a0cb56f1b1300ea79ba310036
SHA1 00bbe2be8aacc2789d678e865e8f68c6162109ed
SHA256 5adbb8b4ab2bf90505b4d21c9944bc0d8a253125ab9ed01c89df3814f9114b54
SHA512 c569c06301de7276ed07b89a554e49c019e204fdeb02effc97412188d1b81f77186cf3bcdedef1d9eb63cc20f270f5e2eea348b8546e4628c745f933b5642a11

C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\DbVisualizer.exe

MD5 c8d00458ef78da55cd91ac66eed7ed83
SHA1 847bba317b66592b09fbcadaedd595f9bfee23c7
SHA256 74e437c8ca7b8fcf1a02653d2bc6d049190991938700fe38b7b8f9d275dc11ad
SHA512 281bcfc3e77b653eeb41142f1486c651d3526fa955fe3ace416a95f0416a6c5ee90bbd6d7da2aa023990acc67f6dee074d1360b1cc34f912b4a95c4abbec726f

\Users\Admin\AppData\Roaming\DbVisualizer Manager\DbVisualizer.exe

MD5 90862fb7b53c2df3387d8bbd35ae7e68
SHA1 7ad5419907d95c703970e1b4d14819f448ae5e1e
SHA256 7a80b80f82ce0c9530d079ccaedf9bd07f5fc53039cdc2b275610fdc59edca67
SHA512 0b2a6b61cd3e9ec76e8b7ec23c1a7e11523f5a2715f7eeec17aa0f28d180b17ec0997e7768f765a001593f3f483bbabf3f0317a86694e367babcd8779fab8eba

C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\DbVisualizer.exe

MD5 06e79988fba42039dffd684fd07635da
SHA1 dfd68b630b76e8466801e69534e1e88b9938bedf
SHA256 758861f27238f401ef9ca7249a884b62bd8e03c6e510fa2176964f9fcc40e51e
SHA512 010115b21c68a15c1d3db522d68feaedfa09a3fca15ddce18bc94b0ef9860c60caad0da5190159436c32d3ebd4a57f330ee27700e8c28b8eb0b1d4ddecacd2c2

memory/2788-837-0x0000000005240000-0x0000000005723000-memory.dmp

C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\libintl-8.dll

MD5 4a9b0f444ac743624a8a975d121c7111
SHA1 99c8d48075e63e7b5aa80d39bc6e375c5e6d080b
SHA256 6486eb74a008109826731bf73e4cfed5acd4feb2b8c8c2825bb2ecdb9da982a5
SHA512 a32595907bd5e03fc473d1628ff5db076cd4b62eed1de43b55a774c0e3508096218c16e7afd12e2ca9e9fc8203aadfe1d38140a0c917784d722f19668dc6d9a4

memory/2788-834-0x0000000000F40000-0x0000000001328000-memory.dmp

memory/2788-829-0x0000000005240000-0x0000000005723000-memory.dmp

C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\manual.pdf

MD5 b78eb6c1f6364dea245a592bf1cb6a13
SHA1 b509bc936a3882db2c911d6bde86da05e5bf829d
SHA256 db1efa5c12505764838c95c1f377d3584dde6ff5c7470a4d0c7bb61254065608
SHA512 834a06116f2e9e62c60a6024dcbb5f18f938820bb04bfb221fbdcd49b3f0fb61a471edf3056fb1256357beeaf36e8b4d0a5331c2bcfc4f1d2fd5e7f3a277269c

memory/2380-840-0x0000000000AA0000-0x0000000000F83000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabBB36.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarBB49.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Local\Temp\152127219347

MD5 678bfa388f95ade9da2a3dc79e9847cc
SHA1 cc43196791853fb7d1fc43f2d41f5018c4dd8ec9
SHA256 ec8fbf41e1bb1651b1d9f1ee4528fc9d1e21568ae30344224078aba7809fe516
SHA512 f7f2e98a68b749d47c06ee6c57537b85a38ea7100fc40baa08d0a9850fb4372782aa8250516e28d05d79ca9dfbe451eb4c09d8c2561bd97c39c81bcc051b86ab