Analysis Overview
SHA256
e9a858127f5f6e5e0e94ed655a2bf9ed228f87bc99d9b12113e27dcc84be3909
Threat Level: Known bad
The file e9a858127f5f6e5e0e94ed655a2bf9ed228f87bc99d9b12113e27dcc84be3909 was found to be: Known bad.
Malicious Activity Summary
Babadeda
OutSteel
Babadeda Crypter
Reads user/profile data of web browsers
Modifies file permissions
Enumerates connected drives
Checks computer location settings
AutoIT Executable
Executes dropped EXE
Loads dropped DLL
Checks installed software on the system
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Modifies data under HKEY_USERS
Uses Volume Shadow Copy service COM API
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-04-10 14:44
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-10 14:44
Reported
2024-04-10 14:47
Platform
win7-20240221-en
Max time kernel
144s
Max time network
146s
Command Line
Signatures
Babadeda
Babadeda Crypter
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
OutSteel
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ICACLS.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ICACLS.EXE | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\f76447f.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI455A.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\f764480.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Logs\DPX\setuperr.log | C:\Windows\SysWOW64\EXPAND.EXE | N/A |
| File opened for modification | C:\Windows\Installer\f764480.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5938.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5939.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\f76447f.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Logs\DPX\setupact.log | C:\Windows\SysWOW64\EXPAND.EXE | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MW-35b19c36-2ebf-4c21-b7bf-34c2f33a7652\files\se1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MW-35b19c36-2ebf-4c21-b7bf-34c2f33a7652\files\se1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e9a858127f5f6e5e0e94ed655a2bf9ed228f87bc99d9b12113e27dcc84be3909.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004A4" "00000000000005B8"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C15203D9BA38D081398EBB2EB6C75E74
C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-35b19c36-2ebf-4c21-b7bf-34c2f33a7652\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
C:\Windows\SysWOW64\EXPAND.EXE
"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
C:\Users\Admin\AppData\Local\Temp\MW-35b19c36-2ebf-4c21-b7bf-34c2f33a7652\files\se1.exe
"C:\Users\Admin\AppData\Local\Temp\MW-35b19c36-2ebf-4c21-b7bf-34c2f33a7652\files\se1.exe"
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe
"C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe"
C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-35b19c36-2ebf-4c21-b7bf-34c2f33a7652\." /SETINTEGRITYLEVEL (CI)(OI)LOW
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A
Network
| Country | Destination | Domain | Proto |
| RU | 45.146.165.91:8080 | | tcp |
| RU | 45.146.165.91:8080 | | tcp |
| RU | 45.146.165.91:8080 | | tcp |
| RU | 45.146.165.91:8080 | | tcp |
Files
C:\Windows\Installer\MSI455A.tmp
| MD5 | 4caaa03e0b59ca60a3d34674b732b702 |
| SHA1 | ee80c8f4684055ac8960b9720fb108be07e1d10c |
| SHA256 | d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d |
| SHA512 | 25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34 |
C:\Users\Admin\AppData\Local\Temp\MW-35b19c36-2ebf-4c21-b7bf-34c2f33a7652\msiwrapper.ini
| MD5 | 1f828ebcc6e5cd2a5ac53647f113e3f0 |
| SHA1 | d4d09f5b27806593c40f9946d667fef15fc62e05 |
| SHA256 | b91602781fd052150b933f821d3dcc1f3aa54292ce2992ebd230ba923cdc9b1c |
| SHA512 | 78b47da3343d3a0b64f37af9cefcf4b7d3a8c3665fcc9a429a77d1113408dcd53351472a69adf1060376b7b88b7bf2af91980031df4dd95cc887da403bbae2cd |
C:\Users\Admin\AppData\Local\Temp\MW-35b19c36-2ebf-4c21-b7bf-34c2f33a7652\msiwrapper.ini
| MD5 | 4ae0d5ecdb522602d02203df3669c86e |
| SHA1 | 17e78aa3fa85c88eed1520b64a27495bff0954d5 |
| SHA256 | 44ad1bb81f49b29e1f6ad0c984cde640eb84b05b1ea3a3230f5cdb9c8acc1353 |
| SHA512 | 5acaea126ee04a594e04285241461a2d16ebc5eee411950da8da6e2d3ed6bd11f7baf14f3bc8fe2ddd2b3c8b3e09f19773dc23d5089d186a12e4e705bb1de1b7 |
C:\Users\Admin\AppData\Local\Temp\MW-35b19c36-2ebf-4c21-b7bf-34c2f33a7652\msiwrapper.ini
| MD5 | 9691b94a172d1a85cd7c0480374dce8d |
| SHA1 | 7876e66e3b7fe6a0901702701783322f256d9f47 |
| SHA256 | e4af041724a180d517ca7b892d8754c9d8df263d355dd7ab6e166e50a5670a4a |
| SHA512 | 1bb2b2061f977254dec7eed5803c49863e0b05a81e57aaa6c3eed7ba947234e16f773837ab0eb5d2e1ec4b4c5bab9e9fc9adcbbf08cd20d3f7652f605815e75e |
C:\Users\Admin\AppData\Local\Temp\MW-35b19c36-2ebf-4c21-b7bf-34c2f33a7652\files.cab
| MD5 | 6f7c8bbe4e94980ca7c1b878c048be94 |
| SHA1 | 2ee86ce71bd986ff8e92f5a2b876098ccbab42dc |
| SHA256 | f7d0e68a4513d8de00698dda1aecfb5ca4efa1871c9141764ce641a0d1d034ae |
| SHA512 | 4c811c848621873d871246ac654257954d569747653dbfaad40b434be155435590573699cd4b89eac5de1cab446571b8ac1ea1ec0d068b04bb769f983913983b |
C:\Users\Admin\AppData\Local\Temp\MW-35b19c36-2ebf-4c21-b7bf-34c2f33a7652\files\se1.exe
| MD5 | e3ffe9b1db336ca7f34e0f26215d4ee4 |
| SHA1 | 3ec434df80529311342401ac7a7acd066e19c90f |
| SHA256 | 700b05fede8afe3573b6fec81452d4b09c29adb003cdacb762c8b53d84709901 |
| SHA512 | 71168c55f1c159d48b11f951fae2c8686fc66e4e1ba57f5bc2904cc06af71d096ebc60220745133c83c5a06682621736c6f73261658af5ab086b5831f91c9a8b |
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Images\[email protected]
| MD5 | 44018e1779270b083ad90da3dffe9b15 |
| SHA1 | e09c06b564abe26bcf91ecb7632d761c3234b30d |
| SHA256 | 71bacaee2c9e1fbe6a7184aaf9d3f8e24d6390ca62298c5da425bf060cd2bc4c |
| SHA512 | ece1fde07753a160735d2c09272410a473c7cbf18972005baa36480d363e87a47f02b7b83efb893b88e334e7f49d645d85f802246e7508623d20c04adb6cbb7b |
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Images\[email protected]
| MD5 | 3272be2da53b6d5271111431f7d90d28 |
| SHA1 | 7ec382eee6282454d5b0b03751f3d14c568bbfa5 |
| SHA256 | 4e2a12a194e0db12de874ad8c9a5288b5a56285b426883bd0e3cef1866569982 |
| SHA512 | 45dbfa8dd5aa0bd1e2dd042a716f00bad44142b98bcffedb7c30403b6132b50e72db64909d3873ca3a154d4a2e90433093c4f040454bca005b8274130c827b26 |
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Images\[email protected]
| MD5 | 2719683b8dba819f2e6bd9e9b7307f1c |
| SHA1 | 6cbac17ebf8b56489ad8b8c458dd618b2788512a |
| SHA256 | 316b67841dba6c73097d0d50d1b454fd80b6aac86fa0fe15f9b514d65a5bb66a |
| SHA512 | 96ffe07ea87dae0bcf92a2d06dbfc8604526e77afd8f1bae1bc3ef17261463a214a54d91e7f672a5b8455ed4c7bba8fbe19e12255c6d5b2bbd26dda5c8b6ccee |
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Images\[email protected]
| MD5 | 228d4bd899577ed16ad3ac74b592a0e6 |
| SHA1 | baf99e34e126d6c41b7aa39caabc2376358bab70 |
| SHA256 | fe87e02e797a143042bd7f10fa57c6e2a53028b5d5ab4c3da2a1e4affd1c86d5 |
| SHA512 | 285b2057d2bce4086859d76ad7c57f029946106e5bf31525a92450714b790bc77fb982e6e1edfedfbb4335a791911e057caf01ea801868ae196a8775a78adebc |
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Images\[email protected]
| MD5 | b3c74bb5250effad46ce11a96c9468c2 |
| SHA1 | 3a339e244a29fe41d13fa4cc951a7e0a2862e299 |
| SHA256 | 5a9479caa4024731d61172652a67021f4973a03548516d36a4865ec161a57825 |
| SHA512 | a5f8499a39972341740f46f96f90feb6cab15610fd9e7d25eeae139236fe115874806a6554c8fe180dee097088f8d4802a20b0ebc7de0c04486c7dbce36116c3 |
memory/1616-960-0x0000000000400000-0x000000000045C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe
| MD5 | f5de326683df44d71ed1b986fd836e0b |
| SHA1 | 33bc899da6afd2b82b27d59acd0844b521e57079 |
| SHA256 | 17c3cf5742d2a0995afb4dd2a2d711abe5de346abde49cf4cf5b82c14e0a155f |
| SHA512 | 12ae60cec6bd90c6bf4f8bb5196f79811bc03f4208c9c1148190551854a04f3b61732d3cb7f99feea019cc1f5c05c37b5ad24e24de39763acfc663b31434f15a |
memory/2792-962-0x00000000002F0000-0x0000000000A2F000-memory.dmp
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Guide.pdf
| MD5 | 349a1d8bb00ae11bbf535cd909838c65 |
| SHA1 | c7b9d73580d6c733fbd5875bbccfbf3b792018e2 |
| SHA256 | 93e4d8628b80b495625844695be857f62353c5b95a1ed85f262fb8681a2cbae4 |
| SHA512 | f1911c2071628fcbf4d18640d50808d2c23c22594c71e380d3f8cb6d90ae3c75019c4210ff6f6f54a918ec346694bdf821757cc4f174ed48a7a11d28a4aced51 |
\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\libfreetype-4.dll
| MD5 | 1bf457ea201a3374f7c37f43d5c3ffdb |
| SHA1 | bf693ad6b3070cfb60902eeeb3a290bad531bbd0 |
| SHA256 | 9107ca00ea91640e2498b2d7c1529d7eaaa731907bb9a3732a6895fbca9aaf08 |
| SHA512 | c6657ffbcefb3e5ae704fb4712520b3ff705c23a206628b3f348cb11fa0e55e5c2ac54172d98a79470c15413e7f526fbc12ac700c7ae83052f888c241d530074 |
C:\Users\Admin\AppData\Local\Temp\MW-35b19c36-2ebf-4c21-b7bf-34c2f33a7652\msiwrapper.ini
| MD5 | 1a3bda6748819be0f045d7cada621b26 |
| SHA1 | 6beaa019acc9aa0739154d8cf8f1d8110140ad82 |
| SHA256 | 53b40697ca818f8bbe75579027cd7e805dfc1f9e762dc874bd2727d8479e0e53 |
| SHA512 | b0d246f846348bcab9f22591d25fbb9c79bd6f788ee72e6655232960aa3f459ba62755984fcd1e678ab0e2e2c2bec934ae74d3000eba7a83a21a03c268fd8827 |
memory/2792-985-0x00000000002F0000-0x0000000000A2F000-memory.dmp
memory/2792-987-0x00000000002F0000-0x0000000000A2F000-memory.dmp
memory/2792-989-0x00000000002F0000-0x0000000000A2F000-memory.dmp
memory/2792-991-0x00000000002F0000-0x0000000000A2F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-10 14:44
Reported
2024-04-10 14:47
Platform
win10v2004-20240226-en
Max time kernel
146s
Max time network
154s
Command Line
Signatures
Babadeda
Babadeda Crypter
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
OutSteel
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ICACLS.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ICACLS.EXE | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MW-313db449-2d1a-4ea0-87ce-b75c35a6ce18\files\se1.exe | N/A |
Checks installed software on the system
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\SourceHash{6EDAE2A7-3AD8-49A4-8751-7FB5826F46B9} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setupact.log | C:\Windows\SysWOW64\EXPAND.EXE | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | C:\Windows\SysWOW64\EXPAND.EXE | N/A |
| File opened for modification | C:\Windows\Installer\MSI6E4B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6E4C.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI61B7.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e5760ec.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e5760ec.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MW-313db449-2d1a-4ea0-87ce-b75c35a6ce18\files\se1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e9a858127f5f6e5e0e94ed655a2bf9ed228f87bc99d9b12113e27dcc84be3909.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 4973ED0FAB5ADF7011FA1732CEFC26CE
C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-313db449-2d1a-4ea0-87ce-b75c35a6ce18\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
C:\Windows\SysWOW64\EXPAND.EXE
"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
C:\Users\Admin\AppData\Local\Temp\MW-313db449-2d1a-4ea0-87ce-b75c35a6ce18\files\se1.exe
"C:\Users\Admin\AppData\Local\Temp\MW-313db449-2d1a-4ea0-87ce-b75c35a6ce18\files\se1.exe"
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe
"C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe"
C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-313db449-2d1a-4ea0-87ce-b75c35a6ce18\." /SETINTEGRITYLEVEL (CI)(OI)LOW
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A
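Two things in the process list above matter for detection. The msiexec.exe, vssvc.exe and srtasks.exe privilege use and the Volume Shadow Copy COM API rows are Windows Installer creating a System Restore point (srtasks.exe ExecuteScopeRestorePoint) and occur for any MSI install, so they are weak signals on their own; likewise the msiwrapper.ini and the MW-<guid> staging directory that ICACLS raises to HIGH integrity and later drops to LOW are the marks of an EXE-to-MSI wrapper, which benign installers use too. The strong signal is the burst of `cmd.exe /U /C DIR "\Users\Admin\*.<ext>" /S /B /A` sweeps, one per document, database and archive extension, which is the OutSteel file-discovery routine. The following is an added detection example, not part of this report or of any sandbox vendor's tooling: it runs over constructed process-creation records (a hypothetical flat `timestamp|pid|ppid|image|commandline` format standing in for Sysmon event 1 or 4688 fields; PIDs and timestamps are invented, the command lines reproduce the sweeps listed above) and flags a parent whose children enumerate many distinct extensions within a short window, while ignoring a single recursive DIR typed by a user.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the discovery command line seen in the process list:
#   cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
DIR_SWEEP = re.compile(
    r'cmd\.exe\s+/U\s+/C\s+DIR\s+"[^"]*\*\.(?P<ext>[A-Za-z0-9]+)"\s+/S\s+/B\s+/A',
    re.IGNORECASE,
)

# Extensions the sample swept (documents, databases, archives, text).
DOCUMENT_EXTS = {"doc", "pdf", "ppt", "dot", "xl", "csv", "rtf", "mdb", "accdb",
                 "pot", "pps", "ppa", "rar", "zip", "tar", "7z", "txt"}


def parse_record(line):
    """Parse one constructed 'timestamp|pid|ppid|image|commandline' record.
    (Hypothetical flat format standing in for Sysmon EID 1 / 4688 fields.)"""
    ts, pid, ppid, image, cmdline = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid),
            "ppid": int(ppid), "image": image, "cmdline": cmdline}


def find_document_sweeps(lines, min_exts=5, window=timedelta(minutes=2)):
    """Return {parent_pid: [extensions]} for every parent whose children ran
    recursive DIR sweeps over at least `min_exts` distinct document/archive
    extensions inside a `window`-long span. One recursive DIR is normal admin
    activity; a burst across many extensions is the stealer pattern."""
    by_parent = defaultdict(list)
    for rec in map(parse_record, lines):
        m = DIR_SWEEP.search(rec["cmdline"])
        if m and m.group("ext").lower() in DOCUMENT_EXTS:
            by_parent[rec["ppid"]].append((rec["ts"], m.group("ext").lower()))

    hits = {}
    for ppid, events in by_parent.items():
        events.sort()
        # Slide a window anchored on each event; flag on the first window
        # that contains enough distinct extensions.
        for i, (start, _) in enumerate(events):
            exts = {ext for ts, ext in events[i:] if ts - start <= window}
            if len(exts) >= min_exts:
                hits[ppid] = sorted(exts)
                break
    return hits


def _rec(ts, pid, ppid, image, cmd):
    return f"{ts}|{pid}|{ppid}|{image}|{cmd}"


# Constructed sample log. PIDs and timestamps are invented; the command lines
# reproduce the first seven sweeps from the process list above.
SAMPLE_LOG = [
    _rec(f"2024-04-10T14:45:{i:02d}", 5000 + i, 4724,
         r"C:\Windows\SysWOW64\cmd.exe",
         rf'C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.{ext}" /S /B /A')
    for i, ext in enumerate(["doc", "pdf", "ppt", "dot", "xl", "csv", "rtf"])
] + [
    # Benign decoy: one recursive DIR typed by a user (no /U, no /A, one extension).
    _rec("2024-04-10T14:46:30", 6100, 1300, r"C:\Windows\System32\cmd.exe",
         r'C:\Windows\system32\cmd.exe /C DIR "C:\Users\Admin\Documents\*.txt" /S /B'),
    _rec("2024-04-10T14:46:31", 6101, 1300, r"C:\Windows\System32\notepad.exe",
         "notepad.exe"),
]

if __name__ == "__main__":
    for ppid, exts in find_document_sweeps(SAMPLE_LOG).items():
        print(f"parent pid {ppid} swept {len(exts)} extensions: {', '.join(exts)}")
```

The threshold and window are tunable; five distinct extensions inside two minutes keeps backup and indexing tools out of the alert while still catching the seventeen-extension sweep in this report. Pair the hit with the dropped-file path (`%AppData%\Josh Close\CsvHelper\csvhelper.exe`) and the 45.146.165.91:8080 connection from the network table for triage.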
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.56.20.217.in-addr.arpa | udp |
| RU | 45.146.165.91:8080 | | tcp |
| US | 8.8.8.8:53 | 233.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| RU | 45.146.165.91:8080 | | tcp |
| RU | 45.146.165.91:8080 | | tcp |
| RU | 45.146.165.91:8080 | | tcp |
Files
C:\Windows\Installer\MSI61B7.tmp
| MD5 | 4caaa03e0b59ca60a3d34674b732b702 |
| SHA1 | ee80c8f4684055ac8960b9720fb108be07e1d10c |
| SHA256 | d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d |
| SHA512 | 25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34 |
\??\Volume{f429969b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{82cdeeaa-b942-4d49-9bf5-346f7eeffd6d}_OnDiskSnapshotProp
| MD5 | f7ae3c295729162ecfa9f298bc98d013 |
| SHA1 | d96194a2a17bbd7ab0b87b137508c48cef8f87a5 |
| SHA256 | f926af16511fa895d39335e5cd567e4e3a90f47bc050df1b534be6dfc6211f5e |
| SHA512 | a84b1a3595517069fa35310f1420004ad626aa639ac2e8619b2cbee52f495983d8dbd01a8f15d5578421fe4cc3939f1d8e6e9a571b88283c3501b7cd72c7990a |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | f91a761adffa6a40ce5a428fea48a473 |
| SHA1 | 129a30f5c9ee7696f0544599249d5632ed9979ae |
| SHA256 | de2b00309cf72aff0cad62658e5c9f1b816f234bb78a73b2b45dac164e8455b6 |
| SHA512 | d0d1bb1eae5aa64d4b382f9f5707e0b4bef780a824bd560712c41ad850f34f9bbc5326b74dc5e5b21e6933fb0d8ffe95c8b09629c8003f40f05f473a42fda5c8 |
C:\Users\Admin\AppData\Local\Temp\MW-313db449-2d1a-4ea0-87ce-b75c35a6ce18\msiwrapper.ini
| MD5 | eb7c810bfc79c6ee2e5a5e7727fcb24a |
| SHA1 | 0ff13cf99d3b62550c9110047d600a6f98005156 |
| SHA256 | 3c50c5b1e15a5433f88d92c0e42c4e87b1b32a18a936e12f430a8257e594f397 |
| SHA512 | b89998d425a37a03925a0d5b13c3076fae173738ddc3a087f9df4ff1c7b010e65fa088562e558d5dbf3a0be416553ef7b4aa643aad9ed64186c2796dbad63df8 |
C:\Users\Admin\AppData\Local\Temp\MW-313db449-2d1a-4ea0-87ce-b75c35a6ce18\files.cab
| MD5 | 6f7c8bbe4e94980ca7c1b878c048be94 |
| SHA1 | 2ee86ce71bd986ff8e92f5a2b876098ccbab42dc |
| SHA256 | f7d0e68a4513d8de00698dda1aecfb5ca4efa1871c9141764ce641a0d1d034ae |
| SHA512 | 4c811c848621873d871246ac654257954d569747653dbfaad40b434be155435590573699cd4b89eac5de1cab446571b8ac1ea1ec0d068b04bb769f983913983b |
C:\Users\Admin\AppData\Local\Temp\MW-313db449-2d1a-4ea0-87ce-b75c35a6ce18\files\se1.exe
| MD5 | e3ffe9b1db336ca7f34e0f26215d4ee4 |
| SHA1 | 3ec434df80529311342401ac7a7acd066e19c90f |
| SHA256 | 700b05fede8afe3573b6fec81452d4b09c29adb003cdacb762c8b53d84709901 |
| SHA512 | 71168c55f1c159d48b11f951fae2c8686fc66e4e1ba57f5bc2904cc06af71d096ebc60220745133c83c5a06682621736c6f73261658af5ab086b5831f91c9a8b |
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Images\[email protected]
| MD5 | 3272be2da53b6d5271111431f7d90d28 |
| SHA1 | 7ec382eee6282454d5b0b03751f3d14c568bbfa5 |
| SHA256 | 4e2a12a194e0db12de874ad8c9a5288b5a56285b426883bd0e3cef1866569982 |
| SHA512 | 45dbfa8dd5aa0bd1e2dd042a716f00bad44142b98bcffedb7c30403b6132b50e72db64909d3873ca3a154d4a2e90433093c4f040454bca005b8274130c827b26 |
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Images\[email protected]
| MD5 | b3c74bb5250effad46ce11a96c9468c2 |
| SHA1 | 3a339e244a29fe41d13fa4cc951a7e0a2862e299 |
| SHA256 | 5a9479caa4024731d61172652a67021f4973a03548516d36a4865ec161a57825 |
| SHA512 | a5f8499a39972341740f46f96f90feb6cab15610fd9e7d25eeae139236fe115874806a6554c8fe180dee097088f8d4802a20b0ebc7de0c04486c7dbce36116c3 |
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Images\[email protected]
| MD5 | 228d4bd899577ed16ad3ac74b592a0e6 |
| SHA1 | baf99e34e126d6c41b7aa39caabc2376358bab70 |
| SHA256 | fe87e02e797a143042bd7f10fa57c6e2a53028b5d5ab4c3da2a1e4affd1c86d5 |
| SHA512 | 285b2057d2bce4086859d76ad7c57f029946106e5bf31525a92450714b790bc77fb982e6e1edfedfbb4335a791911e057caf01ea801868ae196a8775a78adebc |
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Images\[email protected]
| MD5 | 2719683b8dba819f2e6bd9e9b7307f1c |
| SHA1 | 6cbac17ebf8b56489ad8b8c458dd618b2788512a |
| SHA256 | 316b67841dba6c73097d0d50d1b454fd80b6aac86fa0fe15f9b514d65a5bb66a |
| SHA512 | 96ffe07ea87dae0bcf92a2d06dbfc8604526e77afd8f1bae1bc3ef17261463a214a54d91e7f672a5b8455ed4c7bba8fbe19e12255c6d5b2bbd26dda5c8b6ccee |
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Images\[email protected]
| MD5 | 44018e1779270b083ad90da3dffe9b15 |
| SHA1 | e09c06b564abe26bcf91ecb7632d761c3234b30d |
| SHA256 | 71bacaee2c9e1fbe6a7184aaf9d3f8e24d6390ca62298c5da425bf060cd2bc4c |
| SHA512 | ece1fde07753a160735d2c09272410a473c7cbf18972005baa36480d363e87a47f02b7b83efb893b88e334e7f49d645d85f802246e7508623d20c04adb6cbb7b |
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe
| MD5 | f5de326683df44d71ed1b986fd836e0b |
| SHA1 | 33bc899da6afd2b82b27d59acd0844b521e57079 |
| SHA256 | 17c3cf5742d2a0995afb4dd2a2d711abe5de346abde49cf4cf5b82c14e0a155f |
| SHA512 | 12ae60cec6bd90c6bf4f8bb5196f79811bc03f4208c9c1148190551854a04f3b61732d3cb7f99feea019cc1f5c05c37b5ad24e24de39763acfc663b31434f15a |
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\libfreetype-4.dll
| MD5 | 1bf457ea201a3374f7c37f43d5c3ffdb |
| SHA1 | bf693ad6b3070cfb60902eeeb3a290bad531bbd0 |
| SHA256 | 9107ca00ea91640e2498b2d7c1529d7eaaa731907bb9a3732a6895fbca9aaf08 |
| SHA512 | c6657ffbcefb3e5ae704fb4712520b3ff705c23a206628b3f348cb11fa0e55e5c2ac54172d98a79470c15413e7f526fbc12ac700c7ae83052f888c241d530074 |
memory/60-966-0x0000000000280000-0x00000000009BF000-memory.dmp
memory/4724-964-0x0000000000400000-0x000000000045C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Guide.pdf
| MD5 | 349a1d8bb00ae11bbf535cd909838c65 |
| SHA1 | c7b9d73580d6c733fbd5875bbccfbf3b792018e2 |
| SHA256 | 93e4d8628b80b495625844695be857f62353c5b95a1ed85f262fb8681a2cbae4 |
| SHA512 | f1911c2071628fcbf4d18640d50808d2c23c22594c71e380d3f8cb6d90ae3c75019c4210ff6f6f54a918ec346694bdf821757cc4f174ed48a7a11d28a4aced51 |
C:\Users\Admin\AppData\Local\Temp\MW-313db449-2d1a-4ea0-87ce-b75c35a6ce18\msiwrapper.ini
| MD5 | 00936651b95fe2b496c40a99a67359da |
| SHA1 | 8f66e37cb485cc116f116722f655f6f77ed8adb7 |
| SHA256 | b89e87c2f80401df2d79748575a9d63f1c7aa99c29bca3eb41ed9155dcfe8dfe |
| SHA512 | e5c84f6ac1b5d3e29f503d7aa3db71864a22efa2bbb00e7d332fefa6f92593e73344d1acce19e7a7c95a75e118396b9a1de59d359a01942919f6e1ea97c7a994 |
memory/60-981-0x0000000000280000-0x00000000009BF000-memory.dmp
memory/60-983-0x0000000000280000-0x00000000009BF000-memory.dmp
memory/60-985-0x0000000000280000-0x00000000009BF000-memory.dmp