Analysis Overview
SHA256
fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3
Threat Level: Known bad
The file fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3 was found to be: Known bad.
Malicious Activity Summary
Babadeda
Babadeda Crypter
OutSteel
Reads user/profile data of web browsers
Loads dropped DLL
UPX packed file
Checks computer location settings
Executes dropped EXE
Enumerates connected drives
Checks installed software on the system
AutoIT Executable
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-04-10 15:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-10 15:04
Reported
2024-04-10 15:07
Platform
win7-20240221-en
Max time kernel
142s
Max time network
140s
Command Line
Signatures
Babadeda
Babadeda Crypter
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
OutSteel
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Enumerates connected drives
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\CsvHelper\\7-zip.dll" | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000} | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3.exe
"C:\Users\Admin\AppData\Local\Temp\fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3.exe"
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1798690 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3.exe" "__IRCT:1" "__IRTSS:0" "__IRSID:S-1-5-21-3452737119-3959686427-228443150-1000"
C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe
"C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A
Network
| Country | Destination | Domain | Proto |
| RU | 45.146.165.91:8080 | | tcp |
| RU | 45.146.165.91:8080 | | tcp |
| RU | 45.146.165.91:8080 | | tcp |
| RU | 45.146.165.91:8080 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
| MD5 | ac23d03c4b8d531016a3c1ebfa2bc91c |
| SHA1 | 11383627d5515ed2257f594db7fbce3a4b9106f8 |
| SHA256 | 0ddd10f3c8a3268237117f08a94c52ead801a76286bb76d0f521b56689801d06 |
| SHA512 | bb649ab787a05dba410ce43a592b7f122c71f1fdc69bbb8789c57a3e64018189eebb9b46669a2d6a1b156818bb59beed130aeae6e1928108dee16168445659c1 |
memory/2876-14-0x00000000031C0000-0x00000000035A8000-memory.dmp
memory/2876-15-0x00000000031C0000-0x00000000035A8000-memory.dmp
memory/2876-16-0x00000000031C0000-0x00000000035A8000-memory.dmp
memory/2876-17-0x00000000031C0000-0x00000000035A8000-memory.dmp
memory/2968-19-0x0000000000120000-0x0000000000508000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
| MD5 | e7a789232ef503dcb4929791673009a3 |
| SHA1 | 8bc28bce4c9d8b4a6e360100441ba54a878de4c1 |
| SHA256 | 89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1 |
| SHA512 | 6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87 |
C:\Users\Admin\AppData\Roaming\CsvHelper\Images\[email protected]
| MD5 | 44018e1779270b083ad90da3dffe9b15 |
| SHA1 | e09c06b564abe26bcf91ecb7632d761c3234b30d |
| SHA256 | 71bacaee2c9e1fbe6a7184aaf9d3f8e24d6390ca62298c5da425bf060cd2bc4c |
| SHA512 | ece1fde07753a160735d2c09272410a473c7cbf18972005baa36480d363e87a47f02b7b83efb893b88e334e7f49d645d85f802246e7508623d20c04adb6cbb7b |
C:\Users\Admin\AppData\Roaming\CsvHelper\Images\[email protected]
| MD5 | b3c74bb5250effad46ce11a96c9468c2 |
| SHA1 | 3a339e244a29fe41d13fa4cc951a7e0a2862e299 |
| SHA256 | 5a9479caa4024731d61172652a67021f4973a03548516d36a4865ec161a57825 |
| SHA512 | a5f8499a39972341740f46f96f90feb6cab15610fd9e7d25eeae139236fe115874806a6554c8fe180dee097088f8d4802a20b0ebc7de0c04486c7dbce36116c3 |
C:\Users\Admin\AppData\Roaming\CsvHelper\Images\[email protected]
| MD5 | 3272be2da53b6d5271111431f7d90d28 |
| SHA1 | 7ec382eee6282454d5b0b03751f3d14c568bbfa5 |
| SHA256 | 4e2a12a194e0db12de874ad8c9a5288b5a56285b426883bd0e3cef1866569982 |
| SHA512 | 45dbfa8dd5aa0bd1e2dd042a716f00bad44142b98bcffedb7c30403b6132b50e72db64909d3873ca3a154d4a2e90433093c4f040454bca005b8274130c827b26 |
C:\Users\Admin\AppData\Roaming\CsvHelper\Images\[email protected]
| MD5 | 228d4bd899577ed16ad3ac74b592a0e6 |
| SHA1 | baf99e34e126d6c41b7aa39caabc2376358bab70 |
| SHA256 | fe87e02e797a143042bd7f10fa57c6e2a53028b5d5ab4c3da2a1e4affd1c86d5 |
| SHA512 | 285b2057d2bce4086859d76ad7c57f029946106e5bf31525a92450714b790bc77fb982e6e1edfedfbb4335a791911e057caf01ea801868ae196a8775a78adebc |
C:\Users\Admin\AppData\Roaming\CsvHelper\Images\[email protected]
| MD5 | 2719683b8dba819f2e6bd9e9b7307f1c |
| SHA1 | 6cbac17ebf8b56489ad8b8c458dd618b2788512a |
| SHA256 | 316b67841dba6c73097d0d50d1b454fd80b6aac86fa0fe15f9b514d65a5bb66a |
| SHA512 | 96ffe07ea87dae0bcf92a2d06dbfc8604526e77afd8f1bae1bc3ef17261463a214a54d91e7f672a5b8455ed4c7bba8fbe19e12255c6d5b2bbd26dda5c8b6ccee |
\Users\Admin\AppData\Roaming\CsvHelper\7-zip.dll
| MD5 | 23c651b2ace76d42fec3989bcba3ce7b |
| SHA1 | 378776d20133f20a4c42476bdcb0a408ef1dce1c |
| SHA256 | 1b8410f839283a9483369dacdb22290b065ece6f00c026d953024666761532e2 |
| SHA512 | e47ae720b9ee4388dacfdbf2ba1e2dc546cc01fdb25a6c82ceeeda03801e449f660e97b3bbb6f65b791bfc1566f21187053472022c6c7c0d68f8cf1187326ec8 |
C:\Users\Admin\AppData\Roaming\CsvHelper\Uninstall\uninstall.xml
| MD5 | 25ff929da5c3723895a26e22045336f0 |
| SHA1 | ad9867b6eb3b092dc870ed02dfc9bd6db4e6e194 |
| SHA256 | 16d4d5175cc233d7d18321a74b87ab14a80a7e9173e0b55e4810793cce7da4f9 |
| SHA512 | cf65fd9dbbfb964e828cd7f962bc2d9fd8e1c7316b20b81fc9bc0ab12e02e1a3403d455f80990eb53ff4f2191a618abfab6c5a586e535f4bfbd7d9d0abbfb352 |
C:\Users\Admin\AppData\Roaming\CsvHelper\Uninstall\uninstall.xml
| MD5 | b93816edf32e4ff83b703379e66c5a36 |
| SHA1 | c3eaba74bc9f7a4e8a17890fd119eb3ce7107d0d |
| SHA256 | 913adab269547de77b7b9792ab7a81af5029c9f391c58e33dccaa18b4abe11bb |
| SHA512 | fda4e1cca70c2b82050f5ab4989ece93d14a5bce3ce9dd12c3e75955654486e62e7b3cfeb2aedfe15fd458e54690644f8224b6171bfce6c6ccc8de6f341090ba |
memory/2968-938-0x0000000002280000-0x0000000002290000-memory.dmp
C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe
| MD5 | f5de326683df44d71ed1b986fd836e0b |
| SHA1 | 33bc899da6afd2b82b27d59acd0844b521e57079 |
| SHA256 | 17c3cf5742d2a0995afb4dd2a2d711abe5de346abde49cf4cf5b82c14e0a155f |
| SHA512 | 12ae60cec6bd90c6bf4f8bb5196f79811bc03f4208c9c1148190551854a04f3b61732d3cb7f99feea019cc1f5c05c37b5ad24e24de39763acfc663b31434f15a |
memory/2968-950-0x0000000005240000-0x000000000597F000-memory.dmp
memory/2968-957-0x0000000000120000-0x0000000000508000-memory.dmp
C:\Users\Admin\AppData\Roaming\CsvHelper\libfreetype-4.dll
| MD5 | 1bf457ea201a3374f7c37f43d5c3ffdb |
| SHA1 | bf693ad6b3070cfb60902eeeb3a290bad531bbd0 |
| SHA256 | 9107ca00ea91640e2498b2d7c1529d7eaaa731907bb9a3732a6895fbca9aaf08 |
| SHA512 | c6657ffbcefb3e5ae704fb4712520b3ff705c23a206628b3f348cb11fa0e55e5c2ac54172d98a79470c15413e7f526fbc12ac700c7ae83052f888c241d530074 |
memory/2968-951-0x0000000005240000-0x000000000597F000-memory.dmp
memory/2968-959-0x0000000005240000-0x000000000597F000-memory.dmp
memory/864-960-0x00000000009E0000-0x000000000111F000-memory.dmp
C:\Users\Admin\AppData\Roaming\CsvHelper\Guide.pdf
| MD5 | 349a1d8bb00ae11bbf535cd909838c65 |
| SHA1 | c7b9d73580d6c733fbd5875bbccfbf3b792018e2 |
| SHA256 | 93e4d8628b80b495625844695be857f62353c5b95a1ed85f262fb8681a2cbae4 |
| SHA512 | f1911c2071628fcbf4d18640d50808d2c23c22594c71e380d3f8cb6d90ae3c75019c4210ff6f6f54a918ec346694bdf821757cc4f174ed48a7a11d28a4aced51 |
memory/864-964-0x00000000009E0000-0x000000000111F000-memory.dmp
memory/864-966-0x00000000009E0000-0x000000000111F000-memory.dmp
memory/864-968-0x00000000009E0000-0x000000000111F000-memory.dmp
memory/864-970-0x00000000009E0000-0x000000000111F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-10 15:04
Reported
2024-04-10 15:07
Platform
win10v2004-20240319-en
Max time kernel
147s
Max time network
156s
Command Line
Signatures
Babadeda
Babadeda Crypter
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
OutSteel
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Enumerates connected drives
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000} | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\CsvHelper\\7-zip.dll" | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3.exe
"C:\Users\Admin\AppData\Local\Temp\fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3.exe"
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1798690 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3.exe" "__IRCT:1" "__IRTSS:0" "__IRSID:S-1-5-21-817259280-2658881748-983986378-1000"
C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe
"C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3768 --field-trial-handle=2844,i,5640589924128028832,7963280732661142908,262144 --variations-seed-version /prefetch:8
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp |
| RU | 45.146.165.91:8080 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| RU | 45.146.165.91:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| RU | 45.146.165.91:8080 | | tcp |
| RU | 45.146.165.91:8080 | | tcp |
| US | 8.8.8.8:53 | 13.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
| MD5 | ac23d03c4b8d531016a3c1ebfa2bc91c |
| SHA1 | 11383627d5515ed2257f594db7fbce3a4b9106f8 |
| SHA256 | 0ddd10f3c8a3268237117f08a94c52ead801a76286bb76d0f521b56689801d06 |
| SHA512 | bb649ab787a05dba410ce43a592b7f122c71f1fdc69bbb8789c57a3e64018189eebb9b46669a2d6a1b156818bb59beed130aeae6e1928108dee16168445659c1 |
memory/1888-11-0x0000000000AF0000-0x0000000000ED8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
| MD5 | e7a789232ef503dcb4929791673009a3 |
| SHA1 | 8bc28bce4c9d8b4a6e360100441ba54a878de4c1 |
| SHA256 | 89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1 |
| SHA512 | 6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87 |
C:\Users\Admin\AppData\Roaming\CsvHelper\7-zip.dll
| MD5 | 23c651b2ace76d42fec3989bcba3ce7b |
| SHA1 | 378776d20133f20a4c42476bdcb0a408ef1dce1c |
| SHA256 | 1b8410f839283a9483369dacdb22290b065ece6f00c026d953024666761532e2 |
| SHA512 | e47ae720b9ee4388dacfdbf2ba1e2dc546cc01fdb25a6c82ceeeda03801e449f660e97b3bbb6f65b791bfc1566f21187053472022c6c7c0d68f8cf1187326ec8 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG
| MD5 | 3220a6aefb4fc719cc8849f060859169 |
| SHA1 | 85f624debcefd45fdfdf559ac2510a7d1501b412 |
| SHA256 | 988cf422cbf400d41c48fbe491b425a827a1b70691f483679c1df02fb9352765 |
| SHA512 | 5c45ea8f64b3cdfb262c642bd36b08c822427150d28977af33c9021a6316b6efed83f3172c16343fd703d351af3966b06926e5b33630d51b723709712689881d |
C:\Users\Admin\AppData\Roaming\CsvHelper\Uninstall\uninstall.xml
| MD5 | 1059dc8eb23ef7cb4da1e1011c2c1802 |
| SHA1 | 86ed8ef0d6cc9d9285bbb941905e06fbcda01dbe |
| SHA256 | f0b08ca9be07067d8c75eb11f0b2a38703e1038f40a3c2e06a992986d5622371 |
| SHA512 | 890a3e16db18f965e9ac6bf99bd351adf2dda3c927c75229244cbd93c8db3c1fcef251886e64ca8dbe6ebb5c4d1d71bcd1413b9b1e1927dc90ca1c708e85e5ec |
C:\Users\Admin\AppData\Roaming\CsvHelper\Uninstall\uninstall.xml
| MD5 | add9f9f7c84af52fdcca1fadec989365 |
| SHA1 | 5fe1a339ea598b455860f2e2cc98d3885de27b04 |
| SHA256 | 902df7bdccbf1fcb9a18be5926b589aaea1fe84c8f6646ca9c605b633ce428fc |
| SHA512 | be9ef0279be69b9c4c2d132aaba72e88469e89df5118b5e98fc4402ffbe8b7550d7db972aba2b8531117004e71b4a82574f78850ae4f9383d187f07b5a8dd375 |
C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe
| MD5 | f5de326683df44d71ed1b986fd836e0b |
| SHA1 | 33bc899da6afd2b82b27d59acd0844b521e57079 |
| SHA256 | 17c3cf5742d2a0995afb4dd2a2d711abe5de346abde49cf4cf5b82c14e0a155f |
| SHA512 | 12ae60cec6bd90c6bf4f8bb5196f79811bc03f4208c9c1148190551854a04f3b61732d3cb7f99feea019cc1f5c05c37b5ad24e24de39763acfc663b31434f15a |
C:\Users\Admin\AppData\Roaming\CsvHelper\libfreetype-4.dll
| MD5 | 1bf457ea201a3374f7c37f43d5c3ffdb |
| SHA1 | bf693ad6b3070cfb60902eeeb3a290bad531bbd0 |
| SHA256 | 9107ca00ea91640e2498b2d7c1529d7eaaa731907bb9a3732a6895fbca9aaf08 |
| SHA512 | c6657ffbcefb3e5ae704fb4712520b3ff705c23a206628b3f348cb11fa0e55e5c2ac54172d98a79470c15413e7f526fbc12ac700c7ae83052f888c241d530074 |
C:\Users\Admin\AppData\Roaming\CsvHelper\Guide.pdf
| MD5 | 349a1d8bb00ae11bbf535cd909838c65 |
| SHA1 | c7b9d73580d6c733fbd5875bbccfbf3b792018e2 |
| SHA256 | 93e4d8628b80b495625844695be857f62353c5b95a1ed85f262fb8681a2cbae4 |
| SHA512 | f1911c2071628fcbf4d18640d50808d2c23c22594c71e380d3f8cb6d90ae3c75019c4210ff6f6f54a918ec346694bdf821757cc4f174ed48a7a11d28a4aced51 |
memory/1888-653-0x0000000000AF0000-0x0000000000ED8000-memory.dmp
memory/2132-654-0x0000000000900000-0x000000000103F000-memory.dmp
memory/2132-655-0x0000000000900000-0x000000000103F000-memory.dmp
memory/2132-656-0x0000000000900000-0x000000000103F000-memory.dmp
memory/2132-658-0x0000000000900000-0x000000000103F000-memory.dmp
memory/2132-660-0x0000000000900000-0x000000000103F000-memory.dmp
memory/2132-662-0x0000000000900000-0x000000000103F000-memory.dmp