Malware Analysis Report

2024-09-22 16:35

Sample ID 240410-sfsypafc9x
Target fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3
SHA256 fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3
Tags
babadeda outsteel crypter discovery loader spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3

Threat Level: Known bad

The file fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3 was found to be: Known bad.

Malicious Activity Summary

babadeda outsteel crypter discovery loader spyware stealer upx

Babadeda

Babadeda Crypter

OutSteel

Reads user/profile data of web browsers

Loads dropped DLL

UPX packed file

Checks computer location settings

Executes dropped EXE

Enumerates connected drives

Checks installed software on the system

AutoIT Executable

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-10 15:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-10 15:04

Reported

2024-04-10 15:07

Platform

win7-20240221-en

Max time kernel

142s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

OutSteel

stealer outsteel

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\a: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\CsvHelper\\7-zip.dll" C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000} C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2876 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2876 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2876 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2876 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2876 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2876 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2876 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2968 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe
PID 2968 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe
PID 2968 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe
PID 2968 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe
PID 864 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 936 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 936 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 936 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 936 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 344 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 344 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 344 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 344 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 320 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 320 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 320 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 320 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 560 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 560 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 560 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 560 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3.exe

"C:\Users\Admin\AppData\Local\Temp\fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3.exe"

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1798690 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3.exe" "__IRCT:1" "__IRTSS:0" "__IRSID:S-1-5-21-3452737119-3959686427-228443150-1000"

C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe

"C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A

Network

Country Destination Domain Proto
RU 45.146.165.91:8080 tcp
RU 45.146.165.91:8080 tcp
RU 45.146.165.91:8080 tcp
RU 45.146.165.91:8080 tcp

Files

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 ac23d03c4b8d531016a3c1ebfa2bc91c
SHA1 11383627d5515ed2257f594db7fbce3a4b9106f8
SHA256 0ddd10f3c8a3268237117f08a94c52ead801a76286bb76d0f521b56689801d06
SHA512 bb649ab787a05dba410ce43a592b7f122c71f1fdc69bbb8789c57a3e64018189eebb9b46669a2d6a1b156818bb59beed130aeae6e1928108dee16168445659c1

memory/2876-14-0x00000000031C0000-0x00000000035A8000-memory.dmp

memory/2876-15-0x00000000031C0000-0x00000000035A8000-memory.dmp

memory/2876-16-0x00000000031C0000-0x00000000035A8000-memory.dmp

memory/2876-17-0x00000000031C0000-0x00000000035A8000-memory.dmp

memory/2968-19-0x0000000000120000-0x0000000000508000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

MD5 e7a789232ef503dcb4929791673009a3
SHA1 8bc28bce4c9d8b4a6e360100441ba54a878de4c1
SHA256 89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1
SHA512 6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

C:\Users\Admin\AppData\Roaming\CsvHelper\Images\[email protected]

MD5 44018e1779270b083ad90da3dffe9b15
SHA1 e09c06b564abe26bcf91ecb7632d761c3234b30d
SHA256 71bacaee2c9e1fbe6a7184aaf9d3f8e24d6390ca62298c5da425bf060cd2bc4c
SHA512 ece1fde07753a160735d2c09272410a473c7cbf18972005baa36480d363e87a47f02b7b83efb893b88e334e7f49d645d85f802246e7508623d20c04adb6cbb7b

C:\Users\Admin\AppData\Roaming\CsvHelper\Images\[email protected]

MD5 b3c74bb5250effad46ce11a96c9468c2
SHA1 3a339e244a29fe41d13fa4cc951a7e0a2862e299
SHA256 5a9479caa4024731d61172652a67021f4973a03548516d36a4865ec161a57825
SHA512 a5f8499a39972341740f46f96f90feb6cab15610fd9e7d25eeae139236fe115874806a6554c8fe180dee097088f8d4802a20b0ebc7de0c04486c7dbce36116c3

C:\Users\Admin\AppData\Roaming\CsvHelper\Images\[email protected]

MD5 3272be2da53b6d5271111431f7d90d28
SHA1 7ec382eee6282454d5b0b03751f3d14c568bbfa5
SHA256 4e2a12a194e0db12de874ad8c9a5288b5a56285b426883bd0e3cef1866569982
SHA512 45dbfa8dd5aa0bd1e2dd042a716f00bad44142b98bcffedb7c30403b6132b50e72db64909d3873ca3a154d4a2e90433093c4f040454bca005b8274130c827b26

C:\Users\Admin\AppData\Roaming\CsvHelper\Images\[email protected]

MD5 228d4bd899577ed16ad3ac74b592a0e6
SHA1 baf99e34e126d6c41b7aa39caabc2376358bab70
SHA256 fe87e02e797a143042bd7f10fa57c6e2a53028b5d5ab4c3da2a1e4affd1c86d5
SHA512 285b2057d2bce4086859d76ad7c57f029946106e5bf31525a92450714b790bc77fb982e6e1edfedfbb4335a791911e057caf01ea801868ae196a8775a78adebc

C:\Users\Admin\AppData\Roaming\CsvHelper\Images\[email protected]

MD5 2719683b8dba819f2e6bd9e9b7307f1c
SHA1 6cbac17ebf8b56489ad8b8c458dd618b2788512a
SHA256 316b67841dba6c73097d0d50d1b454fd80b6aac86fa0fe15f9b514d65a5bb66a
SHA512 96ffe07ea87dae0bcf92a2d06dbfc8604526e77afd8f1bae1bc3ef17261463a214a54d91e7f672a5b8455ed4c7bba8fbe19e12255c6d5b2bbd26dda5c8b6ccee

\Users\Admin\AppData\Roaming\CsvHelper\7-zip.dll

MD5 23c651b2ace76d42fec3989bcba3ce7b
SHA1 378776d20133f20a4c42476bdcb0a408ef1dce1c
SHA256 1b8410f839283a9483369dacdb22290b065ece6f00c026d953024666761532e2
SHA512 e47ae720b9ee4388dacfdbf2ba1e2dc546cc01fdb25a6c82ceeeda03801e449f660e97b3bbb6f65b791bfc1566f21187053472022c6c7c0d68f8cf1187326ec8

C:\Users\Admin\AppData\Roaming\CsvHelper\Uninstall\uninstall.xml

MD5 25ff929da5c3723895a26e22045336f0
SHA1 ad9867b6eb3b092dc870ed02dfc9bd6db4e6e194
SHA256 16d4d5175cc233d7d18321a74b87ab14a80a7e9173e0b55e4810793cce7da4f9
SHA512 cf65fd9dbbfb964e828cd7f962bc2d9fd8e1c7316b20b81fc9bc0ab12e02e1a3403d455f80990eb53ff4f2191a618abfab6c5a586e535f4bfbd7d9d0abbfb352

C:\Users\Admin\AppData\Roaming\CsvHelper\Uninstall\uninstall.xml

MD5 b93816edf32e4ff83b703379e66c5a36
SHA1 c3eaba74bc9f7a4e8a17890fd119eb3ce7107d0d
SHA256 913adab269547de77b7b9792ab7a81af5029c9f391c58e33dccaa18b4abe11bb
SHA512 fda4e1cca70c2b82050f5ab4989ece93d14a5bce3ce9dd12c3e75955654486e62e7b3cfeb2aedfe15fd458e54690644f8224b6171bfce6c6ccc8de6f341090ba

memory/2968-938-0x0000000002280000-0x0000000002290000-memory.dmp

C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe

MD5 f5de326683df44d71ed1b986fd836e0b
SHA1 33bc899da6afd2b82b27d59acd0844b521e57079
SHA256 17c3cf5742d2a0995afb4dd2a2d711abe5de346abde49cf4cf5b82c14e0a155f
SHA512 12ae60cec6bd90c6bf4f8bb5196f79811bc03f4208c9c1148190551854a04f3b61732d3cb7f99feea019cc1f5c05c37b5ad24e24de39763acfc663b31434f15a

memory/2968-950-0x0000000005240000-0x000000000597F000-memory.dmp

memory/2968-957-0x0000000000120000-0x0000000000508000-memory.dmp

C:\Users\Admin\AppData\Roaming\CsvHelper\libfreetype-4.dll

MD5 1bf457ea201a3374f7c37f43d5c3ffdb
SHA1 bf693ad6b3070cfb60902eeeb3a290bad531bbd0
SHA256 9107ca00ea91640e2498b2d7c1529d7eaaa731907bb9a3732a6895fbca9aaf08
SHA512 c6657ffbcefb3e5ae704fb4712520b3ff705c23a206628b3f348cb11fa0e55e5c2ac54172d98a79470c15413e7f526fbc12ac700c7ae83052f888c241d530074

memory/2968-951-0x0000000005240000-0x000000000597F000-memory.dmp

memory/2968-959-0x0000000005240000-0x000000000597F000-memory.dmp

memory/864-960-0x00000000009E0000-0x000000000111F000-memory.dmp

C:\Users\Admin\AppData\Roaming\CsvHelper\Guide.pdf

MD5 349a1d8bb00ae11bbf535cd909838c65
SHA1 c7b9d73580d6c733fbd5875bbccfbf3b792018e2
SHA256 93e4d8628b80b495625844695be857f62353c5b95a1ed85f262fb8681a2cbae4
SHA512 f1911c2071628fcbf4d18640d50808d2c23c22594c71e380d3f8cb6d90ae3c75019c4210ff6f6f54a918ec346694bdf821757cc4f174ed48a7a11d28a4aced51

memory/864-964-0x00000000009E0000-0x000000000111F000-memory.dmp

memory/864-966-0x00000000009E0000-0x000000000111F000-memory.dmp

memory/864-968-0x00000000009E0000-0x000000000111F000-memory.dmp

memory/864-970-0x00000000009E0000-0x000000000111F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-10 15:04

Reported

2024-04-10 15:07

Platform

win10v2004-20240319-en

Max time kernel

147s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

OutSteel

stealer outsteel

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\z: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000} C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\CsvHelper\\7-zip.dll" C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2352 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2352 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2352 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 1888 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe
PID 1888 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe
PID 1888 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe
PID 2132 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 180 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 180 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 180 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3.exe

"C:\Users\Admin\AppData\Local\Temp\fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3.exe"

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1798690 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3.exe" "__IRCT:1" "__IRTSS:0" "__IRSID:S-1-5-21-817259280-2658881748-983986378-1000"

C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe

"C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3768 --field-trial-handle=2844,i,5640589924128028832,7963280732661142908,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A
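The eighteen cmd.exe launches above are one command with only the extension changed (the sample lists .dot twice), all spawned by csvhelper.exe out of the user's AppData\Roaming directory; the WriteProcessMemory rows earlier in this analysis show PID 2132 writing into each of those cmd.exe children a fixed small number of times, which is consistent with ordinary process creation rather than injection, so the thing to detect is the burst of command lines, not the memory writes. As an added example, not part of this report or of the sandbox's own signature logic, the following Python groups process-creation events by parent and flags any parent that runs DIR /S /B /A sweeps over many extensions inside a short window. The event records, their field names, the PIDs and the timestamps are constructed to mirror the command lines above and are not a real Sysmon or EDR schema.

```python
import re
from collections import defaultdict

# Shape of the sweep seen in the process list:
#   cmd.exe /U /C DIR "\Users\<user>\*.<ext>" /S /B /A
DIR_SWEEP = re.compile(
    r'cmd\.exe\s+(?:/U\s+)?/C\s+DIR\s+"\\Users\\[^"\\]+\\\*\.([A-Za-z0-9]+)"\s+/S\s+/B\s+/A',
    re.IGNORECASE,
)
# A parent binary living under a user-writable profile directory deserves extra weight.
USER_WRITABLE = re.compile(r'^C:\\Users\\[^\\]+\\AppData\\', re.IGNORECASE)


def sweep_extension(cmdline):
    """Return the extension swept by a cmd.exe DIR command, or None if it is not a sweep."""
    m = DIR_SWEEP.search(cmdline)
    return m.group(1).lower() if m else None


def find_sweeps(events, min_extensions=5, window_s=60.0):
    """Group DIR sweeps by (parent_pid, parent_image) and report every parent that
    covered at least `min_extensions` distinct extensions within some `window_s`-second
    window. Returns a list of dicts, one per offending parent."""
    by_parent = defaultdict(list)
    for ev in events:
        ext = sweep_extension(ev["cmdline"])
        if ext is not None:
            by_parent[(ev["parent_pid"], ev["parent_image"])].append((ev["ts"], ext))

    hits = []
    for (pid, image), items in by_parent.items():
        items.sort()
        for start_ts, _ in items:
            exts = sorted({e for t, e in items if start_ts <= t <= start_ts + window_s})
            if len(exts) >= min_extensions:
                hits.append({
                    "parent_pid": pid,
                    "parent_image": image,
                    "extensions": exts,
                    "parent_in_user_writable_path": bool(USER_WRITABLE.match(image)),
                })
                break  # one finding per parent is enough
    return hits


# Constructed events modelled on the csvhelper.exe -> cmd.exe chain in the report.
# PIDs, timestamps and the trailing benign Explorer event are illustrative only.
SWEPT = ["doc", "pdf", "ppt", "dot", "xl", "csv", "rtf", "dot", "mdb", "accdb",
         "pot", "pps", "ppa", "rar", "zip", "tar", "7z", "txt"]
SAMPLE_EVENTS = [
    {
        "ts": 100.0 + 0.2 * i,
        "parent_pid": 2132,
        "parent_image": r"C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe",
        "child_image": r"C:\Windows\SysWOW64\cmd.exe",
        "cmdline": r'C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.%s" /S /B /A' % ext,
    }
    for i, ext in enumerate(SWEPT)
] + [
    {   # a single interactive dir launched from Explorer, which must not be flagged
        "ts": 200.0,
        "parent_pid": 1234,
        "parent_image": r"C:\Windows\explorer.exe",
        "child_image": r"C:\Windows\System32\cmd.exe",
        "cmdline": r'C:\Windows\System32\cmd.exe /C dir "C:\Users\Admin\Documents" /B',
    },
]

if __name__ == "__main__":
    for hit in find_sweeps(SAMPLE_EVENTS):
        print(hit)
```

The threshold of five extensions in sixty seconds is a starting point, not a tuned value: an interactive user rarely issues recursive DIR sweeps for more than one or two extensions in a row, while this sample issues seventeen distinct ones within seconds, so the gap between the two is wide enough to leave room for either direction.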

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 13.107.246.64:443 - tcp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
RU 45.146.165.91:8080 - tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
RU 45.146.165.91:8080 - tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
RU 45.146.165.91:8080 - tcp
RU 45.146.165.91:8080 - tcp
US 8.8.8.8:53 13.179.89.13.in-addr.arpa udp
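The Network rows above mix three kinds of traffic: reverse (in-addr.arpa) lookups sent to 8.8.8.8 for addresses the host had already contacted, one forward lookup plus five TLS connections for tse1.mm.bing.net, and TCP connections to two addresses that were never resolved by name, one of which, 45.146.165.91:8080, is contacted four times. The report does not label any destination as command-and-control, so the split below only decides which rows to look up first. As an added example that is not part of the report, this Python parses the rows as pasted, reverses the in-addr.arpa names back into addresses, and tallies the unresolved direct-to-IP connections. Treating a "-" in the Domain column as an empty cell is my own assumption about how the table renders when the sandbox saw no name.

```python
from collections import Counter

PTR_SUFFIX = ".in-addr.arpa"

# The Network rows from this report, pasted verbatim with the header omitted. A row for
# which the sandbox resolved no name has only three fields.
NETWORK_ROWS = """\
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
RU 45.146.165.91:8080 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
RU 45.146.165.91:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
RU 45.146.165.91:8080 tcp
RU 45.146.165.91:8080 tcp
US 8.8.8.8:53 13.179.89.13.in-addr.arpa udp
"""


def parse_row(line):
    """Parse one table row into a dict, or return None for the header or junk lines.
    Accepts both the three-field form (no name) and a "-" placeholder in the Domain column."""
    fields = line.split()
    if len(fields) == 4:
        country, dest, domain, proto = fields
    elif len(fields) == 3:
        country, dest, proto = fields
        domain = None
    else:
        return None
    if domain == "-":
        domain = None
    if ":" not in dest:
        return None
    host, port = dest.rsplit(":", 1)
    return {"country": country, "ip": host, "port": int(port),
            "domain": domain, "proto": proto.lower()}


def ptr_to_ip(name):
    """'14.160.190.20.in-addr.arpa' -> '20.190.160.14': reverse-lookup names carry the
    IPv4 octets in reverse order. Returns None for anything that is not a PTR name."""
    if not name or not name.endswith(PTR_SUFFIX):
        return None
    octets = name[:-len(PTR_SUFFIX)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def classify(row):
    if row["proto"] == "udp" and row["port"] == 53:
        return "ptr_lookup" if ptr_to_ip(row["domain"]) else "dns_query"
    return "resolved_connect" if row["domain"] else "direct_ip_connect"


def triage(text):
    """Summarise the table: unresolved direct-to-IP connections with a hit count, names
    that were resolved and then connected to, addresses the host reverse-looked-up, and
    plain forward DNS queries."""
    direct, resolved, ptr_targets, dns_queries = Counter(), {}, set(), set()
    for line in text.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        kind = classify(row)
        if kind == "direct_ip_connect":
            direct[(row["ip"], row["port"], row["proto"], row["country"])] += 1
        elif kind == "resolved_connect":
            resolved.setdefault(row["domain"], set()).add(row["ip"])
        elif kind == "ptr_lookup":
            ptr_targets.add(ptr_to_ip(row["domain"]))
        else:
            dns_queries.add(row["domain"])
    return {"direct": dict(direct), "resolved": resolved,
            "ptr_targets": ptr_targets, "dns_queries": dns_queries}


if __name__ == "__main__":
    for key, value in triage(NETWORK_ROWS).items():
        print(key, value)
```

Two things the summary makes visible that the flat table does not: the PTR name 200.197.79.204.in-addr.arpa reverses to 204.79.197.200, the very address the five tse1.mm.bing.net connections went to, so that lookup is part of the Edge/Bing activity rather than anything of its own; and 45.146.165.91:8080 is the only destination that is contacted repeatedly, on a non-standard port, from a non-US country, without any name having been resolved for it.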

Files

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 ac23d03c4b8d531016a3c1ebfa2bc91c
SHA1 11383627d5515ed2257f594db7fbce3a4b9106f8
SHA256 0ddd10f3c8a3268237117f08a94c52ead801a76286bb76d0f521b56689801d06
SHA512 bb649ab787a05dba410ce43a592b7f122c71f1fdc69bbb8789c57a3e64018189eebb9b46669a2d6a1b156818bb59beed130aeae6e1928108dee16168445659c1

memory/1888-11-0x0000000000AF0000-0x0000000000ED8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

MD5 e7a789232ef503dcb4929791673009a3
SHA1 8bc28bce4c9d8b4a6e360100441ba54a878de4c1
SHA256 89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1
SHA512 6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

C:\Users\Admin\AppData\Roaming\CsvHelper\7-zip.dll

MD5 23c651b2ace76d42fec3989bcba3ce7b
SHA1 378776d20133f20a4c42476bdcb0a408ef1dce1c
SHA256 1b8410f839283a9483369dacdb22290b065ece6f00c026d953024666761532e2
SHA512 e47ae720b9ee4388dacfdbf2ba1e2dc546cc01fdb25a6c82ceeeda03801e449f660e97b3bbb6f65b791bfc1566f21187053472022c6c7c0d68f8cf1187326ec8

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG

MD5 3220a6aefb4fc719cc8849f060859169
SHA1 85f624debcefd45fdfdf559ac2510a7d1501b412
SHA256 988cf422cbf400d41c48fbe491b425a827a1b70691f483679c1df02fb9352765
SHA512 5c45ea8f64b3cdfb262c642bd36b08c822427150d28977af33c9021a6316b6efed83f3172c16343fd703d351af3966b06926e5b33630d51b723709712689881d

C:\Users\Admin\AppData\Roaming\CsvHelper\Uninstall\uninstall.xml

MD5 1059dc8eb23ef7cb4da1e1011c2c1802
SHA1 86ed8ef0d6cc9d9285bbb941905e06fbcda01dbe
SHA256 f0b08ca9be07067d8c75eb11f0b2a38703e1038f40a3c2e06a992986d5622371
SHA512 890a3e16db18f965e9ac6bf99bd351adf2dda3c927c75229244cbd93c8db3c1fcef251886e64ca8dbe6ebb5c4d1d71bcd1413b9b1e1927dc90ca1c708e85e5ec

C:\Users\Admin\AppData\Roaming\CsvHelper\Uninstall\uninstall.xml

MD5 add9f9f7c84af52fdcca1fadec989365
SHA1 5fe1a339ea598b455860f2e2cc98d3885de27b04
SHA256 902df7bdccbf1fcb9a18be5926b589aaea1fe84c8f6646ca9c605b633ce428fc
SHA512 be9ef0279be69b9c4c2d132aaba72e88469e89df5118b5e98fc4402ffbe8b7550d7db972aba2b8531117004e71b4a82574f78850ae4f9383d187f07b5a8dd375

C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe

MD5 f5de326683df44d71ed1b986fd836e0b
SHA1 33bc899da6afd2b82b27d59acd0844b521e57079
SHA256 17c3cf5742d2a0995afb4dd2a2d711abe5de346abde49cf4cf5b82c14e0a155f
SHA512 12ae60cec6bd90c6bf4f8bb5196f79811bc03f4208c9c1148190551854a04f3b61732d3cb7f99feea019cc1f5c05c37b5ad24e24de39763acfc663b31434f15a

C:\Users\Admin\AppData\Roaming\CsvHelper\libfreetype-4.dll

MD5 1bf457ea201a3374f7c37f43d5c3ffdb
SHA1 bf693ad6b3070cfb60902eeeb3a290bad531bbd0
SHA256 9107ca00ea91640e2498b2d7c1529d7eaaa731907bb9a3732a6895fbca9aaf08
SHA512 c6657ffbcefb3e5ae704fb4712520b3ff705c23a206628b3f348cb11fa0e55e5c2ac54172d98a79470c15413e7f526fbc12ac700c7ae83052f888c241d530074

C:\Users\Admin\AppData\Roaming\CsvHelper\Guide.pdf

MD5 349a1d8bb00ae11bbf535cd909838c65
SHA1 c7b9d73580d6c733fbd5875bbccfbf3b792018e2
SHA256 93e4d8628b80b495625844695be857f62353c5b95a1ed85f262fb8681a2cbae4
SHA512 f1911c2071628fcbf4d18640d50808d2c23c22594c71e380d3f8cb6d90ae3c75019c4210ff6f6f54a918ec346694bdf821757cc4f174ed48a7a11d28a4aced51

memory/1888-653-0x0000000000AF0000-0x0000000000ED8000-memory.dmp

memory/2132-654-0x0000000000900000-0x000000000103F000-memory.dmp

memory/2132-655-0x0000000000900000-0x000000000103F000-memory.dmp

memory/2132-656-0x0000000000900000-0x000000000103F000-memory.dmp

memory/2132-658-0x0000000000900000-0x000000000103F000-memory.dmp

memory/2132-660-0x0000000000900000-0x000000000103F000-memory.dmp

memory/2132-662-0x0000000000900000-0x000000000103F000-memory.dmp
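The Files list gives the on-disk layout the sample leaves behind: an installer stub and its helpers in %LOCALAPPDATA%\Temp\_ir_sf_temp_0, and the actual payload directory %APPDATA%\CsvHelper with csvhelper.exe, its DLLs, a decoy Guide.pdf and an uninstall.xml that is written twice with different content. As an added example that is not part of the report, the following Python sweeps a user profile for those paths, hashes whatever it finds and separates exact hash matches from files that are present at the right path but with different content, which is what a rebuilt dropper with the same layout would produce. The indicator table is copied from the report; the path components, the demo fixture (a constructed csvhelper.exe containing the bytes "hello") and the function names are mine. One caveat for interpreting results: the _ir_sf_temp_0 files belong to an installer runtime that benign installers also unpack, so a path-only hit there is weak on its own, whereas the CsvHelper directory layout together with the csvhelper.exe hash is the stronger signal.

```python
import hashlib
import os
import tempfile

# Dropped-file indicators from the Files list above: path relative to the user profile,
# stored as components so the sweep also runs over a mounted image on Linux, and the
# SHA256 values the sandbox reported. uninstall.xml carries both reported hashes.
DROPPED_FILES = {
    ("AppData", "Local", "Temp", "_ir_sf_temp_0", "irsetup.exe"):
        {"0ddd10f3c8a3268237117f08a94c52ead801a76286bb76d0f521b56689801d06"},
    ("AppData", "Local", "Temp", "_ir_sf_temp_0", "lua5.1.dll"):
        {"89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1"},
    ("AppData", "Local", "Temp", "_ir_sf_temp_0", "IRIMG1.JPG"):
        {"988cf422cbf400d41c48fbe491b425a827a1b70691f483679c1df02fb9352765"},
    ("AppData", "Roaming", "CsvHelper", "csvhelper.exe"):
        {"17c3cf5742d2a0995afb4dd2a2d711abe5de346abde49cf4cf5b82c14e0a155f"},
    ("AppData", "Roaming", "CsvHelper", "7-zip.dll"):
        {"1b8410f839283a9483369dacdb22290b065ece6f00c026d953024666761532e2"},
    ("AppData", "Roaming", "CsvHelper", "libfreetype-4.dll"):
        {"9107ca00ea91640e2498b2d7c1529d7eaaa731907bb9a3732a6895fbca9aaf08"},
    ("AppData", "Roaming", "CsvHelper", "Guide.pdf"):
        {"93e4d8628b80b495625844695be857f62353c5b95a1ed85f262fb8681a2cbae4"},
    ("AppData", "Roaming", "CsvHelper", "Uninstall", "uninstall.xml"):
        {"f0b08ca9be07067d8c75eb11f0b2a38703e1038f40a3c2e06a992986d5622371",
         "902df7bdccbf1fcb9a18be5926b589aaea1fe84c8f6646ca9c605b633ce428fc"},
}


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA256 so large droppers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_profile(profile_root, indicators=DROPPED_FILES):
    """Check one user profile directory. Each finding is 'hash_match' when a file at an
    indicator path has one of the reported hashes, or 'path_only' when the path exists
    but the content differs. Paths that do not exist produce no finding."""
    findings = []
    for parts, hashes in indicators.items():
        p = os.path.join(profile_root, *parts)
        if not os.path.isfile(p):
            continue
        digest = sha256_of(p)
        findings.append({"path": p, "sha256": digest,
                         "status": "hash_match" if digest in hashes else "path_only"})
    return findings


def sweep_all_profiles(users_dir=r"C:\Users"):
    """Run the sweep over every profile under the Users directory (or a mounted image)."""
    out = []
    if os.path.isdir(users_dir):
        for name in sorted(os.listdir(users_dir)):
            out.extend(sweep_profile(os.path.join(users_dir, name)))
    return out


def demo():
    """Offline self-check on a constructed profile: csvhelper.exe containing b'hello'
    is a path-only hit against the report's hashes, and a full match against an
    indicator set that carries the constructed file's own hash."""
    root = tempfile.mkdtemp(prefix="profile_")
    parts = ("AppData", "Roaming", "CsvHelper", "csvhelper.exe")
    target = os.path.join(root, *parts)
    os.makedirs(os.path.dirname(target))
    with open(target, "wb") as f:
        f.write(b"hello")  # constructed content, not the real dropper
    against_report = sweep_profile(root)
    against_own_hash = sweep_profile(root, {parts: {hashlib.sha256(b"hello").hexdigest()}})
    return against_report, against_own_hash


if __name__ == "__main__":
    print(demo())
    print(sweep_all_profiles())
```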