Malware Analysis Report

2024-10-16 03:24

Sample ID 210826-epqpjsdkt2
Target 9528313d13ec6629a64434c36e11872cc12f35232908b2a2e6a89636a199d6cd
SHA256 9528313d13ec6629a64434c36e11872cc12f35232908b2a2e6a89636a199d6cd
Tags
babuk smokeloader backdoor discovery evasion ransomware spyware stealer themida trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

9528313d13ec6629a64434c36e11872cc12f35232908b2a2e6a89636a199d6cd

Threat Level: Known bad

The file 9528313d13ec6629a64434c36e11872cc12f35232908b2a2e6a89636a199d6cd was found to be: Known bad.

Malicious Activity Summary

babuk smokeloader backdoor discovery evasion ransomware spyware stealer themida trojan

SmokeLoader

Babuk Locker

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Deletes shadow copies

Downloads MZ/PE file

Executes dropped EXE

Modifies extensions of user files

Themida packer

Checks BIOS information in registry

Reads user/profile data of web browsers

Deletes itself

Enumerates connected drives

Checks installed software on the system

Checks whether UAC is enabled

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Interacts with shadow copies

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

Suspicious use of SendNotifyMessage

Checks SCSI registry key(s)

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-08-26 08:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-08-26 08:49

Reported

2021-08-26 11:16

Platform

win10v20210410

Max time kernel

152s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9528313d13ec6629a64434c36e11872cc12f35232908b2a2e6a89636a199d6cd.exe"

Signatures

Babuk Locker

ransomware babuk

SmokeLoader

trojan backdoor smokeloader

Deletes shadow copies

ransomware

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BA8B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\MeasureWait.raw => C:\Users\Admin\Pictures\MeasureWait.raw.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened for modification C:\Users\Admin\Pictures\SearchInstall.tiff C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened for modification C:\Users\Admin\Pictures\BlockComplete.tiff C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File renamed C:\Users\Admin\Pictures\DebugUpdate.png => C:\Users\Admin\Pictures\DebugUpdate.png.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened for modification C:\Users\Admin\Pictures\MeasureWait.raw.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened for modification C:\Users\Admin\Pictures\PushRequest.png.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File renamed C:\Users\Admin\Pictures\SkipConfirm.png => C:\Users\Admin\Pictures\SkipConfirm.png.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened for modification C:\Users\Admin\Pictures\DebugUpdate.png.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened for modification C:\Users\Admin\Pictures\MoveUnregister.png.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File renamed C:\Users\Admin\Pictures\PushRequest.png => C:\Users\Admin\Pictures\PushRequest.png.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File renamed C:\Users\Admin\Pictures\SearchInstall.tiff => C:\Users\Admin\Pictures\SearchInstall.tiff.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File renamed C:\Users\Admin\Pictures\BlockComplete.tiff => C:\Users\Admin\Pictures\BlockComplete.tiff.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened for modification C:\Users\Admin\Pictures\BlockComplete.tiff.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File renamed C:\Users\Admin\Pictures\MoveUnregister.png => C:\Users\Admin\Pictures\MoveUnregister.png.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened for modification C:\Users\Admin\Pictures\SearchInstall.tiff.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened for modification C:\Users\Admin\Pictures\SkipConfirm.png.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\BA8B.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\BA8B.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\BA8B.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\M: N/A N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BA8B.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2692 set thread context of 3152 N/A C:\Users\Admin\AppData\Local\Temp\AudioB.exe C:\Users\Admin\AppData\Local\Temp\AudioB.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\9528313d13ec6629a64434c36e11872cc12f35232908b2a2e6a89636a199d6cd.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\9528313d13ec6629a64434c36e11872cc12f35232908b2a2e6a89636a199d6cd.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\9528313d13ec6629a64434c36e11872cc12f35232908b2a2e6a89636a199d6cd.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9528313d13ec6629a64434c36e11872cc12f35232908b2a2e6a89636a199d6cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9528313d13ec6629a64434c36e11872cc12f35232908b2a2e6a89636a199d6cd.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9528313d13ec6629a64434c36e11872cc12f35232908b2a2e6a89636a199d6cd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BA8B.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3040 wrote to memory of 2696 N/A N/A C:\Users\Admin\AppData\Local\Temp\BA8B.exe
PID 3040 wrote to memory of 2696 N/A N/A C:\Users\Admin\AppData\Local\Temp\BA8B.exe
PID 3040 wrote to memory of 2696 N/A N/A C:\Users\Admin\AppData\Local\Temp\BA8B.exe
PID 2696 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\BA8B.exe C:\Users\Admin\AppData\Local\Temp\AudioB.exe
PID 2696 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\BA8B.exe C:\Users\Admin\AppData\Local\Temp\AudioB.exe
PID 2696 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\BA8B.exe C:\Users\Admin\AppData\Local\Temp\AudioB.exe
PID 2692 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\AudioB.exe C:\Users\Admin\AppData\Local\Temp\AudioB.exe
PID 2692 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\AudioB.exe C:\Users\Admin\AppData\Local\Temp\AudioB.exe
PID 2692 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\AudioB.exe C:\Users\Admin\AppData\Local\Temp\AudioB.exe
PID 2692 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\AudioB.exe C:\Users\Admin\AppData\Local\Temp\AudioB.exe
PID 2692 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\AudioB.exe C:\Users\Admin\AppData\Local\Temp\AudioB.exe
PID 2692 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\AudioB.exe C:\Users\Admin\AppData\Local\Temp\AudioB.exe
PID 2692 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\AudioB.exe C:\Users\Admin\AppData\Local\Temp\AudioB.exe
PID 2692 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\AudioB.exe C:\Users\Admin\AppData\Local\Temp\AudioB.exe
PID 2692 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\AudioB.exe C:\Users\Admin\AppData\Local\Temp\AudioB.exe
PID 2692 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\AudioB.exe C:\Users\Admin\AppData\Local\Temp\AudioB.exe
PID 3152 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\AudioB.exe C:\Windows\System32\cmd.exe
PID 3152 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\AudioB.exe C:\Windows\System32\cmd.exe
PID 2380 wrote to memory of 3148 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2380 wrote to memory of 3148 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3152 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\AudioB.exe C:\Windows\System32\cmd.exe
PID 3152 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\AudioB.exe C:\Windows\System32\cmd.exe
PID 3628 wrote to memory of 2192 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3628 wrote to memory of 2192 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9528313d13ec6629a64434c36e11872cc12f35232908b2a2e6a89636a199d6cd.exe

"C:\Users\Admin\AppData\Local\Temp\9528313d13ec6629a64434c36e11872cc12f35232908b2a2e6a89636a199d6cd.exe"

C:\Users\Admin\AppData\Local\Temp\BA8B.exe

C:\Users\Admin\AppData\Local\Temp\BA8B.exe

C:\Users\Admin\AppData\Local\Temp\AudioB.exe

"C:\Users\Admin\AppData\Local\Temp\AudioB.exe"

C:\Users\Admin\AppData\Local\Temp\AudioB.exe

"C:\Users\Admin\AppData\Local\Temp\AudioB.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 aucmoney.com udp
N/A 8.8.8.8:53 thegymmum.com udp
N/A 8.8.8.8:53 atvcampingtrips.com udp
N/A 218.51.156.7:80 atvcampingtrips.com tcp
N/A 218.51.156.7:80 atvcampingtrips.com tcp
N/A 218.51.156.7:80 atvcampingtrips.com tcp
N/A 8.8.8.8:53 cdn.discordapp.com udp
N/A 162.159.133.233:443 cdn.discordapp.com tcp
N/A 218.51.156.7:80 atvcampingtrips.com tcp
N/A 218.51.156.7:80 atvcampingtrips.com tcp
N/A 218.51.156.7:80 atvcampingtrips.com tcp
N/A 51.254.68.139:15009 N/A tcp
N/A 218.51.156.7:80 atvcampingtrips.com tcp
N/A 218.51.156.7:80 atvcampingtrips.com tcp
N/A 218.51.156.7:80 atvcampingtrips.com tcp
N/A 218.51.156.7:80 atvcampingtrips.com tcp
N/A 8.8.8.8:53 api.ip.sb udp
N/A 104.26.12.31:443 api.ip.sb tcp
N/A 218.51.156.7:80 atvcampingtrips.com tcp
N/A 218.51.156.7:80 atvcampingtrips.com tcp
N/A 218.51.156.7:80 atvcampingtrips.com tcp
N/A 162.159.133.233:443 cdn.discordapp.com tcp
N/A 218.51.156.7:80 atvcampingtrips.com tcp
N/A 218.51.156.7:80 atvcampingtrips.com tcp
N/A 218.51.156.7:80 atvcampingtrips.com tcp

Files

memory/2256-114-0x0000000002CC0000-0x0000000002E0A000-memory.dmp

memory/2256-115-0x0000000000400000-0x0000000002CBB000-memory.dmp

memory/3040-116-0x0000000001200000-0x0000000001216000-memory.dmp

memory/2696-117-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\BA8B.exe

MD5 eeb0f28c077d4b7f9740232aa95d93b4
SHA1 61d50d4d4c1eee0c8fe9e17bcf78a4f43e482967
SHA256 3662c3ba063379af8bca502364807bf88752a36b5ca83671c02ea48fbb0b06af
SHA512 6034043269af32b2633e1c2b46dfb766d342dbd64337e868c703090c9b8aa9f4ab7a692d1e5e6eeecbef31b2a77d28183a8ec24b75caabb870219f27b5eae73c

C:\Users\Admin\AppData\Local\Temp\BA8B.exe

MD5 eeb0f28c077d4b7f9740232aa95d93b4
SHA1 61d50d4d4c1eee0c8fe9e17bcf78a4f43e482967
SHA256 3662c3ba063379af8bca502364807bf88752a36b5ca83671c02ea48fbb0b06af
SHA512 6034043269af32b2633e1c2b46dfb766d342dbd64337e868c703090c9b8aa9f4ab7a692d1e5e6eeecbef31b2a77d28183a8ec24b75caabb870219f27b5eae73c

memory/2696-121-0x0000000077000000-0x000000007718E000-memory.dmp

memory/2696-122-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

memory/2696-124-0x0000000005FD0000-0x0000000005FD1000-memory.dmp

memory/2696-125-0x0000000003690000-0x0000000003691000-memory.dmp

memory/2696-126-0x00000000059C0000-0x00000000059C1000-memory.dmp

memory/2696-127-0x0000000005810000-0x0000000005811000-memory.dmp

memory/2696-128-0x0000000005850000-0x0000000005851000-memory.dmp

memory/2696-129-0x00000000059B0000-0x00000000059B1000-memory.dmp

memory/2696-130-0x0000000007220000-0x0000000007221000-memory.dmp

memory/2696-131-0x0000000007920000-0x0000000007921000-memory.dmp

memory/2696-132-0x0000000007E50000-0x0000000007E51000-memory.dmp

memory/2696-133-0x00000000073F0000-0x00000000073F1000-memory.dmp

memory/2696-134-0x0000000007510000-0x0000000007511000-memory.dmp

memory/2696-135-0x00000000077F0000-0x00000000077F1000-memory.dmp

memory/2696-136-0x0000000007890000-0x0000000007891000-memory.dmp

memory/2692-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\AudioB.exe

MD5 cf88599048145e4911915215a91527f4
SHA1 f4ba5c7117736388c4de3442b1d6e4f84628c15d
SHA256 9f7d6949fd359dce79d3233eb80101ff706a35de5308543b0488450c19eba0f0
SHA512 254f6e26ed075ff1fe46493e36e6ec7eb70db52d2219070b6a77cbf7202d231fc826bd3fb69bdcaee86e45c9ce4ee8bc7085d37d5627a0bc1d2ec86aa9f2c0f7

C:\Users\Admin\AppData\Local\Temp\AudioB.exe

MD5 cf88599048145e4911915215a91527f4
SHA1 f4ba5c7117736388c4de3442b1d6e4f84628c15d
SHA256 9f7d6949fd359dce79d3233eb80101ff706a35de5308543b0488450c19eba0f0
SHA512 254f6e26ed075ff1fe46493e36e6ec7eb70db52d2219070b6a77cbf7202d231fc826bd3fb69bdcaee86e45c9ce4ee8bc7085d37d5627a0bc1d2ec86aa9f2c0f7

memory/2692-140-0x0000000000A70000-0x0000000000A71000-memory.dmp

memory/2692-144-0x0000000005540000-0x0000000005541000-memory.dmp

memory/2692-145-0x0000000005420000-0x0000000005421000-memory.dmp

memory/2692-146-0x0000000005490000-0x0000000005491000-memory.dmp

memory/2692-147-0x0000000005390000-0x0000000005422000-memory.dmp

memory/2692-148-0x0000000009A70000-0x0000000009A81000-memory.dmp

memory/2692-149-0x0000000009CB0000-0x0000000009D4C000-memory.dmp

memory/2692-150-0x000000000C580000-0x000000000C5B1000-memory.dmp

memory/3152-151-0x0000000000400000-0x0000000000418000-memory.dmp

memory/3152-152-0x000000000040ABC0-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\AudioB.exe

MD5 cf88599048145e4911915215a91527f4
SHA1 f4ba5c7117736388c4de3442b1d6e4f84628c15d
SHA256 9f7d6949fd359dce79d3233eb80101ff706a35de5308543b0488450c19eba0f0
SHA512 254f6e26ed075ff1fe46493e36e6ec7eb70db52d2219070b6a77cbf7202d231fc826bd3fb69bdcaee86e45c9ce4ee8bc7085d37d5627a0bc1d2ec86aa9f2c0f7

memory/2380-154-0x0000000000000000-mapping.dmp

memory/3148-155-0x0000000000000000-mapping.dmp

memory/3152-156-0x0000000000400000-0x0000000000418000-memory.dmp

memory/3628-157-0x0000000000000000-mapping.dmp

memory/2192-158-0x0000000000000000-mapping.dmp