Analysis Overview
SHA256
d30f4f3ab220d45783b08baec0e322ee10841beed00dc6ff00569ac5d02709fd
Threat Level: Known bad
The file d30f4f3ab220d45783b08baec0e322ee10841beed00dc6ff00569ac5d02709fd was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Babuk Locker
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Deletes shadow copies
Downloads MZ/PE file
Modifies extensions of user files
Executes dropped EXE
Reads user/profile data of web browsers
Deletes itself
Themida packer
Checks BIOS information in registry
Enumerates connected drives
Checks whether UAC is enabled
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Interacts with shadow copies
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-08-26 07:15
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-08-26 07:15
Reported
2021-08-26 09:17
Platform
win10v20210408
Max time kernel
153s
Max time network
129s
Command Line
Signatures
Babuk Locker
SmokeLoader
Deletes shadow copies
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\685F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Pictures\GrantMount.tif.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\MoveSave.crw => C:\Users\Admin\Pictures\MoveSave.crw.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ResetRead.raw.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\DebugTrace.tif.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\GrantMount.tif => C:\Users\Admin\Pictures\GrantMount.tif.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UseExport.png => C:\Users\Admin\Pictures\UseExport.png.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SetDisconnect.png => C:\Users\Admin\Pictures\SetDisconnect.png.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RenameGroup.raw => C:\Users\Admin\Pictures\RenameGroup.raw.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\InstallClear.crw.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ImportEnter.raw => C:\Users\Admin\Pictures\ImportEnter.raw.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SearchSelect.tif.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\BlockImport.tiff.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ResetGroup.png => C:\Users\Admin\Pictures\ResetGroup.png.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SearchSelect.tif => C:\Users\Admin\Pictures\SearchSelect.tif.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SetDisconnect.png.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\RenameGroup.raw.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\UpdateStart.png.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ResetRead.raw => C:\Users\Admin\Pictures\ResetRead.raw.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ResetGroup.png.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\UseExport.png.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\BlockImport.tiff | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\BlockImport.tiff => C:\Users\Admin\Pictures\BlockImport.tiff.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\InstallClear.crw => C:\Users\Admin\Pictures\InstallClear.crw.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\MoveSave.crw.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ImportEnter.raw.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\DebugTrace.tif => C:\Users\Admin\Pictures\DebugTrace.tif.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UpdateStart.png => C:\Users\Admin\Pictures\UpdateStart.png.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\685F.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\685F.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\685F.exe | N/A |
Enumerates connected drives
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\685F.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2336 set thread context of 3576 | N/A | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | C:\Users\Admin\AppData\Local\Temp\AudioB.exe |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d30f4f3ab220d45783b08baec0e322ee10841beed00dc6ff00569ac5d02709fd.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d30f4f3ab220d45783b08baec0e322ee10841beed00dc6ff00569ac5d02709fd.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d30f4f3ab220d45783b08baec0e322ee10841beed00dc6ff00569ac5d02709fd.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d30f4f3ab220d45783b08baec0e322ee10841beed00dc6ff00569ac5d02709fd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d30f4f3ab220d45783b08baec0e322ee10841beed00dc6ff00569ac5d02709fd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d30f4f3ab220d45783b08baec0e322ee10841beed00dc6ff00569ac5d02709fd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\685F.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d30f4f3ab220d45783b08baec0e322ee10841beed00dc6ff00569ac5d02709fd.exe
"C:\Users\Admin\AppData\Local\Temp\d30f4f3ab220d45783b08baec0e322ee10841beed00dc6ff00569ac5d02709fd.exe"
C:\Users\Admin\AppData\Local\Temp\685F.exe
C:\Users\Admin\AppData\Local\Temp\685F.exe
C:\Users\Admin\AppData\Local\Temp\AudioB.exe
"C:\Users\Admin\AppData\Local\Temp\AudioB.exe"
C:\Users\Admin\AppData\Local\Temp\AudioB.exe
"C:\Users\Admin\AppData\Local\Temp\AudioB.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | aucmoney.com | udp |
| N/A | 8.8.8.8:53 | thegymmum.com | udp |
| N/A | 8.8.8.8:53 | atvcampingtrips.com | udp |
| N/A | 41.41.255.235:80 | atvcampingtrips.com | tcp |
| N/A | 41.41.255.235:80 | atvcampingtrips.com | tcp |
| N/A | 41.41.255.235:80 | atvcampingtrips.com | tcp |
| N/A | 41.41.255.235:80 | atvcampingtrips.com | tcp |
| N/A | 41.41.255.235:80 | atvcampingtrips.com | tcp |
| N/A | 41.41.255.235:80 | atvcampingtrips.com | tcp |
| N/A | 41.41.255.235:80 | atvcampingtrips.com | tcp |
| N/A | 41.41.255.235:80 | atvcampingtrips.com | tcp |
| N/A | 41.41.255.235:80 | atvcampingtrips.com | tcp |
| N/A | 41.41.255.235:80 | atvcampingtrips.com | tcp |
| N/A | 8.8.8.8:53 | cdn.discordapp.com | udp |
| N/A | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| N/A | 41.41.255.235:80 | atvcampingtrips.com | tcp |
| N/A | 41.41.255.235:80 | atvcampingtrips.com | tcp |
| N/A | 41.41.255.235:80 | atvcampingtrips.com | tcp |
| N/A | 41.41.255.235:80 | atvcampingtrips.com | tcp |
| N/A | 41.41.255.235:80 | atvcampingtrips.com | tcp |
| N/A | 41.41.255.235:80 | atvcampingtrips.com | tcp |
| N/A | 41.41.255.235:80 | atvcampingtrips.com | tcp |
| N/A | 41.41.255.235:80 | atvcampingtrips.com | tcp |
| N/A | 41.41.255.235:80 | atvcampingtrips.com | tcp |
| N/A | 41.41.255.235:80 | atvcampingtrips.com | tcp |
| N/A | 41.41.255.235:80 | atvcampingtrips.com | tcp |
| N/A | 41.41.255.235:80 | atvcampingtrips.com | tcp |
| N/A | 41.41.255.235:80 | atvcampingtrips.com | tcp |
| N/A | 41.41.255.235:80 | atvcampingtrips.com | tcp |
| N/A | 51.254.68.139:15009 | | tcp |
| N/A | 8.8.8.8:53 | api.ip.sb | udp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 162.159.129.233:443 | cdn.discordapp.com | tcp |
Files
memory/664-115-0x0000000000400000-0x0000000002CBB000-memory.dmp
memory/664-114-0x0000000002D10000-0x0000000002DBE000-memory.dmp
memory/3024-116-0x0000000000620000-0x0000000000636000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\685F.exe
| MD5 | eeb0f28c077d4b7f9740232aa95d93b4 |
| SHA1 | 61d50d4d4c1eee0c8fe9e17bcf78a4f43e482967 |
| SHA256 | 3662c3ba063379af8bca502364807bf88752a36b5ca83671c02ea48fbb0b06af |
| SHA512 | 6034043269af32b2633e1c2b46dfb766d342dbd64337e868c703090c9b8aa9f4ab7a692d1e5e6eeecbef31b2a77d28183a8ec24b75caabb870219f27b5eae73c |
memory/1236-117-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\685F.exe
| MD5 | eeb0f28c077d4b7f9740232aa95d93b4 |
| SHA1 | 61d50d4d4c1eee0c8fe9e17bcf78a4f43e482967 |
| SHA256 | 3662c3ba063379af8bca502364807bf88752a36b5ca83671c02ea48fbb0b06af |
| SHA512 | 6034043269af32b2633e1c2b46dfb766d342dbd64337e868c703090c9b8aa9f4ab7a692d1e5e6eeecbef31b2a77d28183a8ec24b75caabb870219f27b5eae73c |
memory/1236-120-0x0000000077020000-0x00000000771AE000-memory.dmp
memory/1236-122-0x0000000000970000-0x0000000000971000-memory.dmp
memory/1236-124-0x0000000005950000-0x0000000005951000-memory.dmp
memory/1236-125-0x00000000051E0000-0x00000000051E1000-memory.dmp
memory/1236-126-0x0000000005340000-0x0000000005341000-memory.dmp
memory/1236-127-0x0000000005330000-0x0000000005331000-memory.dmp
memory/1236-128-0x0000000005240000-0x0000000005241000-memory.dmp
memory/1236-129-0x0000000005280000-0x0000000005281000-memory.dmp
memory/1236-130-0x0000000006BB0000-0x0000000006BB1000-memory.dmp
memory/1236-131-0x00000000072B0000-0x00000000072B1000-memory.dmp
memory/1236-132-0x0000000006D80000-0x0000000006D81000-memory.dmp
memory/1236-133-0x0000000007CE0000-0x0000000007CE1000-memory.dmp
memory/1236-134-0x0000000006FB0000-0x0000000006FB1000-memory.dmp
memory/1236-135-0x0000000007110000-0x0000000007111000-memory.dmp
memory/1236-136-0x00000000070F0000-0x00000000070F1000-memory.dmp
memory/2336-137-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\AudioB.exe
| MD5 | cf88599048145e4911915215a91527f4 |
| SHA1 | f4ba5c7117736388c4de3442b1d6e4f84628c15d |
| SHA256 | 9f7d6949fd359dce79d3233eb80101ff706a35de5308543b0488450c19eba0f0 |
| SHA512 | 254f6e26ed075ff1fe46493e36e6ec7eb70db52d2219070b6a77cbf7202d231fc826bd3fb69bdcaee86e45c9ce4ee8bc7085d37d5627a0bc1d2ec86aa9f2c0f7 |
C:\Users\Admin\AppData\Local\Temp\AudioB.exe
| MD5 | cf88599048145e4911915215a91527f4 |
| SHA1 | f4ba5c7117736388c4de3442b1d6e4f84628c15d |
| SHA256 | 9f7d6949fd359dce79d3233eb80101ff706a35de5308543b0488450c19eba0f0 |
| SHA512 | 254f6e26ed075ff1fe46493e36e6ec7eb70db52d2219070b6a77cbf7202d231fc826bd3fb69bdcaee86e45c9ce4ee8bc7085d37d5627a0bc1d2ec86aa9f2c0f7 |
memory/2336-140-0x0000000000510000-0x0000000000511000-memory.dmp
memory/2336-144-0x0000000005070000-0x0000000005071000-memory.dmp
memory/2336-145-0x0000000005010000-0x0000000005011000-memory.dmp
memory/2336-146-0x0000000005060000-0x0000000005061000-memory.dmp
memory/2336-147-0x0000000004E00000-0x0000000004E92000-memory.dmp
memory/2336-148-0x0000000009510000-0x0000000009521000-memory.dmp
memory/2336-149-0x0000000009740000-0x00000000097DC000-memory.dmp
memory/2336-150-0x000000000C010000-0x000000000C041000-memory.dmp
memory/3576-151-0x0000000000400000-0x0000000000418000-memory.dmp
memory/3576-152-0x000000000040ABC0-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\AudioB.exe
| MD5 | cf88599048145e4911915215a91527f4 |
| SHA1 | f4ba5c7117736388c4de3442b1d6e4f84628c15d |
| SHA256 | 9f7d6949fd359dce79d3233eb80101ff706a35de5308543b0488450c19eba0f0 |
| SHA512 | 254f6e26ed075ff1fe46493e36e6ec7eb70db52d2219070b6a77cbf7202d231fc826bd3fb69bdcaee86e45c9ce4ee8bc7085d37d5627a0bc1d2ec86aa9f2c0f7 |
memory/3576-154-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1404-155-0x0000000000000000-mapping.dmp
memory/2368-156-0x0000000000000000-mapping.dmp
memory/1720-157-0x0000000000000000-mapping.dmp
memory/1712-158-0x0000000000000000-mapping.dmp