Malware Analysis Report

2024-10-16 03:24

Sample ID 210826-tcp94zce5e
Target d30f4f3ab220d45783b08baec0e322ee10841beed00dc6ff00569ac5d02709fd
SHA256 d30f4f3ab220d45783b08baec0e322ee10841beed00dc6ff00569ac5d02709fd
Tags
babuk smokeloader backdoor discovery evasion ransomware spyware stealer themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d30f4f3ab220d45783b08baec0e322ee10841beed00dc6ff00569ac5d02709fd

Threat Level: Known bad

The file d30f4f3ab220d45783b08baec0e322ee10841beed00dc6ff00569ac5d02709fd was found to be: Known bad.

Malicious Activity Summary

babuk smokeloader backdoor discovery evasion ransomware spyware stealer themida trojan

SmokeLoader

Babuk Locker

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Deletes shadow copies

Downloads MZ/PE file

Modifies extensions of user files

Executes dropped EXE

Reads user/profile data of web browsers

Deletes itself

Themida packer

Checks BIOS information in registry

Enumerates connected drives

Checks whether UAC is enabled

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Interacts with shadow copies

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-08-26 07:15

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-08-26 07:15

Reported

2021-08-26 09:17

Platform

win10v20210408

Max time kernel

153s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d30f4f3ab220d45783b08baec0e322ee10841beed00dc6ff00569ac5d02709fd.exe"

Signatures

Babuk Locker

ransomware babuk

SmokeLoader

trojan backdoor smokeloader

Deletes shadow copies

ransomware

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\685F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\GrantMount.tif.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File renamed C:\Users\Admin\Pictures\MoveSave.crw => C:\Users\Admin\Pictures\MoveSave.crw.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened for modification C:\Users\Admin\Pictures\ResetRead.raw.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened for modification C:\Users\Admin\Pictures\DebugTrace.tif.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File renamed C:\Users\Admin\Pictures\GrantMount.tif => C:\Users\Admin\Pictures\GrantMount.tif.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File renamed C:\Users\Admin\Pictures\UseExport.png => C:\Users\Admin\Pictures\UseExport.png.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File renamed C:\Users\Admin\Pictures\SetDisconnect.png => C:\Users\Admin\Pictures\SetDisconnect.png.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File renamed C:\Users\Admin\Pictures\RenameGroup.raw => C:\Users\Admin\Pictures\RenameGroup.raw.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened for modification C:\Users\Admin\Pictures\InstallClear.crw.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File renamed C:\Users\Admin\Pictures\ImportEnter.raw => C:\Users\Admin\Pictures\ImportEnter.raw.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened for modification C:\Users\Admin\Pictures\SearchSelect.tif.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened for modification C:\Users\Admin\Pictures\BlockImport.tiff.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File renamed C:\Users\Admin\Pictures\ResetGroup.png => C:\Users\Admin\Pictures\ResetGroup.png.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File renamed C:\Users\Admin\Pictures\SearchSelect.tif => C:\Users\Admin\Pictures\SearchSelect.tif.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened for modification C:\Users\Admin\Pictures\SetDisconnect.png.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened for modification C:\Users\Admin\Pictures\RenameGroup.raw.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened for modification C:\Users\Admin\Pictures\UpdateStart.png.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File renamed C:\Users\Admin\Pictures\ResetRead.raw => C:\Users\Admin\Pictures\ResetRead.raw.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened for modification C:\Users\Admin\Pictures\ResetGroup.png.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened for modification C:\Users\Admin\Pictures\UseExport.png.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened for modification C:\Users\Admin\Pictures\BlockImport.tiff C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File renamed C:\Users\Admin\Pictures\BlockImport.tiff => C:\Users\Admin\Pictures\BlockImport.tiff.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File renamed C:\Users\Admin\Pictures\InstallClear.crw => C:\Users\Admin\Pictures\InstallClear.crw.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened for modification C:\Users\Admin\Pictures\MoveSave.crw.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened for modification C:\Users\Admin\Pictures\ImportEnter.raw.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File renamed C:\Users\Admin\Pictures\DebugTrace.tif => C:\Users\Admin\Pictures\DebugTrace.tif.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File renamed C:\Users\Admin\Pictures\UpdateStart.png => C:\Users\Admin\Pictures\UpdateStart.png.babyk C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\685F.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\685F.exe N/A

Deletes itself


Reads user/profile data of web browsers

spyware stealer

Themida packer

themida

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\685F.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\M: N/A N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\685F.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2336 set thread context of 3576 N/A C:\Users\Admin\AppData\Local\Temp\AudioB.exe C:\Users\Admin\AppData\Local\Temp\AudioB.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d30f4f3ab220d45783b08baec0e322ee10841beed00dc6ff00569ac5d02709fd.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d30f4f3ab220d45783b08baec0e322ee10841beed00dc6ff00569ac5d02709fd.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d30f4f3ab220d45783b08baec0e322ee10841beed00dc6ff00569ac5d02709fd.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d30f4f3ab220d45783b08baec0e322ee10841beed00dc6ff00569ac5d02709fd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d30f4f3ab220d45783b08baec0e322ee10841beed00dc6ff00569ac5d02709fd.exe N/A

Suspicious behavior: GetForegroundWindowSpam


Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d30f4f3ab220d45783b08baec0e322ee10841beed00dc6ff00569ac5d02709fd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\685F.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AudioB.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow


Suspicious use of SendNotifyMessage


Suspicious use of UnmapMainImage


Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3024 wrote to memory of 1236 N/A N/A C:\Users\Admin\AppData\Local\Temp\685F.exe
PID 1236 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\685F.exe C:\Users\Admin\AppData\Local\Temp\AudioB.exe
PID 2336 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\AudioB.exe C:\Users\Admin\AppData\Local\Temp\AudioB.exe
PID 3576 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\AudioB.exe C:\Windows\System32\cmd.exe
PID 1404 wrote to memory of 2368 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3576 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\AudioB.exe C:\Windows\System32\cmd.exe
PID 1720 wrote to memory of 1712 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d30f4f3ab220d45783b08baec0e322ee10841beed00dc6ff00569ac5d02709fd.exe

"C:\Users\Admin\AppData\Local\Temp\d30f4f3ab220d45783b08baec0e322ee10841beed00dc6ff00569ac5d02709fd.exe"

C:\Users\Admin\AppData\Local\Temp\685F.exe

C:\Users\Admin\AppData\Local\Temp\685F.exe

C:\Users\Admin\AppData\Local\Temp\AudioB.exe

"C:\Users\Admin\AppData\Local\Temp\AudioB.exe"

C:\Users\Admin\AppData\Local\Temp\AudioB.exe

"C:\Users\Admin\AppData\Local\Temp\AudioB.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 aucmoney.com udp
N/A 8.8.8.8:53 thegymmum.com udp
N/A 8.8.8.8:53 atvcampingtrips.com udp
N/A 41.41.255.235:80 atvcampingtrips.com tcp
N/A 8.8.8.8:53 cdn.discordapp.com udp
N/A 162.159.129.233:443 cdn.discordapp.com tcp
N/A 51.254.68.139:15009 tcp
N/A 8.8.8.8:53 api.ip.sb udp
N/A 172.67.75.172:443 api.ip.sb tcp

Files

C:\Users\Admin\AppData\Local\Temp\685F.exe

MD5 eeb0f28c077d4b7f9740232aa95d93b4
SHA1 61d50d4d4c1eee0c8fe9e17bcf78a4f43e482967
SHA256 3662c3ba063379af8bca502364807bf88752a36b5ca83671c02ea48fbb0b06af
SHA512 6034043269af32b2633e1c2b46dfb766d342dbd64337e868c703090c9b8aa9f4ab7a692d1e5e6eeecbef31b2a77d28183a8ec24b75caabb870219f27b5eae73c

C:\Users\Admin\AppData\Local\Temp\AudioB.exe

MD5 cf88599048145e4911915215a91527f4
SHA1 f4ba5c7117736388c4de3442b1d6e4f84628c15d
SHA256 9f7d6949fd359dce79d3233eb80101ff706a35de5308543b0488450c19eba0f0
SHA512 254f6e26ed075ff1fe46493e36e6ec7eb70db52d2219070b6a77cbf7202d231fc826bd3fb69bdcaee86e45c9ce4ee8bc7085d37d5627a0bc1d2ec86aa9f2c0f7
