Analysis Overview
SHA256: b1c6801cda370f55a29b629e62f46c899d57494c6dd2bf7583c4f17e1a4bcaa7
Threat Level: Known bad
The file b1c6801cda370f55a29b629e62f46c899d57494c6dd2bf7583c4f17e1a4bcaa7 was found to be: Known bad.
Malicious Activity Summary
Detected Djvu ransomware
SmokeLoader
Detects Smokeloader packer
Vidar
Djvu Ransomware
Downloads MZ/PE file
Executes dropped EXE
Modifies file permissions
Loads dropped DLL
Deletes itself
Looks up external IP address via web service
Adds Run key to start application
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
outlook_office_path
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Suspicious behavior: GetForegroundWindowSpam
Enumerates processes with tasklist
Runs ping.exe
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2022-10-11 09:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2022-10-11 09:51
Reported: 2022-10-11 09:54
Platform: win10-20220812-en
Max time kernel: 151s
Max time network: 157s
Command Line
Signatures
Detected Djvu ransomware
Detects Smokeloader packer
Djvu Ransomware
SmokeLoader
Vidar
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B72A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BCAA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BCAA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E477.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E69B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BCAA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BCAA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bags.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\c9148176-a407-401a-b550-436b3f8b33de\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\c9148176-a407-401a-b550-436b3f8b33de\build2.exe | N/A |
Deletes itself
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\B72A.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\B72A.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\36666d19-b227-4d7e-b65b-f04a5a03d60d\\BCAA.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\BCAA.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4856 set thread context of 3320 | N/A | C:\Users\Admin\AppData\Local\Temp\BCAA.exe | C:\Users\Admin\AppData\Local\Temp\BCAA.exe |
| PID 3352 set thread context of 4524 | N/A | C:\Users\Admin\AppData\Local\Temp\BCAA.exe | C:\Users\Admin\AppData\Local\Temp\BCAA.exe |
| PID 1972 set thread context of 2116 | N/A | C:\Users\Admin\AppData\Local\c9148176-a407-401a-b550-436b3f8b33de\build2.exe | C:\Users\Admin\AppData\Local\c9148176-a407-401a-b550-436b3f8b33de\build2.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\E69B.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b1c6801cda370f55a29b629e62f46c899d57494c6dd2bf7583c4f17e1a4bcaa7.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b1c6801cda370f55a29b629e62f46c899d57494c6dd2bf7583c4f17e1a4bcaa7.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b1c6801cda370f55a29b629e62f46c899d57494c6dd2bf7583c4f17e1a4bcaa7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\E477.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\E477.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\E477.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b1c6801cda370f55a29b629e62f46c899d57494c6dd2bf7583c4f17e1a4bcaa7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b1c6801cda370f55a29b629e62f46c899d57494c6dd2bf7583c4f17e1a4bcaa7.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b1c6801cda370f55a29b629e62f46c899d57494c6dd2bf7583c4f17e1a4bcaa7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E477.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bags.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bags.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bags.exe.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bags.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bags.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bags.exe.pif | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\b1c6801cda370f55a29b629e62f46c899d57494c6dd2bf7583c4f17e1a4bcaa7.exe | "C:\Users\Admin\AppData\Local\Temp\b1c6801cda370f55a29b629e62f46c899d57494c6dd2bf7583c4f17e1a4bcaa7.exe" |
| C:\Users\Admin\AppData\Local\Temp\B72A.exe | C:\Users\Admin\AppData\Local\Temp\B72A.exe |
| C:\Users\Admin\AppData\Local\Temp\BCAA.exe | C:\Users\Admin\AppData\Local\Temp\BCAA.exe |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s C:\Users\Admin\AppData\Local\Temp\C65F.dll |
| C:\Windows\SysWOW64\regsvr32.exe | /s C:\Users\Admin\AppData\Local\Temp\C65F.dll |
| C:\Users\Admin\AppData\Local\Temp\BCAA.exe | C:\Users\Admin\AppData\Local\Temp\BCAA.exe |
| C:\Windows\SysWOW64\ftp.exe | ftp /? |
| C:\Users\Admin\AppData\Local\Temp\E477.exe | C:\Users\Admin\AppData\Local\Temp\E477.exe |
| C:\Users\Admin\AppData\Local\Temp\E69B.exe | C:\Users\Admin\AppData\Local\Temp\E69B.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\explorer.exe | C:\Windows\explorer.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 476 |
| C:\Windows\SysWOW64\cmd.exe | cmd /c cmd < Preferences.vsd & ping -n 5 localhost |
| C:\Windows\SysWOW64\cmd.exe | cmd |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\Users\Admin\AppData\Local\36666d19-b227-4d7e-b65b-f04a5a03d60d" /deny *S-1-1-0:(OI)(CI)(DE,DC) |
| C:\Windows\SysWOW64\tasklist.exe | tasklist /FI "imagename eq AvastUI.exe" |
| C:\Windows\SysWOW64\find.exe | find /I /N "avastui.exe" |
| C:\Users\Admin\AppData\Local\Temp\BCAA.exe | "C:\Users\Admin\AppData\Local\Temp\BCAA.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Windows\SysWOW64\tasklist.exe | tasklist /FI "imagename eq AVGUI.exe" |
| C:\Windows\SysWOW64\find.exe | find /I /N "avgui.exe" |
| C:\Users\Admin\AppData\Local\Temp\BCAA.exe | "C:\Users\Admin\AppData\Local\Temp\BCAA.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Windows\SysWOW64\findstr.exe | findstr /V /R "^zsXAL$" Simulation.vsd |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bags.exe.pif | Bags.exe.pif f |
| C:\Windows\SysWOW64\PING.EXE | ping localhost -n 5 |
| C:\Users\Admin\AppData\Local\c9148176-a407-401a-b550-436b3f8b33de\build2.exe | "C:\Users\Admin\AppData\Local\c9148176-a407-401a-b550-436b3f8b33de\build2.exe" |
| C:\Users\Admin\AppData\Local\c9148176-a407-401a-b550-436b3f8b33de\build2.exe | "C:\Users\Admin\AppData\Local\c9148176-a407-401a-b550-436b3f8b33de\build2.exe" |
| C:\Windows\SysWOW64\PING.EXE | ping -n 5 localhost |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | furubujjul.net | udp |
| US | 172.67.203.213:80 | furubujjul.net | tcp |
| US | 52.182.143.208:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 104.21.93.30:80 | furubujjul.net | tcp |
| CH | 179.43.163.115:80 | | tcp |
| AT | 45.138.74.230:80 | 45.138.74.230 | tcp |
| US | 8.8.8.8:53 | pelegisr.com | udp |
| NL | 185.220.204.62:443 | pelegisr.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | gayworld.at | udp |
| US | 172.67.203.213:80 | furubujjul.net | tcp |
| US | 8.8.8.8:53 | gregunny.com | udp |
| N/A | 127.0.0.127:80 | | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | citnet.ru | udp |
| US | 8.8.8.8:53 | ekcentric.com | udp |
| US | 8.8.8.8:53 | cracker.biz | udp |
| US | 172.67.191.24:80 | cracker.biz | tcp |
| US | 172.67.191.24:443 | cracker.biz | tcp |
| US | 8.8.8.8:53 | rgyui.top | udp |
| US | 8.8.8.8:53 | winnlinne.com | udp |
| KW | 37.34.248.24:80 | rgyui.top | tcp |
| US | 8.8.8.8:53 | piratia-life.ru | udp |
| DE | 51.89.16.8:80 | piratia-life.ru | tcp |
| US | 8.8.8.8:53 | GqaSrgKXZxBgAB.GqaSrgKXZxBgAB | udp |
| US | 8.8.8.8:53 | winnlinne.com | udp |
| US | 8.8.8.8:53 | t.me | udp |
| UZ | 195.158.3.162:80 | winnlinne.com | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\B72A.exe
| MD5 | 52d4af6eab9e603ed974524ea0a7103c |
| SHA1 | 0bd5d7b73a649c17c40685fab934aeb13d734c82 |
| SHA256 | b7d5fb28fcb3168a491be679b71c79ad28e4dde619361671095c81c2b6c97970 |
| SHA512 | f9211e95ea9aec395e32165c82f2663924a2097e454cd7c8e3e8bc394073ec963be4ec7a5b6193368f403e502efa475b0a218565b8860d18d57f792290421e25 |
C:\Users\Admin\AppData\Local\Temp\BCAA.exe
| MD5 | d8eaa6a4796ba5b2bb8ecaa2f9ce3999 |
| SHA1 | 0cf6a0cc77e2a73eeef82fc434368e9dbea9836d |
| SHA256 | 59dfb3311a97c0424430681e17f1b0e6c406894fe88aaa3676dee3fc88be69ac |
| SHA512 | 77e0b820d4099e0f35cfb2775140d17473475ba38a844e761b16da89b6ba8e2fbb6453cafd5b352c57916c8570f785020fe423716ddc19c58fd18a38553e79f4 |
C:\Users\Admin\AppData\Local\Temp\C65F.dll
| MD5 | 29c7e0ed33dcb03765ee907e37afb400 |
| SHA1 | 76e2db33cc97134c4ce96e625309503302226eda |
| SHA256 | 51214dad7dbee64c2c7113c124c6413690baa43a0429f851c1ac6b98f88dc820 |
| SHA512 | 58efcffe6c31275be39e435e54858f62bdb03aeb6d5b79977e86cf7d3e9a179f38c2f8fe19fcbce59b53bd7140cd1e23a90bed6e3f4944ec55c5f74bf5f35962 |
C:\Users\Admin\AppData\Local\Temp\E477.exe
| MD5 | 3dabfe4b4afb699a16982ac876ef3446 |
| SHA1 | c347543716e7ca4d470c4a92db7f69fdb9a4ec7a |
| SHA256 | 1e53e076219c58919f63ce28e5cb5088444598b07a682a79b55f2858fa5d753f |
| SHA512 | 6110899cfc5d2f760c418f069a0b7e1ebce843e157bc3de5fa2cc95d2359dad04a9fa68ee672e69490652d05d0309761599f049152c98007b9912960c98c58d9 |
C:\Users\Admin\AppData\Local\Temp\E69B.exe
| MD5 | 536440ca09522d4d522db984a26504ac |
| SHA1 | 4c300f3847ea553f8be8daba1220d1340b7ed52a |
| SHA256 | 19d1f17afb4d7c5fe563183393068e05360b4e5f6076b479936476aae145dce1 |
| SHA512 | 940f15ca5b9836ee5b22ab6a6e84821c6714ca2226b14553c5d33dd7184280e340c9c4cf21f750b9af8af4ccbebfb545f1766bb5e6b54956f0d7a52676653c6e |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Preferences.vsd
| MD5 | 23df91b58a61d477860ae3d23b098968 |
| SHA1 | b474e7cd93994fbbe780842e3cbebcd833981a34 |
| SHA256 | 7f50c3b8b4e5f2117c562a78e2a08c65a25c019e3341c649b2a44b7873ae190d |
| SHA512 | ea05e91b616ec2861ae2586fbd17120fd00e3b059c3200a7676a57146344bc54ff418902912ac2a184eb7e0ab1926b9a56774a10ba68166c030319a6974f4331 |
C:\Users\Admin\AppData\Local\36666d19-b227-4d7e-b65b-f04a5a03d60d\BCAA.exe
| MD5 | d8eaa6a4796ba5b2bb8ecaa2f9ce3999 |
| SHA1 | 0cf6a0cc77e2a73eeef82fc434368e9dbea9836d |
| SHA256 | 59dfb3311a97c0424430681e17f1b0e6c406894fe88aaa3676dee3fc88be69ac |
| SHA512 | 77e0b820d4099e0f35cfb2775140d17473475ba38a844e761b16da89b6ba8e2fbb6453cafd5b352c57916c8570f785020fe423716ddc19c58fd18a38553e79f4 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Simulation.vsd
| MD5 | 75d2326d2d1bb6de24f3dda341482c13 |
| SHA1 | 38c9138a24824073eef171cf365ebb01a2c4937f |
| SHA256 | b6031d6424a4221830e29153fc7125dbd251b454539de76fee852a6875840431 |
| SHA512 | b3521bdc95c871ffb8f5866f2f9699ed8343715437e40f9da42a4740e1b279ddb6d4aa85229485baf8331bba5868c4299860031888c322e96b29ce6aa3761dc3 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Euros.vsd
| MD5 | e0352752dddef97bad04fa25c81fe867 |
| SHA1 | 1c040b67598bbccdd510a49f842668935365fd71 |
| SHA256 | 97208cb34d8b0af9e7bf3b8400ddd249337a58c4be8a38f39e3874900a73d455 |
| SHA512 | 331ac25e2122779710fd0c4b3818df6ab3c1ea7df2d406953cfe39734dac32283f849a37766c0070fcd2dba82502c22b2e28867dcf64a9931cc5d8c14e4a1240 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 6f59ed058aa06aaf5ec6213b955aabd4 |
| SHA1 | baf7b828a563b8fb6111e4ce35e0055575ad80b4 |
| SHA256 | 2d82e2629fa2e08f28b43b15da43dff56c7f4b23b39d66109c7c61998e35b4d5 |
| SHA512 | 6b0f041dafb98b9eaf70ac0d20a98c56e1c42231c4a4ae6e11582b20d20bf8f96dfd7747739a10d77368994441adb0e181b356f8569697b1f22ab4fe931170ce |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | ab49441e23f0db0616e5463696bd6d78 |
| SHA1 | 719fd7aa71914a63b911fe96f47d2db2304c9e71 |
| SHA256 | b0eac3bfcf353a3ce8248062bc8084fd84636bbbbd31b7bea02c99d076a9eabf |
| SHA512 | 174883b26c6cfcc4afec64f82b06d6d39ee57bf9c321baa070d56e8e4e09d760a120de38f99741475c35600a55abfed3197a452f2002681fa898ee807d30ea22 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 0698dbc93ba7b6bef73ba316695f8317 |
| SHA1 | a444078ff1eb7c88f52cb4e324365926b491ed47 |
| SHA256 | 263292040d77903899257c1d21201dc64d6f8d6b5a1d945cd5b28d0124d7906c |
| SHA512 | ebacaa7009aebb88199cd70fd0bb3afe69ed300318cb633edd1c0404e42aef829617f589bcbad6cb7ab4bd0a8ae87f7df1435c786184ecc5de61c8fc6950a900 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 4da19c7ce612c350c2688a75957d3ed9 |
| SHA1 | fb75d503a8cf1075ee0f04292de35d7fd8dfd8ed |
| SHA256 | db7ec342a2917b9ea2a02662ad3c5e63035a30cc2564765a8bc72f3097ee3302 |
| SHA512 | e1133afc636389cbde28e62a5ff606cac8b84d057da72cfabace187d277ff6a6c8f9c40c9544c52bd2787e193b91aaad727673932f49fbc3316201f6786c542e |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bags.exe.pif
| MD5 | 6987e4cd3f256462f422326a7ef115b9 |
| SHA1 | 71672a495b4603ecfec40a65254cb3ba8766bbe0 |
| SHA256 | 3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0 |
| SHA512 | 4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4 |
C:\Users\Admin\AppData\Local\c9148176-a407-401a-b550-436b3f8b33de\build2.exe
| MD5 | 9c3d4324a153c6438f48083bc333a962 |
| SHA1 | 033e80e2008f4f62d2716ce0473bb0d763d52277 |
| SHA256 | 5ee57d85a41b825060864ae85981253f28148d15586a5f6274d562dfeae93e98 |
| SHA512 | 8cce276e59b2fcdb333fecaaa1e3ab9d0b24e25c54a6fc959b6c190441061fab67ea0d35e7077cf910b557b6a60b90c1d2260352b11789bbcd430814fcff51cd |