Malware Analysis Report

2025-06-16 02:13

Sample ID 240123-1bpz8safb7
Target toolspub1(1).exe
SHA256 d55397282fd5a56d06fae62f5e18237ecd28dc53caeb5e993b66ed81ce6e7881
Tags
amadey djvu smokeloader vidar zgrat pub1 backdoor discovery persistence ransomware rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d55397282fd5a56d06fae62f5e18237ecd28dc53caeb5e993b66ed81ce6e7881

Threat Level: Known bad

The file toolspub1(1).exe was found to be: Known bad.

Malicious Activity Summary

amadey djvu smokeloader vidar zgrat pub1 backdoor discovery persistence ransomware rat stealer trojan

Vidar

ZGRat

Detected Djvu ransomware

Detect Vidar Stealer

Amadey

Djvu Ransomware

Detect ZGRat V1

SmokeLoader

Modifies Installed Components in the registry

Downloads MZ/PE file

Modifies file permissions

Deletes itself

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Modifies system certificate store

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-23 21:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-23 21:28

Reported

2024-01-23 21:31

Platform

win7-20231215-en

Max time kernel

150s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe"

Signatures

Amadey

trojan amadey

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

ZGRat

rat zgrat

Downloads MZ/PE file

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0f6ad753-c032-4230-ad31-8304e9da2cca\\C3AE.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\C3AE.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Windows\explorer.exe N/A
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\57C5.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\AD8E.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\sdbsvdw N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\sdbsvdw N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\sdbsvdw N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\AD8E.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\AD8E.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AD8E.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sdbsvdw N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\57C5.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1208 wrote to memory of 2808 N/A N/A C:\Users\Admin\AppData\Local\Temp\AD8E.exe
PID 1208 wrote to memory of 2808 N/A N/A C:\Users\Admin\AppData\Local\Temp\AD8E.exe
PID 1208 wrote to memory of 2808 N/A N/A C:\Users\Admin\AppData\Local\Temp\AD8E.exe
PID 1208 wrote to memory of 2808 N/A N/A C:\Users\Admin\AppData\Local\Temp\AD8E.exe
PID 1208 wrote to memory of 1712 N/A N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe
PID 1208 wrote to memory of 1712 N/A N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe
PID 1208 wrote to memory of 1712 N/A N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe
PID 1208 wrote to memory of 1712 N/A N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe
PID 1712 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe C:\Users\Admin\AppData\Local\Temp\C3AE.exe
PID 1712 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe C:\Users\Admin\AppData\Local\Temp\C3AE.exe
PID 1712 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe C:\Users\Admin\AppData\Local\Temp\C3AE.exe
PID 1712 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe C:\Users\Admin\AppData\Local\Temp\C3AE.exe
PID 1712 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe C:\Users\Admin\AppData\Local\Temp\C3AE.exe
PID 1712 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe C:\Users\Admin\AppData\Local\Temp\C3AE.exe
PID 1712 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe C:\Users\Admin\AppData\Local\Temp\C3AE.exe
PID 1712 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe C:\Users\Admin\AppData\Local\Temp\C3AE.exe
PID 1712 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe C:\Users\Admin\AppData\Local\Temp\C3AE.exe
PID 1712 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe C:\Users\Admin\AppData\Local\Temp\C3AE.exe
PID 1712 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe C:\Users\Admin\AppData\Local\Temp\C3AE.exe
PID 1208 wrote to memory of 564 N/A N/A C:\Users\Admin\AppData\Local\Temp\CBE9.exe
PID 1208 wrote to memory of 564 N/A N/A C:\Users\Admin\AppData\Local\Temp\CBE9.exe
PID 1208 wrote to memory of 564 N/A N/A C:\Users\Admin\AppData\Local\Temp\CBE9.exe
PID 1208 wrote to memory of 564 N/A N/A C:\Users\Admin\AppData\Local\Temp\CBE9.exe
PID 2588 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe C:\Windows\SysWOW64\icacls.exe
PID 2588 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe C:\Windows\SysWOW64\icacls.exe
PID 2588 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe C:\Windows\SysWOW64\icacls.exe
PID 2588 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe C:\Windows\SysWOW64\icacls.exe
PID 2588 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe C:\Users\Admin\AppData\Local\Temp\C3AE.exe
PID 2588 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe C:\Users\Admin\AppData\Local\Temp\C3AE.exe
PID 2588 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe C:\Users\Admin\AppData\Local\Temp\C3AE.exe
PID 2588 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe C:\Users\Admin\AppData\Local\Temp\C3AE.exe
PID 748 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe C:\Users\Admin\AppData\Local\Temp\C3AE.exe
PID 748 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe C:\Users\Admin\AppData\Local\Temp\C3AE.exe
PID 748 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe C:\Users\Admin\AppData\Local\Temp\C3AE.exe
PID 748 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe C:\Users\Admin\AppData\Local\Temp\C3AE.exe
PID 748 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe C:\Users\Admin\AppData\Local\Temp\C3AE.exe
PID 748 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe C:\Users\Admin\AppData\Local\Temp\C3AE.exe
PID 748 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe C:\Users\Admin\AppData\Local\Temp\C3AE.exe
PID 748 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe C:\Users\Admin\AppData\Local\Temp\C3AE.exe
PID 748 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe C:\Users\Admin\AppData\Local\Temp\C3AE.exe
PID 748 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe C:\Users\Admin\AppData\Local\Temp\C3AE.exe
PID 748 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe C:\Users\Admin\AppData\Local\Temp\C3AE.exe
PID 1588 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe
PID 1588 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe
PID 1588 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe
PID 1588 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\C3AE.exe C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe
PID 2372 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe
PID 2372 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe
PID 2372 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe
PID 2372 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe
PID 2372 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe
PID 2372 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe
PID 2372 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe
PID 2372 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe
PID 2372 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe
PID 2372 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe
PID 2372 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe
PID 1208 wrote to memory of 1372 N/A N/A C:\Users\Admin\AppData\Local\Temp\ECA3.exe
PID 1208 wrote to memory of 1372 N/A N/A C:\Users\Admin\AppData\Local\Temp\ECA3.exe
PID 1208 wrote to memory of 1372 N/A N/A C:\Users\Admin\AppData\Local\Temp\ECA3.exe
PID 1208 wrote to memory of 1372 N/A N/A C:\Users\Admin\AppData\Local\Temp\ECA3.exe
PID 1208 wrote to memory of 1372 N/A N/A C:\Users\Admin\AppData\Local\Temp\ECA3.exe
PID 1208 wrote to memory of 1372 N/A N/A C:\Users\Admin\AppData\Local\Temp\ECA3.exe
PID 1208 wrote to memory of 1372 N/A N/A C:\Users\Admin\AppData\Local\Temp\ECA3.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe

"C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe"

C:\Users\Admin\AppData\Local\Temp\AD8E.exe

C:\Users\Admin\AppData\Local\Temp\AD8E.exe

C:\Users\Admin\AppData\Local\Temp\C3AE.exe

C:\Users\Admin\AppData\Local\Temp\C3AE.exe

C:\Users\Admin\AppData\Local\Temp\C3AE.exe

C:\Users\Admin\AppData\Local\Temp\C3AE.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\0f6ad753-c032-4230-ad31-8304e9da2cca" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\CBE9.exe

C:\Users\Admin\AppData\Local\Temp\CBE9.exe

C:\Users\Admin\AppData\Local\Temp\C3AE.exe

"C:\Users\Admin\AppData\Local\Temp\C3AE.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\C3AE.exe

"C:\Users\Admin\AppData\Local\Temp\C3AE.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe

"C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe"

C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe

"C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe"

C:\Users\Admin\AppData\Local\Temp\ECA3.exe

C:\Users\Admin\AppData\Local\Temp\ECA3.exe

C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build3.exe

"C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 1444

C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build3.exe

"C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\57C5.exe

C:\Users\Admin\AppData\Local\Temp\57C5.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {5A13B0A5-B1DF-4352-96B0-556982AA5C85} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]

C:\Windows\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\sdbsvdw

C:\Users\Admin\AppData\Roaming\sdbsvdw

C:\Users\Admin\AppData\Local\Temp\57C5.exe

C:\Users\Admin\AppData\Local\Temp\57C5.exe

C:\Users\Admin\AppData\Local\Temp\57C5.exe

C:\Users\Admin\AppData\Local\Temp\57C5.exe

C:\Users\Admin\AppData\Local\Temp\31BA.exe

C:\Users\Admin\AppData\Local\Temp\31BA.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 trad-einmyus.com udp
RU 158.160.118.17:80 trad-einmyus.com tcp
US 8.8.8.8:53 galandskiyher5.com udp
RU 158.160.118.17:80 galandskiyher5.com tcp
US 8.8.8.8:53 brusuax.com udp
KR 211.171.233.129:80 brusuax.com tcp
RU 82.147.84.194:80 82.147.84.194 tcp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 olivehr.co.za udp
ZA 41.185.8.154:80 olivehr.co.za tcp
US 172.67.139.220:443 api.2ip.ua tcp
KR 211.171.233.129:80 brusuax.com tcp
US 8.8.8.8:53 habrafa.com udp
KR 211.53.230.67:80 habrafa.com tcp
KR 211.53.230.67:80 habrafa.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
FI 65.109.242.152:443 65.109.242.152 tcp
FI 65.109.242.152:443 65.109.242.152 tcp
FI 65.109.242.152:443 65.109.242.152 tcp
DE 146.0.41.68:80 tcp
FI 65.109.242.152:443 65.109.242.152 tcp
US 8.8.8.8:53 racingcycle.net udp
PT 194.38.133.167:443 racingcycle.net tcp
PT 194.38.133.167:443 racingcycle.net tcp
US 8.8.8.8:53 snnclermontprojects.com udp
AU 176.97.69.235:443 snnclermontprojects.com tcp
IT 185.196.10.146:80 185.196.10.146 tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
RU 158.160.118.17:80 galandskiyher5.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
NL 195.20.16.46:80 195.20.16.46 tcp
US 8.8.8.8:53 www.cafullgas.pro udp
FR 154.56.32.6:443 www.cafullgas.pro tcp
FR 154.56.32.6:443 www.cafullgas.pro tcp
NL 45.15.156.13:443 tcp
NL 45.15.156.13:443 tcp
US 8.8.8.8:53 iplis.ru udp
US 172.67.147.32:443 iplis.ru tcp

Files

memory/2508-1-0x0000000000530000-0x0000000000630000-memory.dmp

memory/2508-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2508-3-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1208-4-0x0000000002B60000-0x0000000002B76000-memory.dmp

memory/2508-5-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AD8E.exe

MD5 9ce6a73712203e69e4e95ebcf891d198
SHA1 137acc0d91bfa8793c3f8f95f9a85665b22c1e97
SHA256 d55397282fd5a56d06fae62f5e18237ecd28dc53caeb5e993b66ed81ce6e7881
SHA512 d146f29c944b322bacf93e2deca44d27c160a708a27f27309cfd4176ff89a54f0c63527bfb3697b383a17562d91613ad1ee7b423bba70a59757ff3800301925d

memory/2808-18-0x0000000000590000-0x0000000000690000-memory.dmp

memory/2808-19-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1208-20-0x0000000003DE0000-0x0000000003DF6000-memory.dmp

memory/2808-21-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C3AE.exe

MD5 3ff2d354490b034a1654fb2b0783bfc4
SHA1 0452ced8b9a8f8c4a72bd795313bb7f048aa3d2b
SHA256 c6572bdb6ccd2bbebeef871d39fc32fe8c9f6578aeb78cddb3c3f9cea22bc3f5
SHA512 3a7d79390c45507a5b8aa5d2fa1a2137566c6242403828c486d919003a103f1dce2d012780fe414cbf4f6759ef08b82b22c160f8246a4e501e8fe5fc2e3563ad

memory/1712-30-0x00000000002E0000-0x0000000000372000-memory.dmp

memory/1712-31-0x00000000002E0000-0x0000000000372000-memory.dmp

memory/2588-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1712-34-0x0000000001F30000-0x000000000204B000-memory.dmp

memory/2588-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2588-41-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2588-40-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CBE9.exe

MD5 2ec5bf4cdacfa2c66740dd1394d837fa
SHA1 6370da235c5af89816a11bdc863b060e02ee5e6b
SHA256 a57d515b1ed6beffd11acbd421d918acdb1a45fe81ba5c57573a019136fcb243
SHA512 55c961b7ef980c7a1509f5789ca7b2c21cb4c4facfe000ec79f3adda725aa244be9248f327d1ec6455f6bab4abf9726f7bd28505b26cccbe3895f9828db30df6

memory/564-67-0x0000000000220000-0x00000000002A1000-memory.dmp

memory/564-66-0x00000000008D0000-0x00000000009D0000-memory.dmp

memory/564-65-0x0000000000400000-0x0000000000482000-memory.dmp

memory/748-73-0x00000000004D0000-0x0000000000562000-memory.dmp

memory/2588-72-0x0000000000400000-0x0000000000537000-memory.dmp

memory/748-75-0x00000000004D0000-0x0000000000562000-memory.dmp

memory/1588-82-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1588-83-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 b314f0727e25ec3f8c73d240a3ff95af
SHA1 c09c59600c1676ad7b64c945afc3f43fceb342dd
SHA256 1140ff12078738e601f4d124b35c5e0ae98636c0429afbed153dade1bdcd82c8
SHA512 5a51164749d755905054975749138f8a177888c3042df9c7838326e1b6c3dc6a4054043a1daffd7f5994e4ac8b0e42eac24eb89e2246616057021e48ce7e9e35

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e8aac85ac044370325f888675dc0833c
SHA1 3c6154305435c3fc689799766de484b506d27d09

Analysis: behavioral2

Detonation Overview

Reported

0001-01-01 00:00

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A