Malware Analysis Report

2025-06-16 02:13

Sample ID 240123-1mgs1aahf9
Target toolspub1(1).exe
SHA256 d55397282fd5a56d06fae62f5e18237ecd28dc53caeb5e993b66ed81ce6e7881
Tags
djvu smokeloader vidar zgrat pub1 backdoor discovery persistence ransomware rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d55397282fd5a56d06fae62f5e18237ecd28dc53caeb5e993b66ed81ce6e7881

Threat Level: Known bad

The file toolspub1(1).exe was found to be: Known bad.

Malicious Activity Summary

djvu smokeloader vidar zgrat pub1 backdoor discovery persistence ransomware rat stealer trojan

SmokeLoader

Detect Vidar Stealer

Djvu Ransomware

Detect ZGRat V1

ZGRat

Detected Djvu ransomware

Vidar

Downloads MZ/PE file

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Modifies file permissions

Deletes itself

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Modifies registry class

Creates scheduled task(s)

Checks SCSI registry key(s)

Modifies system certificate store

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-23 21:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-23 21:45

Reported

2024-01-23 21:48

Platform

win7-20231215-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

ZGRat

rat zgrat

Downloads MZ/PE file

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6c7340cf-4d1b-41b7-8a09-8b9671ff532c\\7485.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\7485.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5F11.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5F11.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5F11.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5F11.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FC9B.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1216 wrote to memory of 2832 N/A N/A C:\Users\Admin\AppData\Local\Temp\5F11.exe
PID 1216 wrote to memory of 2832 N/A N/A C:\Users\Admin\AppData\Local\Temp\5F11.exe
PID 1216 wrote to memory of 2832 N/A N/A C:\Users\Admin\AppData\Local\Temp\5F11.exe
PID 1216 wrote to memory of 2832 N/A N/A C:\Users\Admin\AppData\Local\Temp\5F11.exe
PID 1216 wrote to memory of 2652 N/A N/A C:\Users\Admin\AppData\Local\Temp\7485.exe
PID 1216 wrote to memory of 2652 N/A N/A C:\Users\Admin\AppData\Local\Temp\7485.exe
PID 1216 wrote to memory of 2652 N/A N/A C:\Users\Admin\AppData\Local\Temp\7485.exe
PID 1216 wrote to memory of 2652 N/A N/A C:\Users\Admin\AppData\Local\Temp\7485.exe
PID 2652 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7485.exe C:\Users\Admin\AppData\Local\Temp\7485.exe
PID 2652 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7485.exe C:\Users\Admin\AppData\Local\Temp\7485.exe
PID 2652 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7485.exe C:\Users\Admin\AppData\Local\Temp\7485.exe
PID 2652 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7485.exe C:\Users\Admin\AppData\Local\Temp\7485.exe
PID 2652 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7485.exe C:\Users\Admin\AppData\Local\Temp\7485.exe
PID 2652 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7485.exe C:\Users\Admin\AppData\Local\Temp\7485.exe
PID 2652 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7485.exe C:\Users\Admin\AppData\Local\Temp\7485.exe
PID 2652 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7485.exe C:\Users\Admin\AppData\Local\Temp\7485.exe
PID 2652 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7485.exe C:\Users\Admin\AppData\Local\Temp\7485.exe
PID 2652 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7485.exe C:\Users\Admin\AppData\Local\Temp\7485.exe
PID 2652 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7485.exe C:\Users\Admin\AppData\Local\Temp\7485.exe
PID 2644 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\7485.exe C:\Windows\SysWOW64\icacls.exe
PID 2644 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\7485.exe C:\Windows\SysWOW64\icacls.exe
PID 2644 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\7485.exe C:\Windows\SysWOW64\icacls.exe
PID 2644 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\7485.exe C:\Windows\SysWOW64\icacls.exe
PID 2644 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\7485.exe C:\Users\Admin\AppData\Local\Temp\7485.exe
PID 2644 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\7485.exe C:\Users\Admin\AppData\Local\Temp\7485.exe
PID 2644 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\7485.exe C:\Users\Admin\AppData\Local\Temp\7485.exe
PID 2644 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\7485.exe C:\Users\Admin\AppData\Local\Temp\7485.exe
PID 1840 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\7485.exe C:\Users\Admin\AppData\Local\Temp\7485.exe
PID 1840 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\7485.exe C:\Users\Admin\AppData\Local\Temp\7485.exe
PID 1840 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\7485.exe C:\Users\Admin\AppData\Local\Temp\7485.exe
PID 1840 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\7485.exe C:\Users\Admin\AppData\Local\Temp\7485.exe
PID 1840 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\7485.exe C:\Users\Admin\AppData\Local\Temp\7485.exe
PID 1840 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\7485.exe C:\Users\Admin\AppData\Local\Temp\7485.exe
PID 1840 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\7485.exe C:\Users\Admin\AppData\Local\Temp\7485.exe
PID 1840 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\7485.exe C:\Users\Admin\AppData\Local\Temp\7485.exe
PID 1840 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\7485.exe C:\Users\Admin\AppData\Local\Temp\7485.exe
PID 1840 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\7485.exe C:\Users\Admin\AppData\Local\Temp\7485.exe
PID 1840 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\7485.exe C:\Users\Admin\AppData\Local\Temp\7485.exe
PID 1216 wrote to memory of 2304 N/A N/A C:\Users\Admin\AppData\Local\Temp\7C34.exe
PID 1216 wrote to memory of 2304 N/A N/A C:\Users\Admin\AppData\Local\Temp\7C34.exe
PID 1216 wrote to memory of 2304 N/A N/A C:\Users\Admin\AppData\Local\Temp\7C34.exe
PID 1216 wrote to memory of 2304 N/A N/A C:\Users\Admin\AppData\Local\Temp\7C34.exe
PID 2272 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\7485.exe C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe
PID 2272 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\7485.exe C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe
PID 2272 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\7485.exe C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe
PID 2272 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\7485.exe C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe
PID 1728 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe
PID 1728 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe
PID 1728 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe
PID 1728 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe
PID 1728 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe
PID 1728 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe
PID 1728 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe
PID 1728 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe
PID 1728 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe
PID 1728 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe
PID 1728 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe
PID 1216 wrote to memory of 1872 N/A N/A C:\Users\Admin\AppData\Local\Temp\9070.exe
PID 1216 wrote to memory of 1872 N/A N/A C:\Users\Admin\AppData\Local\Temp\9070.exe
PID 1216 wrote to memory of 1872 N/A N/A C:\Users\Admin\AppData\Local\Temp\9070.exe
PID 1216 wrote to memory of 1872 N/A N/A C:\Users\Admin\AppData\Local\Temp\9070.exe
PID 1216 wrote to memory of 1872 N/A N/A C:\Users\Admin\AppData\Local\Temp\9070.exe
PID 1216 wrote to memory of 1872 N/A N/A C:\Users\Admin\AppData\Local\Temp\9070.exe
PID 1216 wrote to memory of 1872 N/A N/A C:\Users\Admin\AppData\Local\Temp\9070.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe

"C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe"

C:\Users\Admin\AppData\Local\Temp\5F11.exe

C:\Users\Admin\AppData\Local\Temp\5F11.exe

C:\Users\Admin\AppData\Local\Temp\7485.exe

C:\Users\Admin\AppData\Local\Temp\7485.exe

C:\Users\Admin\AppData\Local\Temp\7485.exe

C:\Users\Admin\AppData\Local\Temp\7485.exe

C:\Users\Admin\AppData\Local\Temp\7485.exe

"C:\Users\Admin\AppData\Local\Temp\7485.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\7485.exe

"C:\Users\Admin\AppData\Local\Temp\7485.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\6c7340cf-4d1b-41b7-8a09-8b9671ff532c" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\7C34.exe

C:\Users\Admin\AppData\Local\Temp\7C34.exe

C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe

"C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe"

C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe

"C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe"

C:\Users\Admin\AppData\Local\Temp\9070.exe

C:\Users\Admin\AppData\Local\Temp\9070.exe

C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build3.exe

"C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build3.exe

"C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 1452

C:\Users\Admin\AppData\Local\Temp\FC9B.exe

C:\Users\Admin\AppData\Local\Temp\FC9B.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {B91CC48A-BFA5-461D-B59F-CC4E50367F2D} S-1-5-21-3601492379-692465709-652514833-1000:CALKHSYM\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 trad-einmyus.com udp
RU 158.160.118.17:80 trad-einmyus.com tcp
US 8.8.8.8:53 galandskiyher5.com udp
RU 158.160.118.17:80 galandskiyher5.com tcp
US 8.8.8.8:53 brusuax.com udp
AR 190.224.203.37:80 brusuax.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
RU 82.147.84.194:80 82.147.84.194 tcp
US 172.67.139.220:443 api.2ip.ua tcp
AR 190.224.203.37:80 brusuax.com tcp
US 8.8.8.8:53 habrafa.com udp
CO 186.147.159.149:80 habrafa.com tcp
US 8.8.8.8:53 olivehr.co.za udp
ZA 41.185.8.154:80 olivehr.co.za tcp
CO 186.147.159.149:80 habrafa.com tcp
US 8.8.8.8:53 udp
FI 65.109.242.152:443 tcp
FI 65.109.242.152:443 65.109.242.152 tcp
FI 65.109.242.152:443 65.109.242.152 tcp
DE 146.0.41.68:80 tcp
FI 65.109.242.152:443 65.109.242.152 tcp
US 8.8.8.8:53 racingcycle.net udp
PT 194.38.133.167:443 racingcycle.net tcp
PT 194.38.133.167:443 racingcycle.net tcp
US 8.8.8.8:53 snnclermontprojects.com udp
AU 176.97.69.235:443 snnclermontprojects.com tcp
IT 185.196.10.146:80 185.196.10.146 tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 udp
N/A 149.154.167.99:443 tcp
N/A 149.154.167.99:443 tcp
N/A 149.154.167.99:443 tcp
N/A 149.154.167.99:443 tcp
US 8.8.8.8:53 udp
N/A 104.103.202.103:443 tcp
US 8.8.8.8:53 udp
SE 192.229.221.95:80 tcp

Files

memory/1272-2-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1272-3-0x0000000000220000-0x000000000022B000-memory.dmp

memory/1272-1-0x0000000000550000-0x0000000000650000-memory.dmp

memory/1272-5-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1216-4-0x0000000002D70000-0x0000000002D86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5F11.exe

MD5 9ce6a73712203e69e4e95ebcf891d198
SHA1 137acc0d91bfa8793c3f8f95f9a85665b22c1e97
SHA256 d55397282fd5a56d06fae62f5e18237ecd28dc53caeb5e993b66ed81ce6e7881
SHA512 d146f29c944b322bacf93e2deca44d27c160a708a27f27309cfd4176ff89a54f0c63527bfb3697b383a17562d91613ad1ee7b423bba70a59757ff3800301925d

memory/2832-18-0x00000000008A0000-0x00000000009A0000-memory.dmp

memory/2832-19-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1216-20-0x0000000002DA0000-0x0000000002DB6000-memory.dmp

memory/2832-21-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7485.exe

MD5 3ff2d354490b034a1654fb2b0783bfc4
SHA1 0452ced8b9a8f8c4a72bd795313bb7f048aa3d2b
SHA256 c6572bdb6ccd2bbebeef871d39fc32fe8c9f6578aeb78cddb3c3f9cea22bc3f5
SHA512 3a7d79390c45507a5b8aa5d2fa1a2137566c6242403828c486d919003a103f1dce2d012780fe414cbf4f6759ef08b82b22c160f8246a4e501e8fe5fc2e3563ad

memory/2652-31-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2652-30-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2644-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2644-40-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2644-41-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2644-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2652-34-0x0000000001D50000-0x0000000001E6B000-memory.dmp

memory/1840-64-0x00000000002C0000-0x0000000000352000-memory.dmp

memory/1840-72-0x00000000002C0000-0x0000000000352000-memory.dmp

memory/2272-74-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2272-73-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1840-66-0x00000000002C0000-0x0000000000352000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab7A7D.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 12e3c96bd51f976d3efb8f6ac5c1ed4d
SHA1 e4f39f69e321114450e6f24ceb70da3853810545
SHA256 cf2bfaa11394efc794aa4a1855eee619e72b2c7bd85a3418ac4083a1da976bf0
SHA512 20f22afa8dbf59b0daa3996cc1652a8158af637d1244e1d91db86f73d85af7672440d4d80e9467ed94edebf5335aaf3b79645e95c85a7175a8db5e5aa1ff83ee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 085fbd5d300d51dc0d6c044135552021
SHA1 33cb8290ac63d3593623c57c1a3ade1d471ec819
SHA256 74587035115a21bade794ac1203a018ed76ffd118657f6b95f4275a708275aa3
SHA512 d3a11af9ff44c3a6cb0b068f0753c4aa9c5464a6c1546f2027211d5d9f089ea43445a933af8f152a520441f81ef7c8e888e5e16ae545f6de9ff51701d6888eb2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 7cbb7fc3b8714908e0df78eead4db236
SHA1 0c6099bf71eade519502fba81966346b86322b19
SHA256 7ef574bd3089c70e3396c34cffa67bbb9bab4fcaf23e2f272f24e27653e7814f
SHA512 8efd658549ca7263f688a869d8b2ba6a9dd55e8ce73ff33f2690c241ffa42779724e951c2dc12ae19a9f49ba4a7c3e9412b36e24c3e473300a27138bfe09c510

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 022452a2b0ec6c488292353f53b259dd
SHA1 eae14b960462e427476faa46023d472be35e86de
SHA256 c89cb303e3c0b6423d0b013f598b36273102469a842be6137ba8b0986d42039a
SHA512 22c2e2309261e05231fcc4a4526432243fbd46d8c980d8a47e8a1c5802fa09aab94ad2d25c0be2669e6b15482b35dd4d4e38eddefcb8dbceb0161f553cdc7068

memory/2272-88-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2272-87-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2644-62-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7C34.exe

MD5 2ec5bf4cdacfa2c66740dd1394d837fa
SHA1 6370da235c5af89816a11bdc863b060e02ee5e6b
SHA256 a57d515b1ed6beffd11acbd421d918acdb1a45fe81ba5c57573a019136fcb243
SHA512 55c961b7ef980c7a1509f5789ca7b2c21cb4c4facfe000ec79f3adda725aa244be9248f327d1ec6455f6bab4abf9726f7bd28505b26cccbe3895f9828db30df6

memory/2304-97-0x0000000000590000-0x0000000000690000-memory.dmp

memory/2304-99-0x0000000000220000-0x00000000002A1000-memory.dmp

memory/2304-98-0x0000000000330000-0x0000000000331000-memory.dmp

memory/2304-96-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2272-103-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2272-106-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2272-105-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe

MD5 9b00df1cca53e81d90dfc2548f8d9114
SHA1 a783bde9346c8ece56aa6fec12348fea40fdf6ec
SHA256 1ae4509fb8949fab80d4cc0fefec087af17e7c5654f2a66ac04f7372edaec5fe
SHA512 406e14898fadc9aa63021d15c1e23cc812f472c6dd1fb59a29de2c4660b573e26ba13b892b2d3755e29d6fe5fe30a4d1c0550e0aca9d0bf5ae936e59d3141ffc

memory/860-120-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1728-123-0x0000000000240000-0x0000000000340000-memory.dmp

memory/860-122-0x0000000000400000-0x000000000063F000-memory.dmp

memory/1728-125-0x00000000003B0000-0x00000000003DC000-memory.dmp

memory/860-128-0x0000000000400000-0x000000000063F000-memory.dmp

memory/860-129-0x0000000000400000-0x000000000063F000-memory.dmp

memory/2272-127-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar8BDC.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Local\Temp\9070.exe

MD5 2b82eb950c4b07624724358abaee1e17
SHA1 35b7e43f3e60c7c9423773458715f65d010c854e
SHA256 883e014f638041cc942d1125a65846156b6a0af20f3a27883817ecc2ab0d6727
SHA512 2099a58cfd73290572793c6a9f36b5f3fdb20117eb601dfd7f62246465901cc56449c6a5e6a852a383d7a44534221aca91405ef2a6f96c76ad30ad82f16f24af

C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/2272-211-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1872-223-0x00000000000D0000-0x00000000000D1000-memory.dmp

memory/1872-227-0x00000000000D0000-0x00000000000D1000-memory.dmp

memory/1872-235-0x0000000001290000-0x0000000001B44000-memory.dmp

memory/1872-238-0x00000000000D0000-0x00000000000D1000-memory.dmp

memory/2192-244-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1068-242-0x0000000000220000-0x0000000000224000-memory.dmp

memory/1872-246-0x0000000001290000-0x0000000001B44000-memory.dmp

memory/2192-248-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2192-253-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2192-251-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1872-245-0x00000000770E0000-0x00000000770E1000-memory.dmp

memory/1068-239-0x0000000000950000-0x0000000000A50000-memory.dmp

memory/860-296-0x0000000000400000-0x000000000063F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FC9B.exe

MD5 14f7c4b98e2c837e555d030bfbe740c4
SHA1 695e50ac70754d449445343764d8a0c339323a04
SHA256 585892aac1dd2104c9dc5badf75efbc0d5f363456c084741af5e251402473de0
SHA512 c72065546378ea95362d370b6e5fe6aa75e197c2a156193057f6ffe0f4c010ad3a2d7b6d024b02f7aee91b97dd6740833911107bcdb8a7fae2316e0ef8228cc5

memory/1764-307-0x00000000729A0000-0x000000007308E000-memory.dmp

memory/1764-306-0x0000000000EE0000-0x0000000000FA6000-memory.dmp

memory/1764-310-0x0000000000AF0000-0x0000000000BB8000-memory.dmp

memory/1764-309-0x0000000004B10000-0x0000000004B50000-memory.dmp

memory/1764-311-0x0000000000BC0000-0x0000000000C8A000-memory.dmp

memory/1764-317-0x0000000000BC0000-0x0000000000C83000-memory.dmp

memory/1764-319-0x0000000000BC0000-0x0000000000C83000-memory.dmp

memory/1764-315-0x0000000000BC0000-0x0000000000C83000-memory.dmp

memory/1764-313-0x0000000000BC0000-0x0000000000C83000-memory.dmp

memory/1764-312-0x0000000000BC0000-0x0000000000C83000-memory.dmp

memory/2000-891-0x0000000000920000-0x0000000000A20000-memory.dmp

memory/2084-899-0x00000000042D0000-0x00000000042D1000-memory.dmp

memory/1764-902-0x00000000729A0000-0x000000007308E000-memory.dmp

memory/1764-904-0x0000000004B10000-0x0000000004B50000-memory.dmp

memory/2084-912-0x00000000042D0000-0x00000000042D1000-memory.dmp

memory/2484-927-0x0000000000970000-0x0000000000A70000-memory.dmp

Analysis: behavioral2

Detonation Overview

Reported

0001-01-01 00:00

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A