Malware Analysis Report

2025-06-16 02:13

Sample ID 240123-z81ybsaec5
Target toolspub1(1).exe
SHA256 d55397282fd5a56d06fae62f5e18237ecd28dc53caeb5e993b66ed81ce6e7881
Tags
djvu smokeloader vidar zgrat pub1 backdoor discovery persistence ransomware rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d55397282fd5a56d06fae62f5e18237ecd28dc53caeb5e993b66ed81ce6e7881

Threat Level: Known bad

The file toolspub1(1).exe was found to be: Known bad.

Malicious Activity Summary

djvu smokeloader vidar zgrat pub1 backdoor discovery persistence ransomware rat stealer trojan

Detected Djvu ransomware

Vidar

ZGRat

Djvu Ransomware

Detect Vidar Stealer

Detect ZGRat V1

SmokeLoader

Modifies Installed Components in the registry

Downloads MZ/PE file

Executes dropped EXE

Deletes itself

Loads dropped DLL

Modifies file permissions

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Modifies registry class

Checks SCSI registry key(s)

Suspicious use of SendNotifyMessage

Creates scheduled task(s)

Modifies system certificate store

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-23 21:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-23 21:24

Reported

2024-01-23 21:26

Platform

win7-20231215-en

Max time kernel

144s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

ZGRat

rat zgrat

Downloads MZ/PE file

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d052634d-5efb-4cbe-bee2-cd3c6716b9a2\\DF6.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\DF6.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\FA46.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\FA46.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\FA46.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FA46.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\A3A3.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1240 wrote to memory of 2140 N/A N/A C:\Users\Admin\AppData\Local\Temp\FA46.exe
PID 1240 wrote to memory of 2140 N/A N/A C:\Users\Admin\AppData\Local\Temp\FA46.exe
PID 1240 wrote to memory of 2140 N/A N/A C:\Users\Admin\AppData\Local\Temp\FA46.exe
PID 1240 wrote to memory of 2140 N/A N/A C:\Users\Admin\AppData\Local\Temp\FA46.exe
PID 1240 wrote to memory of 2596 N/A N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe
PID 1240 wrote to memory of 2596 N/A N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe
PID 1240 wrote to memory of 2596 N/A N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe
PID 1240 wrote to memory of 2596 N/A N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe
PID 2596 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe C:\Users\Admin\AppData\Local\Temp\DF6.exe
PID 2596 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe C:\Users\Admin\AppData\Local\Temp\DF6.exe
PID 2596 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe C:\Users\Admin\AppData\Local\Temp\DF6.exe
PID 2596 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe C:\Users\Admin\AppData\Local\Temp\DF6.exe
PID 2596 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe C:\Users\Admin\AppData\Local\Temp\DF6.exe
PID 2596 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe C:\Users\Admin\AppData\Local\Temp\DF6.exe
PID 2596 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe C:\Users\Admin\AppData\Local\Temp\DF6.exe
PID 2596 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe C:\Users\Admin\AppData\Local\Temp\DF6.exe
PID 2596 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe C:\Users\Admin\AppData\Local\Temp\DF6.exe
PID 2596 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe C:\Users\Admin\AppData\Local\Temp\DF6.exe
PID 2596 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe C:\Users\Admin\AppData\Local\Temp\DF6.exe
PID 1240 wrote to memory of 3052 N/A N/A C:\Users\Admin\AppData\Local\Temp\18EF.exe
PID 1240 wrote to memory of 3052 N/A N/A C:\Users\Admin\AppData\Local\Temp\18EF.exe
PID 1240 wrote to memory of 3052 N/A N/A C:\Users\Admin\AppData\Local\Temp\18EF.exe
PID 1240 wrote to memory of 3052 N/A N/A C:\Users\Admin\AppData\Local\Temp\18EF.exe
PID 2588 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe C:\Windows\SysWOW64\icacls.exe
PID 2588 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe C:\Windows\SysWOW64\icacls.exe
PID 2588 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe C:\Windows\SysWOW64\icacls.exe
PID 2588 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe C:\Windows\SysWOW64\icacls.exe
PID 2588 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe C:\Users\Admin\AppData\Local\Temp\DF6.exe
PID 2588 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe C:\Users\Admin\AppData\Local\Temp\DF6.exe
PID 2588 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe C:\Users\Admin\AppData\Local\Temp\DF6.exe
PID 2588 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe C:\Users\Admin\AppData\Local\Temp\DF6.exe
PID 2044 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe C:\Users\Admin\AppData\Local\Temp\DF6.exe
PID 2044 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe C:\Users\Admin\AppData\Local\Temp\DF6.exe
PID 2044 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe C:\Users\Admin\AppData\Local\Temp\DF6.exe
PID 2044 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe C:\Users\Admin\AppData\Local\Temp\DF6.exe
PID 2044 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe C:\Users\Admin\AppData\Local\Temp\DF6.exe
PID 2044 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe C:\Users\Admin\AppData\Local\Temp\DF6.exe
PID 2044 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe C:\Users\Admin\AppData\Local\Temp\DF6.exe
PID 2044 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe C:\Users\Admin\AppData\Local\Temp\DF6.exe
PID 2044 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe C:\Users\Admin\AppData\Local\Temp\DF6.exe
PID 2044 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe C:\Users\Admin\AppData\Local\Temp\DF6.exe
PID 2044 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe C:\Users\Admin\AppData\Local\Temp\DF6.exe
PID 2748 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build2.exe
PID 2748 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build2.exe
PID 2748 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build2.exe
PID 2748 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\DF6.exe C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build2.exe
PID 1240 wrote to memory of 2024 N/A N/A C:\Users\Admin\AppData\Local\Temp\322B.exe
PID 1240 wrote to memory of 2024 N/A N/A C:\Users\Admin\AppData\Local\Temp\322B.exe
PID 1240 wrote to memory of 2024 N/A N/A C:\Users\Admin\AppData\Local\Temp\322B.exe
PID 1240 wrote to memory of 2024 N/A N/A C:\Users\Admin\AppData\Local\Temp\322B.exe
PID 1240 wrote to memory of 2024 N/A N/A C:\Users\Admin\AppData\Local\Temp\322B.exe
PID 1240 wrote to memory of 2024 N/A N/A C:\Users\Admin\AppData\Local\Temp\322B.exe
PID 1240 wrote to memory of 2024 N/A N/A C:\Users\Admin\AppData\Local\Temp\322B.exe
PID 3024 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build2.exe C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build2.exe
PID 3024 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build2.exe C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build2.exe
PID 3024 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build2.exe C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build2.exe
PID 3024 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build2.exe C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build2.exe
PID 3024 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build2.exe C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build2.exe
PID 3024 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build2.exe C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build2.exe
PID 3024 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build2.exe C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build2.exe
PID 3024 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build2.exe C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build2.exe
PID 3024 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build2.exe C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build2.exe
PID 3024 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build2.exe C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build2.exe
PID 3024 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build2.exe C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build2.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe

"C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe"

C:\Users\Admin\AppData\Local\Temp\FA46.exe

C:\Users\Admin\AppData\Local\Temp\FA46.exe

C:\Users\Admin\AppData\Local\Temp\DF6.exe

C:\Users\Admin\AppData\Local\Temp\DF6.exe

C:\Users\Admin\AppData\Local\Temp\DF6.exe

C:\Users\Admin\AppData\Local\Temp\DF6.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\d052634d-5efb-4cbe-bee2-cd3c6716b9a2" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\18EF.exe

C:\Users\Admin\AppData\Local\Temp\18EF.exe

C:\Users\Admin\AppData\Local\Temp\DF6.exe

"C:\Users\Admin\AppData\Local\Temp\DF6.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\DF6.exe

"C:\Users\Admin\AppData\Local\Temp\DF6.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build2.exe

"C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build2.exe"

C:\Users\Admin\AppData\Local\Temp\322B.exe

C:\Users\Admin\AppData\Local\Temp\322B.exe

C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build2.exe

"C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build2.exe"

C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build3.exe

"C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 1468

C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build3.exe

"C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {5659EF17-4605-4655-B3E6-43858ED6C867} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\A3A3.exe

C:\Users\Admin\AppData\Local\Temp\A3A3.exe

C:\Windows\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\A3A3.exe

C:\Users\Admin\AppData\Local\Temp\A3A3.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 156

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 trad-einmyus.com udp
RU 158.160.118.17:80 trad-einmyus.com tcp
US 8.8.8.8:53 galandskiyher5.com udp
RU 158.160.118.17:80 galandskiyher5.com tcp
US 8.8.8.8:53 brusuax.com udp
KR 211.181.24.132:80 brusuax.com tcp
RU 82.147.84.194:80 82.147.84.194 tcp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 olivehr.co.za udp
ZA 41.185.8.154:80 olivehr.co.za tcp
US 172.67.139.220:443 api.2ip.ua tcp
KR 211.181.24.132:80 brusuax.com tcp
US 8.8.8.8:53 habrafa.com udp
PA 190.218.35.224:80 habrafa.com tcp
PA 190.218.35.224:80 habrafa.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.103.202.103:443 steamcommunity.com tcp
DE 146.0.41.68:80 tcp
FI 65.109.242.152:443 65.109.242.152 tcp
FI 65.109.242.152:443 65.109.242.152 tcp
US 8.8.8.8:53 racingcycle.net udp
PT 194.38.133.167:443 racingcycle.net tcp
PT 194.38.133.167:443 racingcycle.net tcp
FI 65.109.242.152:443 65.109.242.152 tcp
US 8.8.8.8:53 snnclermontprojects.com udp
AU 176.97.69.235:443 snnclermontprojects.com tcp
FI 65.109.242.152:443 65.109.242.152 tcp
IT 185.196.10.146:80 185.196.10.146 tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp

Files

memory/2204-1-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/2204-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2204-3-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2204-5-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1240-4-0x00000000021F0000-0x0000000002206000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FA46.exe

MD5 9ce6a73712203e69e4e95ebcf891d198
SHA1 137acc0d91bfa8793c3f8f95f9a85665b22c1e97
SHA256 d55397282fd5a56d06fae62f5e18237ecd28dc53caeb5e993b66ed81ce6e7881
SHA512 d146f29c944b322bacf93e2deca44d27c160a708a27f27309cfd4176ff89a54f0c63527bfb3697b383a17562d91613ad1ee7b423bba70a59757ff3800301925d

memory/2140-18-0x0000000000250000-0x0000000000350000-memory.dmp

memory/2140-19-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DF6.exe

MD5 3ff2d354490b034a1654fb2b0783bfc4
SHA1 0452ced8b9a8f8c4a72bd795313bb7f048aa3d2b
SHA256 c6572bdb6ccd2bbebeef871d39fc32fe8c9f6578aeb78cddb3c3f9cea22bc3f5
SHA512 3a7d79390c45507a5b8aa5d2fa1a2137566c6242403828c486d919003a103f1dce2d012780fe414cbf4f6759ef08b82b22c160f8246a4e501e8fe5fc2e3563ad

memory/2596-26-0x0000000000330000-0x00000000003C2000-memory.dmp

memory/2596-28-0x0000000000330000-0x00000000003C2000-memory.dmp

memory/2140-29-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2596-31-0x00000000006D0000-0x00000000007EB000-memory.dmp

memory/1240-27-0x0000000003A00000-0x0000000003A16000-memory.dmp

memory/2588-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2588-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2596-40-0x0000000000330000-0x00000000003C2000-memory.dmp

memory/2588-41-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2588-42-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\18EF.exe

MD5 2ec5bf4cdacfa2c66740dd1394d837fa
SHA1 6370da235c5af89816a11bdc863b060e02ee5e6b
SHA256 a57d515b1ed6beffd11acbd421d918acdb1a45fe81ba5c57573a019136fcb243
SHA512 55c961b7ef980c7a1509f5789ca7b2c21cb4c4facfe000ec79f3adda725aa244be9248f327d1ec6455f6bab4abf9726f7bd28505b26cccbe3895f9828db30df6

memory/3052-68-0x00000000002F0000-0x00000000003F0000-memory.dmp

memory/3052-67-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3052-69-0x0000000000500000-0x0000000000581000-memory.dmp

memory/2588-72-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2044-75-0x0000000000570000-0x0000000000602000-memory.dmp

memory/2044-76-0x0000000000570000-0x0000000000602000-memory.dmp

memory/2748-83-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2748-84-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 7cbb7fc3b8714908e0df78eead4db236
SHA1 0c6099bf71eade519502fba81966346b86322b19
SHA256 7ef574bd3089c70e3396c34cffa67bbb9bab4fcaf23e2f272f24e27653e7814f
SHA512 8efd658549ca7263f688a869d8b2ba6a9dd55e8ce73ff33f2690c241ffa42779724e951c2dc12ae19a9f49ba4a7c3e9412b36e24c3e473300a27138bfe09c510

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 dcbd6208e126074651bdcfe614df6984
SHA1 c655f5824455ee7dd6dd2c314d23905b997b1d3c
SHA256 ea218816822f3a9e80fa079c3e60b7c45a8fff4f7a1771cb0d57abc4f079eb9e
SHA512 8c88646d0916f4c3d6fdcb0bc7f6b2cd5d9d1140907e1fcfbfa916aec19aed2a0b1a3af985c2ce3013243095567d05cb9542a9665935d3cd613f4e06c2e03e00

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 139bdc4bdf13cf4f0233bd4b576b8b9a
SHA1 57ed5560f7beb825a40c6b349e6c41a4c18f0452
SHA256 afbf080a0febdf78d442959a3fa56bb4e570e63b12e7e64d4de63841932a66b8
SHA512 5341c0523b71839ff188904dd19b66e6d91144bb61697e1a5469e76d2321aebb4ed000e30dd73f420220a62601a51b1183ec4b17a8027423e0ff336cff9f347a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8bd16e8e846fcb38253604fd2d62bac1
SHA1 8534931ba5594d4cee19e9c93a3f62ce20793d7c
SHA256 60482fabfb98906a286635a2f7ee7424c2492c8bc2e0f5218ce4ba8732ddfa6e
SHA512 c6599d187bb1066205dd871908fc74336e98e03d3e7c9b4e50525f1e3b2326a0b4f4e0bcf5b23a82ef4fb2f9b536f1ecd1db3fa202d54ef5d1a38d8a2f0303b7

C:\Users\Admin\AppData\Local\Temp\Cab225F.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/2748-98-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2748-97-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2748-102-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2748-104-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2748-105-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build2.exe

MD5 9b00df1cca53e81d90dfc2548f8d9114
SHA1 a783bde9346c8ece56aa6fec12348fea40fdf6ec
SHA256 1ae4509fb8949fab80d4cc0fefec087af17e7c5654f2a66ac04f7372edaec5fe
SHA512 406e14898fadc9aa63021d15c1e23cc812f472c6dd1fb59a29de2c4660b573e26ba13b892b2d3755e29d6fe5fe30a4d1c0550e0aca9d0bf5ae936e59d3141ffc

memory/3024-118-0x0000000000510000-0x0000000000610000-memory.dmp

memory/3024-120-0x0000000000230000-0x000000000025C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\322B.exe

MD5 2b82eb950c4b07624724358abaee1e17
SHA1 35b7e43f3e60c7c9423773458715f65d010c854e
SHA256 883e014f638041cc942d1125a65846156b6a0af20f3a27883817ecc2ab0d6727
SHA512 2099a58cfd73290572793c6a9f36b5f3fdb20117eb601dfd7f62246465901cc56449c6a5e6a852a383d7a44534221aca91405ef2a6f96c76ad30ad82f16f24af

memory/576-125-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/576-128-0x0000000000400000-0x000000000063F000-memory.dmp

memory/576-131-0x0000000000400000-0x000000000063F000-memory.dmp

memory/576-132-0x0000000000400000-0x000000000063F000-memory.dmp

memory/2748-133-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2748-144-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\59228284-e901-457a-8a11-7ec0fb57e63c\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/2024-145-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2024-147-0x0000000000F40000-0x00000000017F4000-memory.dmp

memory/2024-149-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2024-151-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2024-152-0x0000000077940000-0x0000000077941000-memory.dmp

memory/2024-155-0x0000000000F40000-0x00000000017F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar409A.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

memory/3052-280-0x0000000000500000-0x0000000000581000-memory.dmp

memory/2596-279-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1940-281-0x00000000009C0000-0x0000000000AC0000-memory.dmp

memory/2596-284-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1940-283-0x0000000000220000-0x0000000000224000-memory.dmp

memory/2596-290-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2596-292-0x0000000000400000-0x0000000000406000-memory.dmp

memory/576-298-0x0000000000400000-0x000000000063F000-memory.dmp

memory/2408-300-0x0000000000C50000-0x0000000000D50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A3A3.exe

MD5 14f7c4b98e2c837e555d030bfbe740c4
SHA1 695e50ac70754d449445343764d8a0c339323a04
SHA256 585892aac1dd2104c9dc5badf75efbc0d5f363456c084741af5e251402473de0
SHA512 c72065546378ea95362d370b6e5fe6aa75e197c2a156193057f6ffe0f4c010ad3a2d7b6d024b02f7aee91b97dd6740833911107bcdb8a7fae2316e0ef8228cc5

memory/1336-316-0x0000000000040000-0x0000000000106000-memory.dmp

memory/1336-317-0x0000000073320000-0x0000000073A0E000-memory.dmp

memory/1240-319-0x00000000021D0000-0x00000000021D1000-memory.dmp

memory/1336-324-0x00000000049E0000-0x0000000004A20000-memory.dmp

memory/1336-325-0x0000000001FA0000-0x0000000002068000-memory.dmp

memory/1336-326-0x0000000002100000-0x00000000021CA000-memory.dmp

memory/1336-1262-0x00000000006E0000-0x00000000006E1000-memory.dmp

memory/1336-1264-0x0000000002070000-0x00000000020BC000-memory.dmp

memory/1336-1263-0x0000000004980000-0x00000000049E0000-memory.dmp

memory/2192-1265-0x00000000044D0000-0x00000000044D1000-memory.dmp

memory/1336-1281-0x0000000073320000-0x0000000073A0E000-memory.dmp

memory/2192-1300-0x00000000044D0000-0x00000000044D1000-memory.dmp

memory/1908-1310-0x00000000002B0000-0x00000000003B0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Reported

0001-01-01 00:00

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A