Malware Analysis Report

2025-05-28 16:27

Sample ID 230707-yntsvabb45
Target 33aeb3636988834cb63c7bf4b.exe
SHA256 3df462b3e78232032a984a4b9138fc00ce4aaf93a33a6e540f5ba8bce0cad369
Tags
agilenet njrat hacked evasion themida trojan
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 33aeb3636988834cb63c7bf4b.exe was found to be: Known bad.

Malicious Activity Summary

agilenet njrat hacked evasion themida trojan

njRAT/Bladabindi

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks computer location settings

Checks BIOS information in registry

Drops startup file

Themida packer

Obfuscated with Agile.Net obfuscator

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2023-07-07 19:56

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-07 19:56

Reported

2023-07-07 19:58

Platform

win7-20230703-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\33aeb3636988834cb63c7bf4b.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\33aeb3636988834cb63c7bf4b.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\33aeb3636988834cb63c7bf4b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\33aeb3636988834cb63c7bf4b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3db336165e398a08b41714abba10e742.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3db336165e398a08b41714abba10e742.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\33aeb3636988834cb63c7bf4b.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\33aeb3636988834cb63c7bf4b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\33aeb3636988834cb63c7bf4b.exe

"C:\Users\Admin\AppData\Local\Temp\33aeb3636988834cb63c7bf4b.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 212.ip.ply.gg udp
US 209.25.141.212:17869 212.ip.ply.gg tcp
US 192.229.211.108:80 tcp

Files

\Users\Admin\AppData\Local\Temp\754dcc14-7394-45e0-ba36-ff311d7c80f1\AgileDotNetRT.dll

MD5 105e678e6ee84e0fa7fbe34df1f9639c
SHA1 17e4d775f4405e3a81a793b5bf775e9c95da5af9
SHA256 4ef4551d44fde6e46c470314b0b89f6418a54eee3f1ad9eb7456b2a20e3065a2
SHA512 3a15a2f188a4f572923d1999a77ef6d14b243d1c0e3a4442b5a6825756b93b40e2c6197d106df62ae3b427c62ff6b21fc2fe8181a3b6709e9991f1ddd36e5689

\Users\Admin\AppData\Local\Temp\server.exe

MD5 33aeb3636988834cb63c7bf4b65581e1
SHA1 2aedb042f39bddd34dd5ce4acbf7b1b259973e3b
SHA256 3df462b3e78232032a984a4b9138fc00ce4aaf93a33a6e540f5ba8bce0cad369
SHA512 55d75587088553a61c2bb200740a7ad8167f44df7b9a24c04b350068def5daf13c3e135cf086287fe740274583fb2742bc56fb3476641898293b619a68137fbb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3db336165e398a08b41714abba10e742.exe

MD5 33aeb3636988834cb63c7bf4b65581e1
SHA1 2aedb042f39bddd34dd5ce4acbf7b1b259973e3b
SHA256 3df462b3e78232032a984a4b9138fc00ce4aaf93a33a6e540f5ba8bce0cad369
SHA512 55d75587088553a61c2bb200740a7ad8167f44df7b9a24c04b350068def5daf13c3e135cf086287fe740274583fb2742bc56fb3476641898293b619a68137fbb

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-07 19:56

Reported

2023-07-07 19:59

Platform

win10v2004-20230703-en

Max time kernel

150s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\33aeb3636988834cb63c7bf4b.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\33aeb3636988834cb63c7bf4b.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\33aeb3636988834cb63c7bf4b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\33aeb3636988834cb63c7bf4b.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\33aeb3636988834cb63c7bf4b.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3db336165e398a08b41714abba10e742.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3db336165e398a08b41714abba10e742.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\33aeb3636988834cb63c7bf4b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\33aeb3636988834cb63c7bf4b.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\33aeb3636988834cb63c7bf4b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\33aeb3636988834cb63c7bf4b.exe

"C:\Users\Admin\AppData\Local\Temp\33aeb3636988834cb63c7bf4b.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 126.211.247.8.in-addr.arpa udp
US 8.8.8.8:53 212.ip.ply.gg udp
US 209.25.141.212:17869 212.ip.ply.gg tcp
US 8.8.8.8:53 212.141.25.209.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\754dcc14-7394-45e0-ba36-ff311d7c80f1\AgileDotNetRT.dll

MD5 105e678e6ee84e0fa7fbe34df1f9639c
SHA1 17e4d775f4405e3a81a793b5bf775e9c95da5af9
SHA256 4ef4551d44fde6e46c470314b0b89f6418a54eee3f1ad9eb7456b2a20e3065a2
SHA512 3a15a2f188a4f572923d1999a77ef6d14b243d1c0e3a4442b5a6825756b93b40e2c6197d106df62ae3b427c62ff6b21fc2fe8181a3b6709e9991f1ddd36e5689

C:\Users\Admin\AppData\Local\Temp\server.exe

MD5 33aeb3636988834cb63c7bf4b65581e1
SHA1 2aedb042f39bddd34dd5ce4acbf7b1b259973e3b
SHA256 3df462b3e78232032a984a4b9138fc00ce4aaf93a33a6e540f5ba8bce0cad369
SHA512 55d75587088553a61c2bb200740a7ad8167f44df7b9a24c04b350068def5daf13c3e135cf086287fe740274583fb2742bc56fb3476641898293b619a68137fbb