Malware Analysis Report

2025-03-15 06:27

Sample ID: 240120-z5jvmsggem
Target: a09a3b6b6bea6ef91aef5d0dd4581b88.exe
SHA256: 6eea9641063b4f2e44360afc7bee1894423dc6aa92e7e497740fca1758d38c25
Tags: hacked njrat evasion persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: 6eea9641063b4f2e44360afc7bee1894423dc6aa92e7e497740fca1758d38c25

Threat Level: Known bad

The file a09a3b6b6bea6ef91aef5d0dd4581b88.exe was found to be: Known bad.

Malicious Activity Summary

hacked njrat evasion persistence trojan

njRAT/Bladabindi

Njrat family

Modifies Windows Firewall

Checks computer location settings

Executes dropped EXE

Drops startup file

Loads dropped DLL

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-01-20 21:17

Signatures

Njrat family

njrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-20 21:17
Reported: 2024-01-20 21:20
Platform: win7-20231215-en
Max time kernel: 150s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a09a3b6b6bea6ef91aef5d0dd4581b88.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\39b05030c645f6e80bce801caf1f7d61.exe | C:\Users\Admin\windows updator_prdas.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\39b05030c645f6e80bce801caf1f7d61.exe | C:\Users\Admin\windows updator_prdas.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\windows updator_prdas.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a09a3b6b6bea6ef91aef5d0dd4581b88.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\39b05030c645f6e80bce801caf1f7d61 = "C:\Users\Admin\windows updator_prdas.exe" .. | C:\Users\Admin\windows updator_prdas.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\39b05030c645f6e80bce801caf1f7d61 = "C:\Users\Admin\windows updator_prdas.exe" .. | C:\Users\Admin\windows updator_prdas.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\windows updator_prdas.exe | N/A (64 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\windows updator_prdas.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\windows updator_prdas.exe | N/A
Token: 33 | N/A | C:\Users\Admin\windows updator_prdas.exe | N/A (17 identical rows, alternating with the row below)
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\windows updator_prdas.exe | N/A (17 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\a09a3b6b6bea6ef91aef5d0dd4581b88.exe

"C:\Users\Admin\AppData\Local\Temp\a09a3b6b6bea6ef91aef5d0dd4581b88.exe"

C:\Users\Admin\windows updator_prdas.exe

"C:\Users\Admin\windows updator_prdas.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\windows updator_prdas.exe" "windows updator_prdas.exe" ENABLE
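The three host-side behaviours recorded in this run (a netsh firewall exception for the dropped copy, Run-key values of the form "<path>" .., and an .exe written into the per-user Startup folder) translate directly into detection rules. Note that the dropped C:\Users\Admin\windows updator_prdas.exe carries the same MD5/SHA1/SHA256 as the submitted sample, so every persistence entry points at a self-copy. The Python below is an added example written for this page, not part of the sandbox output: it applies those rules to constructed Sysmon-style events. The event layout, the rule names and the two benign control events are assumptions.

```python
"""Host-side triage rules derived from this report's persistence and firewall
signatures. Added example; not part of the sandbox output.

Rules applied to Sysmon-style events (constructed below):
  1. process:  netsh adds a firewall exception for a binary under C:\\Users\\
  2. registry: a Run value that ends in the " .." argument seen in this report,
               or whose target .exe sits directly in a user's profile root
  3. file:     an .exe written into the per-user Startup folder
"""
import re

USER_PROFILE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)
PROFILE_ROOT_EXE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\[^\\]+\.exe$", re.I)
STARTUP_FOLDER_RE = re.compile(
    r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+\.exe$",
    re.I,
)
RUN_KEY_RE = re.compile(
    r"\\software\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\run\\", re.I
)
# Legacy syntax used by this sample: netsh firewall add allowedprogram "<path>" ...
NETSH_LEGACY_RE = re.compile(
    r'netsh(?:\.exe)?\s+firewall\s+add\s+allowedprogram\s+"([^"]+)"', re.I
)
# Current syntax: netsh advfirewall firewall add rule ... program="<path>"
NETSH_ADV_RE = re.compile(
    r'netsh(?:\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))',
    re.I,
)


def firewall_exception_target(cmdline: str):
    """Return the program path a netsh command whitelists, or None."""
    m = NETSH_LEGACY_RE.search(cmdline)
    if m:
        return m.group(1)
    m = NETSH_ADV_RE.search(cmdline)
    if m:
        return m.group(1) or m.group(2)
    return None


def run_value_target(value: str) -> str:
    """Extract the executable path from a Run-key command string."""
    m = re.match(r'^"([^"]+)"', value)
    return m.group(1) if m else value.split()[0]


def check_event(ev: dict) -> list:
    """Return the names of the rules a single event triggers."""
    hits = []
    if ev["type"] == "process":
        target = firewall_exception_target(ev.get("cmdline", ""))
        if target and USER_PROFILE_RE.match(target):
            hits.append("firewall_exception_for_user_profile_binary")
    elif ev["type"] == "registry" and RUN_KEY_RE.search(ev.get("key", "")):
        value = ev.get("value", "")
        if value.rstrip().endswith('" ..'):
            hits.append("run_key_njrat_dotdot_argument")
        if PROFILE_ROOT_EXE_RE.match(run_value_target(value)):
            hits.append("run_key_exe_in_profile_root")
    elif ev["type"] == "file" and STARTUP_FOLDER_RE.search(ev.get("path", "")):
        hits.append("startup_folder_exe_drop")
    return hits


def triage(events) -> dict:
    """Map event index -> triggered rules; events with no hits are omitted."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}


# Constructed events mirroring this report's behavioral1 run, plus two benign controls.
SAMPLE_EVENTS = [
    {"type": "process",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\windows updator_prdas.exe" "windows updator_prdas.exe" ENABLE'},
    {"type": "registry",
     "key": r"HKU\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\39b05030c645f6e80bce801caf1f7d61",
     "value": r'"C:\Users\Admin\windows updator_prdas.exe" ..'},
    {"type": "file",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\39b05030c645f6e80bce801caf1f7d61.exe"},
    {"type": "process",  # benign control: exception for a Program Files binary
     "cmdline": r'netsh advfirewall firewall add rule name="App" dir=in action=allow program="C:\Program Files\App\app.exe"'},
    {"type": "registry",  # benign control: ordinary per-user autostart under AppData
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS).items():
        print(idx, rules)
```

The `netsh firewall` context this sample uses is the legacy pre-advfirewall syntax; the check also parses `netsh advfirewall firewall add rule ... program=` so a variant using the current syntax is not missed. The trailing ` ..` argument appears in both Run values above and is characteristic of njRAT installs; on its own it is a strong indicator, and the profile-root location check catches a renamed copy even if that argument changes. Only the three malicious events are reported; the Program Files firewall rule and the OneDrive autostart under AppData produce no hits.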

Network

Country | Destination (IP:port) | Domain | Proto
US | 8.8.8.8:53 | 4.tcp.eu.ngrok.io | udp
DE | 3.127.253.86:10929 | 4.tcp.eu.ngrok.io | tcp
US | 8.8.8.8:53 | 4.tcp.eu.ngrok.io | udp
DE | 3.127.59.75:10929 | 4.tcp.eu.ngrok.io | tcp
US | 8.8.8.8:53 | 4.tcp.eu.ngrok.io | udp
DE | 52.28.112.211:10929 | 4.tcp.eu.ngrok.io | tcp
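The network table shows the C2 pattern behind the "Legitimate hosting services abused for malware hosting/C2" signature: each resolution of 4.tcp.eu.ngrok.io is followed by a TCP connection to a different DE-hosted IP on port 10929. The Python below is an added example, not part of the sandbox output: it groups TCP flows by ngrok TCP tunnel hostname, collects the ports and resolved IPs, and correlates the in-addr.arpa reverse lookups of those IPs that the Windows 10 run (behavioral2) performs. The record layout and the benign control records (example.com and an unrelated PTR query) are assumptions.

```python
"""Network-side check for the C2 pattern in this report: DNS resolution of an
ngrok TCP tunnel hostname, TCP connections to the resolved endpoints on a
high, non-standard port, and reverse lookups of those endpoint IPs.
Added example; not part of the sandbox output.
"""
import re
from collections import defaultdict

# ngrok TCP tunnel endpoints are named N.tcp.<region>.ngrok.io (or N.tcp.ngrok.io).
NGROK_TCP_RE = re.compile(r"^\d+\.tcp\.(?:[a-z]+\.)?ngrok\.io$", re.I)
PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$", re.I)

# Constructed records in the layout of this report's Network table
# (country, destination ip:port, domain, protocol); the last three rows are
# benign controls that must not be flagged.
SAMPLE_RECORDS = [
    {"country": "US", "dst": "8.8.8.8:53", "domain": "4.tcp.eu.ngrok.io", "proto": "udp"},
    {"country": "DE", "dst": "3.127.253.86:10929", "domain": "4.tcp.eu.ngrok.io", "proto": "tcp"},
    {"country": "US", "dst": "8.8.8.8:53", "domain": "86.253.127.3.in-addr.arpa", "proto": "udp"},
    {"country": "US", "dst": "8.8.8.8:53", "domain": "4.tcp.eu.ngrok.io", "proto": "udp"},
    {"country": "DE", "dst": "52.28.112.211:10929", "domain": "4.tcp.eu.ngrok.io", "proto": "tcp"},
    {"country": "US", "dst": "8.8.8.8:53", "domain": "211.112.28.52.in-addr.arpa", "proto": "udp"},
    {"country": "US", "dst": "8.8.8.8:53", "domain": "example.com", "proto": "udp"},
    {"country": "US", "dst": "93.184.216.34:443", "domain": "example.com", "proto": "tcp"},
    {"country": "US", "dst": "8.8.8.8:53", "domain": "14.42.107.13.in-addr.arpa", "proto": "udp"},
]


def ptr_to_ip(name: str):
    """'86.253.127.3.in-addr.arpa' -> '3.127.253.86'; None for non-PTR names."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def find_tunnel_c2(records) -> dict:
    """Group TCP flows by ngrok tunnel hostname and attach the reverse lookups
    that reference the same endpoint IPs.
    Returns {hostname: {"ports": [...], "ips": [...], "reverse_lookups": [...]}}."""
    tunnels = defaultdict(lambda: {"ports": set(), "ips": set(), "reverse_lookups": set()})
    for r in records:
        host = r.get("domain", "")
        if r.get("proto") == "tcp" and NGROK_TCP_RE.match(host):
            ip, port = r["dst"].rsplit(":", 1)
            tunnels[host]["ips"].add(ip)
            tunnels[host]["ports"].add(int(port))
    # Second pass: PTR queries for any IP that was used as a tunnel endpoint.
    for r in records:
        ip = ptr_to_ip(r.get("domain", ""))
        for t in tunnels.values():
            if ip in t["ips"]:
                t["reverse_lookups"].add(ip)
    return {host: {k: sorted(v) for k, v in t.items()} for host, t in tunnels.items()}


if __name__ == "__main__":
    for host, info in find_tunnel_c2(SAMPLE_RECORDS).items():
        print(host, info)
```

ngrok assigns the tunnel hostname and port per tunnel and the ngrok.io endpoints are shared infrastructure, so the durable indicator is the N.tcp.<region>.ngrok.io naming pattern rather than 3.127.253.86 or port 10929. Alert on, or block, resolution of that pattern unless ngrok is sanctioned in the environment; the reverse lookups in behavioral2 are a useful corroborating signal on hosts where forward DNS is not logged.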

Files

memory/2144-0-0x0000000074100000-0x00000000746AB000-memory.dmp

memory/2144-1-0x0000000074100000-0x00000000746AB000-memory.dmp

memory/2144-2-0x0000000000C10000-0x0000000000C50000-memory.dmp

\Users\Admin\windows updator_prdas.exe

MD5 a09a3b6b6bea6ef91aef5d0dd4581b88
SHA1 098ed5d82ade538154634a9f44d8f91607c23392
SHA256 6eea9641063b4f2e44360afc7bee1894423dc6aa92e7e497740fca1758d38c25
SHA512 42c383b30292cb2521f70e3dcc30b96553e50866ab965f9304bf2808d90ea4be01efa12d380f6d9b76ffe57f09974d5563e5a6018a2009328ce18a25b4b3d1f8

memory/2404-10-0x0000000074100000-0x00000000746AB000-memory.dmp

memory/2144-12-0x0000000074100000-0x00000000746AB000-memory.dmp

memory/2404-13-0x00000000020B0000-0x00000000020F0000-memory.dmp

memory/2404-11-0x0000000074100000-0x00000000746AB000-memory.dmp

memory/2404-15-0x0000000074100000-0x00000000746AB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-20 21:17
Reported: 2024-01-20 21:20
Platform: win10v2004-20231215-en
Max time kernel: 156s
Max time network: 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a09a3b6b6bea6ef91aef5d0dd4581b88.exe"

Signatures

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a09a3b6b6bea6ef91aef5d0dd4581b88.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\39b05030c645f6e80bce801caf1f7d61.exe | C:\Users\Admin\windows updator_prdas.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\39b05030c645f6e80bce801caf1f7d61.exe | C:\Users\Admin\windows updator_prdas.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\windows updator_prdas.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\39b05030c645f6e80bce801caf1f7d61 = "C:\Users\Admin\windows updator_prdas.exe" .. | C:\Users\Admin\windows updator_prdas.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\39b05030c645f6e80bce801caf1f7d61 = "C:\Users\Admin\windows updator_prdas.exe" .. | C:\Users\Admin\windows updator_prdas.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\windows updator_prdas.exe | N/A (64 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\windows updator_prdas.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\windows updator_prdas.exe | N/A
Token: 33 | N/A | C:\Users\Admin\windows updator_prdas.exe | N/A (17 identical rows, alternating with the row below)
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\windows updator_prdas.exe | N/A (17 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\a09a3b6b6bea6ef91aef5d0dd4581b88.exe

"C:\Users\Admin\AppData\Local\Temp\a09a3b6b6bea6ef91aef5d0dd4581b88.exe"

C:\Users\Admin\windows updator_prdas.exe

"C:\Users\Admin\windows updator_prdas.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\windows updator_prdas.exe" "windows updator_prdas.exe" ENABLE

Network

Country | Destination (IP:port) | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.tcp.eu.ngrok.io | udp
DE | 3.127.253.86:10929 | 4.tcp.eu.ngrok.io | tcp
US | 8.8.8.8:53 | 86.253.127.3.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.tcp.eu.ngrok.io | udp
DE | 3.127.253.86:10929 | 4.tcp.eu.ngrok.io | tcp
US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.tcp.eu.ngrok.io | udp
DE | 52.28.112.211:10929 | 4.tcp.eu.ngrok.io | tcp
US | 8.8.8.8:53 | 211.112.28.52.in-addr.arpa | udp

Files

memory/3096-0-0x0000000075340000-0x00000000758F1000-memory.dmp

memory/3096-1-0x0000000075340000-0x00000000758F1000-memory.dmp

memory/3096-2-0x0000000000ED0000-0x0000000000EE0000-memory.dmp

C:\Users\Admin\windows updator_prdas.exe

MD5 a09a3b6b6bea6ef91aef5d0dd4581b88
SHA1 098ed5d82ade538154634a9f44d8f91607c23392
SHA256 6eea9641063b4f2e44360afc7bee1894423dc6aa92e7e497740fca1758d38c25
SHA512 42c383b30292cb2521f70e3dcc30b96553e50866ab965f9304bf2808d90ea4be01efa12d380f6d9b76ffe57f09974d5563e5a6018a2009328ce18a25b4b3d1f8

memory/4336-21-0x0000000000F40000-0x0000000000F50000-memory.dmp

memory/4336-23-0x0000000075340000-0x00000000758F1000-memory.dmp

memory/3096-22-0x0000000075340000-0x00000000758F1000-memory.dmp

memory/4336-24-0x0000000075340000-0x00000000758F1000-memory.dmp

memory/4336-26-0x0000000075340000-0x00000000758F1000-memory.dmp