Malware Analysis Report

2025-03-15 06:26

Sample ID: 240121-pzfwpadec7
Target: 2024-01-21_250b60b4db9e04b067d2a1594a90eedd_mafia_revil
SHA256: bad8a99a5d4ea817a2fb51918b41f0d69d8bb4e8b2af14837d5f16d23ab2b7e6
Tags: njrat hacked evasion trojan
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file 2024-01-21_250b60b4db9e04b067d2a1594a90eedd_mafia_revil was found to be: Known bad.

Malicious Activity Summary

njrat hacked evasion trojan

njRAT/Bladabindi

Modifies Windows Firewall

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-21 12:45

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-21 12:45
Reported: 2024-01-21 12:48
Platform: win7-20231215-en
Max time kernel: 150s
Max time network: 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-21_250b60b4db9e04b067d2a1594a90eedd_mafia_revil.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Dungreed.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\server.exe | N/A | 1
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\server.exe | N/A | 15
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\server.exe | N/A | 15

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 1940 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-21_250b60b4db9e04b067d2a1594a90eedd_mafia_revil.exe | C:\Users\Admin\AppData\Local\Temp\Dungreed.exe | 4
PID 1940 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-21_250b60b4db9e04b067d2a1594a90eedd_mafia_revil.exe | C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe | 4
PID 2396 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\Dungreed.exe | C:\Windows\SysWOW64\WerFault.exe | 4
PID 2672 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe | C:\Users\Admin\AppData\Roaming\server.exe | 3
PID 2704 wrote to memory of 312 | N/A | C:\Users\Admin\AppData\Roaming\server.exe | C:\Windows\system32\netsh.exe | 3

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-21_250b60b4db9e04b067d2a1594a90eedd_mafia_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-21_250b60b4db9e04b067d2a1594a90eedd_mafia_revil.exe"

C:\Users\Admin\AppData\Local\Temp\Dungreed.exe

"C:\Users\Admin\AppData\Local\Temp\Dungreed.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 36

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"

C:\Users\Admin\AppData\Roaming\server.exe

"C:\Users\Admin\AppData\Roaming\server.exe"

C:\Windows\system32\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | myinsu.zz.am | udp

Files

\Users\Admin\AppData\Local\Temp\Dungreed.exe

MD5 9a1a2bc5eaba3af71a195eddae56dbf0
SHA1 f43cbf777fa58966c5fc16ce08dee8013e392d60
SHA256 ae1ec069c5375f6bf759de71b942ba02e62dd4198b3e26d9eae4d42c4a229a4d
SHA512 3e60a735bf4819edbe0dd71f17a1ac45335b70c484d22cd4102e292b46c5428885d0a13bb29a97c934b348751ab8fefefe30b5ae90037cec3a5fe24aae9273cb

C:\Users\Admin\AppData\Local\Temp\Dungreed.exe

MD5 3eed71eab5f2a4ef3307c22d8f40bb5c
SHA1 8039c48e850ad843115a4a863b5f3349338af047
SHA256 58795876fe74fe3d9f0fd961a71172734797950ac147fdde1f4b1c31c8e3b5f7
SHA512 5a8c6d4907ad94d6379999261fd0e43703366949e67f3570a01f203efe66454086b5cae76a56e5af4eb927a24e701c74b63a31e43dbde8c1c5046118625c17b1

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

MD5 eebc0bb463c9848ee0a677dd76bfad40
SHA1 828ed8b09fea31cbf754e72fe764862f777346a0
SHA256 81a2c76032e9ddba52b9aefba29839267379222c005a3fd383112737d83e1887
SHA512 7bc263cb94cc5491c1ff7ab5a76b3bd262ee9ea4f180c15fcf2467a760a2ba1ff2e032779010ddabae027faed7a81433e8ef0fb45d476a0aa7ae5e80839ada77

\Users\Admin\AppData\Local\Temp\Dungreed.exe

MD5 b6456fb5a61fd7a2f36736b8093e2d12
SHA1 64328368cda13afe1084c75f225af00c46541c92
SHA256 cbca4bb26ea176dcf378d27dc12cac0127c9484ce4e3ee2806de8e3139ccbb8f
SHA512 714ec8430a46e12a19a4c442fa7991a3b9820c771e11ab8aa4cba87894180db3787cad154110a21f77157677f49309a5deed772d2c02a788a33cbd28b16d1a45

\Users\Admin\AppData\Local\Temp\Dungreed.exe

MD5 fbb94c4d3fa3872879969cdc37710494
SHA1 73de5c788f9a93c6a414e3a6893f339fb2cdbd1f
SHA256 e8c478c77eac937ee7b5f28c5fd05b170c1a6cf7d75ccfe2569687e261b517ef
SHA512 c7d567fea7063e805c729ed1cf09f852121e9304e665ddd32d23eeb63c72fef3df8412c7fe643ba444ca29545806da27aa5b7477ed34a382e9566e786e0cbe82

\Users\Admin\AppData\Local\Temp\Dungreed.exe

MD5 6e06e5c5c818aec8ece3a03bd2c1963a
SHA1 ded5e1c421c35ec23a9c248653db375a386c1514
SHA256 a5e6a048c25dae47f5abea06a8b39b67b70ad868de0b2c23268c9f510dfa317a
SHA512 6faa8acda8436230654508f581b64e27723a7ed9cf2fcdff86424c433635c805fa5d71ee809c93f8a124325e346e4a87b958df8e2fcfb29f005c66e105d18f88

\Users\Admin\AppData\Local\Temp\Dungreed.exe

MD5 ae85b7a541cf203d13e6ddc3e2ef81b6
SHA1 922cfc671778ae80d449c4c8ac8416a53c69ae02
SHA256 ad2cab9d357e4943e91989080884da47c7a622ccdad22f0b4c5abe388d8e12b6
SHA512 8369ff5dfe4620194411c2d8a724df08cec67d74d3dcbfe7f256bea0cf9d509f5cece016a677fe75f3462bc47573fae53eea237dcea7e101a09ecc3de8208249

\Users\Admin\AppData\Local\Temp\Dungreed.exe

MD5 5ecf61d01316136a656f37e7a7a12304
SHA1 e44f9aa3373bead01da695395b142a7ef54414c3
SHA256 33885fb4ec914807af3f413ca70d50a8f46f041b151a45d67ac4c9b1f50d53bb
SHA512 34703bc5c570826a1c49bd01bd9568bd83bc1f87f5bf0d6fa6f1c9d2042b98871e866dbb372caa327420f4a48f47d2d77653d913af32a89221c061f87b30384b

\Users\Admin\AppData\Local\Temp\Dungreed.exe

MD5 177d8330f10f247128dbec2af4a483ee
SHA1 d368dea02bf8db25aa01cb82a55710cce4b8d2d0
SHA256 76e985db376d5dafd6437e5d800e9304ff78435cd4a773c658894334c9dde229
SHA512 5ab0be8147355e1dac1111dc59af5a2ada72fa8bd23d041004963711bf4730cdc66a782168fbf1c50b1f23c26d7ed5565b5d0535043e59dcbd95f34745e0680a

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-21 12:45
Reported: 2024-01-21 12:48
Platform: win10v2004-20231215-en
Max time kernel: 151s
Max time network: 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-21_250b60b4db9e04b067d2a1594a90eedd_mafia_revil.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\netsh.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-01-21_250b60b4db9e04b067d2a1594a90eedd_mafia_revil.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\server.exe | N/A | 1
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\server.exe | N/A | 16
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\server.exe | N/A | 16

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-21_250b60b4db9e04b067d2a1594a90eedd_mafia_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-21_250b60b4db9e04b067d2a1594a90eedd_mafia_revil.exe"

C:\Users\Admin\AppData\Local\Temp\Dungreed.exe

"C:\Users\Admin\AppData\Local\Temp\Dungreed.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2756 -ip 2756

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2756 -ip 2756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 184

C:\Users\Admin\AppData\Roaming\server.exe

"C:\Users\Admin\AppData\Roaming\server.exe"

C:\Windows\SYSTEM32\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | myinsu.zz.am | udp | 23
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 227.162.46.104.in-addr.arpa | udp | 1

Files

C:\Users\Admin\AppData\Local\Temp\Dungreed.exe

MD5 2f896c0d56343d30c125e96dbb3db9af
SHA1 ade89c34a3497dc5f0957b4a53577b08d46bbe9d
SHA256 30dadd7a0d3812f29c57a5cfc3ef46d3807c6af32d9c4386899ae0d2d22095e4
SHA512 e6b2f90777788e68119dcfd13dca2cd1d6ce78be1fa7226cbd89f2685fafa4d77c1bb3f185b285923bfdf3df9e71cbc25e0d521e0ba8c68b28c96bdd0ee7322e

C:\Users\Admin\AppData\Local\Temp\Dungreed.exe

MD5 3794efb9f6a25187d7c6cf9190e8493d
SHA1 9b62d13ac63e231fc783ec1b248d02f32c5c1620
SHA256 696a4fb0a67f3340914112a8d0ac1fec15655593802f92bd09a51a47a14e772f
SHA512 0ecf07ac954e9083559106a89e137b242149792f74f2d489f6b7219ff4b871e271d03622d4c6ec745f442ed3a1670cab5a21f5fd8683703d103a761d16b108b5

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

MD5 eebc0bb463c9848ee0a677dd76bfad40
SHA1 828ed8b09fea31cbf754e72fe764862f777346a0
SHA256 81a2c76032e9ddba52b9aefba29839267379222c005a3fd383112737d83e1887
SHA512 7bc263cb94cc5491c1ff7ab5a76b3bd262ee9ea4f180c15fcf2467a760a2ba1ff2e032779010ddabae027faed7a81433e8ef0fb45d476a0aa7ae5e80839ada77
