Malware Analysis Report

2025-03-15 06:25

Sample ID 240127-qyd65sfbbr
Target Keygen Xdecoder.exe
SHA256 567c4101aa7ad812b7bd42d87a5ba7d9c4f82dd7096daa7b079cfa70649dec2e
Tags
njrat hacked persistence trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file Keygen Xdecoder.exe was found to be: Known bad.

Malicious Activity Summary

njRAT/Bladabindi

Executes dropped EXE

Loads dropped DLL

Drops startup file

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Views/modifies file attributes

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-27 13:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-27 13:39

Reported

2024-01-27 14:04

Platform

win7-20231215-en

Max time kernel

1200s

Max time network

1200s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Keygen Xdecoder.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk C:\Users\Admin\AppData\Local\Temp\paylod.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk C:\Windows\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe C:\Windows\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe C:\Windows\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\paylod.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Keygen (2).exe N/A
N/A N/A C:\Windows\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" C:\Windows\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Windows\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\paylod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" C:\Windows\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" C:\Windows\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" C:\Windows\svchost.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Keygen Xdecoder.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\svchost.exe C:\Users\Admin\AppData\Local\Temp\paylod.exe N/A
File opened for modification C:\Windows\svchost.exe C:\Windows\SysWOW64\attrib.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Keygen Xdecoder.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Keygen (2).exe N/A
N/A N/A C:\Windows\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Keygen Xdecoder.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Keygen (2).exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1700 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\Keygen Xdecoder.exe C:\Users\Admin\AppData\Local\Temp\paylod.exe
PID 1700 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\Keygen Xdecoder.exe C:\Users\Admin\AppData\Local\Temp\Keygen (2).exe
PID 2800 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\paylod.exe C:\Windows\svchost.exe
PID 2800 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\paylod.exe C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Keygen Xdecoder.exe

"C:\Users\Admin\AppData\Local\Temp\Keygen Xdecoder.exe"

C:\Users\Admin\AppData\Local\Temp\Keygen (2).exe

"C:\Users\Admin\AppData\Local\Temp\Keygen (2).exe"

C:\Users\Admin\AppData\Local\Temp\paylod.exe

"C:\Users\Admin\AppData\Local\Temp\paylod.exe"

C:\Windows\svchost.exe

"C:\Windows\svchost.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Windows\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ecutuning.ddns.net udp
DZ 105.105.91.157:11560 ecutuning.ddns.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\Keygen (2).exe

MD5 64cba06221b0fa10d6bb53f8af7d8b22
SHA1 d915a4b440eecff67d420c5b04d99d7463eab120
SHA256 a3ae13ffd73b423f57cc6ac82fd7555f6d84609b3e7e0c7c54fb2ca7e093d3bc
SHA512 2b1152bbd52204727244e019580887d4a8521a3c9da27eb0bb2d0def5396e36c2d4bef32d19a3a43caa8546afbd54d8408d7793c8e9ff07585d82997f6f512c9

C:\Users\Admin\AppData\Local\Temp\Keygen (2).exe

MD5 a5e0303ac288d0889ad7009e759f615b
SHA1 4c1a9b890fb183e58f9bf0842a91589cf7c5918e
SHA256 0ec55b3530366d0141f3cd4e29c35ca71412ccc49516bb3bd9aaf933f606efa1
SHA512 c668b36d4a7f0453a196263b1857da7326ecaebdc6c9ffa030dc69757a8d3c7b138920e83d8453d45b12f1f2a16c41ff65e4e57db1456931f0c3d1995037e626

\Users\Admin\AppData\Local\Temp\Keygen (2).exe

MD5 0a02a328b2bb782dff9218bf822cf8e5
SHA1 32a42df6999c62ee8bc3fd6d20b22aef54f048b5
SHA256 94e4b017d7da3f7ebd79937f9fb07914f983840163667cd152785061a5b2f36c
SHA512 034b2c186e50d79c1854541c1453657115ecdb2410344bd1224fe1e027c65384121a1fc3c200b8f7715e84f221587c71fb6216f2213bdb13ef62553350fb5fc0

C:\Users\Admin\AppData\Local\Temp\paylod.exe

MD5 e6149ed0cdf7e22aaa3c79dfc7150900
SHA1 d9e1b9e3feff75897030366ba28d2c460374afa2
SHA256 b107529ccc4a4ad32ab1bd60ef6ae6b1cebc5e5252c0a6cd53a0cf6028e346d2
SHA512 f086c90a52981143e79066482b73c5e673c0e72332f204fa8f33b2ff180dbe52f1ee93bb44a1852d513569c3091ce81ba1185e511e00abdbbe1f2182a853f67e

\Users\Admin\AppData\Local\Temp\Keygen (2).exe

MD5 01c972bd45505e5fe75b7cb83b27533c
SHA1 e5c713841eed54be1fb263920108bd58beb6e0b8
SHA256 41ef1d31a4782f939a024ca127eb1e6ea616a44ed0ed618ff5b31bd91b66cdb7
SHA512 7caf6a572a960218716e3f3a40983b5ccc29c06320bef144465c4598abf4fbbb7e298c964edefd9a8fa8fdef08bb26ff9c3838e95ad98fe099581092afad282d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

MD5 387937c39ce58e167c8ba732bd92931a
SHA1 d31fb8d416efd34f9b965115edb54917e778f63f
SHA256 b3b40e302cb318abff9736936e3e8e02953aeb8949c686a4e0583880ecfa51cc
SHA512 e9265317d845d61e1cdc81942e1e37caa2ab9af7f6de6396610929bc56860d7f1fea9f39636d89885b417c49a4205fe2b322921997f3ef6040a1286df0d734e8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

MD5 93b3ed8bc82c8b93c3aaa87b9d984542
SHA1 1b01bbe3f7aef5a5114b3142c42cd4d9f694928b
SHA256 366b5a32bc0bec7ce9b4e97179ea7062ed9b20e9f04807b3fb44790757019d24
SHA512 75d176a38fc1f54e14ec97aa1daf7b753e4a89c189df2777d0304f68835370896757646cd49cfbc7796437559cb18fe88135807e6bd2d3f8a37c2b9c65c8d781
