Malware Analysis Report

2025-08-05 15:31

Sample ID 240203-lhzqpagfam
Target 8bfdedc30182ece284b09591788cc931
SHA256 00b99ceddb783a0fe3cac7aa2faa936ab54c5d6ff42280aaa307b04175c97103
Tags
njrat pdf evasion persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

00b99ceddb783a0fe3cac7aa2faa936ab54c5d6ff42280aaa307b04175c97103

Threat Level: Known bad

The file 8bfdedc30182ece284b09591788cc931 was found to be: Known bad.

Malicious Activity Summary

njrat pdf evasion persistence trojan upx

njRAT/Bladabindi

Modifies Windows Firewall

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

UPX packed file

Drops startup file

Adds Run key to start application

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-03 09:32

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-03 09:32

Reported

2024-02-03 09:35

Platform

win10v2004-20231222-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8bfdedc30182ece284b09591788cc931.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\test.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4288 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\8bfdedc30182ece284b09591788cc931.exe C:\Windows\SysWOW64\cmd.exe
PID 4288 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\8bfdedc30182ece284b09591788cc931.exe C:\Windows\SysWOW64\cmd.exe
PID 4288 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\8bfdedc30182ece284b09591788cc931.exe C:\Windows\SysWOW64\cmd.exe
PID 1460 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1460 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1460 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 3036 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\Trojan.exe
PID 3036 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\Trojan.exe
PID 3036 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\Trojan.exe
PID 1100 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe C:\Windows\SysWOW64\netsh.exe
PID 1100 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe C:\Windows\SysWOW64\netsh.exe
PID 1100 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8bfdedc30182ece284b09591788cc931.exe

"C:\Users\Admin\AppData\Local\Temp\8bfdedc30182ece284b09591788cc931.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4288 -ip 4288

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 260

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c test.exe

C:\Users\Admin\AppData\Local\Temp\test.exe

test.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 4288 -ip 4288

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 164

C:\Users\Admin\AppData\Local\Temp\Trojan.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 hhhmach.ddns.net udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/4288-0-0x0000000000400000-0x00000000004FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\test.exe

MD5 a03fed79dc35f460551dd70da2f46715
SHA1 375f9048b51b92b7ecf4a8606070368be1ad71cb
SHA256 d180b725c61b5e56850904832aff1ce0f6d99cd26d02f119f5f8cea60146ab9e
SHA512 8e67f1e688238193034bece7d2bf87601ced58e2ef2319fbd4e2b3c0998b8972bfc9ae5d24b35846b7a5a35a6f57c10de4879fe77dcd87f653fc098e6e644266

C:\Users\Admin\AppData\Local\Temp\test.exe

MD5 42c5854aa0709d8bf6c28ea82c67b9a5
SHA1 124ea473f0572009de85a4a46f361109f4fae7d6
SHA256 71e1add662041fee9ff0ddf0139154cf006538559af45f34047aac91efb1b8eb
SHA512 c0f4412f2237138b5b66ecc285d7f44bacd67ae23feb0a55561cd4f7850ee6b0fd1b1dac3d2725ed4932aaf155b0fbda284a69b07594789bdb4cbcf0f499d95a

memory/3036-7-0x0000000074DD0000-0x0000000075381000-memory.dmp

memory/3036-6-0x0000000000FC0000-0x0000000000FD0000-memory.dmp

memory/3036-5-0x0000000074DD0000-0x0000000075381000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Trojan.exe

MD5 72b73eaf6a91ecfaf35b96652a94e3b3
SHA1 9459172d9c6f1f67da9c278d4eb9f0be437ef5ec
SHA256 bf1be6dc394164cdb8f185955e634febb6a1e6229c7d5c3183b5c4cc1545d5f2
SHA512 dd6913a7014e34162e3b5dbf929fcc99e1aa1491051fc9c35d1440fe5c100061c911adb8f2c5c05acf62a35125d195f2c6a143c6bd6c7914e0b4d4c4aecaee7d

memory/3036-17-0x0000000074DD0000-0x0000000075381000-memory.dmp

memory/1100-20-0x0000000074DD0000-0x0000000075381000-memory.dmp

memory/1100-21-0x0000000000C60000-0x0000000000C70000-memory.dmp

memory/1100-19-0x0000000074DD0000-0x0000000075381000-memory.dmp

memory/4288-22-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/1100-23-0x0000000074DD0000-0x0000000075381000-memory.dmp

memory/1100-24-0x0000000000C60000-0x0000000000C70000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-03 09:32

Reported

2024-02-03 09:35

Platform

win7-20231215-en

Max time kernel

149s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8bfdedc30182ece284b09591788cc931.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1956 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\8bfdedc30182ece284b09591788cc931.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\8bfdedc30182ece284b09591788cc931.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\8bfdedc30182ece284b09591788cc931.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\8bfdedc30182ece284b09591788cc931.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 2416 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 2416 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 2416 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 2668 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\Trojan.exe
PID 2668 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\Trojan.exe
PID 2668 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\Trojan.exe
PID 2668 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\Trojan.exe
PID 2932 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe C:\Windows\SysWOW64\netsh.exe
PID 2932 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe C:\Windows\SysWOW64\netsh.exe
PID 2932 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe C:\Windows\SysWOW64\netsh.exe
PID 2932 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8bfdedc30182ece284b09591788cc931.exe

"C:\Users\Admin\AppData\Local\Temp\8bfdedc30182ece284b09591788cc931.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c test.exe

C:\Users\Admin\AppData\Local\Temp\test.exe

test.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE

C:\Users\Admin\AppData\Local\Temp\Trojan.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 hhhmach.ddns.net udp

Files

memory/1956-0-0x0000000000400000-0x00000000004FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\test.exe

MD5 42c5854aa0709d8bf6c28ea82c67b9a5
SHA1 124ea473f0572009de85a4a46f361109f4fae7d6
SHA256 71e1add662041fee9ff0ddf0139154cf006538559af45f34047aac91efb1b8eb
SHA512 c0f4412f2237138b5b66ecc285d7f44bacd67ae23feb0a55561cd4f7850ee6b0fd1b1dac3d2725ed4932aaf155b0fbda284a69b07594789bdb4cbcf0f499d95a

memory/2668-5-0x0000000074460000-0x0000000074A0B000-memory.dmp

memory/2668-6-0x0000000001D60000-0x0000000001DA0000-memory.dmp

memory/2668-7-0x0000000074460000-0x0000000074A0B000-memory.dmp

memory/2932-16-0x0000000074460000-0x0000000074A0B000-memory.dmp

memory/2668-15-0x0000000074460000-0x0000000074A0B000-memory.dmp

memory/1956-18-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/2932-17-0x0000000000B40000-0x0000000000B80000-memory.dmp

memory/2932-21-0x0000000000B40000-0x0000000000B80000-memory.dmp

memory/2932-20-0x0000000074460000-0x0000000074A0B000-memory.dmp