Malware Analysis Report

2024-08-06 19:48

Sample ID 240617-bt6m9sscjr
Target f9a8439b27e33b82578b1bac2e1abef4e8bf15cbef1bb935b242bbdda0535478.exe
SHA256 f9a8439b27e33b82578b1bac2e1abef4e8bf15cbef1bb935b242bbdda0535478
Tags
njrat neuf persistence trojan evasion
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f9a8439b27e33b82578b1bac2e1abef4e8bf15cbef1bb935b242bbdda0535478

Threat Level: Known bad

The file f9a8439b27e33b82578b1bac2e1abef4e8bf15cbef1bb935b242bbdda0535478.exe was found to be: Known bad.

Malicious Activity Summary

njrat neuf persistence trojan evasion

njRAT/Bladabindi

Modifies Windows Firewall

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Create or Modify System Process
T1543
Windows Service
T1543.003
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Create or Modify System Process
T1543
Windows Service
T1543.003
Defense Evasion
TA0005
Modify Registry
T1112
Impair Defenses
T1562
Disable or Modify System Firewall
T1562.004
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-17 01:27

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 01:27

Reported

2024-06-17 01:29

Platform

win10v2004-20240508-en

Max time kernel

52s

Max time network

56s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f9a8439b27e33b82578b1bac2e1abef4e8bf15cbef1bb935b242bbdda0535478.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f9a8439b27e33b82578b1bac2e1abef4e8bf15cbef1bb935b242bbdda0535478.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" C:\Users\Admin\AppData\Local\Temp\f9a8439b27e33b82578b1bac2e1abef4e8bf15cbef1bb935b242bbdda0535478.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f9a8439b27e33b82578b1bac2e1abef4e8bf15cbef1bb935b242bbdda0535478.exe" C:\Users\Admin\AppData\Local\Temp\f9a8439b27e33b82578b1bac2e1abef4e8bf15cbef1bb935b242bbdda0535478.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 916 set thread context of 2172 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 916 set thread context of 1408 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1640 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\f9a8439b27e33b82578b1bac2e1abef4e8bf15cbef1bb935b242bbdda0535478.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1640 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\f9a8439b27e33b82578b1bac2e1abef4e8bf15cbef1bb935b242bbdda0535478.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1640 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\f9a8439b27e33b82578b1bac2e1abef4e8bf15cbef1bb935b242bbdda0535478.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 916 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 916 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 916 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 916 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 916 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 916 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 916 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 916 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 916 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 916 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 916 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 916 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 916 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 916 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 916 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 916 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f9a8439b27e33b82578b1bac2e1abef4e8bf15cbef1bb935b242bbdda0535478.exe

"C:\Users\Admin\AppData\Local\Temp\f9a8439b27e33b82578b1bac2e1abef4e8bf15cbef1bb935b242bbdda0535478.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1408 -ip 1408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 80

Network

Files

memory/1640-0-0x0000000074D32000-0x0000000074D33000-memory.dmp

memory/1640-1-0x0000000074D30000-0x00000000752E1000-memory.dmp

memory/1640-2-0x0000000074D30000-0x00000000752E1000-memory.dmp

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 f43810503be1e72671b693bc572e018e
SHA1 9bc8a169499481f7a8a55af2187bfea527278a62
SHA256 996d2851006797d4e31bae28690ff0f39c14ce988aa7ee88a08ffbab66e016ab
SHA512 62c6d5fb6790fddaf16ec832445dc75fdf410e079a8b6cfc384db97e9ca925a1c416ba61b81fe759aba366dd1fa7343cbe50ca51ed4424a7d066e0c85fc94260

memory/1640-17-0x0000000074D30000-0x00000000752E1000-memory.dmp

memory/916-19-0x0000000074D30000-0x00000000752E1000-memory.dmp

memory/916-18-0x0000000074D30000-0x00000000752E1000-memory.dmp

memory/2172-20-0x0000000000400000-0x000000000040C000-memory.dmp

memory/916-25-0x0000000074D30000-0x00000000752E1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 01:27

Reported

2024-06-17 01:29

Platform

win7-20240611-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f9a8439b27e33b82578b1bac2e1abef4e8bf15cbef1bb935b242bbdda0535478.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f9a8439b27e33b82578b1bac2e1abef4e8bf15cbef1bb935b242bbdda0535478.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f9a8439b27e33b82578b1bac2e1abef4e8bf15cbef1bb935b242bbdda0535478.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" C:\Users\Admin\AppData\Local\Temp\f9a8439b27e33b82578b1bac2e1abef4e8bf15cbef1bb935b242bbdda0535478.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f9a8439b27e33b82578b1bac2e1abef4e8bf15cbef1bb935b242bbdda0535478.exe" C:\Users\Admin\AppData\Local\Temp\f9a8439b27e33b82578b1bac2e1abef4e8bf15cbef1bb935b242bbdda0535478.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2640 set thread context of 1748 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2620 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\f9a8439b27e33b82578b1bac2e1abef4e8bf15cbef1bb935b242bbdda0535478.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2620 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\f9a8439b27e33b82578b1bac2e1abef4e8bf15cbef1bb935b242bbdda0535478.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2620 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\f9a8439b27e33b82578b1bac2e1abef4e8bf15cbef1bb935b242bbdda0535478.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2620 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\f9a8439b27e33b82578b1bac2e1abef4e8bf15cbef1bb935b242bbdda0535478.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2640 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2640 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2640 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2640 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2640 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2640 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2640 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2640 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2640 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1748 wrote to memory of 892 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 1748 wrote to memory of 892 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 1748 wrote to memory of 892 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 1748 wrote to memory of 892 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f9a8439b27e33b82578b1bac2e1abef4e8bf15cbef1bb935b242bbdda0535478.exe

"C:\Users\Admin\AppData\Local\Temp\f9a8439b27e33b82578b1bac2e1abef4e8bf15cbef1bb935b242bbdda0535478.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 doddyfire.linkpc.net udp
MA 105.156.53.97:10000 doddyfire.linkpc.net tcp
MA 105.156.53.97:10000 doddyfire.linkpc.net tcp
MA 105.156.53.97:10000 doddyfire.linkpc.net tcp
MA 105.156.53.97:10000 doddyfire.linkpc.net tcp
MA 105.156.53.97:10000 doddyfire.linkpc.net tcp
MA 105.156.53.97:10000 doddyfire.linkpc.net tcp

Files

memory/2620-0-0x0000000074971000-0x0000000074972000-memory.dmp

memory/2620-1-0x0000000074970000-0x0000000074F1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab1631.tmp

MD5 2d3dcf90f6c99f47e7593ea250c9e749
SHA1 51be82be4a272669983313565b4940d4b1385237
SHA256 8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4
SHA512 9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

C:\Users\Admin\AppData\Local\Temp\Tar16B5.tmp

MD5 7186ad693b8ad9444401bd9bcd2217c2
SHA1 5c28ca10a650f6026b0df4737078fa4197f3bac1
SHA256 9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed
SHA512 135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0d032bb0c2c677007a8fdcbd98b4555d
SHA1 0759ff7ee131bc2bfe4f56fb5552b64b725d3154
SHA256 74d68be8c5d561b448f64ae2c7e846659c62faecd500ba7f22e61e3911dd22be
SHA512 2c8bdef8349c93403786033688c93cf236b94186230c57a56fc858d1f0ccb5724c5cf1667750f32c6d5f0da6aaf019e111bac797acc82227d35cb23403a40e5c

\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 a083ef534511b3e9334a3d4c5a159458
SHA1 23a5fdff9071ab8e5b6e607ea3d973f9c546c103
SHA256 0491b078863bf1624c78c9c9240c6773f3b315e67591d7c9043de9ebf947ae2b
SHA512 d988100418da85a8ce1d72adca1d463637e49e3e1ea4b7c3cafad7ad788b74b86461c95e68c1b8dc304eac6e2075f7bb038a092166e545860e3c6c0fc95ac266

memory/2620-159-0x0000000074970000-0x0000000074F1B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4580b32852d21a749941bf328d019428
SHA1 35b2295efb4bdf89bbbebb291fe10e4b80e81dfb
SHA256 e330d18534f50fe37a5b40911a1752c9e79b10e00f5e516cdf7090a828a9fbf2
SHA512 74df7a6363faba15378bef3b1e1679c4b762c8d9d7f2cd2a791a3fba3aad054cb0a9ee0a01f1e2eb93098b4de82c035f1a484dac39e645df9a5afc95cf2dbb28

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e1c497cdb033914e6d704554e6c53a3f
SHA1 9477dfd3e405fc5204c19c07e4872e77fbbb9566
SHA256 007f5e3815503eb37211e45fdf3cabc58b07794e21396d4b20813cfdab12de77
SHA512 6d863b165daf67d694064f82d893aa327239f4c4fc4549e05fd25ed2f1b80bce5439190b2fe0b4d2d40efc54efbe05c81de138e1a77c45aa097b8606358d7f9b

memory/1748-302-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1748-305-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1748-304-0x0000000000400000-0x000000000040C000-memory.dmp