Malware Analysis Report

2024-08-06 19:47

Sample ID 240618-x4h6lsvdrd
Target 20c291ce22e552c46474b8ff8830eeaff52a9aa7fb84c8880c518e546da445b0
SHA256 20c291ce22e552c46474b8ff8830eeaff52a9aa7fb84c8880c518e546da445b0
Tags
njrat neuf evasion persistence privilege_escalation trojan
score
10/10

Analysis Overview

score
10/10

SHA256

20c291ce22e552c46474b8ff8830eeaff52a9aa7fb84c8880c518e546da445b0

Threat Level: Known bad

The file 20c291ce22e552c46474b8ff8830eeaff52a9aa7fb84c8880c518e546da445b0 was found to be: Known bad.

Malicious Activity Summary

njrat neuf evasion persistence privilege_escalation trojan

njRAT/Bladabindi

Modifies Windows Firewall

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-18 19:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 19:24

Reported

2024-06-18 19:26

Platform

win7-20240611-en

Max time kernel

145s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20c291ce22e552c46474b8ff8830eeaff52a9aa7fb84c8880c518e546da445b0.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" C:\Users\Admin\AppData\Local\Temp\20c291ce22e552c46474b8ff8830eeaff52a9aa7fb84c8880c518e546da445b0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\20c291ce22e552c46474b8ff8830eeaff52a9aa7fb84c8880c518e546da445b0.exe" C:\Users\Admin\AppData\Local\Temp\20c291ce22e552c46474b8ff8830eeaff52a9aa7fb84c8880c518e546da445b0.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2620 set thread context of 2672 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A (this row and the next alternate, 16 occurrences each)
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2432 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\20c291ce22e552c46474b8ff8830eeaff52a9aa7fb84c8880c518e546da445b0.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (4 occurrences)
PID 2620 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (9 occurrences)
PID 2672 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe (4 occurrences)

Processes

C:\Users\Admin\AppData\Local\Temp\20c291ce22e552c46474b8ff8830eeaff52a9aa7fb84c8880c518e546da445b0.exe

"C:\Users\Admin\AppData\Local\Temp\20c291ce22e552c46474b8ff8830eeaff52a9aa7fb84c8880c518e546da445b0.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 doddyfire.linkpc.net udp
MA 160.177.58.73:10000 doddyfire.linkpc.net tcp (6 occurrences)

Files

memory/2432-0-0x00000000749E1000-0x00000000749E2000-memory.dmp

memory/2432-1-0x00000000749E0000-0x0000000074F8B000-memory.dmp

memory/2432-2-0x00000000749E0000-0x0000000074F8B000-memory.dmp

\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 faa3a42eee02bed8ca62227cfe1eb4fc
SHA1 e5fc0529a6e0f06b7e70f4faa966be46d15641f0
SHA256 3f01cde88508cbab3c41f920631498d135f53bab510805cce0d5f0d78aa8f5bc
SHA512 3a8fbc4a082245077f940f69f185ab2cc72c25aced70f23a04345d779852c1be8c56c09beee3706a72b5baa02dc67177be5a8a3eeb20ba0d45a0d23e9a9b65e3

memory/2432-15-0x00000000749E0000-0x0000000074F8B000-memory.dmp

memory/2620-18-0x00000000749E0000-0x0000000074F8B000-memory.dmp

memory/2620-17-0x00000000749E0000-0x0000000074F8B000-memory.dmp

memory/2620-16-0x00000000749E0000-0x0000000074F8B000-memory.dmp

memory/2672-19-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2620-25-0x00000000749E0000-0x0000000074F8B000-memory.dmp

memory/2672-24-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2672-22-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2620-26-0x00000000749E0000-0x0000000074F8B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 19:24

Reported

2024-06-18 19:26

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20c291ce22e552c46474b8ff8830eeaff52a9aa7fb84c8880c518e546da445b0.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\20c291ce22e552c46474b8ff8830eeaff52a9aa7fb84c8880c518e546da445b0.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" C:\Users\Admin\AppData\Local\Temp\20c291ce22e552c46474b8ff8830eeaff52a9aa7fb84c8880c518e546da445b0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\20c291ce22e552c46474b8ff8830eeaff52a9aa7fb84c8880c518e546da445b0.exe" C:\Users\Admin\AppData\Local\Temp\20c291ce22e552c46474b8ff8830eeaff52a9aa7fb84c8880c518e546da445b0.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 668 set thread context of 1196 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A (this row and the next alternate, 16 occurrences each)
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4584 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\20c291ce22e552c46474b8ff8830eeaff52a9aa7fb84c8880c518e546da445b0.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (3 occurrences)
PID 668 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (8 occurrences)
PID 1196 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe (3 occurrences)

Processes

C:\Users\Admin\AppData\Local\Temp\20c291ce22e552c46474b8ff8830eeaff52a9aa7fb84c8880c518e546da445b0.exe

"C:\Users\Admin\AppData\Local\Temp\20c291ce22e552c46474b8ff8830eeaff52a9aa7fb84c8880c518e546da445b0.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.107.129:443 www.bing.com tcp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 129.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 doddyfire.linkpc.net udp
MA 160.177.58.73:10000 doddyfire.linkpc.net tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 113.251.17.2.in-addr.arpa udp
MA 160.177.58.73:10000 doddyfire.linkpc.net tcp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
MA 160.177.58.73:10000 doddyfire.linkpc.net tcp
MA 160.177.58.73:10000 doddyfire.linkpc.net tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
MA 160.177.58.73:10000 doddyfire.linkpc.net tcp
MA 160.177.58.73:10000 doddyfire.linkpc.net tcp
US 8.8.8.8:53 udp

Files

memory/4584-0-0x0000000075552000-0x0000000075553000-memory.dmp

memory/4584-1-0x0000000075550000-0x0000000075B01000-memory.dmp

memory/4584-2-0x0000000075550000-0x0000000075B01000-memory.dmp

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 6182d7adf3cc1a7b4780d2c37dd2fe59
SHA1 162f13018f05de27765a190ff51a3f3a9af15e8b
SHA256 e65441b215df19d82a310b0331ad3f3035c99c16dafb743dd75c51551da0c06b
SHA512 c76889fd3896233b097449bacf9477c5345da17008d7df9e96428b846cf1cd966e118f73d4373f322dc65ee0e983cbc527417d920401ce54f8027079557010a2

memory/668-17-0x0000000075550000-0x0000000075B01000-memory.dmp

memory/4584-18-0x0000000075550000-0x0000000075B01000-memory.dmp

memory/668-19-0x0000000075550000-0x0000000075B01000-memory.dmp

memory/668-20-0x0000000075550000-0x0000000075B01000-memory.dmp

memory/1196-21-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log

MD5 0a9b4592cd49c3c21f6767c2dabda92f
SHA1 f534297527ae5ccc0ecb2221ddeb8e58daeb8b74
SHA256 c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd
SHA512 6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

memory/1196-26-0x0000000075550000-0x0000000075B01000-memory.dmp

memory/1196-25-0x0000000075550000-0x0000000075B01000-memory.dmp

memory/668-27-0x0000000075550000-0x0000000075B01000-memory.dmp

memory/1196-28-0x0000000075550000-0x0000000075B01000-memory.dmp