Malware Analysis Report

2024-10-19 08:17

Sample ID 240622-3y297avcmn
Target وزنية زاحفههه.exe
SHA256 71b39da7c5a7414f5308daae6f98208d1c1636e69dbaa51d09c8ebc84b180c38
Tags
njrat server evasion persistence privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

71b39da7c5a7414f5308daae6f98208d1c1636e69dbaa51d09c8ebc84b180c38

Threat Level: Known bad

The file وزنية زاحفههه.exe was found to be: Known bad.

Malicious Activity Summary

njrat server evasion persistence privilege_escalation trojan

njRAT/Bladabindi

Modifies Windows Firewall

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

AutoIT Executable

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Enumerates physical storage devices

NSIS installer

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-22 23:56

Signatures

AutoIT Executable

No indicator details recorded.

Unsigned PE

No indicator details recorded.

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 23:56

Reported

2024-06-22 23:59

Platform

win7-20240611-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\وزنية زاحفههه.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6eff5e1ac69475e84ad4e71ee67ef805.exe C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6eff5e1ac69475e84ad4e71ee67ef805.exe C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\6eff5e1ac69475e84ad4e71ee67ef805 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\6eff5e1ac69475e84ad4e71ee67ef805 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Note: these rows show netsh.exe reading the helper-DLL list it consults at startup. No value is written under this key in this run, so the signature reflects netsh's normal startup rather than a helper-DLL registration by the sample; a real registration would appear as a Set value under this key.

NSIS installer

installer
No indicator details recorded.

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EqualizerAPO32-1.3.2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
(the last two rows alternate 17 times in the original report; "33" is a privilege LUID the sandbox did not resolve to a name, and LUID 33 is SeIncreaseWorkingSetPrivilege in winnt.h)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1856 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\وزنية زاحفههه.exe C:\Users\Admin\AppData\Local\Temp\Client.exe
PID 1856 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\وزنية زاحفههه.exe C:\Users\Admin\AppData\Local\Temp\EqualizerAPO32-1.3.2.exe
PID 1532 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Users\Admin\AppData\Local\Temp\Trojan.exe
PID 2788 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe C:\Windows\SysWOW64\netsh.exe
(each row appears 4 times in the original report)

Processes

C:\Users\Admin\AppData\Local\Temp\وزنية زاحفههه.exe

"C:\Users\Admin\AppData\Local\Temp\وزنية زاحفههه.exe"

C:\Users\Admin\AppData\Local\Temp\Client.exe

C:\Users\Admin\AppData\Local\Temp/Client.exe

C:\Users\Admin\AppData\Local\Temp\EqualizerAPO32-1.3.2.exe

C:\Users\Admin\AppData\Local\Temp/EqualizerAPO32-1.3.2.exe

C:\Users\Admin\AppData\Local\Temp\Trojan.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
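Added example, not sandbox output and not part of this report: host-side detection logic for the three behaviours recorded above (the Run key and startup-folder rows under "Drops startup file" and "Adds Run key to start application", and the netsh firewall command line). The same rows recur in behavioral2, so one block serves both runs. It goes slightly beyond the report by also matching the advfirewall form of the same exception (netsh advfirewall firewall add rule ... program=). The Event record layout, the detection strings and the two benign control records are assumptions made for the example; the three malicious records are constructed from the report's own rows.

```python
"""Detections for the persistence and firewall-evasion indicators in this report.
Added example; the Event layout and the benign control records are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Anything under a user profile's AppData is writable without elevation; an autorun
# entry or firewall exception that points there is the suspicious part, not netsh itself.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
# The report shows the Run value and the startup-folder copy both named after a
# 32-hex-digit identifier (6eff5e1a...); that shape is flagged on its own.
HEX32 = re.compile(r"^[0-9a-f]{32}(\.exe)?$", re.I)
# Legacy syntax as used in this report, plus the advfirewall form of the same rule.
NETSH_ALLOW = re.compile(
    r'netsh\s+firewall\s+add\s+allowedprogram\s+(?:"([^"]+)"|(\S+))', re.I)
ADVFW_ALLOW = re.compile(
    r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))', re.I)
# First quoted (or bare) executable in a Run value; the trailing " .." argument is ignored.
VALUE_EXE = re.compile(r'^"?([A-Za-z]:\\[^"]+?\.exe)', re.I)


@dataclass(frozen=True)
class Event:
    kind: str     # "process", "registry_set" or "file_create"
    process: str  # image path of the acting process
    detail: str   # command line, "key = value", or the created file path


def user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.search(path))


def check(ev: Event) -> List[str]:
    """Return the detections one event triggers (empty list if none)."""
    hits: List[str] = []
    if ev.kind == "process":
        for pat in (NETSH_ALLOW, ADVFW_ALLOW):
            m = pat.search(ev.detail)
            if m:
                prog = m.group(1) or m.group(2)
                if user_writable(prog):
                    hits.append(f"firewall exception for user-writable binary: {prog}")
    elif ev.kind == "registry_set":
        key, _, value = ev.detail.partition(" = ")
        km = RUN_KEY.search(key)
        vm = VALUE_EXE.match(value.strip())
        if km and vm and user_writable(vm.group(1)):
            hits.append(f"Run value {km.group(1)} starts user-writable binary {vm.group(1)}")
        if km and HEX32.match(km.group(1)):
            hits.append(f"Run value name is a 32-hex identifier: {km.group(1)}")
    elif ev.kind == "file_create" and STARTUP_DIR.search(ev.detail):
        name = ev.detail.rsplit("\\", 1)[-1]
        hits.append(f"startup-folder drop: {name}")
        if HEX32.match(name):
            hits.append(f"startup file name is a 32-hex identifier: {name}")
    return hits


def scan(events: List[Event]) -> Dict[int, List[str]]:
    """Map the index of every flagged event to its detections."""
    flagged: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        hits = check(ev)
        if hits:
            flagged[i] = hits
    return flagged


# Constructed input: the first three records mirror this report's behavioral1 rows,
# the last two are invented benign controls the checks should leave alone.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\SysWOW64\netsh.exe",
          r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE'),
    Event("registry_set", r"C:\Users\Admin\AppData\Local\Temp\Trojan.exe",
          r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
          r'\6eff5e1ac69475e84ad4e71ee67ef805 = "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" ..'),
    Event("file_create", r"C:\Users\Admin\AppData\Local\Temp\Trojan.exe",
          r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
          r"\6eff5e1ac69475e84ad4e71ee67ef805.exe"),
    Event("process", r"C:\Windows\System32\netsh.exe",
          r'netsh advfirewall firewall add rule name="Vendor App" dir=in action=allow '
          r'program="C:\Program Files\Vendor\app.exe" enable=yes'),
    Event("registry_set", r"C:\Windows\explorer.exe",
          r'\REGISTRY\USER\S-1-5-21-1-1-1-1000\Software\Microsoft\Windows\CurrentVersion\Run'
          r'\OneDrive = "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        for h in hits:
            print(f"event {idx} [{SAMPLE_EVENTS[idx].process}]: {h}")
```

The decisive test in each check is the location of the binary, not the tool: netsh and Run keys are used legitimately all the time, but an exception or autorun entry pointing into %TEMP% or the Startup folder, under a 32-hex name, is the pattern this report documents.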

Network

Country Destination Domain Proto
N/A 127.0.0.1:6522 tcp
(this row appears 45 times in the original report: 45 TCP connections to 127.0.0.1:6522, no domain)
All recorded traffic goes to the loopback address, so no external command-and-control host was contacted during this detonation.

Files

C:\Users\Admin\AppData\Local\Temp\EqualizerAPO32-1.3.2.exe

MD5 340537574c05238b1bec13fe9f9e80b0
SHA1 4d77a3a81c4272073d1ca80267e5dac1316fc421
SHA256 580d8e5253a6610f8089d5a60597620c6ecb619f7bbb4d28ed75393342fbb708
SHA512 c283d4096cf6c1713fb2a6e4c56c7d76093e167736ff84f62d437512ed2161a01aaab916b80b62486b29d50abd525b518b6b3f6de99399db77320a50dabd2901

\Users\Admin\AppData\Local\Temp\Client.exe

MD5 0400e17a5bdb1fa5877c12d609dd15f8
SHA1 0e2af75fd16b9d2902a69c94a6eaa1cef4565f64
SHA256 99b91723fd7afa33700fb055e3dd505af43957841774d35945271d92c3388e6b
SHA512 6fa737ef7ec683b9dae18a9f150555f1dc5da6cf0e9c74b8b3aca58055539a8f5ded243bee14f2247712373213c1da5aee9d7c6149791fc7950ad9293d0eed9a

memory/1532-20-0x00000000743E1000-0x00000000743E2000-memory.dmp

memory/1532-22-0x00000000743E0000-0x000000007498B000-memory.dmp

memory/1532-23-0x00000000743E0000-0x000000007498B000-memory.dmp

\Users\Admin\AppData\Local\Temp\nso149C.tmp\NSISpcre.dll

MD5 bfe060c22b44914e05d3f5367de6c9fe
SHA1 24c72b0b57b0066a5e8b235104a0502400e44b9a
SHA256 43041f8540dccbc33268bfbef53037d17170b037f6393e77c21429f303ae828f
SHA512 ad3a23edd8d62b198e4a2ccf03f6d607dee41fa23fd6f9dfabdc5ee424b5e22a6e00b8a28e50fe177829a2cc25ce05484423e97c682036fc5146e2adf560bc44

memory/1532-36-0x00000000743E0000-0x000000007498B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 23:56

Reported

2024-06-22 23:59

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\وزنية زاحفههه.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6eff5e1ac69475e84ad4e71ee67ef805.exe C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6eff5e1ac69475e84ad4e71ee67ef805.exe C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EqualizerAPO32-1.3.2.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6eff5e1ac69475e84ad4e71ee67ef805 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6eff5e1ac69475e84ad4e71ee67ef805 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Note: as in behavioral1, these rows show netsh.exe reading the helper-DLL list it consults at startup; no value is written under this key in this run, so the signature reflects netsh's normal startup rather than a helper-DLL registration by the sample.

NSIS installer

installer
No indicator details recorded.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe N/A
(the last two rows alternate 17 times in the original report; "33" is a privilege LUID the sandbox did not resolve to a name, and LUID 33 is SeIncreaseWorkingSetPrivilege in winnt.h)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 792 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\وزنية زاحفههه.exe C:\Users\Admin\AppData\Local\Temp\Client.exe
PID 792 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\وزنية زاحفههه.exe C:\Users\Admin\AppData\Local\Temp\EqualizerAPO32-1.3.2.exe
PID 376 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Users\Admin\AppData\Local\Temp\Trojan.exe
PID 3488 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe C:\Windows\SysWOW64\netsh.exe
(each row appears 3 times in the original report)
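Added example, not part of the sandbox report: a parser that turns the "PID X wrote to memory of Y" rows of the WriteProcessMemory tables (this one and the behavioral1 table, which has the same shape with different PIDs) into a process tree with a write count per edge, so the dropper's two children are visible at a glance: the bundled EqualizerAPO32-1.3.2.exe installer, which the report flags as NSIS, beside Client.exe, which launches Trojan.exe, which launches netsh.exe. The input is the behavioral2 table as the sandbox emitted it, with each edge reported three times; the row regex, the output format and the chain_to helper are assumptions made for the example. Every edge here is a parent writing into a process it created, and the counts are identical for the installer and for Client.exe, so this table alone does not show injection into a foreign process.

```python
"""Process-tree reconstruction from "PID X wrote to memory of Y" rows.
Added example; SAMPLE_ROWS is this report's behavioral2 table as emitted."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# "PID <p> wrote to memory of <c> N/A <parent image> <child image>". Both images end in
# .exe, which is what lets the parser split a path containing spaces from the next one.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+?\.exe)$")

# Constructed input: the twelve rows of the behavioral2 table, verbatim.
SAMPLE_ROWS = r"""
PID 792 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\وزنية زاحفههه.exe C:\Users\Admin\AppData\Local\Temp\Client.exe
PID 792 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\وزنية زاحفههه.exe C:\Users\Admin\AppData\Local\Temp\Client.exe
PID 792 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\وزنية زاحفههه.exe C:\Users\Admin\AppData\Local\Temp\Client.exe
PID 792 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\وزنية زاحفههه.exe C:\Users\Admin\AppData\Local\Temp\EqualizerAPO32-1.3.2.exe
PID 792 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\وزنية زاحفههه.exe C:\Users\Admin\AppData\Local\Temp\EqualizerAPO32-1.3.2.exe
PID 792 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\وزنية زاحفههه.exe C:\Users\Admin\AppData\Local\Temp\EqualizerAPO32-1.3.2.exe
PID 376 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Users\Admin\AppData\Local\Temp\Trojan.exe
PID 376 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Users\Admin\AppData\Local\Temp\Trojan.exe
PID 376 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Users\Admin\AppData\Local\Temp\Trojan.exe
PID 3488 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe C:\Windows\SysWOW64\netsh.exe
PID 3488 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe C:\Windows\SysWOW64\netsh.exe
PID 3488 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.exe C:\Windows\SysWOW64\netsh.exe
""".strip().splitlines()


def parse(rows: List[str]) -> Tuple[Counter, Dict[int, str]]:
    """Count writes per (parent, child) edge and remember each pid's image path."""
    edges: Counter = Counter()
    names: Dict[int, str] = {}
    for line in rows:
        m = ROW.match(line.strip())
        if not m:
            continue  # header line or anything that is not a write row
        ppid, cpid = int(m.group(1)), int(m.group(2))
        edges[(ppid, cpid)] += 1
        names[ppid], names[cpid] = m.group(3), m.group(4)
    return edges, names


def render(rows: List[str]) -> List[str]:
    """Indented tree, one line per process, with the write count on each edge."""
    edges, names = parse(rows)
    children = defaultdict(list)
    for (p, c), n in sorted(edges.items()):
        children[p].append((c, n))
    roots = sorted({p for p, _ in edges} - {c for _, c in edges})
    out: List[str] = []

    def walk(pid: int, depth: int) -> None:
        for c, n in children[pid]:
            out.append(f"{'  ' * depth}{names[c]} (pid {c}, {n} writes)")
            walk(c, depth + 1)

    for r in roots:
        out.append(f"{names[r]} (pid {r})")
        walk(r, 1)
    return out


def chain_to(rows: List[str], leaf: str) -> List[str]:
    """Image basenames from the root down to the first process whose image is `leaf`."""
    edges, names = parse(rows)
    parent = {c: p for p, c in edges}
    base = lambda pid: names[pid].rsplit("\\", 1)[-1]
    target = next((pid for pid in names if base(pid).lower() == leaf.lower()), None)
    if target is None:
        return []
    chain = [target]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return [base(pid) for pid in reversed(chain)]


if __name__ == "__main__":
    print("\n".join(render(SAMPLE_ROWS)))
    print(" -> ".join(chain_to(SAMPLE_ROWS, "netsh.exe")))
```

Running the block prints the five-process tree and the chain from the dropper through Client.exe and Trojan.exe to netsh.exe; the Processes section below lists the same five images with their command lines.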

Processes

C:\Users\Admin\AppData\Local\Temp\وزنية زاحفههه.exe

"C:\Users\Admin\AppData\Local\Temp\وزنية زاحفههه.exe"

C:\Users\Admin\AppData\Local\Temp\Client.exe

C:\Users\Admin\AppData\Local\Temp/Client.exe

C:\Users\Admin\AppData\Local\Temp\EqualizerAPO32-1.3.2.exe

C:\Users\Admin\AppData\Local\Temp/EqualizerAPO32-1.3.2.exe

C:\Users\Admin\AppData\Local\Temp\Trojan.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE

Network

Country Destination Domain Proto
N/A 127.0.0.1:6522 tcp
(this row appears 33 times in the original report: 33 TCP connections to 127.0.0.1:6522, no domain)
As in behavioral1, all recorded traffic goes to the loopback address, so no external command-and-control host was contacted during this detonation.

Files

C:\Users\Admin\AppData\Local\Temp\aut50C1.tmp

MD5 340537574c05238b1bec13fe9f9e80b0
SHA1 4d77a3a81c4272073d1ca80267e5dac1316fc421
SHA256 580d8e5253a6610f8089d5a60597620c6ecb619f7bbb4d28ed75393342fbb708
SHA512 c283d4096cf6c1713fb2a6e4c56c7d76093e167736ff84f62d437512ed2161a01aaab916b80b62486b29d50abd525b518b6b3f6de99399db77320a50dabd2901

C:\Users\Admin\AppData\Local\Temp\Client.exe

MD5 0400e17a5bdb1fa5877c12d609dd15f8
SHA1 0e2af75fd16b9d2902a69c94a6eaa1cef4565f64
SHA256 99b91723fd7afa33700fb055e3dd505af43957841774d35945271d92c3388e6b
SHA512 6fa737ef7ec683b9dae18a9f150555f1dc5da6cf0e9c74b8b3aca58055539a8f5ded243bee14f2247712373213c1da5aee9d7c6149791fc7950ad9293d0eed9a

memory/376-18-0x00000000744A2000-0x00000000744A3000-memory.dmp

memory/376-19-0x00000000744A0000-0x0000000074A51000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsa53FE.tmp\NSISpcre.dll

MD5 bfe060c22b44914e05d3f5367de6c9fe
SHA1 24c72b0b57b0066a5e8b235104a0502400e44b9a
SHA256 43041f8540dccbc33268bfbef53037d17170b037f6393e77c21429f303ae828f
SHA512 ad3a23edd8d62b198e4a2ccf03f6d607dee41fa23fd6f9dfabdc5ee424b5e22a6e00b8a28e50fe177829a2cc25ce05484423e97c682036fc5146e2adf560bc44

memory/376-24-0x00000000744A0000-0x0000000074A51000-memory.dmp

memory/376-38-0x00000000744A0000-0x0000000074A51000-memory.dmp