Malware Analysis Report

2025-01-22 13:14

Sample ID 240720-fljkzs1bmf
Target 50454d6954463f1a1971d4f3714b62e0N.exe
SHA256 2a2b536fc29312cedbe7cbb445c2a8dbeaf1b7de929b8744dbc0bc317ffe325d
Tags
njrat jjj evasion persistence privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2a2b536fc29312cedbe7cbb445c2a8dbeaf1b7de929b8744dbc0bc317ffe325d

Threat Level: Known bad

The file 50454d6954463f1a1971d4f3714b62e0N.exe was found to be: Known bad.

Malicious Activity Summary

njrat jjj evasion persistence privilege_escalation trojan

njRAT/Bladabindi

Modifies Windows Firewall

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

AutoIT Executable

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

NTFS ADS

Modifies registry class

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-20 04:57

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-20 04:57

Reported

2024-07-20 04:59

Platform

win7-20240708-en

Max time kernel

119s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\50454d6954463f1a1971d4f3714b62e0N.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\50454d6954463f1a1971d4f3714b62e0N.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\2 = "C:\\ProgramData\\winmgr107.exe" C:\ProgramData\winmgr107.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\2 = "C:\\ProgramData\\winmgr107.exe" C:\Users\Admin\AppData\Local\Temp\50454d6954463f1a1971d4f3714b62e0N.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2772 set thread context of 2592 N/A C:\ProgramData\winmgr107.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA C:\ProgramData\winmgr107.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\50454d6954463f1a1971d4f3714b62e0N.exe:Zone.Identifier:$DATA C:\Users\Admin\AppData\Local\Temp\50454d6954463f1a1971d4f3714b62e0N.exe N/A
File created C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA C:\ProgramData\winmgr107.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2160 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\50454d6954463f1a1971d4f3714b62e0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\50454d6954463f1a1971d4f3714b62e0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\50454d6954463f1a1971d4f3714b62e0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\50454d6954463f1a1971d4f3714b62e0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2072 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2072 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2072 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2160 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\50454d6954463f1a1971d4f3714b62e0N.exe C:\ProgramData\winmgr107.exe
PID 2160 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\50454d6954463f1a1971d4f3714b62e0N.exe C:\ProgramData\winmgr107.exe
PID 2160 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\50454d6954463f1a1971d4f3714b62e0N.exe C:\ProgramData\winmgr107.exe
PID 2160 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\50454d6954463f1a1971d4f3714b62e0N.exe C:\ProgramData\winmgr107.exe
PID 2772 wrote to memory of 2592 N/A C:\ProgramData\winmgr107.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2772 wrote to memory of 2592 N/A C:\ProgramData\winmgr107.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2772 wrote to memory of 2592 N/A C:\ProgramData\winmgr107.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2772 wrote to memory of 2592 N/A C:\ProgramData\winmgr107.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2772 wrote to memory of 2592 N/A C:\ProgramData\winmgr107.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2772 wrote to memory of 2592 N/A C:\ProgramData\winmgr107.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2772 wrote to memory of 2592 N/A C:\ProgramData\winmgr107.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2772 wrote to memory of 2592 N/A C:\ProgramData\winmgr107.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2772 wrote to memory of 2592 N/A C:\ProgramData\winmgr107.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2772 wrote to memory of 2688 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 2688 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 2688 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 2688 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 2492 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 2492 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 2492 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 2492 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2592 wrote to memory of 2344 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\SysWOW64\netsh.exe
PID 2592 wrote to memory of 2344 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\SysWOW64\netsh.exe
PID 2592 wrote to memory of 2344 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\SysWOW64\netsh.exe
PID 2592 wrote to memory of 2344 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\SysWOW64\netsh.exe
PID 2772 wrote to memory of 2256 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 2256 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 2256 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 2256 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 2516 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 2516 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 2516 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 2516 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 2528 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 2528 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 2528 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 2528 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 1408 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 1408 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 1408 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 1408 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 2312 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 2312 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 2312 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 2312 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 2016 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 2016 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 2016 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 2016 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 1988 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 1988 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 1988 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 1988 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 1752 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 1752 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 1752 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
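Reading the two injection tables above together matters more than reading either alone. Almost every "wrote to memory of" row is ordinary CreateProcess activity: a parent writes into the child it has just spawned (cmd.exe, NOTEPAD.EXE, each schtasks.exe, netsh.exe), and the sandbox flags each of those writes. The one pair that also appears under "Suspicious use of SetThreadContext" is PID 2772 -> 2592: winmgr107.exe writes a payload into a suspended RegAsm.exe and then redirects its main thread, which is the process-hollowing sequence that leaves the njRAT client running inside a Microsoft-signed .NET binary. The Python below is an added example and not part of the sandbox output. It parses rows in this report's own format (a subset of the behavioral1 rows is embedded inline, one row per distinct source/target pair), rebuilds the parent-to-child tree from the write events, and reports only the pairs that show both a memory write and a SetThreadContext.

```python
import re
from collections import defaultdict

# Rows copied from this report's behavioral1 "Suspicious use of SetThreadContext" and
# "Suspicious use of WriteProcessMemory" tables. The sandbox logged each pair several
# times; one row per (source, action, target) is enough to rebuild the picture.
SIGNATURE_ROWS = r"""
PID 2772 set thread context of 2592 N/A C:\ProgramData\winmgr107.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2160 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\50454d6954463f1a1971d4f3714b62e0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2160 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\50454d6954463f1a1971d4f3714b62e0N.exe C:\ProgramData\winmgr107.exe
PID 2772 wrote to memory of 2592 N/A C:\ProgramData\winmgr107.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2772 wrote to memory of 2688 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2592 wrote to memory of 2344 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\SysWOW64\netsh.exe
"""

# Column layout of a row: "PID <src> <action> <dst> N/A <src image> <dst image>".
ROW_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (\S+) (\S+)$"
)


def parse_rows(text):
    """Return (src_pid, action, dst_pid, src_image, dst_image) tuples, skipping non-matching lines."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            src, action, dst, src_img, dst_img = m.groups()
            events.append((int(src), action, int(dst), src_img, dst_img))
    return events


def process_tree(events):
    """Map parent PID -> sorted [(child PID, child image)].

    A parent writing into a child it just created is normal CreateProcess behaviour,
    so every 'wrote to memory of' row is treated as a parent->child edge."""
    tree = defaultdict(dict)
    for src, action, dst, _src_img, dst_img in events:
        if action == "wrote to memory of":
            tree[src][dst] = dst_img
    return {pid: sorted(children.items()) for pid, children in tree.items()}


def image_map(events):
    """Map every PID seen in the rows to its image path."""
    images = {}
    for src, _action, dst, src_img, dst_img in events:
        images[src] = src_img
        images[dst] = dst_img
    return images


def hollowing_candidates(events):
    """Pairs with BOTH a memory write and a SetThreadContext from the same source.

    That combination (write payload into a suspended process, then point its thread at
    it) is what distinguishes hollowing from the writes every parent performs."""
    wrote = {(s, d) for s, a, d, _, _ in events if a == "wrote to memory of"}
    return sorted(
        (s, d, dst_img)
        for s, a, d, _, dst_img in events
        if a == "set thread context of" and (s, d) in wrote
    )


def render_tree(events, root):
    """Indented 'pid image' lines for the subtree under root, depth-first."""
    tree = process_tree(events)
    images = image_map(events)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {images.get(pid, '?')}")
        for child, _img in tree.get(pid, []):
            walk(child, depth + 1)

    walk(root, 0)
    return lines


if __name__ == "__main__":
    events = parse_rows(SIGNATURE_ROWS)
    print("\n".join(render_tree(events, 2160)))
    for src, dst, image in hollowing_candidates(events):
        print(f"hollowing candidate: {src} -> {dst} ({image})")
```

Run against the embedded rows, the tree is dropper (2160) -> cmd.exe -> NOTEPAD.EXE on the decoy branch and dropper -> winmgr107.exe -> RegAsm.exe -> netsh.exe plus schtasks.exe on the real branch, and exactly one hollowing candidate is reported, 2772 -> 2592 into RegAsm.exe. The same code works on the behavioral2 rows (3232 -> 528).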

Processes

C:\Users\Admin\AppData\Local\Temp\50454d6954463f1a1971d4f3714b62e0N.exe

"C:\Users\Admin\AppData\Local\Temp\50454d6954463f1a1971d4f3714b62e0N.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c start C:\PROGRA~3\50454D~1.TXT

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\PROGRA~3\50454d6954463f1a1971d4f3714b62e0N.exe.txt

C:\ProgramData\winmgr107.exe

C:\ProgramData\winmgr107.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

0

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\system32\taskeng.exe

taskeng.exe {42EAF562-E836-4BFF-9364-CF653CF9BE49} S-1-5-21-940600906-3464502421-4240639183-1000:MGWWAYYN\Admin:Interactive:[1]

C:\ProgramData\winmgr107.exe

C:\ProgramData\winmgr107.exe

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 youri.mooo.com udp

Files

memory/2072-9-0x0000000002540000-0x0000000002640000-memory.dmp

C:\PROGRA~3\50454d6954463f1a1971d4f3714b62e0N.exe.txt

MD5 c8cf7247d4cfc99a7582a42d13df4c08
SHA1 317f5588af0b3b6374c436fb00084c522fd78a83
SHA256 78bd99781e971622f1573bccf2ae9cdd7a7498cf81c1875afc65913e1083b1d0
SHA512 5dd86b7ba388e5d2ad61b1c69589f42c36eec23a04b3cece0941133e0cf0e8a6f1f3aa2242d87af72db725b4b96032dadae72b3be98af3cfce5786ad8c08c357

\ProgramData\winmgr107.exe

MD5 b4d0123a1d9b0b2523504df45d689401
SHA1 c9d5aec232d42e32d0e5fa1c1542c05545baeb90
SHA256 65376ee04b618d0903627ac2c5531243b1bad81a467034c6c1dfe6690a293d6c
SHA512 ec09d8ac2465f3f5813242ed59b1691936c903099969264685ded60a65cccf2d816f9018a0b8b34096c80a9b07a7585349453433a2421b5740522f8c0cd5c10a

memory/2592-25-0x0000000000090000-0x000000000009C000-memory.dmp

memory/2592-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2592-27-0x0000000000090000-0x000000000009C000-memory.dmp

memory/2592-29-0x0000000000090000-0x000000000009C000-memory.dmp

memory/2592-28-0x0000000000090000-0x000000000009C000-memory.dmp
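Two caveats on the signatures in this detonation before turning them into detections. First, "Event Triggered Execution: Netsh Helper DLL" fires only because netsh.exe opened and enumerated HKLM\SOFTWARE\...\Microsoft\NetSh, which netsh does on every start to load its helper DLLs; nothing in the report shows the sample registering a helper, it simply ran netsh to whitelist RegAsm.exe in the firewall. Second, the durable indicators are the ones that survive the process tree: a scheduled task re-launching C:\ProgramData\winmgr107.exe every minute, the Run\2 value pointing at the same file, a firewall exception for RegAsm.exe, RegAsm.exe started by a binary in ProgramData with the command line "0" instead of an assembly path, and a DNS lookup of youri.mooo.com (a free dynamic-DNS zone). The behavioral2 (win10v2004) run below shows the identical chain, so one set of rules covers both. The Python below is an added example, not part of the sandbox output; it runs those rules over constructed Sysmon-style events modelled on the command lines in this report (the benign control events and the dynamic-DNS suffixes other than mooo.com are assumptions for illustration).

```python
import re

# Paths a standard user can write to; the sample staged itself in C:\ProgramData.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(?:ProgramData|Users\\[^\\]+\\AppData)\\", re.I)
# Microsoft-signed .NET utilities commonly abused as hollowing hosts; RegAsm.exe is the one here.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe"}
# Parents from which those utilities are normally launched (installers, MSBuild, the OS itself).
TRUSTED_PARENT = re.compile(r"^[A-Za-z]:\\(?:Windows|Program Files(?: \(x86\))?)\\", re.I)
# Free dynamic-DNS zones. mooo.com is from the report; the others are assumed common examples.
DYNDNS_SUFFIXES = (".mooo.com", ".no-ip.org", ".ddns.net", ".duckdns.org")


def basename(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def _unquote(token):
    return token.strip('"')


def check_process(ev):
    """Rules for one process-creation event; returns [(severity, rule, evidence)]."""
    hits = []
    image, cmd, parent = basename(ev["image"]), ev["cmdline"], ev.get("parent_image", "")

    # Rule 1: schtasks /create /sc minute /mo <=5 whose /tr target lives in a user-writable path.
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        mo = re.search(r"/mo\s+(\d+)", cmd, re.I)
        tr = re.search(r'/tr\s+("[^"]+"|\S+)', cmd, re.I)
        if (re.search(r"/sc\s+minute\b", cmd, re.I) and mo and int(mo.group(1)) <= 5
                and tr and USER_WRITABLE.match(_unquote(tr.group(1)))):
            hits.append(("high", "minute-interval scheduled task runs a user-writable binary",
                         _unquote(tr.group(1))))

    # Rule 2: firewall exception (legacy 'firewall add allowedprogram' or 'advfirewall ... program=')
    # for a .NET hollowing host or a user-writable binary.
    if image == "netsh.exe" and re.search(r"\badd\b", cmd, re.I):
        prog = re.search(r'(?:allowedprogram\s+|program=)("[^"]+"|\S+)', cmd, re.I)
        if prog:
            path = _unquote(prog.group(1))
            if basename(path) in DOTNET_HOSTS or USER_WRITABLE.match(path):
                hits.append(("high", "firewall exception for hollowing host or user-writable binary", path))

    # Rule 3: RegAsm/RegSvcs/InstallUtil with no assembly argument, or from an untrusted parent.
    if image in DOTNET_HOSTS:
        tokens = re.findall(r'"[^"]+"|\S+', cmd)
        args = [_unquote(t) for t in tokens if basename(_unquote(t)) != image]
        has_assembly = any(re.search(r"\.(?:dll|exe)$", a, re.I) for a in args)
        if not has_assembly or not TRUSTED_PARENT.match(parent):
            hits.append(("critical", ".NET utility without assembly argument or from untrusted parent",
                         f"{parent} -> {cmd!r}"))
    return hits


def check_registry(ev):
    """Rule 4: a Run key value that launches something from a user-writable path."""
    if re.search(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", ev["key"], re.I):
        target = _unquote(ev["value"])
        if USER_WRITABLE.match(target):
            return [("high", "Run key points to a user-writable path", target)]
    return []


def check_dns(ev):
    """Rule 5: query for a free dynamic-DNS zone, typical of njRAT C2 hosting."""
    query = ev["query"].lower().rstrip(".")
    if query.endswith(DYNDNS_SUFFIXES):
        return [("medium", "DNS query to a free dynamic-DNS zone", query)]
    return []


CHECKS = {"process": check_process, "registry": check_registry, "dns": check_dns}


def scan(events):
    findings = []
    for ev in events:
        findings.extend(CHECKS[ev["type"]](ev))
    return findings


# Constructed events modelled on this report's Processes, Run-key and Network sections,
# followed by two benign controls (assumed) that the rules must not flag.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\SysWOW64\schtasks.exe", "parent_image": r"C:\ProgramData\winmgr107.exe",
     "cmdline": r'C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f'},
    {"type": "process", "image": r"C:\Windows\SysWOW64\netsh.exe",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE'},
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
     "parent_image": r"C:\ProgramData\winmgr107.exe", "cmdline": "0"},
    {"type": "registry", "key": r"HKU\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\2",
     "value": r"C:\ProgramData\winmgr107.exe"},
    {"type": "dns", "query": "youri.mooo.com"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Tool\backup.exe"'},
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent_image": r"C:\Program Files\Vendor\setup.exe", "cmdline": r'RegAsm.exe "C:\Program Files\Vendor\lib.dll" /codebase'},
]

if __name__ == "__main__":
    for severity, rule, evidence in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {evidence}")
```

On the constructed input the five malicious events each produce one finding and the two benign controls produce none. When cleaning a live host, undo the persistence in the order the sample relies on it: stop and delete the task first (schtasks /delete /tn "winmgr107.exe" /f), since it would otherwise relaunch the file within a minute, then remove the Run\2 value, reverse the firewall change with the legacy netsh firewall delete allowedprogram verb for the RegAsm.exe path, and only then terminate the hollowed RegAsm.exe and delete C:\ProgramData\winmgr107.exe.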

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-20 04:57

Reported

2024-07-20 04:59

Platform

win10v2004-20240709-en

Max time kernel

120s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\50454d6954463f1a1971d4f3714b62e0N.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2 = "C:\\ProgramData\\winmgr107.exe" C:\Users\Admin\AppData\Local\Temp\50454d6954463f1a1971d4f3714b62e0N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2 = "C:\\ProgramData\\winmgr107.exe" C:\ProgramData\winmgr107.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3232 set thread context of 528 N/A C:\ProgramData\winmgr107.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\50454d6954463f1a1971d4f3714b62e0N.exe:Zone.Identifier:$DATA C:\Users\Admin\AppData\Local\Temp\50454d6954463f1a1971d4f3714b62e0N.exe N/A
File created C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA C:\ProgramData\winmgr107.exe N/A
File opened for modification C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA C:\ProgramData\winmgr107.exe N/A
File opened for modification C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA C:\ProgramData\winmgr107.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\50454d6954463f1a1971d4f3714b62e0N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\50454d6954463f1a1971d4f3714b62e0N.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2828 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\50454d6954463f1a1971d4f3714b62e0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\50454d6954463f1a1971d4f3714b62e0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\50454d6954463f1a1971d4f3714b62e0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2028 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2028 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2028 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2828 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\50454d6954463f1a1971d4f3714b62e0N.exe C:\ProgramData\winmgr107.exe
PID 2828 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\50454d6954463f1a1971d4f3714b62e0N.exe C:\ProgramData\winmgr107.exe
PID 2828 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\50454d6954463f1a1971d4f3714b62e0N.exe C:\ProgramData\winmgr107.exe
PID 3232 wrote to memory of 528 N/A C:\ProgramData\winmgr107.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3232 wrote to memory of 528 N/A C:\ProgramData\winmgr107.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3232 wrote to memory of 528 N/A C:\ProgramData\winmgr107.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3232 wrote to memory of 528 N/A C:\ProgramData\winmgr107.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3232 wrote to memory of 528 N/A C:\ProgramData\winmgr107.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3232 wrote to memory of 5116 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 5116 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 5116 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 1800 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 1800 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 1800 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 528 wrote to memory of 3972 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\SysWOW64\netsh.exe
PID 528 wrote to memory of 3972 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\SysWOW64\netsh.exe
PID 528 wrote to memory of 3972 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\SysWOW64\netsh.exe
PID 3232 wrote to memory of 5048 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 5048 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 5048 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 3476 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 3476 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 3476 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 4984 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 4984 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 4984 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 312 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 312 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 312 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 392 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 392 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 392 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 3212 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 3212 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 3212 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 916 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 916 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 916 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 2428 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 2428 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 2428 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 2948 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 2948 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 2948 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 1244 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 1244 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 1244 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 5024 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 5024 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 5024 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 1216 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 1216 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 1216 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 3276 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 3276 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 3276 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 4108 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 4108 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\50454d6954463f1a1971d4f3714b62e0N.exe

"C:\Users\Admin\AppData\Local\Temp\50454d6954463f1a1971d4f3714b62e0N.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c start C:\PROGRA~3\50454D~1.TXT

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\PROGRA~3\50454d6954463f1a1971d4f3714b62e0N.exe.txt

C:\ProgramData\winmgr107.exe

C:\ProgramData\winmgr107.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

0

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\ProgramData\winmgr107.exe

C:\ProgramData\winmgr107.exe

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\ProgramData\winmgr107.exe

C:\ProgramData\winmgr107.exe

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
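The process list above carries the whole persistence and evasion chain in three command lines: a `schtasks /create` that re-launches `C:\ProgramData\winmgr107.exe` every minute under a task named after the binary itself, a legacy `netsh firewall add allowedprogram` exception for `RegAsm.exe` (the .NET utility the sample launches with the bare argument `0`, consistent with the RAT's code running inside that Microsoft-signed process rather than in its own dropped file), and a `cmd /c start` that opens the dropped `.txt` in Notepad as a decoy. The following is an added example, not part of the report or of any sandbox's rule set: a small detector that tokenizes Windows command lines and applies those three rules to the command lines copied from the list above (the repeated schtasks entries are collapsed to one). The user-writable directory prefixes, the list of .NET injection-host binaries and the document extensions are analyst-maintained assumptions for the example.

```python
import re
from dataclasses import dataclass

# Command lines copied verbatim from this report's Processes list (behavioral1).
REPORT_COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\50454d6954463f1a1971d4f3714b62e0N.exe"',
    r'C:\Windows\system32\cmd.exe /c start C:\PROGRA~3\50454D~1.TXT',
    r'"C:\Windows\system32\NOTEPAD.EXE" C:\PROGRA~3\50454d6954463f1a1971d4f3714b62e0N.exe.txt',
    r'C:\ProgramData\winmgr107.exe',
    '0',  # recorded by the sandbox as RegAsm.exe's command line
    r'C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f',
    r'netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE',
]

# Analyst-maintained lists (assumptions for this example, not taken from the report).
USER_WRITABLE = ("c:\\programdata\\", "c:\\progra~3\\", "c:\\users\\")
INJECTION_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
DOCUMENT_EXT = (".txt", ".rtf", ".pdf", ".doc", ".docx")


@dataclass
class Finding:
    rule: str
    severity: str
    detail: str


def tokenize(cmd):
    """Split a Windows command line; a double-quoted run becomes one token with the quotes removed."""
    return [q if q else p for q, p in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_value(tokens, flag):
    """Value following a case-insensitive /flag, or None when absent or trailing."""
    low = [t.lower() for t in tokens]
    if flag in low and low.index(flag) + 1 < len(tokens):
        return tokens[low.index(flag) + 1]
    return None


def analyze(cmd):
    tokens = tokenize(cmd)
    if not tokens:
        return []
    image = basename(tokens[0])
    image = image if image.endswith(".exe") else image + ".exe"   # "netsh" -> "netsh.exe"
    low = [t.lower() for t in tokens]
    findings = []

    # Rule 1: schtasks /create with a minute-level trigger, an action binary in a
    # user-writable directory, or a task named after its own binary (the report shows all three).
    if image == "schtasks.exe" and "/create" in low:
        sched = (flag_value(tokens, "/sc") or "").lower()
        target = flag_value(tokens, "/tr") or ""
        name = flag_value(tokens, "/tn") or ""
        reasons = []
        if sched == "minute":
            reasons.append(f"runs every {flag_value(tokens, '/mo') or '1'} minute(s)")
        if target.lower().startswith(USER_WRITABLE):
            reasons.append("action binary is in a user-writable directory")
        if name and basename(name) == basename(target):
            reasons.append("task name equals its binary name")
        if reasons:
            findings.append(Finding("schtasks_persistence", "high", f"{name} -> {target}: " + "; ".join(reasons)))

    # Rule 2: firewall program exception via the legacy or the advfirewall syntax; severity is
    # raised when the program is a .NET utility commonly used to host injected code.
    if image == "netsh.exe" and "firewall" in low and "add" in low:
        prog = ""
        if "allowedprogram" in low:
            i = low.index("allowedprogram")
            prog = tokens[i + 1] if i + 1 < len(tokens) else ""
        else:
            prog = next((t.split("=", 1)[1] for t in tokens if t.lower().startswith("program=")), "")
        if prog:
            sev = "high" if basename(prog) in INJECTION_HOSTS else "medium"
            findings.append(Finding("firewall_allowlist", sev, f"firewall program exception for {prog}"))

    # Rule 3: cmd /c start of a document, the decoy that gives the victim something to look at.
    if image == "cmd.exe" and "/c" in low and "start" in low and low[-1].endswith(DOCUMENT_EXT):
        note = " (8.3 short path)" if "~" in low[-1] else ""
        findings.append(Finding("decoy_document_open", "low", f"opens {tokens[-1]}{note}"))
    return findings


def scan(cmd_lines):
    return [f for cmd in cmd_lines for f in analyze(cmd)]


if __name__ == "__main__":
    for f in scan(REPORT_COMMAND_LINES):
        print(f"[{f.severity:6}] {f.rule}: {f.detail}")
```

On this report's command lines the scanner returns exactly three findings: the schtasks task (high), the RegAsm.exe firewall exception (high) and the decoy Notepad launch (low); the `0` command line and the plain image paths yield nothing, which is the right answer for rules keyed on arguments. The same rules apply unchanged to Sysmon Event ID 1 or Windows Security 4688 command-line fields.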

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
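Two things stand out in the Network table above: `youri.mooo.com`, a host under a free dynamic-DNS zone, is queried sixteen times over UDP/53 and never followed by a TCP connection, while the Bing names are each resolved once and then connected to over 443; the remaining rows are PTR lookups of the contacted addresses. The following is an added example, not part of the report: it parses the table in the format shown on this page and separates forward lookups from connections so that "queried repeatedly, never connected" falls out as a first-class result. The dynamic-DNS zone list is an analyst-maintained assumption. One caveat for the practitioner: the absence of a connection inside a two-minute detonation does not mean the name is dead, so the FQDN should still be hunted in DNS and proxy logs regardless.

```python
from collections import Counter, defaultdict

# Network table copied from this report (behavioral1), header included.
REPORT_NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
"""

# Analyst-maintained list of free dynamic-DNS parent zones (assumption, not from the report).
DYNDNS_ZONES = {"mooo.com", "chickenkiller.com", "no-ip.org", "ddns.net", "duckdns.org"}


def parse_table(text):
    """Rows of the report's Network table as dicts; the destination splits into IP and port."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        if not line.strip():
            continue
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def is_dyndns(domain):
    parts = domain.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in DYNDNS_ZONES for i in range(len(parts)))


def summarize(rows):
    """Per forward-lookup name: query count, whether any non-DNS connection to it was seen,
    and whether it sits under a dynamic-DNS zone. PTR lookups are dropped as noise."""
    queries = Counter()
    connections = defaultdict(set)
    for r in rows:
        if r["port"] == 53 and r["proto"] == "udp":
            queries[r["domain"]] += 1
        else:
            connections[r["domain"]].add((r["ip"], r["port"], r["proto"]))
    out = []
    for domain, n in queries.items():
        if domain.endswith(".in-addr.arpa"):
            continue
        out.append({"domain": domain, "queries": n,
                    "connected": domain in connections, "dyndns": is_dyndns(domain)})
    return out


def unresolved_beacons(rows, min_queries=5):
    """Names queried repeatedly with no connection observed: the shape a C2 hostname takes when
    it does not resolve, or resolves to nothing reachable, during the detonation window."""
    return sorted(e["domain"] for e in summarize(rows)
                  if e["queries"] >= min_queries and not e["connected"])


if __name__ == "__main__":
    rows = parse_table(REPORT_NETWORK_TABLE)
    for e in summarize(rows):
        print(e)
    print("candidate beacons:", unresolved_beacons(rows))
```

Run against the table, `summarize` reports three forward-lookup names (the two Bing hosts, each connected, and `youri.mooo.com`, sixteen queries and no connection) and `unresolved_beacons` returns only `youri.mooo.com`. Lowering `min_queries` trades fewer misses for noise from single failed lookups.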

Files

C:\PROGRA~3\50454d6954463f1a1971d4f3714b62e0N.exe.txt

MD5 c8cf7247d4cfc99a7582a42d13df4c08
SHA1 317f5588af0b3b6374c436fb00084c522fd78a83
SHA256 78bd99781e971622f1573bccf2ae9cdd7a7498cf81c1875afc65913e1083b1d0
SHA512 5dd86b7ba388e5d2ad61b1c69589f42c36eec23a04b3cece0941133e0cf0e8a6f1f3aa2242d87af72db725b4b96032dadae72b3be98af3cfce5786ad8c08c357

C:\ProgramData\winmgr107.exe

MD5 f825289627359ee809c0dc6c36eca8f3
SHA1 5d41dab6565c75aed18f16793b654c95b25a2598
SHA256 bc9e54f1fd2c52486823f7ebf0395be869bc3ca3e77c6184cf055165d8217aee
SHA512 df74d8fa878f74fc608ef35670ee333001f29d5fe7962308e51e79aaf611ca55fcf417150c755cffc43a7ff16fca123d3f6a81548810dddd2a2ab567a2a299a1

C:\Users\Admin\AppData\Local\Temp\50454d6954463f1a1971d4f3714b62e0N.exe

MD5 50454d6954463f1a1971d4f3714b62e0
SHA1 2b3a9a4c30f6d15fedfaba0dd9f5cbf4c2f9df38
SHA256 2a2b536fc29312cedbe7cbb445c2a8dbeaf1b7de929b8744dbc0bc317ffe325d
SHA512 3862e6b144d387c6b3594b79ed830e5dc35114b2c28c8df62762a72bf175b748df5d2bd2b4daf15af06be9111458dd201144c1a8139e411f69ba64d5a2e9d3c0

memory/528-15-0x0000000001310000-0x000000000131C000-memory.dmp