Malware Analysis Report

2024-10-19 08:03

Sample ID 240813-g5fh4sybqe
Target 52f95d98c397198874195dec02102c10N.exe
SHA256 b0002ec88fadcd00a830fd35bc2fe38a0a7561cae0750f32a8905454f813cedd
Tags
njrat neuf discovery evasion persistence privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b0002ec88fadcd00a830fd35bc2fe38a0a7561cae0750f32a8905454f813cedd

Threat Level: Known bad

The file 52f95d98c397198874195dec02102c10N.exe was found to be: Known bad.

Malicious Activity Summary

njrat neuf discovery evasion persistence privilege_escalation trojan

njRAT/Bladabindi

Modifies Windows Firewall

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Program crash

Event Triggered Execution: Netsh Helper DLL

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-13 06:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 06:23

Reported

2024-08-13 06:25

Platform

win7-20240704-en

Max time kernel

119s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\52f95d98c397198874195dec02102c10N.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" C:\Users\Admin\AppData\Local\Temp\52f95d98c397198874195dec02102c10N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\52f95d98c397198874195dec02102c10N.exe" C:\Users\Admin\AppData\Local\Temp\52f95d98c397198874195dec02102c10N.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1276 set thread context of 2276 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\52f95d98c397198874195dec02102c10N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2568 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\52f95d98c397198874195dec02102c10N.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2568 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\52f95d98c397198874195dec02102c10N.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2568 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\52f95d98c397198874195dec02102c10N.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2568 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\52f95d98c397198874195dec02102c10N.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1276 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1276 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1276 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1276 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1276 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1276 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1276 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1276 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1276 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2276 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2276 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2276 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2276 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\52f95d98c397198874195dec02102c10N.exe

"C:\Users\Admin\AppData\Local\Temp\52f95d98c397198874195dec02102c10N.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.252.157:80 crl.microsoft.com tcp
US 8.8.8.8:53 doddyfire.linkpc.net udp
MA 105.155.165.255:10000 doddyfire.linkpc.net tcp
MA 105.155.165.255:10000 doddyfire.linkpc.net tcp
MA 105.155.165.255:10000 doddyfire.linkpc.net tcp
MA 105.155.165.255:10000 doddyfire.linkpc.net tcp
MA 105.155.165.255:10000 doddyfire.linkpc.net tcp

Files

memory/2568-0-0x0000000074551000-0x0000000074552000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabC16D.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/2568-8-0x0000000074550000-0x0000000074AFB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarC170.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 247148f508ee6d39634ab28c5f4714d3
SHA1 b25d5b49ef1204e68edf2a8697ddc4b57ba26a93
SHA256 9dd14bb7887ec4acec4a19849408704f48cc6e6cbce54db714e5edf692e1d69c
SHA512 36937fcf3f72bee1a81d8b275c128daed88ebdab35b827f2f43f8587cf0eb5453fab7e5e239f2f53d1840e81492a1f2ed86f1aedddcfdcbaaad161ba115d4956

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 8b5484db9ca11864269f4e806365eb60
SHA1 deceab212f023afdf922282f3f54f02f6848315f
SHA256 7d0eff48073679fbd822f85a7483d7c4c8d84d1aad83fcf23efa7656cc1c2ff6
SHA512 b12a140c8c2deec534c4176974541f7410b537aba2c348cba242ff085cc2767f06d562fbcbc18680179758b799dd2c4502f955387c527d4eb72ef3678fac4a23

memory/2568-175-0x0000000074550000-0x0000000074AFB000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 84638875d1259a6090c1909cbf459c34
SHA1 1b73533587b48660fd4bc7243fc1a2d6cc2f63e2
SHA256 7adeabe3310cb9982793ebaad21b4d5d3f0ec423f1b1c139f3e327db8d6b938d
SHA512 48047cfdb48ef9794b263fd9e33f92eda01210daa4ce145322373b00afcfc63f2503757a1855ba7c059731f50036186d77e162be34e625b4124ad3adf7b768d7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

MD5 e7122c733f9e37bba0ca4c985ce11d6d
SHA1 d661aa5b31ff7ef2df9bc4095279058c36499af2
SHA256 acc9932453f5aa68f4b95986668f5584f99e55bbe02eefc0d0960dab376df81a
SHA512 84cddf68a46f455b4ebbb8c0c70607fe60796cfc5eabdace12d0684a1323af9681700acbdbdc37e63d7806d0220fce9cba5213bb35cee056f9d71646f98711b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

MD5 d2e27b636111058451acfe9ba24f9202
SHA1 4c962ddc5e73ff9f4a4a22234da13cd597cf6c84
SHA256 6fb94897558185c4fe0fe97ab999879c954df42889de9117fdde9530af7154c4
SHA512 542dbd1fac7f53b7897d5826a585f9881fba9bb6ce3ebecd12d0f7ed58e922a437f4fb25017064e73bdf0b554780d760848a7d95da1b8d3b982fd9510bb4bb2f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6b723388c3e183d631b7f83a0e373a25
SHA1 1e2fcfa7504a878640eddd364015cf638d2a3999
SHA256 69fe53182d6077b66719690ab898d975bd4717563fb1be47d0d0c47194151c02
SHA512 fc2cff91f084f60be581d653d62ed46d04194a065f67c47896aa451bf00898d6e400dfd2efa3896d01313f124b31d75c08a86de8242e8dae811888ad62f0d6a5

memory/2276-341-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2276-344-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2276-343-0x0000000000400000-0x000000000040C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 06:23

Reported

2024-08-13 06:25

Platform

win10v2004-20240802-en

Max time kernel

115s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\52f95d98c397198874195dec02102c10N.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\52f95d98c397198874195dec02102c10N.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" C:\Users\Admin\AppData\Local\Temp\52f95d98c397198874195dec02102c10N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\52f95d98c397198874195dec02102c10N.exe" C:\Users\Admin\AppData\Local\Temp\52f95d98c397198874195dec02102c10N.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2000 set thread context of 3976 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2000 set thread context of 2280 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\52f95d98c397198874195dec02102c10N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4900 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\52f95d98c397198874195dec02102c10N.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4900 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\52f95d98c397198874195dec02102c10N.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4900 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\52f95d98c397198874195dec02102c10N.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2000 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2000 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2000 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2000 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2000 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2000 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2000 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2000 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2000 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2000 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2000 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2000 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2000 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2000 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2000 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2000 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3976 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 3976 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 3976 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\52f95d98c397198874195dec02102c10N.exe

"C:\Users\Admin\AppData\Local\Temp\52f95d98c397198874195dec02102c10N.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2280 -ip 2280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 84

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 doddyfire.linkpc.net udp
MA 105.155.165.255:10000 doddyfire.linkpc.net tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
MA 105.155.165.255:10000 doddyfire.linkpc.net tcp
MA 105.155.165.255:10000 doddyfire.linkpc.net tcp
MA 105.155.165.255:10000 doddyfire.linkpc.net tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
MA 105.155.165.255:10000 doddyfire.linkpc.net tcp

Files

memory/4900-0-0x0000000074652000-0x0000000074653000-memory.dmp

memory/4900-1-0x0000000074650000-0x0000000074C01000-memory.dmp

memory/4900-2-0x0000000074650000-0x0000000074C01000-memory.dmp

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 c981c3ad707668b7143553713a4a60ef
SHA1 ed8862ed35a172f088f437243cd650e800301170
SHA256 aa6d1c5f558a85b83bc8793d8b767f01e6ca8b69efaa72761b3c5eda03f790b7
SHA512 8b3f86e0501e813bbc9c8cfa4da2bacfde960584034ace4774dc73170fe1ed35654ad32bc05b30a53f659b224adbf93ff9b243006c749226b7030eac020eea75

memory/2000-18-0x0000000074650000-0x0000000074C01000-memory.dmp

memory/2000-19-0x0000000074650000-0x0000000074C01000-memory.dmp

memory/4900-17-0x0000000074650000-0x0000000074C01000-memory.dmp

memory/3976-20-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log

MD5 0a9b4592cd49c3c21f6767c2dabda92f
SHA1 f534297527ae5ccc0ecb2221ddeb8e58daeb8b74
SHA256 c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd
SHA512 6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

memory/3976-26-0x0000000074650000-0x0000000074C01000-memory.dmp

memory/2000-28-0x0000000074650000-0x0000000074C01000-memory.dmp

memory/3976-29-0x0000000074650000-0x0000000074C01000-memory.dmp

memory/3976-27-0x0000000074650000-0x0000000074C01000-memory.dmp

memory/3976-30-0x0000000074650000-0x0000000074C01000-memory.dmp