Malware Analysis Report

2024-10-19 08:03

Sample ID 240817-ntfs3atcnh
Target 4f26497520ca3310f7f99cbfd80be1e0N.exe
SHA256 0d1405c3eb6cd4d76d02265d9f9259eaa13e37d3a16df0268bc8a0f060eff0ee
Tags
njrat neuf discovery evasion persistence privilege_escalation trojan
score
10/10

Analysis Overview

score
10/10

SHA256

0d1405c3eb6cd4d76d02265d9f9259eaa13e37d3a16df0268bc8a0f060eff0ee

Threat Level: Known bad

The file 4f26497520ca3310f7f99cbfd80be1e0N.exe was found to be: Known bad.

Malicious Activity Summary

njrat neuf discovery evasion persistence privilege_escalation trojan

njRAT/Bladabindi

Modifies Windows Firewall

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-08-17 11:41

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-17 11:41

Reported

2024-08-17 11:43

Platform

win10v2004-20240802-en

Max time kernel

115s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f26497520ca3310f7f99cbfd80be1e0N.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4f26497520ca3310f7f99cbfd80be1e0N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" C:\Users\Admin\AppData\Local\Temp\4f26497520ca3310f7f99cbfd80be1e0N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4f26497520ca3310f7f99cbfd80be1e0N.exe" C:\Users\Admin\AppData\Local\Temp\4f26497520ca3310f7f99cbfd80be1e0N.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1964 set thread context of 3320 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4f26497520ca3310f7f99cbfd80be1e0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1924 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\4f26497520ca3310f7f99cbfd80be1e0N.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1924 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\4f26497520ca3310f7f99cbfd80be1e0N.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1924 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\4f26497520ca3310f7f99cbfd80be1e0N.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1964 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1964 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1964 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1964 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1964 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1964 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1964 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1964 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3320 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 3320 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 3320 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4f26497520ca3310f7f99cbfd80be1e0N.exe

"C:\Users\Admin\AppData\Local\Temp\4f26497520ca3310f7f99cbfd80be1e0N.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 doddyfire.linkpc.net udp
IT 151.89.128.37:10000 doddyfire.linkpc.net tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
IT 151.89.128.37:10000 doddyfire.linkpc.net tcp
IT 151.89.128.37:10000 doddyfire.linkpc.net tcp
IT 151.89.128.37:10000 doddyfire.linkpc.net tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
IT 151.89.128.37:10000 doddyfire.linkpc.net tcp

Files

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-17 11:41

Reported

2024-08-17 11:43

Platform

win7-20240704-en

Max time kernel

116s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f26497520ca3310f7f99cbfd80be1e0N.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" C:\Users\Admin\AppData\Local\Temp\4f26497520ca3310f7f99cbfd80be1e0N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4f26497520ca3310f7f99cbfd80be1e0N.exe" C:\Users\Admin\AppData\Local\Temp\4f26497520ca3310f7f99cbfd80be1e0N.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2164 set thread context of 2748 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4f26497520ca3310f7f99cbfd80be1e0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2276 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\4f26497520ca3310f7f99cbfd80be1e0N.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2276 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\4f26497520ca3310f7f99cbfd80be1e0N.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2276 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\4f26497520ca3310f7f99cbfd80be1e0N.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2276 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\4f26497520ca3310f7f99cbfd80be1e0N.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2164 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2164 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2164 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2164 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2164 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2164 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2164 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2164 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2164 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2748 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2748 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2748 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2748 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4f26497520ca3310f7f99cbfd80be1e0N.exe

"C:\Users\Admin\AppData\Local\Temp\4f26497520ca3310f7f99cbfd80be1e0N.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.16.170.123:80 crl.microsoft.com tcp
US 8.8.8.8:53 doddyfire.linkpc.net udp
IT 151.89.128.37:10000 doddyfire.linkpc.net tcp
IT 151.89.128.37:10000 doddyfire.linkpc.net tcp
IT 151.89.128.37:10000 doddyfire.linkpc.net tcp
IT 151.89.128.37:10000 doddyfire.linkpc.net tcp

Files
