Malware Analysis Report

2025-03-15 06:23

Sample ID 240929-et5mrazbnr
Target eee08cea677b93199fd1ad83347b8176bde16b3ee99c54f69c06a9e652217d5b
SHA256 eee08cea677b93199fd1ad83347b8176bde16b3ee99c54f69c06a9e652217d5b
Tags

njrat hacked discovery evasion persistence privilege_escalation trojan

Score

10/10

Analysis Overview

Score

10/10

SHA256

eee08cea677b93199fd1ad83347b8176bde16b3ee99c54f69c06a9e652217d5b

Threat Level: Known bad

The file eee08cea677b93199fd1ad83347b8176bde16b3ee99c54f69c06a9e652217d5b was found to be: Known bad.

Malicious Activity Summary

njrat hacked discovery evasion persistence privilege_escalation trojan

UAC bypass

njRAT/Bladabindi

Modifies Windows Firewall

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

AutoIT Executable

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Event Triggered Execution: Netsh Helper DLL

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-29 04:14

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-29 04:14

Reported

2024-09-29 04:17

Platform

win7-20240729-en

Max time kernel

149s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eee08cea677b93199fd1ad83347b8176bde16b3ee99c54f69c06a9e652217d5b.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\eee08cea677b93199fd1ad83347b8176bde16b3ee99c54f69c06a9e652217d5b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\eee08cea677b93199fd1ad83347b8176bde16b3ee99c54f69c06a9e652217d5b.exe N/A

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\642\642.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\7657c14284185fbd3fb108b43c7467ba = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\7657c14284185fbd3fb108b43c7467ba = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\eee08cea677b93199fd1ad83347b8176bde16b3ee99c54f69c06a9e652217d5b.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\642\642.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eee08cea677b93199fd1ad83347b8176bde16b3ee99c54f69c06a9e652217d5b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2216 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\eee08cea677b93199fd1ad83347b8176bde16b3ee99c54f69c06a9e652217d5b.exe C:\Users\Admin\AppData\Local\Temp\642\642.exe
PID 2756 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\642\642.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 2912 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\eee08cea677b93199fd1ad83347b8176bde16b3ee99c54f69c06a9e652217d5b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\eee08cea677b93199fd1ad83347b8176bde16b3ee99c54f69c06a9e652217d5b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\eee08cea677b93199fd1ad83347b8176bde16b3ee99c54f69c06a9e652217d5b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\eee08cea677b93199fd1ad83347b8176bde16b3ee99c54f69c06a9e652217d5b.exe

"C:\Users\Admin\AppData\Local\Temp\eee08cea677b93199fd1ad83347b8176bde16b3ee99c54f69c06a9e652217d5b.exe"

C:\Users\Admin\AppData\Local\Temp\642\642.exe

"C:\Users\Admin\AppData\Local\Temp\642\642.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

Network

Country Destination Domain Proto
N/A 10.10.1.11:5552 tcp
N/A 10.10.1.11:5552 tcp
N/A 10.10.1.11:5552 tcp
N/A 10.10.1.11:5552 tcp
N/A 10.10.1.11:5552 tcp
N/A 10.10.1.11:5552 tcp

Files

\Users\Admin\AppData\Local\Temp\642\642.exe

MD5 d2a1fbccc12adc5f444e024e94abfd4c
SHA1 40536717fe5ea008d34ec53959834b2fed86369a
SHA256 f94c60a2787bbb7178b62891a351761afb414df5b050de2eac9525aaa8a92dcf
SHA512 72001ff781774b647bf85871ced798f1ebb10d8c7abb161e659d174fb0fb6617f2b011991419b870d347e042c7cbdfb5509b03ec7cf8a60a446832fc3f28e1e9

memory/2756-23-0x00000000748F1000-0x00000000748F2000-memory.dmp

memory/2756-25-0x00000000748F0000-0x0000000074E9B000-memory.dmp

memory/2756-24-0x00000000748F0000-0x0000000074E9B000-memory.dmp

memory/2756-33-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-29 04:14

Reported

2024-09-29 04:17

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eee08cea677b93199fd1ad83347b8176bde16b3ee99c54f69c06a9e652217d5b.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\eee08cea677b93199fd1ad83347b8176bde16b3ee99c54f69c06a9e652217d5b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\eee08cea677b93199fd1ad83347b8176bde16b3ee99c54f69c06a9e652217d5b.exe N/A

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\eee08cea677b93199fd1ad83347b8176bde16b3ee99c54f69c06a9e652217d5b.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\642\642.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\642\642.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7657c14284185fbd3fb108b43c7467ba = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7657c14284185fbd3fb108b43c7467ba = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\eee08cea677b93199fd1ad83347b8176bde16b3ee99c54f69c06a9e652217d5b.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eee08cea677b93199fd1ad83347b8176bde16b3ee99c54f69c06a9e652217d5b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\642\642.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\eee08cea677b93199fd1ad83347b8176bde16b3ee99c54f69c06a9e652217d5b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\eee08cea677b93199fd1ad83347b8176bde16b3ee99c54f69c06a9e652217d5b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\eee08cea677b93199fd1ad83347b8176bde16b3ee99c54f69c06a9e652217d5b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\eee08cea677b93199fd1ad83347b8176bde16b3ee99c54f69c06a9e652217d5b.exe

"C:\Users\Admin\AppData\Local\Temp\eee08cea677b93199fd1ad83347b8176bde16b3ee99c54f69c06a9e652217d5b.exe"

C:\Users\Admin\AppData\Local\Temp\642\642.exe

"C:\Users\Admin\AppData\Local\Temp\642\642.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
N/A 10.10.1.11:5552 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
N/A 10.10.1.11:5552 tcp
N/A 10.10.1.11:5552 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
N/A 10.10.1.11:5552 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
N/A 10.10.1.11:5552 tcp
N/A 10.10.1.11:5552 tcp

Files

C:\Users\Admin\AppData\Local\Temp\642\642.exe

MD5 d2a1fbccc12adc5f444e024e94abfd4c
SHA1 40536717fe5ea008d34ec53959834b2fed86369a
SHA256 f94c60a2787bbb7178b62891a351761afb414df5b050de2eac9525aaa8a92dcf
SHA512 72001ff781774b647bf85871ced798f1ebb10d8c7abb161e659d174fb0fb6617f2b011991419b870d347e042c7cbdfb5509b03ec7cf8a60a446832fc3f28e1e9

memory/1032-16-0x0000000072DE2000-0x0000000072DE3000-memory.dmp

memory/1032-17-0x0000000072DE0000-0x0000000073391000-memory.dmp

memory/1032-18-0x0000000072DE0000-0x0000000073391000-memory.dmp

memory/2568-30-0x0000000072DE0000-0x0000000073391000-memory.dmp

memory/1032-29-0x0000000072DE0000-0x0000000073391000-memory.dmp

memory/2568-28-0x0000000072DE0000-0x0000000073391000-memory.dmp

memory/2568-31-0x0000000072DE0000-0x0000000073391000-memory.dmp