Malware Analysis Report

2025-03-15 06:23

Sample ID 241001-d3ra2sybqq
Target 307b96d57138b6d00f497d65316874c5c93a734fd4e3d97e8c6beb33afba87ceN
SHA256 307b96d57138b6d00f497d65316874c5c93a734fd4e3d97e8c6beb33afba87ce
Tags
njrat hacked discovery evasion persistence privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

307b96d57138b6d00f497d65316874c5c93a734fd4e3d97e8c6beb33afba87ce

Threat Level: Known bad

The file 307b96d57138b6d00f497d65316874c5c93a734fd4e3d97e8c6beb33afba87ceN was found to be: Known bad.

Malicious Activity Summary

njrat hacked discovery evasion persistence privilege_escalation trojan

njRAT/Bladabindi

Disables Task Manager via registry modification

Drops file in Drivers directory

Modifies Windows Firewall

Checks computer location settings

Loads dropped DLL

Drops startup file

Executes dropped EXE

Uses the VBS compiler for execution

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Event Triggered Execution: Netsh Helper DLL

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Modifies registry key

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-01 03:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-01 03:32

Reported

2024-10-01 03:34

Platform

win7-20240903-en

Max time kernel

120s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\307b96d57138b6d00f497d65316874c5c93a734fd4e3d97e8c6beb33afba87ceN.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Disables Task Manager via registry modification

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\LocalfRDeAalfWC.exe N/A

Note: the only indicator under this signature is the hosts file, which merely lives under drivers\etc; no driver was dropped. fRDeAalfWC.exe opened the hosts file for writing, so treat this as hosts-file tampering: diff the file against a known-good copy and look for added entries (security-vendor or update hostnames pointed at 127.0.0.1 or 0.0.0.0 are the usual pattern).

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Note: the table carries no indicator, but the netsh.exe command line under Processes shows what happened: the legacy "netsh firewall add allowedprogram" context (deprecated in favour of netsh advfirewall but still honoured) whitelists C:\ProgramData\Dllhost.exe for inbound connections. On a suspect host, check the firewall's allowed-program and rule lists for any entry that references ProgramData\Dllhost.exe.

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32ce84f74d25f1e71aac67667a2c8d24.exe C:\ProgramData\Dllhost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32ce84f74d25f1e71aac67667a2c8d24.exe C:\ProgramData\Dllhost.exe N/A

Uses the VBS compiler for execution

Note: the "VBS compiler" is vbc.exe, the Visual Basic .NET compiler shipped with .NET Framework 2.0. It is started with no arguments by %tmp%.exe (PID 3028), which is not a compile; the process is used as a host for injected code (see SetThreadContext below).

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Roaming\\rundll32 .exe" C:\Users\Admin\AppData\LocalfRDeAalfWC.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\%tmp%.exe = "C:\\Program Files (x86)\\%tmp%.exe" C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\32ce84f74d25f1e71aac67667a2c8d24 = "\"C:\\ProgramData\\Dllhost.exe\" .." C:\ProgramData\Dllhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\32ce84f74d25f1e71aac67667a2c8d24 = "\"C:\\ProgramData\\Dllhost.exe\" .." C:\ProgramData\Dllhost.exe N/A

Note: three separate Run-key entries are written, each masquerading as a Windows component: "rundll32 .exe" (note the space before the extension) under AppData\Roaming, a literal, unexpanded "%tmp%.exe" under Program Files (x86), and a ProgramData copy named Dllhost.exe whose HKCU and HKLM values use the "\"<path>\" .." form characteristic of njRAT. None of these is the genuine System32 binary of the same name, so hunt on the full path, not the file name.

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3028 set thread context of 1184 N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Note: together with the eight WriteProcessMemory events from PID 3028 into PID 1184 and the memory/1184 dumps of 0x400000-0x40C000 under Files, this is process hollowing of vbc.exe (T1055.012): the compiler is created, its image region overwritten with the payload, and the main thread resumed with a new context. The payload to analyse is the 1184 dump, not vbc.exe.

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\%tmp%.exe C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
File opened for modification C:\Program Files (x86)\%tmp%.exe C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Note: all three indicators are reads (open, query, enumerate) of the NetSh key by netsh.exe itself, which is how netsh locates its registered helper DLLs every time it starts. No value under that key is set in this run, so the T1546.007 mapping and the persistence/privilege_escalation labels are an over-fit of netsh's normal start-up. The persistence actually observed is the Run keys and the Startup-folder copy; netsh was invoked only for the firewall exception.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\88590.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\LocalfRDeAalfWC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Dllhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rEG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Note: nearly every process in this run, Microsoft's own compilers and cmd.exe included, opened this key; it is read during ordinary locale initialisation and is low-signal on its own. Do not treat it as evidence of geofencing.

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rEG.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Events
N/A N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe N/A 18
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A 46

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Events
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe N/A 1
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A 1
Token: SeDebugPrivilege N/A C:\ProgramData\Dllhost.exe N/A 1
Token: 33 N/A C:\ProgramData\Dllhost.exe N/A 13
Token: SeIncBasePriorityPrivilege N/A C:\ProgramData\Dllhost.exe N/A 13

Note: Dllhost.exe requested "Token: 33" and SeIncBasePriorityPrivilege in alternating pairs, 13 times each. The privilege that matters for cross-process access is SeDebugPrivilege, which all three payload stages (dropper, %tmp%.exe loader and the Dllhost.exe RAT) enable.

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 2808 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\307b96d57138b6d00f497d65316874c5c93a734fd4e3d97e8c6beb33afba87ceN.exe C:\Users\Admin\AppData\LocalfRDeAalfWC.exe 4
PID 372 wrote to memory of 2608 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Windows\SysWOW64\cmd.exe 4
PID 372 wrote to memory of 3044 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Windows\Temp\System.exe 4
PID 372 wrote to memory of 2332 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Windows\Temp\System.exe 4
PID 372 wrote to memory of 2840 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Windows\Temp\System.exe 4
PID 372 wrote to memory of 2880 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Windows\Temp\System.exe 4
PID 2608 wrote to memory of 1096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wscript.exe 4
PID 372 wrote to memory of 2972 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Program Files\VideoLAN\VLC\vlc.exe 4
PID 372 wrote to memory of 3028 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Users\Admin\AppData\Local\Temp\%tmp%.exe 4
PID 372 wrote to memory of 1324 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Windows\SysWOW64\REG.exe 4
PID 372 wrote to memory of 2020 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Windows\SysWOW64\rEG.exe 4
PID 1096 wrote to memory of 1180 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\cmd.exe 4
PID 3028 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 4
PID 2512 wrote to memory of 2408 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe 4
PID 3028 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 8

Note: every ordinary child spawn in this run shows exactly four write events from its parent; vbc.exe (PID 1184) shows eight from %tmp%.exe, the extra writes being the payload copied into the child before the SetThreadContext call above. Read this table as the process tree: dropper -> fRDeAalfWC.exe -> {cmd.exe -> wscript.exe -> cmd.exe, five System.exe instances, vlc.exe, %tmp%.exe -> {csc.exe -> cvtres.exe, vbc.exe}, REG.exe, rEG.exe}.
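The tree described in that note can be rebuilt mechanically from the table rows. The following is an added example for this report, not part of the sandbox output: it parses the "PID X wrote to memory of Y" rows exactly as printed above (each paired with its repeat count so the 64 raw lines can be regenerated without pasting them), reconstructs the parent/child edges, and flags any edge whose write count exceeds the per-spawn baseline. The baseline of four writes per spawn is an assumption taken from this report, not a Windows constant.

```python
"""Rebuild the process tree from the sandbox's 'Suspicious use of WriteProcessMemory' rows.

Added example for this report. REPORT_ROWS holds the distinct rows of the behavioral1
table, each with the number of times it repeats there; RAW_TEXT expands them back into
the raw report text that parse_edges() consumes.
"""
import re
from collections import Counter, defaultdict

REPORT_ROWS = [
    (r"PID 2808 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\307b96d57138b6d00f497d65316874c5c93a734fd4e3d97e8c6beb33afba87ceN.exe C:\Users\Admin\AppData\LocalfRDeAalfWC.exe", 4),
    (r"PID 372 wrote to memory of 2608 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Windows\SysWOW64\cmd.exe", 4),
    (r"PID 372 wrote to memory of 3044 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Windows\Temp\System.exe", 4),
    (r"PID 372 wrote to memory of 2332 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Windows\Temp\System.exe", 4),
    (r"PID 372 wrote to memory of 2840 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Windows\Temp\System.exe", 4),
    (r"PID 372 wrote to memory of 2880 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Windows\Temp\System.exe", 4),
    (r"PID 2608 wrote to memory of 1096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wscript.exe", 4),
    (r"PID 372 wrote to memory of 2972 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Program Files\VideoLAN\VLC\vlc.exe", 4),
    (r"PID 372 wrote to memory of 3028 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Users\Admin\AppData\Local\Temp\%tmp%.exe", 4),
    (r"PID 372 wrote to memory of 1324 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Windows\SysWOW64\REG.exe", 4),
    (r"PID 372 wrote to memory of 2020 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Windows\SysWOW64\rEG.exe", 4),
    (r"PID 1096 wrote to memory of 1180 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\cmd.exe", 4),
    (r"PID 3028 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe", 4),
    (r"PID 2512 wrote to memory of 2408 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe", 4),
    (r"PID 3028 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe", 8),
]
RAW_TEXT = "\n".join(row for row, n in REPORT_ROWS for _ in range(n))

# Parent and child are full paths that may contain spaces, so anchor each on its '.exe'.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+\.exe)$", re.I)


def parse_edges(text):
    """Map (ppid, pid) -> (parent_image, child_image) and count write events per edge."""
    edges, writes = {}, Counter()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ppid, pid, parent, child = m.groups()
        edges[(int(ppid), int(pid))] = (parent, child)
        writes[(int(ppid), int(pid))] += 1
    return edges, writes


def build_tree(edges):
    """Return the children map, a pid->image map and the root PIDs (parents nobody spawned)."""
    children, names = defaultdict(list), {}
    for (ppid, pid), (pimg, cimg) in edges.items():
        children[ppid].append(pid)
        names.setdefault(ppid, pimg)
        names[pid] = cimg
    spawned = {pid for _, pid in edges}
    roots = sorted(p for p in children if p not in spawned)
    return children, names, roots


def render(children, names, roots, writes, baseline=4):
    """Indented tree; an edge with more writes than the per-spawn baseline is flagged.

    baseline=4 is an assumption taken from this report, where every ordinary child
    spawn shows exactly four parent writes.
    """
    lines = []

    def walk(pid, depth, ppid=None):
        flag = ""
        if ppid is not None and writes[(ppid, pid)] > baseline:
            flag = f"  <-- {writes[(ppid, pid)]} writes: extra payload writes, consistent with hollowing"
        lines.append("  " * depth + f"{pid} {names[pid]}{flag}")
        for child in children.get(pid, []):
            walk(child, depth + 1, pid)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    edges, writes = parse_edges(RAW_TEXT)
    print("\n".join(render(*build_tree(edges), writes)))
```

Run stand-alone it prints the tree rooted at PID 2808 with only the 3028 -> 1184 (vbc.exe) edge flagged. The same parser works on any report in this format; only the baseline needs re-checking per sandbox, since the number of writes per spawn depends on how the sandbox instruments CreateProcess.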

Processes

C:\Users\Admin\AppData\Local\Temp\307b96d57138b6d00f497d65316874c5c93a734fd4e3d97e8c6beb33afba87ceN.exe

"C:\Users\Admin\AppData\Local\Temp\307b96d57138b6d00f497d65316874c5c93a734fd4e3d97e8c6beb33afba87ceN.exe"

C:\Users\Admin\AppData\LocalfRDeAalfWC.exe

"C:\Users\Admin\AppData\LocalfRDeAalfWC.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\java.bat" "

C:\Windows\Temp\System.exe

C:\Windows\Temp\System.exe

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Roaming\invs.vbs" "C:\Users\Admin\AppData\Roaming\java2.bat

C:\Windows\Temp\System.exe

C:\Windows\Temp\System.exe

C:\Windows\Temp\System.exe

C:\Windows\Temp\System.exe

C:\Windows\Temp\System.exe

C:\Windows\Temp\System.exe

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Default.mp3"

Note: the dropper opens the bundled Default.mp3 in VLC as a decoy so the victim sees the media file they expected. The signatures attributed to vlc.exe above (SetWindowsHookEx, AddClipboardFormatListener, GetForegroundWindowSpam) come from the legitimate VLC binary, which received only the baseline four parent writes, so they are VLC's own GUI behaviour rather than injected code.

C:\Users\Admin\AppData\Local\Temp\%tmp%.exe

"C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"

C:\Windows\SysWOW64\REG.exe

REG add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\rEG.exe

rEG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

Note: two policy values are set with reg.exe (T1562.001): DisableCMD under HKCU\Software\Policies\Microsoft\Windows\System and DisableTaskMgr under HKCU\...\CurrentVersion\Policies\System, locking the user out of cmd.exe and Task Manager. The second call uses the mixed-case image name rEG.exe; the loader does not care, but case-sensitive command-line detections do, so match on the normalised image path and delete both values during clean-up.

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\java2.bat" "

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cxyettkl.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF191.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF190.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 404

C:\Users\Admin\AppData\Roaming\88590.exe

"C:\Users\Admin\AppData\Roaming\88590.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 1108

Note: dw20.exe is the .NET Framework 2.0 Watson error-reporting dialog that the CLR launches on an unhandled managed exception. Two instances mean two of the managed stages crashed during this Windows 7 detonation, so some behaviour may be missing from behavioral1 compared with the Windows 10 run.

C:\ProgramData\Dllhost.exe

"C:\ProgramData\Dllhost.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\ProgramData\Dllhost.exe" "Dllhost.exe" ENABLE
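The command lines above are what a detection engineer would turn into rules. The following is an added example for this report, not part of the sandbox output: a small rule set run over constructed event records modelled on Sysmon event 1 (process create) and event 13 (registry value set), with the command lines and Run-key value copied from this Processes table plus one benign control record. The image name is normalised so the mixed-case rEG.exe hits the same rule as REG.exe, and Run-key targets and compiler parents are judged by whether they sit in a user-writable location. The set of user-writable prefixes and the benign vendor updater path are assumptions for the example.

```python
"""Rule-based triage of process-creation and registry events built from this report.

Added example, not part of the sandbox output. EVENTS are constructed records modelled on
Sysmon event 1 (process create) and 13 (registry value set); the command lines and the
Run-key value are copied from the report, plus one benign control record.
"""
import re
from pathlib import PureWindowsPath

EVENTS = [
    {"type": "process", "image": r"C:\Windows\SysWOW64\rEG.exe",
     "parent": r"C:\Users\Admin\AppData\LocalfRDeAalfWC.exe",
     "cmd": r"rEG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"},
    {"type": "process", "image": r"C:\Windows\SysWOW64\REG.exe",
     "parent": r"C:\Users\Admin\AppData\LocalfRDeAalfWC.exe",
     "cmd": r"REG add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f"},
    {"type": "process", "image": r"C:\Windows\SysWOW64\netsh.exe",
     "parent": r"C:\ProgramData\Dllhost.exe",
     "cmd": r'netsh firewall add allowedprogram "C:\ProgramData\Dllhost.exe" "Dllhost.exe" ENABLE'},
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "parent": r"C:\Users\Admin\AppData\Local\Temp\%tmp%.exe",
     "cmd": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"},
    {"type": "process", "image": r"C:\Windows\SysWOW64\wscript.exe",
     "parent": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'wscript.exe "C:\Users\Admin\AppData\Roaming\invs.vbs" "C:\Users\Admin\AppData\Roaming\java2.bat'},
    {"type": "registry", "image": r"C:\ProgramData\Dllhost.exe",
     "key": r"HKU\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\32ce84f74d25f1e71aac67667a2c8d24",
     "value": r'"C:\ProgramData\Dllhost.exe" ..'},
    # Benign control (assumed): a vendor updater registering its own Run key from Program Files.
    {"type": "registry", "image": r"C:\Program Files\Vendor\Updater.exe",
     "key": r"HKU\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "value": r'"C:\Program Files\Vendor\Updater.exe" /background'},
]

# Locations a standard user can write to (assumed list); Run-key targets and
# compiler parents found here are suspect.
USER_WRITABLE = re.compile(
    r"^(?:C:\\Users\\[^\\]+\\(?:AppData|Public)\\|C:\\ProgramData\\|C:\\Windows\\Temp\\)", re.I)


def image_name(path):
    """Normalise the image so 'rEG.exe' and 'REG.exe' hit the same rule."""
    return PureWindowsPath(path).name.lower()


def rule_policy_tamper(ev):
    """T1562.001: reg.exe setting a lock-out policy value to 1."""
    if ev["type"] != "process" or image_name(ev["image"]) != "reg.exe":
        return None
    m = re.search(r"/v\s+(DisableTaskMgr|DisableCMD|DisableRegistryTools)\b.*?/d\s+1\b", ev["cmd"], re.I)
    return f"T1562.001 {m.group(1)} set via reg.exe" if m else None


def rule_firewall_exception(ev):
    """T1562.004: netsh adding an allowed program or rule (legacy and advfirewall syntax)."""
    if ev["type"] != "process" or image_name(ev["image"]) != "netsh.exe":
        return None
    c = ev["cmd"].lower()
    if "add allowedprogram" in c or ("advfirewall" in c and "add rule" in c):
        return "T1562.004 firewall exception added by netsh"
    return None


def rule_run_key_user_path(ev):
    """T1547.001: Run key whose target lives in a user-writable directory."""
    if ev["type"] != "registry" or "\\currentversion\\run\\" not in ev["key"].lower():
        return None
    target = ev["value"].strip().lstrip('"').split('"')[0]  # first token, quotes stripped
    return "T1547.001 Run key points into user-writable path" if USER_WRITABLE.match(target) else None


def rule_compiler_from_user_path(ev):
    """T1127: .NET compiler spawned by a parent in a user-writable path (vbc.exe here is a hollowing host, T1055.012)."""
    if ev["type"] != "process" or image_name(ev["image"]) not in {"csc.exe", "vbc.exe"}:
        return None
    return "T1127 .NET compiler spawned from user-writable parent" if USER_WRITABLE.match(ev["parent"]) else None


def rule_wscript_appdata(ev):
    """T1059.005: script host executing a .vbs from AppData."""
    if ev["type"] != "process" or image_name(ev["image"]) not in {"wscript.exe", "cscript.exe"}:
        return None
    return "T1059.005 script host running .vbs from AppData" if re.search(r"appdata\\.*?\.vbs", ev["cmd"], re.I) else None


RULES = [rule_policy_tamper, rule_firewall_exception, rule_run_key_user_path,
         rule_compiler_from_user_path, rule_wscript_appdata]


def triage(events):
    """Return (verdict, normalised image) for every rule that fires on every event."""
    hits = []
    for ev in events:
        for rule in RULES:
            verdict = rule(ev)
            if verdict:
                hits.append((verdict, image_name(ev["image"])))
    return hits


if __name__ == "__main__":
    for verdict, image in triage(EVENTS):
        print(f"{image:12} {verdict}")
```

Six hits fire on the report's events and none on the control record. Each rule keys on the normalised image name plus a behavioural condition rather than on the exact command string, which is what survives trivial evasions such as the mixed-case image name, re-ordered switches or the legacy-versus-advfirewall netsh syntax.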

Network

Country Destination Domain Proto Events
US 8.8.8.8:53 22.ip.gl.ply.gg udp 1
US 147.185.221.22:57731 22.ip.gl.ply.gg tcp 5

Note: 22.ip.gl.ply.gg is a hostname from the playit.gg tunnelling service, so 147.185.221.22:57731 is a public relay endpoint rather than the operator's own host; the real C2 sits behind the tunnel. Pivot on the hostname (and on *.ply.gg generally) rather than on the IP/port pair, which the relay can reassign. The five identical TCP rows are repeated connection attempts to the same endpoint inside the 117-second network window, i.e. the client's reconnect behaviour.

Files

memory/2808-0-0x000007FEF5B0E000-0x000007FEF5B0F000-memory.dmp

C:\Users\Admin\AppData\LocalfRDeAalfWC.exe

MD5 97ae997014319227a2a3b08033fd81df
SHA1 95b7acd68273a81951ed13890ac6efd746258c42
SHA256 ef41566edb201f685cfedd097970f9b1edb4832c2dabb6309a79f0fb34ee0402
SHA512 103931d8c70e3d9a3f1757b81428b7313c7cda178f3d19ffb4c1ee169e3c642156468ea8d9a4c33802bc0afc0408bc81a6d248789c023565f31b8dd7f45c0fd1

memory/372-13-0x0000000074972000-0x0000000074974000-memory.dmp

memory/372-12-0x00000000009D0000-0x0000000000A10000-memory.dmp

memory/2808-11-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

memory/2808-10-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

memory/372-14-0x0000000074970000-0x0000000074F1B000-memory.dmp

memory/2808-15-0x0000000000AC0000-0x0000000000AD0000-memory.dmp

memory/372-18-0x0000000074970000-0x0000000074F1B000-memory.dmp

memory/2808-16-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

C:\Users\Admin\AppData\Roaming\java.bat

MD5 1896de26a454df8628034ca3e0649905
SHA1 76b98d95a85d043539706b89194c46cf14464abe
SHA256 d85e713743c7e622166fb0f79478de5eabd53d3fe92bd2011ab441bc85ef2208
SHA512 ef69dacd7e717dff05f8a70c5b9a94011f2df3201cc41d5f8cc030f350b069dc090c5b0d3d0bd19098a187977a82d570e1ee153849f609a65889ba789da953d2

\Windows\Temp\System.exe

MD5 34aa912defa18c2c129f1e09d75c1d7e
SHA1 9c3046324657505a30ecd9b1fdb46c05bde7d470
SHA256 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
SHA512 d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

\Users\Admin\AppData\Local\Temp\%tmp%.exe

MD5 6b97067ea717e5c72685a38a15109ecc
SHA1 0ec286ff24307650bcd1881106980d420c646610
SHA256 b62c4ffb4b0622b0dc2fcf684b86863a54636c3af773e71a036c3064075eaf17
SHA512 80613f0da03c01d5d35dedb4617e811a7b2e72032eeedc5ccdb2b8f6c6408ec9f66ad3f9a10f6e357e4ec85c9bb8374c3d64874a5d9699e6def23cdc9748fb7d

C:\Users\Admin\AppData\Roaming\invs.vbs

MD5 c578d9653b22800c3eb6b6a51219bbb8
SHA1 a97aa251901bbe179a48dbc7a0c1872e163b1f2d
SHA256 20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2
SHA512 3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

C:\Users\Admin\AppData\Roaming\java2.bat

MD5 e8170b6565dfb34d114cfa398ba77296
SHA1 9079335b0ec9a509b7344cb98713fc0b52afa36e
SHA256 76ff7c88cc815c8acd61f835033baf5b92eee085e7316c7230f7c363d1e1974b
SHA512 1b473fe0a68642ff1741f4619f819b040f8d54696d40e74dd9ad692b56729e455bbe54cb76b382bb1fce5e1eae97dd8c99aeb762915f7147bba59d0ba60d004d

C:\Users\Admin\AppData\Local\Temp\Default.mp3

MD5 071720d5f39c31b27711d70b09ef9b3b
SHA1 1fe68bf69c8418454a0d91ad321b99fe9065a1db
SHA256 f8bc97b18db5452e5be748390037c16e606aaf0f61f0896531528d0d5fd08cc7
SHA512 7db5e2039e075916874b071f30aef7c29133182b9bdbc2e3cb9c2296db8a67f2cfd4e49701d85126b6b58d59bd6198f2ce6c5f4eec382209a6576c628d354014

\??\c:\Users\Admin\AppData\Local\Temp\cxyettkl.cmdline

MD5 c773d7ef7586d1d257d99ca28b18cf0a
SHA1 7e23aceefaeacbb4e01d20e07465b18109d91ff0
SHA256 027380b2db8ece17d9ad88b2ce7004f54f55c6be11c188aa24aa51da291a2200
SHA512 5030e00272d531dbff6378ed3c90fb7e689c034ae7e02505013f81165f2f1eda769287a3755ce0d5aac237ec5cf2ac72ec3fce3ca6bc7a64526b550dd7ab7d81

\??\c:\Users\Admin\AppData\Local\Temp\cxyettkl.0.cs

MD5 b63430207638c1a36b9b27002e0da3da
SHA1 54356082f32c71498c4ac5f85f4588e0d1c57ad0
SHA256 fa125ed8e48d596788a8ad5589bc996b918de3fc27008bea888b9e1b5efa2193
SHA512 29ea956fb37628dac43693d5f234698510923d562ab22e53131b1919f788ed5fd3116ed501be79554e47113d795b06f5ad255c7dfee2bb9e021eb0ab14e9b737

C:\Users\Admin\AppData\Local\Temp\cxyettkl.dll

MD5 b11cec678c53eeb81fba231d72a07b45
SHA1 f3d1938b40218eea584e71f552c291ac83dd016d
SHA256 ec116f031b8d6e8f4f2fe81376436198a605cd53181dd697819edf5f126825e0
SHA512 acb3bef7a0a5b343317d11d40a2e77c589a9fca650963c7a9883968272893875d0312e5ad15019d492ad87d7913620da9b3d9683f5fab9deee96bb505093cc9a

C:\Users\Admin\AppData\Local\Temp\RESF191.tmp

MD5 0dbdd307f04c80ea0dab3cb1f2cb8853
SHA1 3371a811e9fafe004da12c4b5e63c5c6dd09b42c
SHA256 da69fc919b81b7961da1ba0dd19afa70f0e7ab8a1d44ca96aa4e49887b351c30
SHA512 45ce70633888b3b54216ab9c5ec6f8d63036e34ba733709af35d00083dd813dba689fd82a01d227df7ab29f0be60ecfad4b12fc77c9e6e141e87a42af1d39569

\??\c:\Users\Admin\AppData\Local\Temp\CSCF190.tmp

MD5 f70e631a1a44542dfc072c473d8b4965
SHA1 d854536a8555234bc2637810b365125575123184
SHA256 5fe10afb98c6f23fca1da0f10938e8fbee443d44faa4b72814c95725913d61a6
SHA512 4c6bcbb10f815817b80ffdab46bbf91851ca92429de9c6114d6c836db683de38509df19938afe347fd3af7fde30ed3ec885907db7ef5a6988892e1681f7909a5

memory/1184-86-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1184-88-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1184-85-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1184-83-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1184-81-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1184-79-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1184-77-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1184-87-0x0000000000400000-0x000000000040C000-memory.dmp

memory/372-110-0x0000000074972000-0x0000000074974000-memory.dmp

memory/372-109-0x00000000009D0000-0x0000000000A10000-memory.dmp

memory/372-111-0x0000000074970000-0x0000000074F1B000-memory.dmp

memory/2972-112-0x000000013F320000-0x000000013F418000-memory.dmp

memory/2972-113-0x000007FEF7980000-0x000007FEF79B4000-memory.dmp

memory/2972-115-0x000007FEF68C0000-0x000007FEF68D8000-memory.dmp

memory/2972-114-0x000007FEF5F30000-0x000007FEF61E6000-memory.dmp

memory/2972-116-0x000007FEF66E0000-0x000007FEF66F7000-memory.dmp

memory/2972-117-0x000007FEF65B0000-0x000007FEF65C1000-memory.dmp

memory/2972-118-0x000007FEF6590000-0x000007FEF65A7000-memory.dmp

memory/2972-119-0x000007FEF6570000-0x000007FEF6581000-memory.dmp

memory/2972-120-0x000007FEF5DE0000-0x000007FEF5DFD000-memory.dmp

memory/2972-121-0x000007FEF5DC0000-0x000007FEF5DD1000-memory.dmp

memory/2972-123-0x000007FEF4B00000-0x000007FEF4D0B000-memory.dmp

memory/2972-122-0x000007FEF4D10000-0x000007FEF5DC0000-memory.dmp

memory/2972-124-0x000007FEF4AB0000-0x000007FEF4AF1000-memory.dmp

memory/2972-125-0x000007FEF4A80000-0x000007FEF4AA1000-memory.dmp

memory/2972-126-0x000007FEF4A60000-0x000007FEF4A78000-memory.dmp

memory/2972-127-0x000007FEF4A40000-0x000007FEF4A51000-memory.dmp

memory/2972-128-0x000007FEF4A20000-0x000007FEF4A31000-memory.dmp

memory/2972-129-0x000007FEF4A00000-0x000007FEF4A11000-memory.dmp

memory/2972-130-0x000007FEF49E0000-0x000007FEF49FB000-memory.dmp

memory/2972-132-0x000007FEF49A0000-0x000007FEF49B8000-memory.dmp

memory/2972-131-0x000007FEF49C0000-0x000007FEF49D1000-memory.dmp

memory/2972-133-0x000007FEF4970000-0x000007FEF49A0000-memory.dmp

memory/2972-134-0x000007FEF4900000-0x000007FEF4967000-memory.dmp

memory/2972-135-0x000007FEF4880000-0x000007FEF48FC000-memory.dmp

memory/2972-136-0x000007FEF4860000-0x000007FEF4871000-memory.dmp

memory/2972-137-0x000007FEF4840000-0x000007FEF4858000-memory.dmp

memory/2972-138-0x000007FEF4820000-0x000007FEF4831000-memory.dmp

memory/2972-139-0x000007FEF47C0000-0x000007FEF4817000-memory.dmp

memory/2972-140-0x000007FEF4790000-0x000007FEF47BF000-memory.dmp

memory/2972-141-0x000007FEF4770000-0x000007FEF4783000-memory.dmp

memory/2972-142-0x000007FEF4750000-0x000007FEF4761000-memory.dmp

memory/2972-144-0x000007FEF4240000-0x000007FEF4268000-memory.dmp

memory/2972-143-0x000007FEF4680000-0x000007FEF4745000-memory.dmp

memory/2972-145-0x000007FEF4210000-0x000007FEF4234000-memory.dmp

memory/2972-146-0x000007FEFB9F0000-0x000007FEFBA00000-memory.dmp

memory/2972-147-0x000007FEF41F0000-0x000007FEF4206000-memory.dmp

memory/2972-148-0x000007FEF41A0000-0x000007FEF41E2000-memory.dmp

memory/2972-149-0x000007FEF4130000-0x000007FEF4192000-memory.dmp

memory/2972-150-0x000007FEF40C0000-0x000007FEF412D000-memory.dmp

memory/372-152-0x0000000074970000-0x0000000074F1B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-01 03:32

Reported

2024-10-01 03:34

Platform

win10v2004-20240802-en

Max time kernel

120s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\307b96d57138b6d00f497d65316874c5c93a734fd4e3d97e8c6beb33afba87ceN.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Disables Task Manager via registry modification

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\LocalfRDeAalfWC.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\307b96d57138b6d00f497d65316874c5c93a734fd4e3d97e8c6beb33afba87ceN.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\LocalfRDeAalfWC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\23526.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32ce84f74d25f1e71aac67667a2c8d24.exe C:\ProgramData\Dllhost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32ce84f74d25f1e71aac67667a2c8d24.exe C:\ProgramData\Dllhost.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Roaming\\rundll32 .exe" C:\Users\Admin\AppData\LocalfRDeAalfWC.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\%tmp%.exe = "C:\\Program Files (x86)\\%tmp%.exe" C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\32ce84f74d25f1e71aac67667a2c8d24 = "\"C:\\ProgramData\\Dllhost.exe\" .." C:\ProgramData\Dllhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\32ce84f74d25f1e71aac67667a2c8d24 = "\"C:\\ProgramData\\Dllhost.exe\" .." C:\ProgramData\Dllhost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3732 set thread context of 1536 N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\%tmp%.exe C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
File opened for modification C:\Program Files (x86)\%tmp%.exe C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\LocalfRDeAalfWC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rEG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\23526.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Dllhost.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings C:\Users\Admin\AppData\LocalfRDeAalfWC.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rEG.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Dllhost.exe N/A
Token: 33 N/A C:\ProgramData\Dllhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\ProgramData\Dllhost.exe N/A
Token: 33 N/A C:\ProgramData\Dllhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\ProgramData\Dllhost.exe N/A
Token: 33 N/A C:\ProgramData\Dllhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\ProgramData\Dllhost.exe N/A
Token: 33 N/A C:\ProgramData\Dllhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\ProgramData\Dllhost.exe N/A
Token: 33 N/A C:\ProgramData\Dllhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\ProgramData\Dllhost.exe N/A
Token: 33 N/A C:\ProgramData\Dllhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\ProgramData\Dllhost.exe N/A
Token: 33 N/A C:\ProgramData\Dllhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\ProgramData\Dllhost.exe N/A
Token: 33 N/A C:\ProgramData\Dllhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\ProgramData\Dllhost.exe N/A
Token: 33 N/A C:\ProgramData\Dllhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\ProgramData\Dllhost.exe N/A
Token: 33 N/A C:\ProgramData\Dllhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\ProgramData\Dllhost.exe N/A
Token: 33 N/A C:\ProgramData\Dllhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\ProgramData\Dllhost.exe N/A
Token: 33 N/A C:\ProgramData\Dllhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\ProgramData\Dllhost.exe N/A
Token: 33 N/A C:\ProgramData\Dllhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\ProgramData\Dllhost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1188 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\307b96d57138b6d00f497d65316874c5c93a734fd4e3d97e8c6beb33afba87ceN.exe C:\Users\Admin\AppData\LocalfRDeAalfWC.exe
PID 1188 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\307b96d57138b6d00f497d65316874c5c93a734fd4e3d97e8c6beb33afba87ceN.exe C:\Users\Admin\AppData\LocalfRDeAalfWC.exe
PID 1188 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\307b96d57138b6d00f497d65316874c5c93a734fd4e3d97e8c6beb33afba87ceN.exe C:\Users\Admin\AppData\LocalfRDeAalfWC.exe
PID 1212 wrote to memory of 60 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Windows\SysWOW64\cmd.exe
PID 1212 wrote to memory of 60 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Windows\SysWOW64\cmd.exe
PID 1212 wrote to memory of 60 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Windows\SysWOW64\cmd.exe
PID 60 wrote to memory of 3120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wscript.exe
PID 60 wrote to memory of 3120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wscript.exe
PID 60 wrote to memory of 3120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wscript.exe
PID 1212 wrote to memory of 2268 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Windows\Temp\System.exe
PID 1212 wrote to memory of 2268 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Windows\Temp\System.exe
PID 1212 wrote to memory of 2268 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Windows\Temp\System.exe
PID 1212 wrote to memory of 1944 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Windows\Temp\System.exe
PID 1212 wrote to memory of 1944 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Windows\Temp\System.exe
PID 1212 wrote to memory of 1944 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Windows\Temp\System.exe
PID 1212 wrote to memory of 1092 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Windows\Temp\System.exe
PID 1212 wrote to memory of 1092 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Windows\Temp\System.exe
PID 1212 wrote to memory of 1092 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Windows\Temp\System.exe
PID 1212 wrote to memory of 1484 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Windows\Temp\System.exe
PID 1212 wrote to memory of 1484 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Windows\Temp\System.exe
PID 1212 wrote to memory of 1484 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Windows\Temp\System.exe
PID 1212 wrote to memory of 4432 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Program Files\VideoLAN\VLC\vlc.exe
PID 1212 wrote to memory of 4432 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Program Files\VideoLAN\VLC\vlc.exe
PID 1212 wrote to memory of 3732 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
PID 1212 wrote to memory of 3732 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
PID 1212 wrote to memory of 3732 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
PID 1212 wrote to memory of 4004 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Windows\SysWOW64\REG.exe
PID 1212 wrote to memory of 4004 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Windows\SysWOW64\REG.exe
PID 1212 wrote to memory of 4004 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Windows\SysWOW64\REG.exe
PID 1212 wrote to memory of 1988 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Windows\SysWOW64\rEG.exe
PID 1212 wrote to memory of 1988 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Windows\SysWOW64\rEG.exe
PID 1212 wrote to memory of 1988 N/A C:\Users\Admin\AppData\LocalfRDeAalfWC.exe C:\Windows\SysWOW64\rEG.exe
PID 3120 wrote to memory of 544 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\cmd.exe
PID 3120 wrote to memory of 544 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\cmd.exe
PID 3120 wrote to memory of 544 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\cmd.exe
PID 3732 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 3732 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 3732 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 452 wrote to memory of 2764 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 452 wrote to memory of 2764 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 452 wrote to memory of 2764 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3732 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3732 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3732 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3732 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3732 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3732 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3732 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3732 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1536 wrote to memory of 3276 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 1536 wrote to memory of 3276 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 1536 wrote to memory of 3276 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 3732 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe C:\Users\Admin\AppData\Roaming\23526.exe
PID 3732 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe C:\Users\Admin\AppData\Roaming\23526.exe
PID 3732 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe C:\Users\Admin\AppData\Roaming\23526.exe
PID 3732 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 3732 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 3732 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\%tmp%.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 4100 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Roaming\23526.exe C:\ProgramData\Dllhost.exe
PID 4100 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Roaming\23526.exe C:\ProgramData\Dllhost.exe
PID 4100 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Roaming\23526.exe C:\ProgramData\Dllhost.exe
PID 4296 wrote to memory of 4524 N/A C:\ProgramData\Dllhost.exe C:\Windows\SysWOW64\netsh.exe
PID 4296 wrote to memory of 4524 N/A C:\ProgramData\Dllhost.exe C:\Windows\SysWOW64\netsh.exe
PID 4296 wrote to memory of 4524 N/A C:\ProgramData\Dllhost.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\307b96d57138b6d00f497d65316874c5c93a734fd4e3d97e8c6beb33afba87ceN.exe

"C:\Users\Admin\AppData\Local\Temp\307b96d57138b6d00f497d65316874c5c93a734fd4e3d97e8c6beb33afba87ceN.exe"

C:\Users\Admin\AppData\LocalfRDeAalfWC.exe

"C:\Users\Admin\AppData\LocalfRDeAalfWC.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\java.bat" "

C:\Windows\Temp\System.exe

C:\Windows\Temp\System.exe

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Roaming\invs.vbs" "C:\Users\Admin\AppData\Roaming\java2.bat

C:\Windows\Temp\System.exe

C:\Windows\Temp\System.exe

C:\Windows\Temp\System.exe

C:\Windows\Temp\System.exe

C:\Windows\Temp\System.exe

C:\Windows\Temp\System.exe

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Default.mp3"

C:\Users\Admin\AppData\Local\Temp\%tmp%.exe

"C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"

C:\Windows\SysWOW64\REG.exe

REG add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\rEG.exe

rEG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\java2.bat" "

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l_yjabx1.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8DBA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8DB9.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 788

C:\Users\Admin\AppData\Roaming\23526.exe

"C:\Users\Admin\AppData\Roaming\23526.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 1864

C:\ProgramData\Dllhost.exe

"C:\ProgramData\Dllhost.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\ProgramData\Dllhost.exe" "Dllhost.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 22.ip.gl.ply.gg udp
US 147.185.221.22:57731 22.ip.gl.ply.gg tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 147.185.221.22:57731 22.ip.gl.ply.gg tcp
US 147.185.221.22:57731 22.ip.gl.ply.gg tcp
US 147.185.221.22:57731 22.ip.gl.ply.gg tcp
US 147.185.221.22:57731 22.ip.gl.ply.gg tcp

Files

memory/1188-0-0x00007FFDE9C95000-0x00007FFDE9C96000-memory.dmp

memory/1188-1-0x00007FFDE99E0000-0x00007FFDEA381000-memory.dmp

memory/1188-3-0x00007FFDE99E0000-0x00007FFDEA381000-memory.dmp

C:\Users\Admin\AppData\LocalfRDeAalfWC.exe

MD5 97ae997014319227a2a3b08033fd81df
SHA1 95b7acd68273a81951ed13890ac6efd746258c42
SHA256 ef41566edb201f685cfedd097970f9b1edb4832c2dabb6309a79f0fb34ee0402
SHA512 103931d8c70e3d9a3f1757b81428b7313c7cda178f3d19ffb4c1ee169e3c642156468ea8d9a4c33802bc0afc0408bc81a6d248789c023565f31b8dd7f45c0fd1

memory/1188-16-0x00007FFDE99E0000-0x00007FFDEA381000-memory.dmp

memory/1212-17-0x00000000749F2000-0x00000000749F3000-memory.dmp

memory/1212-18-0x00000000749F0000-0x0000000074FA1000-memory.dmp

memory/1212-19-0x00000000749F0000-0x0000000074FA1000-memory.dmp

memory/1212-20-0x00000000749F0000-0x0000000074FA1000-memory.dmp

C:\Users\Admin\AppData\Roaming\java.bat

MD5 1896de26a454df8628034ca3e0649905
SHA1 76b98d95a85d043539706b89194c46cf14464abe
SHA256 d85e713743c7e622166fb0f79478de5eabd53d3fe92bd2011ab441bc85ef2208
SHA512 ef69dacd7e717dff05f8a70c5b9a94011f2df3201cc41d5f8cc030f350b069dc090c5b0d3d0bd19098a187977a82d570e1ee153849f609a65889ba789da953d2

C:\Windows\Temp\System.exe

MD5 d881de17aa8f2e2c08cbb7b265f928f9
SHA1 08936aebc87decf0af6e8eada191062b5e65ac2a
SHA256 b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
SHA512 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

C:\Users\Admin\AppData\Roaming\invs.vbs

MD5 c578d9653b22800c3eb6b6a51219bbb8
SHA1 a97aa251901bbe179a48dbc7a0c1872e163b1f2d
SHA256 20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2
SHA512 3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

C:\Users\Admin\AppData\Local\Temp\Default.mp3

MD5 071720d5f39c31b27711d70b09ef9b3b
SHA1 1fe68bf69c8418454a0d91ad321b99fe9065a1db
SHA256 f8bc97b18db5452e5be748390037c16e606aaf0f61f0896531528d0d5fd08cc7
SHA512 7db5e2039e075916874b071f30aef7c29133182b9bdbc2e3cb9c2296db8a67f2cfd4e49701d85126b6b58d59bd6198f2ce6c5f4eec382209a6576c628d354014

C:\Users\Admin\AppData\Local\Temp\%tmp%.exe

MD5 6b97067ea717e5c72685a38a15109ecc
SHA1 0ec286ff24307650bcd1881106980d420c646610
SHA256 b62c4ffb4b0622b0dc2fcf684b86863a54636c3af773e71a036c3064075eaf17
SHA512 80613f0da03c01d5d35dedb4617e811a7b2e72032eeedc5ccdb2b8f6c6408ec9f66ad3f9a10f6e357e4ec85c9bb8374c3d64874a5d9699e6def23cdc9748fb7d

C:\Users\Admin\AppData\Roaming\java2.bat

MD5 e8170b6565dfb34d114cfa398ba77296
SHA1 9079335b0ec9a509b7344cb98713fc0b52afa36e
SHA256 76ff7c88cc815c8acd61f835033baf5b92eee085e7316c7230f7c363d1e1974b
SHA512 1b473fe0a68642ff1741f4619f819b040f8d54696d40e74dd9ad692b56729e455bbe54cb76b382bb1fce5e1eae97dd8c99aeb762915f7147bba59d0ba60d004d

\??\c:\Users\Admin\AppData\Local\Temp\l_yjabx1.cmdline

MD5 c32f3c6fa1d95b9c24ee03beedf95aa5
SHA1 94c03ec3c968766f348d165b279464e059ae99db
SHA256 977a8c824ff7558cde670571d52484e0f530844d35248ccffc9c9ea6be7206c6
SHA512 6560255d9ebbe184fd6ccc19afcbaae27ae19b7ac4d4018febfb8edb17ff2574b85b9089b11f99e05dc1a0b2682b1986bd2cb91eaaf9311e46e1981a096efd8c

\??\c:\Users\Admin\AppData\Local\Temp\l_yjabx1.0.cs

MD5 b63430207638c1a36b9b27002e0da3da
SHA1 54356082f32c71498c4ac5f85f4588e0d1c57ad0
SHA256 fa125ed8e48d596788a8ad5589bc996b918de3fc27008bea888b9e1b5efa2193
SHA512 29ea956fb37628dac43693d5f234698510923d562ab22e53131b1919f788ed5fd3116ed501be79554e47113d795b06f5ad255c7dfee2bb9e021eb0ab14e9b737

\??\c:\Users\Admin\AppData\Local\Temp\CSC8DB9.tmp

MD5 daa3a61260e23e288828141defb86ed3
SHA1 301402cfba1393a97a074c581a1bf96e4f3300b0
SHA256 6c36c2b343b73b5dd44d225f161f8cd41af748e6ca8f697a6767ad79626abbf1
SHA512 3923e87b4db42ea9b94921463e0d0770ab72af8a2e2d5d513f58134436fd2e2a629b2ef916cce5ac3d340b38c88669af4e62b6b49a0a902bc0e3af352921244f

C:\Users\Admin\AppData\Local\Temp\RES8DBA.tmp

MD5 fa9fbfe490d2d97871d4e88e5d2ffc69
SHA1 ba4309ef50bba7ef17de4ce6e37bd491d85babe0
SHA256 c97bb82e6c2edbb2ad8b19dbdd6ea81cb8f5cff9bfdd632847fd0cad31be7e58
SHA512 0b81cccc8d398e1291c06bdaa17314160ff678e0fe0a499c167564b597056b25d5c4a6311a1075c271760b22ff288dbb398d1ad1bcdd00ba45873329fb0daf7c

C:\Users\Admin\AppData\Local\Temp\l_yjabx1.dll

MD5 db9f20dce927fc33e7c1970f1d527f6e
SHA1 6044c52702401fefc23fb531b4a83f636769cfd0
SHA256 510fc3eec0d2b8da2101629b19639d6323b124d2821e2c8461849d20dbf9463a
SHA512 33ec19ccc9222c590df049ff1843482348a84dba8202e5a66650524e1e0af162a8c715a2b9693c20e0042c8b63ee248f6188f7e19fe145e96ef0b926dddb6595

memory/1536-69-0x0000000000400000-0x000000000040C000-memory.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8F7F.tmp.xml

MD5 b0a98e486aa67048f887ee8d956a6c14
SHA1 9577aaea50b27985e95b4835f68b52388c947cf2
SHA256 fd5322d27327529d59ecc618427091d401e291e771e48e6752e4a2eb1bd43fb0
SHA512 8e4f94b27a8653b1e784eced21ff1d98c1434d994c0ffeb8a50087152de03b650e88e5df1793ae66d2452a076645a7a985e1dcc7cfe60468b04222e8d4739bd1

memory/1536-89-0x0000000000410000-0x00000000004D9000-memory.dmp

memory/1212-92-0x00000000749F2000-0x00000000749F3000-memory.dmp

memory/1212-93-0x00000000749F0000-0x0000000074FA1000-memory.dmp

memory/4432-104-0x00007FFDF8D00000-0x00007FFDF8D34000-memory.dmp

memory/4432-103-0x00007FF673800000-0x00007FF6738F8000-memory.dmp

memory/4432-111-0x00007FFDF8AC0000-0x00007FFDF8ADD000-memory.dmp

memory/4432-112-0x00007FFDF8AA0000-0x00007FFDF8AB1000-memory.dmp

memory/4432-105-0x00007FFDE9DA0000-0x00007FFDEA056000-memory.dmp

memory/4432-109-0x00007FFDF8B60000-0x00007FFDF8B77000-memory.dmp

memory/4432-108-0x00007FFDF8B80000-0x00007FFDF8B91000-memory.dmp

memory/4432-107-0x00007FFDF8F80000-0x00007FFDF8F97000-memory.dmp

memory/4432-106-0x00007FFDFEFF0000-0x00007FFDFF008000-memory.dmp

memory/4432-110-0x00007FFDF8B40000-0x00007FFDF8B51000-memory.dmp

memory/4432-114-0x00007FFDF88C0000-0x00007FFDF8901000-memory.dmp

memory/4432-113-0x00007FFDF3FA0000-0x00007FFDF41AB000-memory.dmp

memory/4432-120-0x00007FFDF81E0000-0x00007FFDF81F1000-memory.dmp

memory/4432-119-0x00007FFDF8200000-0x00007FFDF8211000-memory.dmp

memory/4432-118-0x00007FFDF8220000-0x00007FFDF8231000-memory.dmp

memory/4432-117-0x00007FFDF8870000-0x00007FFDF8888000-memory.dmp

memory/4432-116-0x00007FFDF8890000-0x00007FFDF88B1000-memory.dmp

memory/4432-115-0x00007FFDE8CF0000-0x00007FFDE9DA0000-memory.dmp

memory/1212-123-0x00000000749F0000-0x0000000074FA1000-memory.dmp

memory/4432-154-0x00007FFDE8CF0000-0x00007FFDE9DA0000-memory.dmp