Malware Analysis Report

2024-12-07 17:03

Sample ID 241113-cr5hvstpdt
Target bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832
SHA256 bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832
Tags
njrat jjj defense_evasion discovery evasion persistence privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832

Threat Level: Known bad

The file bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832 was found to be: Known bad.

Malicious Activity Summary

njrat jjj defense_evasion discovery evasion persistence privilege_escalation trojan

njRAT/Bladabindi

Njrat family

Modifies Windows Firewall

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

AutoIT Executable

Subvert Trust Controls: Mark-of-the-Web Bypass

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

NTFS ADS

Modifies registry class

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 02:19

Signatures

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 02:19

Reported

2024-11-13 02:22

Platform

win7-20240903-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832.exe"

Signatures

Njrat family

njrat

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target | Count
N/A | N/A | C:\ProgramData\winmgr107.exe | N/A | 3

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\2 = "C:\\ProgramData\\winmgr107.exe" | C:\Users\Admin\AppData\Local\Temp\bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\2 = "C:\\ProgramData\\winmgr107.exe" | C:\ProgramData\winmgr107.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2320 set thread context of 2832 | N/A | C:\ProgramData\winmgr107.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

winmgr107.exe resets the main thread of a RegAsm.exe child it created itself. Together with the repeated writes into PID 2832 listed under WriteProcessMemory, this is process hollowing: Microsoft's RegAsm.exe is the host whose original code is replaced by the njRAT payload, and the memory dumps for PID 2832 under Files are that payload.

Subvert Trust Controls: Mark-of-the-Web Bypass

defense_evasion
Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\Temp\bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832.exe:Zone.Identifier:$DATA | C:\Users\Admin\AppData\Local\Temp\bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832.exe | N/A
File created | C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA | C:\ProgramData\winmgr107.exe | N/A
File opened for modification | C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA | C:\ProgramData\winmgr107.exe | N/A

Zone.Identifier:$DATA is the alternate data stream that carries the Mark-of-the-Web. The sample creates one on its own image and on the dropped winmgr107.exe, then reopens the latter for modification. The stream contents are not recorded in this report, so the zone value actually written is unknown; the signature fires on the write itself.

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A

All three rows are reads (open, query, enumerate) of the helper list that netsh.exe loads every time it starts; nothing is written under that key anywhere in this run, so no helper DLL was registered. The signature is a side effect of the netsh firewall command listed under Processes, not a separate persistence mechanism.

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target | Count
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A | 24
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\winmgr107.exe | N/A | 3
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A | 1

The NLS\Language key is read by every process in the run, including schtasks.exe, NOTEPAD.EXE and cmd.exe, so this signature carries no signal of its own for this sample.

NTFS ADS

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\Temp\bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832.exe:Zone.Identifier:$DATA | C:\Users\Admin\AppData\Local\Temp\bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832.exe | N/A
File created | C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA | C:\ProgramData\winmgr107.exe | N/A
File opened for modification | C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA | C:\ProgramData\winmgr107.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A | 1
Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A | 14
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A | 14

(In the raw log the "Token: 33" and "Token: SeIncBasePriorityPrivilege" entries alternate, 28 rows in all, after the single SeDebugPrivilege entry. All come from the hollowed RegAsm.exe, PID 2832.)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2552 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2528 wrote to memory of 2800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\NOTEPAD.EXE | 4
PID 2552 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832.exe | C:\ProgramData\winmgr107.exe | 4
PID 2320 wrote to memory of 2832 | N/A | C:\ProgramData\winmgr107.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | 9
PID 2320 wrote to memory of 2356 | N/A | C:\ProgramData\winmgr107.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 2320 wrote to memory of 2620 | N/A | C:\ProgramData\winmgr107.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 2832 wrote to memory of 2732 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\SysWOW64\netsh.exe | 4
PID 2320 wrote to memory of 1276 | N/A | C:\ProgramData\winmgr107.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 2320 wrote to memory of 296 | N/A | C:\ProgramData\winmgr107.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 2320 wrote to memory of 2924 | N/A | C:\ProgramData\winmgr107.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 2320 wrote to memory of 1480 | N/A | C:\ProgramData\winmgr107.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 2320 wrote to memory of 1704 | N/A | C:\ProgramData\winmgr107.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 2320 wrote to memory of 2700 | N/A | C:\ProgramData\winmgr107.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 2320 wrote to memory of 1228 | N/A | C:\ProgramData\winmgr107.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 2320 wrote to memory of 3032 | N/A | C:\ProgramData\winmgr107.exe | C:\Windows\SysWOW64\schtasks.exe | 3

Every ordinary child launch in this run (cmd.exe, NOTEPAD.EXE, winmgr107.exe, schtasks.exe, netsh.exe) appears as a burst of four writes. The one pair that departs from that, nine writes from winmgr107.exe (2320) into RegAsm.exe (2832), is the same pair as the SetThreadContext row above: the payload being written into the hollowed host. That host, not winmgr107.exe, is what later spawns netsh.exe (2732) to open the firewall.
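The rows above are easier to read as a process tree. The following Python is an added example by the editor, not part of the sandbox report: it parses rows in the sandbox's own "PID x wrote to memory of y" format, transcribed from the table above with their repeat counts, rebuilds the parent/child tree, and singles out the edge whose write count departs from the per-launch norm (the nine writes into RegAsm.exe, matching the SetThreadContext row). The helper names (parse_rows, build_tree, injection_candidates, render) are the example's own.

```python
import re
from collections import Counter, defaultdict

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832.exe"
WINMGR = r"C:\ProgramData\winmgr107.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"


def _row(src, dst, src_img, dst_img):
    """One row in the sandbox's WriteProcessMemory format."""
    return f"PID {src} wrote to memory of {dst} N/A {src_img} {dst_img}"


# Transcribed from the behavioral1 WriteProcessMemory table: (row, repeat count).
ROWS = [
    (_row(2552, 2528, SAMPLE, r"C:\Windows\SysWOW64\cmd.exe"), 4),
    (_row(2528, 2800, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\NOTEPAD.EXE"), 4),
    (_row(2552, 2320, SAMPLE, WINMGR), 4),
    (_row(2320, 2832, WINMGR, REGASM), 9),
    (_row(2832, 2732, REGASM, r"C:\Windows\SysWOW64\netsh.exe"), 4),
] + [(_row(2320, pid, WINMGR, SCHTASKS), 4)
     for pid in (2356, 2620, 1276, 296, 2924, 1480, 1704, 2700, 1228)] \
  + [(_row(2320, 3032, WINMGR, SCHTASKS), 3)]

# Expanded back to one line per sandbox row, exactly as the table prints them.
RAW_LINES = [text for text, n in ROWS for _ in range(n)]


def parse_rows(lines):
    """Return ({(src_pid, dst_pid): write count}, {pid: image path})."""
    writes, images = Counter(), {}
    for line in lines:
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header or unrelated line
        src, dst = int(m[1]), int(m[2])
        writes[(src, dst)] += 1
        images[src], images[dst] = m[3], m[4]
    return writes, images


def build_tree(writes):
    """Parent -> children map and the root PIDs (sources that are never a target)."""
    children = defaultdict(list)
    for src, dst in writes:
        children[src].append(dst)
    targets = {dst for _, dst in writes}
    roots = sorted({src for src, _ in writes} - targets)
    return children, roots


def injection_candidates(writes):
    """Edges with more writes than the modal per-launch burst (4 in this run)."""
    modal = Counter(writes.values()).most_common(1)[0][0]
    return sorted((src, dst, n) for (src, dst), n in writes.items() if n > modal)


def render(children, images, pid, depth=0):
    """Indented text tree, one line per process."""
    lines = [f"{'  ' * depth}{pid} {images.get(pid, '?')}"]
    for child in children.get(pid, []):
        lines.extend(render(children, images, child, depth + 1))
    return lines


if __name__ == "__main__":
    writes, images = parse_rows(RAW_LINES)
    children, roots = build_tree(writes)
    for root in roots:
        print("\n".join(render(children, images, root)))
    for src, dst, n in injection_candidates(writes):
        print(f"possible injection: {src} -> {dst} ({images[dst]}), {n} writes")
```

The modal-count heuristic is deliberately simple: it assumes the sandbox records a fixed number of writes per ordinary CreateProcess, which holds within a single run on one platform but should be re-derived per sandbox rather than hard-coded.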

Processes (in launch order; runs of identical launches collapsed with a count)

C:\Users\Admin\AppData\Local\Temp\bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832.exe

"C:\Users\Admin\AppData\Local\Temp\bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832.exe"

C:\Windows\SysWOW64\cmd.exe (opens the .txt decoy dropped to C:\ProgramData, listed under Files)

C:\Windows\system32\cmd.exe /c start C:\PROGRA~3\BFE0DE~1.TXT

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\PROGRA~3\bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832.exe.txt

C:\ProgramData\winmgr107.exe

C:\ProgramData\winmgr107.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (command line is the single argument 0; this is the process that receives the SetThreadContext call and holds the memory dumps listed under Files)

0

C:\Windows\SysWOW64\schtasks.exe (x2)

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\netsh.exe (launched by the hollowed RegAsm.exe; uses the legacy netsh firewall context to whitelist its own host binary)

netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE

C:\Windows\SysWOW64\schtasks.exe (x9, same command line as above)

C:\Windows\system32\taskeng.exe

taskeng.exe {272FE6E4-F7EA-4F52-8B86-5F3E014B69EA} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]

C:\ProgramData\winmgr107.exe (second instance, started by the scheduled task)

C:\ProgramData\winmgr107.exe

C:\Windows\SysWOW64\schtasks.exe (x12, same command line as above)

C:\ProgramData\winmgr107.exe (third instance)

C:\ProgramData\winmgr107.exe

C:\Windows\SysWOW64\schtasks.exe (x1, same command line as above)

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

The task named "winmgr107.exe" fires every minute and starts a fresh copy of C:\ProgramData\winmgr107.exe through taskeng.exe; each copy in turn re-runs the same schtasks command repeatedly (/f overwrites the existing task) and re-sets the Run key, which is why 24 schtasks.exe launches appear in a 147 s run. Removing the task, the Run value and the dropped file together is required; any one of the three left in place restores the others within a minute.
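The command lines and the Run-key write recorded for this run are enough to build host-side detections for its persistence and evasion steps. The following Python is an added example by the editor, not code from the sandbox or from the report; the event records are constructed from the behavioral1 process list and Run-key row, and the Sysmon-like field names (image, cmdline, parent_image, key, data) are assumed rather than any product's real schema. The rules generalise past this sample: any minute-interval task whose action sits in a user-writable directory, any legacy "netsh firewall add allowedprogram" exception, any RegAsm.exe started by a non-Windows parent without an assembly argument, and any Run value pointing into ProgramData or Temp.

```python
import shlex
from dataclasses import dataclass

# Editor's example, not sandbox code. Field names are an assumed Sysmon-like schema.
USER_WRITABLE = ("c:\\programdata\\", "\\appdata\\local\\temp\\", "c:\\users\\public\\")
WINDOWS_DIR = "c:\\windows\\"

@dataclass
class ProcEvent:
    image: str          # new process path
    cmdline: str        # command line as the sandbox printed it
    parent_image: str   # parent process path

@dataclass
class RegEvent:
    key: str            # key path ending in the value name, sandbox style
    data: str           # value data as printed (backslashes doubled)

def _argv(cmdline):
    # posix=False keeps backslashes and leaves quotes on tokens; _clean strips them.
    return shlex.split(cmdline, posix=False)

def _clean(token):
    return token.strip('"')

def _user_writable(path):
    return any(d in _clean(path).lower() for d in USER_WRITABLE)

def _arg_after(argv, flag):
    """Token following a flag such as /sc, /tr or allowedprogram (case-insensitive)."""
    low = [a.lower() for a in argv]
    return argv[low.index(flag) + 1] if flag in low and low.index(flag) + 1 < len(argv) else None

def rule_schtasks_minute_autorun(ev):
    """schtasks /create with a minute trigger whose action lives in a user-writable directory."""
    if not isinstance(ev, ProcEvent) or not ev.image.lower().endswith("schtasks.exe"):
        return None
    argv = _argv(ev.cmdline)
    if "/create" not in [a.lower() for a in argv]:
        return None
    sc, tr, tn = _arg_after(argv, "/sc"), _arg_after(argv, "/tr"), _arg_after(argv, "/tn")
    if sc and sc.lower() == "minute" and tr and _user_writable(tr):
        return f"minute-interval task {_clean(tn or '?')} runs {_clean(tr)}"
    return None

def rule_netsh_allowedprogram(ev):
    """Legacy 'netsh firewall add allowedprogram' exception, the form this sample used."""
    if not isinstance(ev, ProcEvent) or not ev.image.lower().endswith("netsh.exe"):
        return None
    argv = _argv(ev.cmdline)
    if {"firewall", "add", "allowedprogram"} <= {a.lower() for a in argv}:
        prog = _arg_after(argv, "allowedprogram")
        return f"firewall exception added for {_clean(prog) if prog else '?'}"
    return None

def rule_regasm_without_assembly(ev):
    """RegAsm.exe from a non-Windows parent with no assembly argument: a hollowed host, not a COM registration."""
    if not isinstance(ev, ProcEvent) or not ev.image.lower().endswith("regasm.exe"):
        return None
    if ev.parent_image.lower().startswith(WINDOWS_DIR):
        return None
    args = [_clean(a) for a in _argv(ev.cmdline)]
    if args and args[0].lower().endswith("regasm.exe"):
        args = args[1:]
    if not any(a.lower().endswith((".dll", ".exe")) for a in args):
        return f"RegAsm.exe launched by {ev.parent_image} with args {args!r}"
    return None

def rule_run_key_user_writable(ev):
    """CurrentVersion\\Run value whose target sits in a user-writable directory."""
    if not isinstance(ev, RegEvent) or "\\currentversion\\run\\" not in ev.key.lower():
        return None
    target = ev.data.replace("\\\\", "\\")  # undo the sandbox's doubled backslashes
    if _user_writable(target):
        return f"Run value {ev.key.rsplit(chr(92), 1)[-1]} -> {_clean(target)}"
    return None

RULES = (rule_schtasks_minute_autorun, rule_netsh_allowedprogram,
         rule_regasm_without_assembly, rule_run_key_user_writable)

def run_rules(events):
    """(rule name, message) for every event a rule fires on, in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((rule.__name__, msg))
    return hits

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832.exe"
WINMGR = r"C:\ProgramData\winmgr107.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

# Constructed from the behavioral1 run; parentage follows its WriteProcessMemory table.
REPORT_EVENTS = [
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c start C:\PROGRA~3\BFE0DE~1.TXT", SAMPLE),
    ProcEvent(WINMGR, WINMGR, SAMPLE),
    ProcEvent(REGASM, "0", WINMGR),
    ProcEvent(r"C:\Windows\SysWOW64\schtasks.exe",
              r'C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f',
              WINMGR),
    ProcEvent(r"C:\Windows\SysWOW64\netsh.exe",
              r'netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE',
              REGASM),
    RegEvent(r"\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\2",
             r"C:\\ProgramData\\winmgr107.exe"),
]

# Constructed benign look-alikes that must stay quiet.
BENIGN_EVENTS = [
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\run.exe"', r"C:\Windows\System32\cmd.exe"),
    ProcEvent(REGASM, f'"{REGASM}" "C:\\Program Files\\Vendor\\lib.dll" /codebase', r"C:\Program Files\Vendor\setup.exe"),
]
```

Note that the netsh rule matches only the legacy "netsh firewall" context that this sample used; the "netsh advfirewall firewall add rule ... program=" form needs a second clause, and both forms should be paired with the parent-process check, since an installer running netsh from Program Files is routine.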

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | youri.mooo.com | udp

Only the DNS lookup of youri.mooo.com, sent to Google's resolver at 8.8.8.8, was captured in this run; no connection to a resolved address appears, so the C2 port cannot be read from this report. mooo.com is a free dynamic-DNS zone (afraid.org FreeDNS), the kind of infrastructure njRAT operators typically use, so the hostname rather than any IP is the indicator to block and hunt for.

Files

C:\PROGRA~3\bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832.exe.txt

MD5 c8cf7247d4cfc99a7582a42d13df4c08
SHA1 317f5588af0b3b6374c436fb00084c522fd78a83
SHA256 78bd99781e971622f1573bccf2ae9cdd7a7498cf81c1875afc65913e1083b1d0
SHA512 5dd86b7ba388e5d2ad61b1c69589f42c36eec23a04b3cece0941133e0cf0e8a6f1f3aa2242d87af72db725b4b96032dadae72b3be98af3cfce5786ad8c08c357

\ProgramData\winmgr107.exe

MD5 e822c55dc4be92574d3bddb4ace9cefc
SHA1 a3eef2ca2ea4fac5b31c61a855106cd6b54580d9
SHA256 efc34e83e0cc69fe7bf614a527b386dfdf8f1c7d57f56d42e771901b6d90d23d
SHA512 ce692e70a19854e7986ad9a44d104cc07f5fbb079f276e6681c19160c6e970b37a2b79b5ab543f3644f0c11c98dbb661cbea070d945cea1a68e41ec8971216c3

memory/2832-27-0x0000000000090000-0x000000000009C000-memory.dmp

memory/2832-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2832-29-0x0000000000090000-0x000000000009C000-memory.dmp

memory/2832-31-0x0000000000090000-0x000000000009C000-memory.dmp

memory/2832-30-0x0000000000090000-0x000000000009C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 02:19

Reported

2024-11-13 02:22

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832.exe"

Signatures

Njrat family

njrat

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target | Count
N/A | N/A | C:\ProgramData\winmgr107.exe | N/A | 4

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2 = "C:\\ProgramData\\winmgr107.exe" | C:\Users\Admin\AppData\Local\Temp\bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2 = "C:\\ProgramData\\winmgr107.exe" | C:\ProgramData\winmgr107.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 2

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1996 set thread context of 3556 | N/A | C:\ProgramData\winmgr107.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Subvert Trust Controls: Mark-of-the-Web Bypass

defense_evasion
Description | Indicator | Process | Target
File created | C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA | C:\ProgramData\winmgr107.exe | N/A
File opened for modification | C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA | C:\ProgramData\winmgr107.exe | N/A
File opened for modification | C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA | C:\ProgramData\winmgr107.exe | N/A
File created | C:\Users\Admin\AppData\Local\Temp\bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832.exe:Zone.Identifier:$DATA | C:\Users\Admin\AppData\Local\Temp\bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832.exe | N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A

As in behavioral1, these are read-only accesses by netsh.exe to its own helper list; no value is written under the key, so no helper DLL was registered.

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target | Count
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A | 26
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\winmgr107.exe | N/A | 4
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832.exe | N/A | 1

As in behavioral1, every process in the run reads this key, so the signature adds nothing on its own.

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A

NTFS ADS

Description | Indicator | Process | Target
File opened for modification | C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA | C:\ProgramData\winmgr107.exe | N/A
File created | C:\Users\Admin\AppData\Local\Temp\bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832.exe:Zone.Identifier:$DATA | C:\Users\Admin\AppData\Local\Temp\bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832.exe | N/A
File created | C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA | C:\ProgramData\winmgr107.exe | N/A
File opened for modification | C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA | C:\ProgramData\winmgr107.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832.exe N/A 2
N/A N/A C:\ProgramData\winmgr107.exe N/A 60

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A 1
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A 15
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A 15

The 33 / SeIncBasePriorityPrivilege rows were recorded as 15 alternating pairs, all from the hollowed RegAsm.exe process.

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1128 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832.exe C:\Windows\SysWOW64\cmd.exe 3
PID 3928 wrote to memory of 1500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\NOTEPAD.EXE 3
PID 1128 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832.exe C:\ProgramData\winmgr107.exe 3
PID 1996 wrote to memory of 3556 N/A C:\ProgramData\winmgr107.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 5
PID 1996 wrote to memory of 1772 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 1996 wrote to memory of 1592 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 3556 wrote to memory of 1584 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\SysWOW64\netsh.exe 3
PID 1996 wrote to memory of 4648 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 1996 wrote to memory of 4740 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 1996 wrote to memory of 5032 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 1996 wrote to memory of 4892 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 1996 wrote to memory of 4080 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 1996 wrote to memory of 4996 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 1996 wrote to memory of 4816 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 1996 wrote to memory of 336 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 1996 wrote to memory of 2156 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 1996 wrote to memory of 1476 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 1996 wrote to memory of 3696 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 1996 wrote to memory of 3344 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 1996 wrote to memory of 4936 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 1996 wrote to memory of 5012 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe 2

Processes

C:\Users\Admin\AppData\Local\Temp\bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832.exe

"C:\Users\Admin\AppData\Local\Temp\bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c start C:\PROGRA~3\BFE0DE~1.TXT

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\PROGRA~3\bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832.exe.txt

C:\ProgramData\winmgr107.exe

C:\ProgramData\winmgr107.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

0

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\ProgramData\winmgr107.exe

C:\ProgramData\winmgr107.exe

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\ProgramData\winmgr107.exe

C:\ProgramData\winmgr107.exe

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\ProgramData\winmgr107.exe

C:\ProgramData\winmgr107.exe

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
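
The records above (Processes, WriteProcessMemory, NTFS ADS and the Network table) can be checked mechanically. The script below is an added triage example, not part of the sandbox output and not code from the njRAT family it describes: it embeds the rows copied from this report and flags the per-minute scheduled task, the legacy netsh firewall exception, the cross-process writes into RegAsm.exe started with the bare command line 0, the self-modified Zone.Identifier stream, and the repeatedly resolved external host. The pid-to-image mapping, the "under 5 minutes" and "5 lookups" thresholds, and the hollowing heuristic (a Windows-directory target whose command line never names its own image, written to by a parent outside the Windows directory) are the author's assumptions, not something the report states.

```python
"""Added triage helper for this report (not sandbox output): re-reads the
records listed above and flags the njRAT behaviours the signatures name."""
import re

SAMPLE_NAME = "bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE_NAME
REGASM = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
WINMGR = r"C:\ProgramData\winmgr107.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"

# pid -> (image, command line), copied from the Processes section. Pairing a
# pid with an image is an ASSUMPTION drawn from the WriteProcessMemory
# parent/child rows and the memory/3556-... dump name.
PROCS = {
    1128: (SAMPLE, f'"{SAMPLE}"'),
    3928: (r"C:\Windows\SysWOW64\cmd.exe",
           r"C:\Windows\system32\cmd.exe /c start C:\PROGRA~3\BFE0DE~1.TXT"),
    1500: (r"C:\Windows\SysWOW64\NOTEPAD.EXE",
           r'"C:\Windows\system32\NOTEPAD.EXE" C:\PROGRA~3' + "\\" + SAMPLE_NAME + ".txt"),
    1996: (WINMGR, WINMGR),
    3556: (REGASM, "0"),  # recorded command line is the bare string "0"
    1772: (SCHTASKS, SCHTASKS + r' /create /sc minute /mo 1 /tn "winmgr107.exe"'
                     r' /tr "C:\ProgramData\winmgr107.exe" /f'),
    1584: (r"C:\Windows\SysWOW64\netsh.exe",
           r'netsh firewall add allowedprogram "' + REGASM + r'" "RegAsm.exe" ENABLE'),
}
# (writer pid, target pid, rows in the WriteProcessMemory table).
WRITES = [(1128, 3928, 3), (3928, 1500, 3), (1128, 1996, 3), (1996, 3556, 5),
          (1996, 1772, 3), (3556, 1584, 3)]
# (operation, stream, process) rows from the NTFS ADS table.
ADS = [("opened for modification", WINMGR + ":Zone.Identifier:$DATA", WINMGR),
       ("created", SAMPLE + ":Zone.Identifier:$DATA", SAMPLE),
       ("created", WINMGR + ":Zone.Identifier:$DATA", WINMGR)]
# name -> number of queries in the Network table (reverse lookups abbreviated).
DNS_QUERIES = {"youri.mooo.com": 21, "228.249.119.40.in-addr.arpa": 1,
               "103.209.201.84.in-addr.arpa": 1, "95.221.229.192.in-addr.arpa": 1}


def schtask_interval(cmdline):
    """(minutes, program) for 'schtasks /create /sc minute /mo N /tr "prog"', else None."""
    m = re.search(r'/create\b.*?/sc\s+minute\s+/mo\s+(\d+)\b.*?/tr\s+"([^"]+)"', cmdline, re.I)
    return (int(m.group(1)), m.group(2)) if m and "schtasks" in cmdline.lower() else None


def netsh_firewall_allow(cmdline):
    """Program path whitelisted via the legacy 'netsh firewall add allowedprogram', else None."""
    m = re.search(r'netsh\s+firewall\s+add\s+allowedprogram\s+"([^"]+)"', cmdline, re.I)
    return m.group(1) if m else None


def ancestry(pid, writes):
    """Follow writer->target pairs back to the root: [root, ..., pid]."""
    parent = {dst: src for src, dst, _ in writes}
    chain = [pid]
    while chain[0] in parent:
        chain.insert(0, parent[chain[0]])
    return chain


def hollowing_candidates(procs, writes):
    """Targets under the Windows directory whose command line never names their
    own image (here RegAsm.exe launched as "0"), written to by a parent that
    lives outside the Windows directory. Heuristic, not a sandbox signature."""
    hits = []
    for src, dst, rows in writes:
        src_img, _ = procs[src]
        dst_img, cmd = procs[dst]
        stem = dst_img.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
        if (dst_img.lower().startswith(r"c:\windows") and stem not in cmd.lower()
                and not src_img.lower().startswith(r"c:\windows")):
            hits.append((src, dst, rows))
    return hits


def motw_self_tamper(ads_rows):
    """Executables that open their own Zone.Identifier stream for modification."""
    return sorted({s.split(":Zone.Identifier")[0] for op, s, proc in ads_rows
                   if op == "opened for modification"
                   and s.split(":Zone.Identifier")[0].lower() == proc.lower()})


def repeated_lookups(queries, threshold=5):
    """Forward names resolved at least `threshold` times; PTR names are ignored.
    A single external host queried over and over is the reconnect loop to check first."""
    return [(h, n) for h, n in queries.items()
            if n >= threshold and not h.endswith(".in-addr.arpa")]


def triage(procs=PROCS, writes=WRITES, ads=ADS, queries=DNS_QUERIES):
    findings = {"persistence": [], "firewall_exception": []}
    for pid, (_, cmd) in procs.items():
        task = schtask_interval(cmd)
        if task and task[0] <= 5:  # assumption: anything this frequent is a watchdog
            findings["persistence"].append((pid, task))
        prog = netsh_firewall_allow(cmd)
        if prog:
            findings["firewall_exception"].append((pid, prog, ancestry(pid, writes)))
    findings["hollowing"] = hollowing_candidates(procs, writes)
    findings["motw_removed"] = motw_self_tamper(ads)
    findings["c2_candidates"] = repeated_lookups(queries)
    return findings


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The five-row write into PID 3556 stands out against the three-row pattern of every ordinary child start; combined with a target whose command line is just 0, that is the RegAsm.exe hollowing the "Suspicious use of SetThreadContext" signature refers to, and the firewall exception is then requested from inside that hollowed process (ancestry 1128 > 1996 > 3556 > 1584). On a live host the same checks map onto schtasks /query, the Zone.Identifier stream of C:\ProgramData\winmgr107.exe and the firewall's program exception list.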

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp

Files

C:\PROGRA~3\bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832.exe.txt

MD5 c8cf7247d4cfc99a7582a42d13df4c08
SHA1 317f5588af0b3b6374c436fb00084c522fd78a83
SHA256 78bd99781e971622f1573bccf2ae9cdd7a7498cf81c1875afc65913e1083b1d0
SHA512 5dd86b7ba388e5d2ad61b1c69589f42c36eec23a04b3cece0941133e0cf0e8a6f1f3aa2242d87af72db725b4b96032dadae72b3be98af3cfce5786ad8c08c357

C:\ProgramData\winmgr107.exe

MD5 46962ad1106b1393c8ca7e989382ae03
SHA1 d9593048b02b693444c1154f88d50d09457d2546
SHA256 3358fac7b071c1a48bd820431e0b4fcc875fc87a98084e728b424eb5c3454cc2
SHA512 257f00be8005106ea727a7132efa40cbfe2303a82b19dec77eb986e0d595654f2effe739edf28c1ad9782ef69585e73ef38d3f629dc10dd5a42df715255d3c73

C:\Users\Admin\AppData\Local\Temp\bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832.exe

MD5 0d632dcfd9f9624f7fe121b90d76be4c
SHA1 1ab681579538b669573a2fffec2c08c6f017b23a
SHA256 bfe0deac3ef53a5fbbd492a6e48174df4e82f1b4bbcc25728646ea07ebb9d832
SHA512 457e5e39e983deda59afed72195173dfaaac1f9a3cde7fdd535498216503bf5d5f91422bac364364cf5d05160f725a9ec2a47c95843cc69c65c60adf36db46ce

memory/3556-15-0x0000000001130000-0x000000000113C000-memory.dmp