
Analysis Report XQehPgTn35.exe

Overview

General Information

Sample Name: XQehPgTn35.exe
Analysis ID: 433012
MD5: 595c00bf9ca4baa42b4490f2782cf2d3
SHA1: d1441cc336655f36efc3db070f84701a1f68e51a
SHA256: 6884ac9f82a44a7702c4807deec1640b66eb71f6c750dd0ca1d5d78632e626b5
Tags: exe, njrat, RAT

Detection

Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Njrat
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to spread to USB devices (.Net source)
Creates autorun.inf (USB autostart)
Disables the Windows task manager (taskmgr)
Drops PE files to the document folder of the user
Drops PE files to the startup folder
Drops executables to the windows directory (C:\Windows) and starts them
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
PE file has nameless sections
Uses netsh to modify the Windows network and firewall settings
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the program root directory (C:\Program Files)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Netsh Port or Application Allowed
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • XQehPgTn35.exe (PID: 6468 cmdline: 'C:\Users\user\Desktop\XQehPgTn35.exe' MD5: 595C00BF9CA4BAA42B4490F2782CF2D3)
    • server.exe (PID: 6616 cmdline: 'C:\Windows\server.exe' MD5: 595C00BF9CA4BAA42B4490F2782CF2D3)
      • netsh.exe (PID: 6700 cmdline: netsh firewall add allowedprogram 'C:\Windows\server.exe' 'server.exe' ENABLE MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 6708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • netsh.exe (PID: 3544 cmdline: netsh firewall delete allowedprogram 'C:\Windows\server.exe' MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 6136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • netsh.exe (PID: 5700 cmdline: netsh firewall add allowedprogram 'C:\Windows\server.exe' 'server.exe' ENABLE MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 1740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Microsoft Corporation.exe (PID: 5900 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe' MD5: 595C00BF9CA4BAA42B4490F2782CF2D3)
  • Google.exe (PID: 6716 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe' MD5: 595C00BF9CA4BAA42B4490F2782CF2D3)
  • cleanup

Malware Configuration

Threatname: Njrat

{"Campaign ID": "HacKed", "Version": "0.7d", "Install Name": "714bcaf02dc680243f761ccdcdc54f71", "Install Dir": "system 32", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Host": "[i]", "Port": "MTU0MDkg", "Network Seprator": "714bcaf02dc680243f761ccdcdc54f71", "Mutex Name": "False", "BSOD Active": "MTU0MDkg", "Pastebin Link": "Software\\Microsoft\\Windows\\CurrentVersion\\Run"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
XQehPgTn35.exe | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x1162b1:$s1: zffb(==

Dropped Files

Source | Rule | Description | Author | Strings
C:\Program Files (x86)\Google.exe | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x1162b1:$s1: zffb(==
C:\Program Files (x86)\Google.exe | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x1162b1:$s1: zffb(==
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x1162b1:$s1: zffb(==
C:\SublimeText.exe | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x1162b1:$s1: zffb(==
C:\Program Files (x86)\Google.exe | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x1162b1:$s1: zffb(==
(11 further entries not shown)

Memory Dumps

Source | Rule | Description | Author | Strings
0000000E.00000002.286063064.0000000001312000.00000040.00020000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
0000000E.00000002.286063064.0000000001312000.00000040.00020000.sdmp | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x1585d:$reg: SEE_MASK_NOZONECHECKS
  • 0x154e3:$msg: Execute ERROR
  • 0x15537:$msg: Execute ERROR
  • 0x15aaf:$ping: cmd.exe /c ping 0 -n 2 & del
0000000B.00000002.254123068.0000000000DA2000.00000040.00020000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
0000000B.00000002.254123068.0000000000DA2000.00000040.00020000.sdmp | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x1585d:$reg: SEE_MASK_NOZONECHECKS
  • 0x154e3:$msg: Execute ERROR
  • 0x15537:$msg: Execute ERROR
  • 0x15aaf:$ping: cmd.exe /c ping 0 -n 2 & del
00000000.00000002.201103366.0000000000AE2000.00000040.00020000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
(4 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
2.0.server.exe.9c0000.0.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x1162b1:$s1: zffb(==
11.0.Microsoft Corporation.exe.da0000.0.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x1162b1:$s1: zffb(==
0.0.XQehPgTn35.exe.ae0000.0.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x1162b1:$s1: zffb(==
14.0.Google.exe.1310000.0.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x1162b1:$s1: zffb(==
0.2.XQehPgTn35.exe.ae0000.0.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
(5 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: Netsh Port or Application Allowed
Source: Process started | Author: Markus Neis, Sander Wiebing | Data:
  • Command: netsh firewall add allowedprogram 'C:\Windows\server.exe' 'server.exe' ENABLE
  • CommandLine: netsh firewall add allowedprogram 'C:\Windows\server.exe' 'server.exe' ENABLE
  • CommandLine|base64offset|contains: l
  • Image: C:\Windows\SysWOW64\netsh.exe
  • NewProcessName: C:\Windows\SysWOW64\netsh.exe
  • OriginalFileName: C:\Windows\SysWOW64\netsh.exe
  • ParentCommandLine: 'C:\Windows\server.exe'
  • ParentImage: C:\Windows\server.exe
  • ParentProcessId: 6616
  • ProcessCommandLine: netsh firewall add allowedprogram 'C:\Windows\server.exe' 'server.exe' ENABLE
  • ProcessId: 6700

          Signature Overview

          AV Detection:

Antivirus / Scanner detection for submitted sample
Source: XQehPgTn35.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Program Files (x86)\Google.exe | Avira: detection malicious, Label: HEUR/AGEN.1128047
Source: C:\Program Files (x86)\Google.exe | Avira: detection malicious, Label: HEUR/AGEN.1128047
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe | Avira: detection malicious, Label: HEUR/AGEN.1128047
Source: C:\Program Files (x86)\Google.exe | Avira: detection malicious, Label: HEUR/AGEN.1128047
Source: C:\Program Files (x86)\Google.exe | Avira: detection malicious, Label: HEUR/AGEN.1128047
Source: C:\Windows\server.exe | Avira: detection malicious, Label: HEUR/AGEN.1128047
Source: C:\Program Files (x86)\Google.exe | Avira: detection malicious, Label: HEUR/AGEN.1128047
Source: C:\system 32.exe | Avira: detection malicious, Label: HEUR/AGEN.1128047
Source: C:\Program Files (x86)\Google.exe | Avira: detection malicious, Label: HEUR/AGEN.1128047
Source: C:\Umbrella.flv.exe | Avira: detection malicious, Label: HEUR/AGEN.1128047
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Avira: detection malicious, Label: HEUR/AGEN.1128047
Source: C:\Program Files (x86)\Google.exe | Avira: detection malicious, Label: HEUR/AGEN.1128047
Source: C:\Program Files (x86)\Google.exe | Avira: detection malicious, Label: HEUR/AGEN.1128047
Source: C:\Program Files (x86)\Google.exe | Avira: detection malicious, Label: HEUR/AGEN.1128047
Source: C:\Program Files (x86)\Google.exe | Avira: detection malicious, Label: HEUR/AGEN.1128047
Source: C:\SublimeText.exe | Avira: detection malicious, Label: HEUR/AGEN.1128047
Found malware configuration
Source: 11.2.Microsoft Corporation.exe.da0000.0.unpack | Malware Configuration Extractor: Njrat {"Campaign ID": "HacKed", "Version": "0.7d", "Install Name": "714bcaf02dc680243f761ccdcdc54f71", "Install Dir": "system 32", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Host": "[i]", "Port": "MTU0MDkg", "Network Seprator": "714bcaf02dc680243f761ccdcdc54f71", "Mutex Name": "False", "BSOD Active": "MTU0MDkg", "Pastebin Link": "Software\\Microsoft\\Windows\\CurrentVersion\\Run"}
Multi AV Scanner detection for domain / URL
Source: 4.tcp.ngrok.io | Virustotal: Detection: 12%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\Google.exe | Virustotal: Detection: 44%
Source: C:\Program Files (x86)\Google.exe | Metadefender: Detection: 42%
Source: C:\Program Files (x86)\Google.exe | ReversingLabs: Detection: 61%
Source: C:\SublimeText.exe | Metadefender: Detection: 42%
Source: C:\SublimeText.exe | ReversingLabs: Detection: 61%
Source: C:\Umbrella.flv.exe | Metadefender: Detection: 42%
Source: C:\Umbrella.flv.exe | ReversingLabs: Detection: 61%
Source: C:\Users\user\AppData\Local\Google.exe | Metadefender: Detection: 42%
Source: C:\Users\user\AppData\Local\Google.exe | ReversingLabs: Detection: 61%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\History\Google.exe | Metadefender: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\History\Google.exe | ReversingLabs: Detection: 61%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Google.exe | Metadefender: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Google.exe | ReversingLabs: Detection: 61%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Google.exe | Metadefender: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Google.exe | ReversingLabs: Detection: 61%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe | Metadefender: Detection: 42%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe | ReversingLabs: Detection: 61%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe | Metadefender: Detection: 42%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe | ReversingLabs: Detection: 61%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Metadefender: Detection: 42%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | ReversingLabs: Detection: 61%
Multi AV Scanner detection for submitted file
Source: XQehPgTn35.exe | Virustotal: Detection: 44%
Source: XQehPgTn35.exe | Metadefender: Detection: 42%
Source: XQehPgTn35.exe | ReversingLabs: Detection: 61%
Yara detected Njrat
Source: Yara match | File source: 0000000E.00000002.286063064.0000000001312000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.254123068.0000000000DA2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.201103366.0000000000AE2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Google.exe PID: 6716, type: MEMORY
Source: Yara match | File source: Process Memory Space: XQehPgTn35.exe PID: 6468, type: MEMORY
Source: Yara match | File source: Process Memory Space: Microsoft Corporation.exe PID: 5900, type: MEMORY
Source: Yara match | File source: 0.2.XQehPgTn35.exe.ae0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Microsoft Corporation.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Google.exe.1310000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\Google.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google.exe | Joe Sandbox ML: detected
Source: C:\Windows\server.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google.exe | Joe Sandbox ML: detected
Source: C:\system 32.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google.exe | Joe Sandbox ML: detected
Source: C:\Umbrella.flv.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google.exe | Joe Sandbox ML: detected
Source: C:\SublimeText.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: XQehPgTn35.exe | Joe Sandbox ML: detected
Source: 11.2.Microsoft Corporation.exe.da0000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.2.XQehPgTn35.exe.afc000.1.unpack | Avira: Label: TR/Patched.Ren.Gen2
Source: 14.2.Google.exe.132c000.2.unpack | Avira: Label: TR/Patched.Ren.Gen2
Source: 14.2.Google.exe.1310000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 11.2.Microsoft Corporation.exe.dbc000.2.unpack | Avira: Label: TR/Patched.Ren.Gen2
Source: 0.2.XQehPgTn35.exe.ae0000.0.unpack | Avira: Label: TR/Dropper.Gen

          Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Unpacked PE file: 0.2.XQehPgTn35.exe.ae0000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Unpacked PE file: 11.2.Microsoft Corporation.exe.da0000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe | Unpacked PE file: 14.2.Google.exe.1310000.0.unpack
Source: XQehPgTn35.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\XQehPgTn35.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

          Spreading:

Contains functionality to spread to USB devices (.Net source)
Source: 0.2.XQehPgTn35.exe.ae0000.0.unpack, Usb1.cs | .Net Code: infect
Source: 14.2.Google.exe.1310000.0.unpack, Usb1.cs | .Net Code: infect
Creates autorun.inf (USB autostart)
Source: C:\Windows\server.exe | File created: C:\autorun.inf
Source: XQehPgTn35.exe | Binary or memory string: [autorun]
Source: XQehPgTn35.exe | Binary or memory string: \autorun.inf
Source: XQehPgTn35.exe | Binary or memory string: autorun.inf
Source: Microsoft Corporation.exe | Binary or memory string: autorun.inf
Source: Microsoft Corporation.exe | Binary or memory string: \autorun.inf
Source: Microsoft Corporation.exe | Binary or memory string: [autorun]
Source: Google.exe | Binary or memory string: [autorun]
Source: Google.exe | Binary or memory string: \autorun.inf
Source: Google.exe | Binary or memory string: autorun.inf
Source: autorun.inf.2.dr | Binary or memory string: [autorun]
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Code function: 0_2_00D67A2C FindFirstFileA
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe | File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49727 -> 3.138.180.119:15409
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49729 -> 3.138.180.119:15409
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49730 -> 3.129.187.220:15409
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49731 -> 3.129.187.220:15409
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49732 -> 3.129.187.220:15409
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49733 -> 3.129.187.220:15409
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49734 -> 3.129.187.220:15409
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49735 -> 3.129.187.220:15409
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49736 -> 3.138.180.119:15409
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49737 -> 3.129.187.220:15409
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49738 -> 3.138.180.119:15409
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49739 -> 3.138.180.119:15409
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49740 -> 3.138.180.119:15409
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49741 -> 3.129.187.220:15409
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49742 -> 3.138.180.119:15409
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49743 -> 3.129.187.220:15409
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49744 -> 3.129.187.220:15409
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49745 -> 3.129.187.220:15409
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49746 -> 3.138.180.119:15409
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49747 -> 3.129.187.220:15409
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49748 -> 3.136.65.236:15409
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49749 -> 3.136.65.236:15409
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49750 -> 3.136.65.236:15409
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49751 -> 3.138.180.119:15409
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49752 -> 3.136.65.236:15409
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49753 -> 3.138.180.119:15409
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49754 -> 3.136.65.236:15409
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49755 -> 3.136.65.236:15409
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49756 -> 3.138.180.119:15409
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49757 -> 3.136.65.236:15409
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49758 -> 3.136.65.236:15409
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49759 -> 3.138.180.119:15409
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49760 -> 3.138.180.119:15409
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49761 -> 3.138.180.119:15409
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.3:49762 -> 3.138.180.119:15409
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: [i]
Connects to many ports of the same IP (likely port scanning)
Source: global traffic | TCP traffic: 3.136.65.236 ports 0,1,15409,4,5,9
Source: global traffic | TCP traffic: 3.129.187.220 ports 0,1,15409,4,5,9
Source: global traffic | TCP traffic: 3.138.180.119 ports 0,1,15409,4,5,9
Source: global traffic | TCP traffic: 192.168.2.3:49727 -> 3.138.180.119:15409
Source: global traffic | TCP traffic: 192.168.2.3:49730 -> 3.129.187.220:15409
Source: global traffic | TCP traffic: 192.168.2.3:49748 -> 3.136.65.236:15409
Source: Joe Sandbox View | IP Address: 3.129.187.220
Source: Joe Sandbox View | IP Address: 3.138.180.119
Source: Joe Sandbox View | IP Address: 3.136.65.236
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: unknown | DNS traffic detected: queries for: 4.tcp.ngrok.io
Source: Google.exe, Google.exe, 0000000E.00000002.286075738.000000000132C000.00000040.00020000.sdmp | String found in binary or memory: http://www.enigmaprotector.com/
Source: XQehPgTn35.exe, 00000000.00000002.201116536.0000000000AFC000.00000040.00020000.sdmp, Microsoft Corporation.exe, 0000000B.00000002.254136129.0000000000DBC000.00000040.00020000.sdmp, Google.exe, 0000000E.00000002.286075738.000000000132C000.00000040.00020000.sdmp | String found in binary or memory: http://www.enigmaprotector.com/openU
Source: Microsoft Corporation.exe, 0000000B.00000002.253950253.0000000000C4A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\server.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe | Window created: window name: CLIPBRDWNDCLASS

          E-Banking Fraud:

Yara detected Njrat
Source: Yara match | File source: 0000000E.00000002.286063064.0000000001312000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.254123068.0000000000DA2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.201103366.0000000000AE2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Google.exe PID: 6716, type: MEMORY
Source: Yara match | File source: Process Memory Space: XQehPgTn35.exe PID: 6468, type: MEMORY
Source: Yara match | File source: Process Memory Space: Microsoft Corporation.exe PID: 5900, type: MEMORY
Source: Yara match | File source: 0.2.XQehPgTn35.exe.ae0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Microsoft Corporation.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Google.exe.1310000.0.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 0000000E.00000002.286063064.0000000001312000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.254123068.0000000000DA2000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.201103366.0000000000AE2000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.XQehPgTn35.exe.ae0000.0.unpack, type: UNPACKEDPEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
          Source: 11.2.Microsoft Corporation.exe.da0000.0.unpack, type: UNPACKEDPEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
          Source: 14.2.Google.exe.1310000.0.unpack, type: UNPACKEDPEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
          PE file has nameless sectionsShow sources
          Source: XQehPgTn35.exeStatic PE information: section name:
          Source: XQehPgTn35.exeStatic PE information: section name:
          Source: XQehPgTn35.exeStatic PE information: section name:
          Source: server.exe.0.drStatic PE information: section name:
          Source: server.exe.0.drStatic PE information: section name:
          Source: server.exe.0.drStatic PE information: section name:
          Source: Google.exe.2.drStatic PE information: section name:
          Source: Google.exe.2.drStatic PE information: section name:
          Source: Google.exe.2.drStatic PE information: section name:
          Source: Microsoft Corporation.exe.2.drStatic PE information: section name:
          Source: Microsoft Corporation.exe.2.drStatic PE information: section name:
          Source: Microsoft Corporation.exe.2.drStatic PE information: section name:
          Source: 714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe.2.drStatic PE information: section name:
          Source: 714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe.2.drStatic PE information: section name:
          Source: 714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe.2.drStatic PE information: section name:
Source: C:\Windows\server.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\XQehPgTn35.exe | File created: C:\Windows\server.exe
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Code function: 0_2_00AE2050
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Code function: 0_2_03594298
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Code function: 0_2_03595459
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Code function: 0_2_03594B5B
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Code function: 0_2_0359505D
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Code function: 0_2_03594544
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Code function: 0_2_0359536F
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Code function: 0_2_0359470F
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Code function: 0_2_03595000
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Code function: 0_2_03594630
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Code function: 0_2_03594936
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Code function: 0_2_03594F2F
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Code function: 0_2_035947D4
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Code function: 0_2_035949F9
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Code function: 0_2_035944F1
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Code function: 0_2_035950E3
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Code function: 0_2_0359499D
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Code function: 0_2_03594F9D
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Code function: 0_2_03594C8F
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Code function: 0_2_03594287
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Code function: 11_2_00DA2050
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe | Code function: 14_2_01312050
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Code function: String function: 00B00264 appears 61 times
Source: XQehPgTn35.exe, 00000000.00000002.204876570.0000000006500000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs XQehPgTn35.exe
Source: XQehPgTn35.exe, 00000000.00000002.204876570.0000000006500000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs XQehPgTn35.exe
Source: XQehPgTn35.exe, 00000000.00000002.204526243.0000000006400000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs XQehPgTn35.exe
Source: XQehPgTn35.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: XQehPgTn35.exe, type: SAMPLE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0000000E.00000002.286063064.0000000001312000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000B.00000002.254123068.0000000000DA2000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.201103366.0000000000AE2000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Program Files (x86)\Google.exe, type: DROPPED | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27 [row repeated 10 times]
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe, type: DROPPED | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: C:\SublimeText.exe, type: DROPPED | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: C:\system 32.exe, type: DROPPED | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: C:\Windows\server.exe, type: DROPPED | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 2.0.server.exe.9c0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 11.0.Microsoft Corporation.exe.da0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.0.XQehPgTn35.exe.ae0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 14.0.Google.exe.1310000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.XQehPgTn35.exe.ae0000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 11.2.Microsoft Corporation.exe.da0000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 14.2.Google.exe.1310000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
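The SUSP_XORed_URL_in_EXE matches above rest on a simple observation: a URL prefix such as http:// that has been XORed with a one-byte key keeps a fixed byte pattern, so all 255 keys can be tried cheaply against a file or memory dump. The following Python is an added example of that check written for this page; it is not the YARA rule's own logic and not code from the report or the sample. The function names, the key 0x5A and the sample buffer are constructed for the demonstration.

```python
"""Find single-byte-XOR-encoded URL prefixes in a byte buffer.

Added example for this page, not the YARA rule's own logic and not code
from the analysed sample. Names, the key 0x5A and SAMPLE_BUF are
constructed for the demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Plaintext prefixes to look for. Key 0x00 is skipped: an unencoded URL
# is not "XORed" and any strings tool already finds it.
URL_PREFIXES = (b"http://", b"https://", b"ftp://")

# Bytes that may follow the prefix when a hit is extended to a full URL
# (RFC 3986 unreserved and reserved characters plus percent).
URL_CHARS = frozenset(
    b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    b"-._~:/?#[]@!$&'()*+,;=%"
)


@dataclass(frozen=True)
class XoredUrl:
    offset: int  # byte offset of the encoded prefix inside the buffer
    key: int     # single-byte XOR key that decodes it
    url: str     # decoded URL: the prefix plus the URL-safe bytes after it


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one key byte."""
    return bytes(b ^ key for b in data)


def find_xored_urls(buf: bytes, max_len: int = 256) -> list[XoredUrl]:
    """Return every single-byte-XOR-encoded URL prefix found in buf.

    Instead of decoding the whole buffer once per key, each prefix is
    encoded with the candidate key and searched for literally: 255 small
    substring searches per prefix. On a hit the decode continues past the
    prefix while the decoded bytes still look like URL characters, so an
    encoded null terminator (0x00 ^ key == key) ends the URL.
    """
    hits: list[XoredUrl] = []
    for key in range(1, 256):
        for prefix in URL_PREFIXES:
            needle = xor_bytes(prefix, key)
            start = 0
            while (pos := buf.find(needle, start)) != -1:
                end = pos + len(prefix)
                while (end < len(buf) and end - pos < max_len
                       and (buf[end] ^ key) in URL_CHARS):
                    end += 1
                decoded = xor_bytes(buf[pos:end], key).decode("ascii")
                hits.append(XoredUrl(pos, key, decoded))
                start = pos + 1
    hits.sort(key=lambda h: (h.offset, h.key))
    return hits


# Constructed sample: an MZ stub, a null-terminated URL XORed with 0x5A,
# zero padding and an unrelated plaintext string. Not taken from the sample.
SAMPLE_KEY = 0x5A
SAMPLE_URL = b"http://c2.example.invalid:5552/"
SAMPLE_BUF = (
    b"MZ" + b"\x00" * 62
    + b"This program cannot be run in DOS mode.\r\n"
    + xor_bytes(SAMPLE_URL + b"\x00", SAMPLE_KEY)
    + b"\x00" * 16
    + b"plain text, no url here"
)

if __name__ == "__main__":
    for hit in find_xored_urls(SAMPLE_BUF):
        print(f"offset {hit.offset:#06x} key {hit.key:#04x}: {hit.url}")
```

Run against a dropped file or a process memory dump (read it as bytes and pass it to find_xored_urls) the same scan recovers the key together with the decoded address, which is what you want before pivoting to the C2 indicators; a plaintext URL is deliberately not reported, since key 0x00 is skipped.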
Source: XQehPgTn35.exe | Static PE information: Section: (empty name) ZLIB complexity 0.989884561567
Source: XQehPgTn35.exe | Static PE information: Section: .data ZLIB complexity 0.997420238423
Source: server.exe.0.dr | Static PE information: Section: (empty name) ZLIB complexity 0.989884561567
Source: server.exe.0.dr | Static PE information: Section: .data ZLIB complexity 0.997420238423
Source: Google.exe.2.dr | Static PE information: Section: (empty name) ZLIB complexity 0.989884561567
Source: Google.exe.2.dr | Static PE information: Section: .data ZLIB complexity 0.997420238423
Source: Microsoft Corporation.exe.2.dr | Static PE information: Section: (empty name) ZLIB complexity 0.989884561567
Source: Microsoft Corporation.exe.2.dr | Static PE information: Section: .data ZLIB complexity 0.997420238423
Source: 714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe.2.dr | Static PE information: Section: (empty name) ZLIB complexity 0.989884561567
Source: 714bcaf02dc680243f761ccdcdc54f71Windows Updater.exe.2.dr | Static PE information: Section: .data ZLIB complexity 0.997420238423
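Two of the static indicators in this report, the empty section names and a ZLIB complexity close to 1.0 for the sample and every dropped copy, can be reproduced with nothing but the Python standard library. The following is an added example written for this page, not the sandbox vendor's implementation: it walks the PE section table, computes complexity as zlib-compressed size divided by raw size (so 0.99 means the bytes barely compress and are most likely already packed or encrypted), and flags nameless or incompressible sections. The 0.95 cutoff, the helper names and the fabricated PE image it parses are assumptions made for the demonstration.

```python
"""Static PE section checks: nameless sections and zlib 'complexity'.

Added example for this page, not the sandbox vendor's implementation.
Complexity is computed here as zlib-compressed size / raw size; the 0.95
cutoff, helper names and the fabricated PE image are assumptions.
"""
from __future__ import annotations

import hashlib
import struct
import zlib
from dataclasses import dataclass

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
COFF_HEADER_FMT = "<HHIIIHH"           # IMAGE_FILE_HEADER, 20 bytes
SECTION_HEADER_FMT = "<8sIIIIIIHHI"    # IMAGE_SECTION_HEADER, 40 bytes
HIGH_COMPLEXITY = 0.95                 # assumed cutoff for "already packed"


@dataclass(frozen=True)
class SectionInfo:
    name: str
    raw_size: int
    zlib_complexity: float  # compressed / raw; 0.0 for an empty section
    nameless: bool


def zlib_complexity(data: bytes) -> float:
    """Ratio of zlib-compressed size to raw size (near 1.0 = packed/encrypted)."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def parse_sections(image: bytes) -> list[SectionInfo]:
    """Walk the PE section table and score each section's raw bytes."""
    if image[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER_FMT, image, coff_off)
    sec_off = coff_off + struct.calcsize(COFF_HEADER_FMT) + opt_size
    sections = []
    for i in range(nsections):
        hdr = struct.unpack_from(SECTION_HEADER_FMT, image, sec_off + i * 40)
        raw_name, _vsize, _va, raw_size, raw_ptr = hdr[:5]
        name = raw_name.rstrip(b"\0").decode("latin-1")   # names need not be UTF-8
        data = image[raw_ptr:raw_ptr + raw_size]
        sections.append(SectionInfo(name, raw_size, zlib_complexity(data), name == ""))
    return sections


def suspicious_sections(sections: list[SectionInfo],
                        threshold: float = HIGH_COMPLEXITY) -> list[SectionInfo]:
    """Sections that are nameless or whose bytes barely compress."""
    return [s for s in sections if s.nameless or s.zlib_complexity >= threshold]


def pseudo_random_bytes(n: int, seed: bytes = b"example") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for a packed payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_minimal_pe(sections: list[tuple[bytes, bytes]]) -> bytes:
    """Fabricate a tiny PE image with the given (name, raw_data) sections.

    Only the fields parse_sections() reads are filled in; a loader would
    reject this image. Constructed purely so the example runs offline.
    """
    e_lfanew, file_align, n = 0x40, 0x200, len(sections)
    headers_end = e_lfanew + 4 + struct.calcsize(COFF_HEADER_FMT) + n * 40
    raw_ptr = -(-headers_end // file_align) * file_align      # round up to alignment
    first_raw = raw_ptr
    dos = IMAGE_DOS_SIGNATURE + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_HEADER_FMT, 0x014C, n, 0, 0, 0, 0, 0x0102)  # i386, no optional header
    headers, blobs, va = b"", b"", 0x1000
    for name, data in sections:
        headers += struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"), len(data), va,
                               len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data
        raw_ptr += len(data)
        va += 0x1000
    image = dos + IMAGE_NT_SIGNATURE + coff + headers
    return image + b"\0" * (first_raw - len(image)) + blobs


# Constructed sample: one nameless high-entropy section (as in the report's
# nameless-section rows) plus two ordinary, well-compressing sections.
SAMPLE_SECTIONS = [
    (b"", pseudo_random_bytes(4096)),
    (b".text", bytes.fromhex("8bff558bec") * 800),
    (b".rdata", b"Software\\Borland\\Delphi\\Locales\0" * 64),
]


def analyze_sample() -> list[SectionInfo]:
    """Build the constructed image and score its sections."""
    return parse_sections(build_minimal_pe(SAMPLE_SECTIONS))


if __name__ == "__main__":
    for s in analyze_sample():
        flag = " <-- suspicious" if suspicious_sections([s]) else ""
        print(f"{s.name or '<empty>':8} size={s.raw_size:6} zlib={s.zlib_complexity:.3f}{flag}")
```

On a real file, replace analyze_sample() with parse_sections(open(path, "rb").read()); a section that is both nameless and incompressible, as every row above shows for the .data-plus-nameless pair, is a strong packer signal on its own, and the report's "Detected unpacking" findings are the dynamic confirmation of the same thing.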
Source: classification engine | Classification label: mal100.spre.troj.adwa.evad.winEXE@14/27@35/3
Source: C:\Windows\server.exe | File created: C:\Program Files (x86)\Google.exe
Source: C:\Users\user\Desktop\XQehPgTn35.exe | File created: C:\Users\user\AppData\Roaming\app
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6708:120:WilError_01
Source: C:\Windows\server.exe | Mutant created: \Sessions\1\BaseNamedObjects\714bcaf02dc680243f761ccdcdc54f71
Source: C:\Windows\server.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6136:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1740:120:WilError_01
Source: C:\Users\user\Desktop\XQehPgTn35.exe | File created: C:\Users\user\AppData\Local\Temp\FransescoPast.txt
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales [row repeated 2 times]
Source: C:\Windows\server.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales [row repeated 2 times]
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales [row repeated 2 times]
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales [row repeated 2 times]
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\XQehPgTn35.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\server.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\server.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\server.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
          Source: C:\Users\user\AppData\Roaming\